TLS Deprecation Guide

As of 2025, support for TLS 1.0 and 1.1 has been deprecated across many platforms and JVMs. FusionReactor requires a modern TLS connection to activate and communicate securely.

The TLS Probe helps you test whether your system can successfully establish a secure HTTPS connection, and it shows the encryption method (cipher suite) being used.


Running the TLS Probe

  1. Download the tls-probe.jar file.
  2. From a command line or terminal in the folder containing the JAR file, run:

    java -jar tls-probe.jar

Understanding the results

✅ Successful connection

Example output:

✓ TLS_AES_128_GCM_SHA256

This means your system successfully connected over HTTPS. The text shown is the TLS cipher suite (the encryption method used for the connection).

Note

On some consoles, the checkmark (✓) may appear as a question mark (?) due to font or encoding differences. This does not affect the result.


❌ Failed connection

If the connection cannot be established (e.g. unsupported TLS version, network restrictions, configuration issues), the probe will display a Java error trace instead of a cipher suite.

Example:

Exception in thread "main" javax.net.ssl.SSLHandshakeException: no cipher suites in common

This means the TLS handshake failed and no secure connection was established.
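
The probe reports only the cipher suite. The class below is an added example (not FusionReactor's tls-probe.jar or its source) that also prints the protocol versions the JVM offers and the version actually negotiated. The class name TlsCheck and the host/port arguments are assumptions for illustration.

```java
import java.io.IOException;
import java.util.Arrays;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added example; TlsCheck is a hypothetical name. Java 6-compatible syntax
// (no try-with-resources, no lambdas) so it also compiles on legacy JVMs.
public class TlsCheck {
    public static void main(String[] args) {
        if (args.length < 1) {
            System.err.println("usage: java TlsCheck <host> [port]");
            System.exit(2);
        }
        String host = args[0];
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        int status = 0;
        SSLSocket socket = null;
        System.out.println("java.version      = " + System.getProperty("java.version"));
        try {
            SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
            socket = (SSLSocket) factory.createSocket(host, port);
            socket.setSoTimeout(10000); // bound the handshake reads to 10 s
            // Protocol versions this JVM will offer in its ClientHello.
            System.out.println("enabled protocols = "
                    + Arrays.toString(socket.getEnabledProtocols()));
            socket.startHandshake();
            SSLSession session = socket.getSession();
            System.out.println("negotiated        = " + session.getProtocol()
                    + " / " + session.getCipherSuite());
            // A plain SSLSocket validates the certificate chain against cacerts
            // but does not check that the certificate matches the host name.
        } catch (SSLHandshakeException e) {
            // No protocol or cipher suite in common, or an untrusted chain
            // (for example a root that is missing from the JVM's cacerts).
            System.out.println("handshake failed  : " + e.getMessage());
            status = 1;
        } catch (IOException e) {
            System.out.println("connection failed : " + e);
            status = 1;
        } finally {
            if (socket != null) {
                try { socket.close(); } catch (IOException ignored) { }
            }
        }
        System.exit(status);
    }
}
```

Compile with `javac TlsCheck.java` and run `java TlsCheck <host>` using the same JVM your application server uses. If the enabled protocols list does not include TLSv1.2, the failure is a protocol problem rather than a missing root certificate.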


Fixing TLS failures

If your system fails the TLS probe, you have three main options:

| Path | Pros | Cons | Typical Time |
|---|---|---|---|
| 1. Upgrade the JVM (recommended) | Future-proof, faster, fewer CVEs | May require application re-testing | ~30 min |
| 2. Retrofit your current JVM | No code changes | Must repeat per host; still legacy | ~10 min |
| 3. Manual / Offline activation | Works even on very old Java (5+) | No auto-renew; manual process per server | ~5 min |

Path 1 – Upgrade the JVM (Preferred)

  1. Install Java 8u121+, 11, 17, or 21.
  2. Point your service to use the new JVM.
  3. Restart your Application Server.

Done.


Path 2 – Retrofit your current JVM

  1. Download ISRG Root X1 and X2 certificates from Let’s Encrypt.

  2. Import the roots into your JVM keystore:

    keytool -import -alias isrgrootx1 -keystore $JAVA_HOME/jre/lib/security/cacerts \
           -file isrgrootx1.pem -storepass changeit -noprompt
    
    keytool -import -alias isrgrootx2 -keystore $JAVA_HOME/jre/lib/security/cacerts \
           -file isrgrootx2.pem -storepass changeit -noprompt
    
  3. Force TLS 1.2 (for Java 7 / early 8) by adding this line to $JAVA_HOME/jre/lib/security/java.security:

    jdk.tls.client.protocols=TLSv1.2
    
  4. For Java 6 only, install BouncyCastle JSSE:

     - Copy the bcprov and bctls JARs to $JAVA_HOME/lib/ext
     - Add this to java.security:

    security.provider.1=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider
    

Path 3 – Manual / Offline Activation

Use this if you cannot enable TLS 1.2 or add Let’s Encrypt roots.

Note

Not available for FusionReactor Cloud licenses due to internet connection requirements.

  1. In the FusionReactor On-Premise UI, go to About → Manual Activation.
  2. Copy the activation code.
  3. On an internet-connected machine, open https://fusion-reactor.com/manual.
  4. Paste the activation code and click Activate.
  5. Copy the generated activation key.
  6. Back in the FusionReactor UI, paste the activation key and click Activate.