On 30 September 2025 @ 23:59 UTC we will
- Disable TLS 1.0 / 1.1 on every public FusionReactor endpoint (licence, downloads, Cloud ingestion).
- Replace our Sectigo certificate chain with Let’s Encrypt ISRG Root X1/X2.
If your server already supports TLS 1.2+ and trusts Let’s Encrypt, you’re all set.
However, if you’re stuck with Java 6, Java 7, or early Java 8 (< u101) and can’t switch JVMs, read on – Mitigation #2 allows you to stay on the old runtime while still passing modern TLS handshakes.
Why bother upgrading the old JVM’s TLS?
- Security: TLS 1.0/1.1 are vulnerable to BEAST, POODLE and downgrade attacks.
- Compliance: PCI-DSS, NIST 800-52r2 and most cloud vendors already require TLS 1.2+.
Future-proofing: Microsoft (Windows 11) and Apple (macOS/iOS) are removing TLS 1.0/1.1 entirely; browsers plan even shorter certificate lifetimes, which Let’s Encrypt’s 90-day model already accommodates.
Verify if your JVM is already compatible
Locate the exact JVM your server uses
- Adobe ColdFusion
- Open cfusion/bin/jvm.config
- Copy the full path after java.home=
- Lucee Server
- Open lucee/bin/setenv.sh (Linux) or setenv.bat (Windows)
- Look for LUCEE_JAVA_HOME= or JAVA_HOME=
- Standalone Tomcat
- Open bin/setenv.sh (or setenv.bat)
- Copy the path assigned to JAVA_HOME or JRE_HOME
- Any other Java stack
- On Linux/Unix: `ps -ef | grep java | head -1` → note the …/bin/java path
- On Windows: `where java` (Command Prompt) or `Get-Command java` (PowerShell)
2. Download the 6 kB probe
{some s3 url}
3. Run the probe with that JVM
- <path-from-step 1>/bin/java -jar tls-probe.jar
The probe connects to https://valid-isrgrootx1.letsencrypt.org/and prints the protocol it negotiated.
4. Interpret the result
✓ TLSv1.2 or TLSv1.3 → Your JVM is ready. No action needed.
✗ handshake_failure / TLSv1 / TLSv1.1 → Enable TLS 1.2
✗ PKIX path building failed → Import ISRG Root X1/X2 into cacerts
Step-by-Step: Upgrading an Existing JVM to TLS 1.2 + Let’s Encrypt
The commands below assume Linux. For Windows, swap forward slashes for back-slashes and run keytool from %JAVA_HOME%\bin\. Root password for the default Java keystore is almost always changeit.
1. Fetch the Let’s Encrypt root certificates
Download the two PEM files to the host (or copy via scp):
bash
CopyEdit
wget https://letsencrypt.org/certs/isrgrootx1.pemwget https://letsencrypt.org/certs/isrgrootx2.pem # future-proof
2. Import the roots into cacerts
bash
CopyEdit
sudo keytool -import -alias isrgrootx1 \ -keystore $JAVA_HOME/jre/lib/security/cacerts \ -file isrgrootx1.pem -storepass changeit -noprompt
sudo keytool -import -alias isrgrootx2 \ -keystore $JAVA_HOME/jre/lib/security/cacerts \ -file isrgrootx2.pem -storepass changeit -noprompt
Read-only images? Copy cacerts elsewhere, edit it, then start your JVM with
ini
CopyEdit
-Djavax.net.ssl.trustStore=/opt/custom/cacerts
-Djavax.net.ssl.trustStorePassword=changeit
3. Force TLS 1.2 on Java 7 / early 8
Open $JAVA_HOME/jre/lib/security/java.security and append:
ini
CopyEdit
jdk.tls.client.protocols=TLSv1.2
Alternatively set an environment variable (handy for containers):
bash
CopyEdit
export JAVA_TOOL_OPTIONS="-Djdk.tls.client.protocols=TLSv1.2"
4. Special case: Java 6 (no native TLS 1.2)
- Grab BouncyCastle JSSE (bcprov & bctls jars, version 1.78+).
- Drop them into
$JAVA_HOME/lib/ext/. - Add this line near the top of
java.security(aftersun.security.provider.Sun):
ini
CopyEdit
security.provider.1=org.bouncycastle.jsse.provider.BouncyCastleJsse
BouncyCastle provides a clean TLS 1.2 stack without changing your app code.
5. Rerun the verify step above to test
Common Pitfalls & Fixes
| Symptom | Likely Cause | Fix |
|---|---|---|
| PKIX path building failed | Root not in cacerts or wrong trustStore used | Re-import roots, ensure JVM points to correct trustStore |
| handshake_failure | TLS 1.2 disabled | Confirm jdk.tls.client.protocols=TLSv1.2 picked up (check -D flags) |
| JVM in Docker still fails | Image rebuild overwrote cacerts | Re-apply steps in the Dockerfile or mount custom trustStore |
How long will this take?
- Root import: ~30 seconds
- TLS 1.2 flag: ~1 minute
- BouncyCastle drop-in: ~3 minutes
- Container rebuild / host restart: depends on environment
What if retrofitting still isn’t possible?
Use Manual / Offline Activation:
- In FusionReactor UI click Manual Activation on About ▸ Licence.
- On any machine with internet access https://fusion-reactor.com/manual, paste the code, click Activate, copy the response.
- Paste the response back into your server’s UI and click Activate.
No outbound TLS required afterward.
Perform this step once per host, and you can keep your legacy JVM humming long after September 30, 2025, without missing license renewals or Cloud ingestion.
Need help? support@fusion-reactor.com or live chat on our website.
