MuleSoft Product Support for TLSv1.3

MuleSoft is providing support for TLSv1.3 in selected products and platforms. This article will provide details for the various deployment environments and their support for TLSv1.3 protocol.

 

Mule Runtime On Premise

Mule Runtime 4.4.x [latest patch] supports TLSv1.3, so long as the JDK in use is JDK8 1.8.0_292 or greater, or JDK11 or greater.

** Please check your specific vendors documentation for exact version of JDK release that introduced TLSv1.3 support.

Enabling TLSv1.3 requires an edit to the /conf/tls-default.conf file
 

# Protocols that will be enabled in SSL. If this property is set, SSL sockets will only use protocols
# that are provided in this list and supported by the current security provider.
#enabledProtocols=TLSv1.1,TLSv1.2

# For Java 11+, TLSv1.3 can also be enabled.
enabledProtocols=TLSv1.1,TLSv1.2,TLSv1.3

NOTE, JDK 1.8.0_292 and greater by default will disable TLSv1.0 and TLSv1.1. This is because the default security file for this version and higher has disabled these protocols.

If those older protocols are required by your solutions, you would need to edit the security file:

{JAVA_HOME}/jre/lib/security/java/java.security

And change to similar to this example. Add TLSv1 and or TLSv1.1 as required.

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves

If the property security.overridePropertiesFile=true  is set in default java.security, and your mule runtime wrapper.conf contains

wrapper.java.additional.<n>=-Djava.security.properties=/path/to/your/nominated/java.security, please check if the jdk.tls.disabledAlgorithms settings is in the nominated java.security file and edit it there accordingly. 

Certain JDK distribution on Linux gets security.useSystemPropertiesFile=true set in java.security,  in such a scenario, please check if the jdk.tls.disabledAlgorithms setting is in system /etc/crypto-policies/back-ends/java.config and edit it there accordingly.

CloudHub

• Shared Load Balancer supports TLSv1.2
• Dedicated Load Balancer supports TLSv1.0 (need to enable from Runtime Manager), TLSv1.1 (need to enable depending on DLB version), TLSv1.2, and TLSv1.3 (TLSv1.3 support is added from August 18, 2022 release)
• CloudHub Applications supports TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3 (TLSv1.3 support is added from August 2, 2022 release)
  • Outbound TLSv1.3 requires additional parameters to be added. Please see How To Enable TLSv1.3 For Outbound Requests In Cloudhub.

CloudHub 2.0

• Client <--> Ingress Load Balancer: TLSv1.2, TLSv1.3
• Ingress Load Balancer <--> Mule App: TLSv1.2
• Mule App <--> External App outside the cluster: TLSv1.1, TLSv1.2, TLSv1.3 (Outbound TLSv1.3 requires additional parameters to be added. Please see https://help.mulesoft.com/s/article/How-To-Enable-TLSv1-3-For-Outbound-Requests-In-Cloudhub)

Runtime Fabric

• Runtime Fabric Inbound Load Balancer supports TLSv1.3
• Runtime Fabric deployed mule applications support TLSv1.3 as of May 2022 patch release for Mule Runtime 4.3 and 4.4.