JDK-8202343 : Disable TLS 1.0 and 1.1
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Priority: P2
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2018-04-26
  • Updated: 2022-01-05
  • Resolved: 2020-11-19
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 11 JDK 13 JDK 15 JDK 16 JDK 7 JDK 8 Other
11.0.11-oracleFixed 13.0.8Fixed 15.0.3Fixed 16 b26Fixed 7u301Fixed 8u291Fixed openjdk7uFixed
Related Reports
CSR :  
Relates :  
Relates :  
Relates :  
Relates :  
Relates :  
Relates :  
Sub Tasks
JDK-8215734 :  
JDK-8230628 :  
JDK-8256490 :  
Description
Disable TLS 1.0 and 1.1 by default. These versions of TLS have weakened over time and lack support for stronger, more modern algorithms. The IETF is in the process of deprecating these versions, see https://datatracker.ietf.org/doc/draft-ietf-tls-oldversions-deprecate/ for the latest Internet draft.

Disabling DTLS 1.0 should also be considered but under a different bugid.
Comments
Fix request (15u) Please, approve thhis backport into 15u. All other JDK versions are removing TLSv1.0 and TLSv1.1 for this release. Approval: https://mail.openjdk.java.net/pipermail/jdk-updates-dev/2021-March/005279.html JDK-8256682 should be approved and pushed with it (but not JDK-8257083, as 15u does not have JDK-8243029)
11-03-2021

Fix request (8u) I'd like to have this fix approved for 8u. As said in the ticket description, it's important to disable (by default) TLS protocol versions that are now considered weak. The existing JDK-8 CSR (JDK-8257122) applies to OpenJDK 8u as well. The 11u patch does not apply cleanly but a backport has been review-approved here: https://mail.openjdk.java.net/pipermail/jdk8u-dev/2021-January/013363.html
27-01-2021

8u RFR: https://mail.openjdk.java.net/pipermail/jdk8u-dev/2021-January/013341.html
21-01-2021

Fix Request (OpenJDK 11u): Please approve backporting this to OpenJDK 11u. It's an Oracle JDK 11 parity patch. It didn't apply clean so I've posted it for review. Reviewed by Christoph Langer. The noted TCK issue should get worked-around by explicitly re-enabling TLS 1.0 and TLS 1.1 in java.security. Testing jdk_security (no regressions noted). The intention is to push this together with follow-up fixes JDK-8257083 and JDK-8256682. RFR: https://mail.openjdk.java.net/pipermail/jdk-updates-dev/2020-December/004459.html CSR: https://bugs.openjdk.java.net/browse/JDK-8257122 webrev: https://cr.openjdk.java.net/~sgehwolf/webrevs/JDK-8202343/01/webrev/
14-01-2021

Changeset: 3a4b90f0 Author: Sean Mullan <mullan@openjdk.org> Date: 2020-11-19 14:15:57 +0000 URL: https://github.com/openjdk/jdk/commit/3a4b90f0
19-11-2020

The four leading browser vendors (Mozilla, Google, Microsoft, Apple) have all made announcements to deprecate both TLS 1.0 and 1.1 at around the same time in first half of 2020: Mozilla: https://blog.mozilla.org/security/2018/10/15/removing-old-versions-of-tls/: "In March of 2020, Firefox will disable support for TLS 1.0 and TLS 1.1." Google: https://security.googleblog.com/2018/10/modernizing-transport-security.html: "Google Chrome will deprecate TLS 1.0 and TLS 1.1 in Chrome 72. Sites using these versions will begin to see deprecation warnings in the DevTools console in that release. TLS 1.0 and 1.1 will be disabled altogether in Chrome 81. This will affect users on early release channels starting January 2020." Microsoft: https://blogs.windows.com/msedgedev/2018/10/15/modernizing-tls-edge-ie11/: "Today, we’re announcing our intent to disable Transport Layer Security (TLS) 1.0 and 1.1 by default in supported versions of Microsoft Edge and Internet Explorer 11 in the first half of 2020." Apple: https://webkit.org/blog/8462/deprecation-of-legacy-tls-1-0-and-1-1-versions/: "Therefore, we are deprecating support for TLS 1.0 and 1.1. Complete support will be removed from Safari in updates to Apple iOS and macOS beginning in March 2020."
30-10-2018