JDK-8214443 : Remove TLS v1 and v1.1 from SSLContext required algorithms
  • Type: CSR
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Priority: P2
  • Status: Closed
  • Resolution: Approved
  • Fix Versions: 12
  • Submitted: 2018-11-28
  • Updated: 2018-11-29
  • Resolved: 2018-11-29
Description
Summary
-------

Remove the requirement that all SE implementations must support TLSv1 and TLSv1.1.

Problem
-------

The `javax.net.ssl.SSLContext` API and the Security Algorithm Implementation Requirements section of the Java Security Standard Algorithm Names specification require that all SE implementations support TLSv1 and TLSv1.1. These requirements should be dropped, since these versions of the TLS protocol are not as secure as later versions and are in the process of being deprecated and phased out by the IETF and various third-party TLS implementations.

Solution
--------

Remove the requirement that all SE implementations must support TLSv1 and TLSv1.1 from the `SSLContext` API and the Java Security Standard Algorithms specification.
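Once the requirement is removed, portable code can no longer assume that an `SSLContext` for "TLSv1" or "TLSv1.1" exists on every SE implementation. The following is an added example, not code from the CSR or the JDK: it probes which protocol names the runtime offers and restricts a context to the modern ones. The class name `RequiredProtocolCheck` and the `PREFERRED` order are assumptions made for illustration.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

public class RequiredProtocolCheck {
    // Preference order chosen for this example (an assumption, not part of the CSR).
    private static final List<String> PREFERRED = List.of("TLSv1.3", "TLSv1.2");

    /** True if some installed provider offers an SSLContext under this protocol name. */
    static boolean isAvailable(String protocol) {
        try {
            SSLContext.getInstance(protocol);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false; // no longer guaranteed for TLSv1 / TLSv1.1
        }
    }

    /** SSLParameters limited to the preferred protocols this context supports. */
    static SSLParameters modernParameters(SSLContext ctx) {
        List<String> supported =
                Arrays.asList(ctx.getSupportedSSLParameters().getProtocols());
        List<String> enabled = new ArrayList<>();
        for (String p : PREFERRED) {
            if (supported.contains(p)) {
                enabled.add(p);
            }
        }
        if (enabled.isEmpty()) {
            // Fail closed instead of silently falling back to an older version.
            throw new IllegalStateException("No preferred TLS version supported");
        }
        SSLParameters params = ctx.getDefaultSSLParameters();
        params.setProtocols(enabled.toArray(new String[0]));
        return params;
    }

    public static void main(String[] args) throws Exception {
        for (String p : List.of("TLSv1", "TLSv1.1", "TLSv1.2")) {
            System.out.println(p + " context available: " + isAvailable(p));
        }
        // "TLSv1.2" is the only name every SE implementation must still support.
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null); // default key managers, trust managers, RNG
        SSLParameters params = modernParameters(ctx);
        System.out.println("Enabled: " + Arrays.toString(params.getProtocols()));
    }
}
```

Pass the returned `SSLParameters` to `SSLSocket.setSSLParameters` or `SSLEngine.setSSLParameters` so that the connection negotiates only the listed versions.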

Specification
-------------
1. Remove "TLSv1" and "TLSv1.1" from the `SSLContext` API:

```
diff -r 263c7685a22a src/java.base/share/classes/javax/net/ssl/SSLContext.java
--- a/src/java.base/share/classes/javax/net/ssl/SSLContext.java Wed Nov 28 13:24:56 2018 +0300
+++ b/src/java.base/share/classes/javax/net/ssl/SSLContext.java Wed Nov 28 12:57:41 2018 -0500
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -38,18 +38,16 @@
  * secure random bytes.
  *
  * <p> Every implementation of the Java platform is required to support the
- * following standard {@code SSLContext} protocols:
+ * following standard {@code SSLContext} protocol:
  * <ul>
- * <li>{@code TLSv1}</li>
- * <li>{@code TLSv1.1}</li>
  * <li>{@code TLSv1.2}</li>
  * </ul>
- * These protocols are described in the <a href=
+ * This protocol is described in the <a href=
  * "{@docRoot}/../specs/security/standard-names.html#sslcontext-algorithms">
  * SSLContext section</a> of the
  * Java Security Standard Algorithm Names Specification.
  * Consult the release documentation for your implementation to see if any
- * other algorithms are supported.
+ * other protocols are supported.
  *
  * @since 1.4
  */
```
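Review bot: In the class javadoc of SSLContext.java (hunk at -38,18), dropping the two `<li>` entries leaves a `<ul>` holding a single item, and the text gives no indication that TLSv1 and TLSv1.1 were required before this change. Either fold the remaining protocol into the sentence ("is required to support the {@code TLSv1.2} protocol") or keep the list and add a sentence noting that earlier releases also required TLSv1 and TLSv1.1, so that callers passing those names to `getInstance` learn the guarantee is gone. At present the closing "Consult the release documentation for your implementation" line is the only hint that those protocols may or may not be present.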
2. Remove "TLSv1" and "TLSv1.1" from the `SSLContext` row of the Implementation Requirements section of the Java Security Standard Algorithm Names specification.
Comments
Moving to Approved.
29-11-2018