TLSv1 and TLSv1.1 Disabled by Default in Java after April 2021
The OpenJDK Crypto Roadmap states that TLSv1 and TLSv1.1 will be disabled in OpenJDK releases by default after April 20, 2021. I assume this change also applies to Oracle, and all the JVMs that are derived from OpenJDK.
How are they disabling it, and how can I re-enable it if I need to?
One nice feature you may not realize exists is the java.security file. In Java 11 and up it is located in the folder conf/security/ under your JAVA_HOME (in Java 8 it is under jre/lib/security/). This file has a property called jdk.tls.disabledAlgorithms, which right now looks like this:
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
You can see that this setting is currently used to disable SSLv3 and a few other ciphers, key sizes and parameters.
After April 20, 2021 my guess is that they are going to add TLSv1 and TLSv1.1 to this list.
This is good to know, because you can make the change now to test and see if your application is impacted by adding those algorithms to jdk.tls.disabledAlgorithms. You don't have to edit the JDK's own file to try it: put the modified property in a separate properties file and start the JVM with -Djava.security.properties=/path/to/override.properties, which overlays the listed properties on top of java.security (this works because security.overridePropertiesFile=true is the default). Note that the setting is JVM-wide: it applies to every TLS connection the process makes or accepts, not just one client.
If it turns out that you do need to still connect to https servers over these weaker protocols, then you could potentially move them out of jdk.tls.disabledAlgorithms and into the setting jdk.tls.legacyAlgorithms. Removing the protocol from jdk.tls.disabledAlgorithms is what re-enables it; the legacy list only lowers its priority during negotiation.
According to the docs:
In some environments, a certain algorithm may be undesirable but it cannot be disabled because of its use in legacy applications. Legacy algorithms may still be supported, but applications should not use them as the security strength of legacy algorithms are usually not strong enough in practice.
During SSL/TLS security parameters negotiation, legacy algorithms will not be negotiated unless there are no other candidates.
This should only be done, however, if you are not able to upgrade the legacy servers to TLSv1.2 or TLSv1.3, for example because you don't operate them.
What error message might I get due to this?
Here's one you might see:
Unknown host: The server selected protocol version TLS10 is not accepted by client preferences [TLS13, TLS12]
The message above is the text of a javax.net.ssl.SSLHandshakeException; you might also get an SSLHandshakeException with a different message, such as a fatal alert sent by the server.
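To try both sides of this (simulating the upcoming default to see whether a connection breaks, and re-enabling the old protocols when it does), here is a small probe program. It is an added example, not code from the original post or from OpenJDK; the host example.com and the --disable-legacy / --allow-legacy flag names are this example's own choices. It adjusts jdk.tls.disabledAlgorithms at run time with Security.setProperty, which only works if it happens before any JSSE class has read the property, then reports what the client offers and what the server picked, or prints the handshake error.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.stream.Collectors;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * TlsProbe: connect to host:port, report which protocol versions this JVM
 * will offer, and which one the server picked (or why the handshake failed).
 *
 * Modes (flag names are this example's own, not JDK options):
 *   (none)            use the JVM's java.security defaults
 *   --disable-legacy  add TLSv1 and TLSv1.1 to jdk.tls.disabledAlgorithms,
 *                     to simulate the post-April-2021 default on an older JDK
 *   --allow-legacy    remove TLSv1 and TLSv1.1 from jdk.tls.disabledAlgorithms,
 *                     to re-enable them on a JDK that already ships the change
 */
public class TlsProbe {

    private static final String PROP = "jdk.tls.disabledAlgorithms";

    /** The property value with TLSv1 and TLSv1.1 removed (entries are comma separated). */
    static String withoutLegacyProtocols(String disabled) {
        return Arrays.stream(disabled.split(","))
                .map(String::trim)
                .filter(a -> !a.isEmpty() && !a.equals("TLSv1") && !a.equals("TLSv1.1"))
                .collect(Collectors.joining(", "));
    }

    /** The property value with TLSv1 and TLSv1.1 added exactly once. */
    static String withLegacyProtocolsDisabled(String disabled) {
        String cleaned = withoutLegacyProtocols(disabled);
        return cleaned.isEmpty() ? "TLSv1, TLSv1.1" : "TLSv1, TLSv1.1, " + cleaned;
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "example.com";   // placeholder default
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        String mode = args.length > 2 ? args[2] : "";

        // Security.getProperty() loads conf/security/java.security (plus any
        // -Djava.security.properties override) the first time it is called.
        String disabled = Security.getProperty(PROP);
        System.out.println("current   " + PROP + " = " + disabled);

        // Changing the property only works BEFORE the TLS classes are loaded:
        // SunJSSE reads and caches the disabled-algorithm constraints when the
        // first SSLContext is initialised, so do this before SSLContext.getDefault(),
        // HttpsURLConnection, HttpClient, etc. are touched anywhere in the process.
        if (mode.equals("--disable-legacy")) {
            Security.setProperty(PROP, withLegacyProtocolsDisabled(disabled));
        } else if (mode.equals("--allow-legacy")) {
            Security.setProperty(PROP, withoutLegacyProtocols(disabled));
        }
        System.out.println("effective " + PROP + " = " + Security.getProperty(PROP));

        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            // Protocols the client will offer in its ClientHello; versions that
            // are disabled by the property are already filtered out of this list.
            System.out.println("client offers: " + Arrays.toString(socket.getEnabledProtocols()));
            socket.startHandshake();
            System.out.println("negotiated:    " + socket.getSession().getProtocol()
                    + " / " + socket.getSession().getCipherSuite());
        } catch (SSLHandshakeException e) {
            // A server that only speaks TLSv1 or TLSv1.1 ends up here, for example with
            // "The server selected protocol version TLS10 is not accepted by client
            // preferences [TLS13, TLS12]" or a fatal alert message from the server.
            System.out.println("handshake failed: " + e.getMessage());
        }
    }
}
```

Compile with javac TlsProbe.java and run java TlsProbe legacy.example.internal 443 --disable-legacy (hostname is a placeholder) against a server you suspect is TLSv1-only; if the handshake fails, rerun with --allow-legacy to confirm that removing the two entries is all that is needed. For a deployed application, prefer the -Djava.security.properties override file over Security.setProperty, because the override is applied before any code runs and cannot be ordered wrongly relative to the first TLS use.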
TLSv1 and TLSv1.1 Disabled by Default in Java after April 2021 was first published on April 15, 2021.