JDK-8235639 : Release Note: Removed SSLv2Hello and SSLv3 From Default Enabled TLS Protocols
  • Type: Sub-task
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 7u381,8u371,11.0.19-oracle,14
  • Priority: P3
  • Status: Closed
  • Resolution: Delivered
  • Submitted: 2019-12-10
  • Updated: 2023-01-13
  • Resolved: 2020-04-27
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 11 JDK 14 JDK 7 JDK 8
11.0.19-oracleResolved 14Resolved 7u381Resolved 8u371Resolved
Description
SSLv2Hello and SSLv3 have been removed from the default enabled TLS protocols.

After this update, if SSLv3 is removed from the `jdk.tls.disabledAlgorithms` security property, the `SSLSocket.getEnabledProtocols()`, `SSLServerSocket.getEnabledProtocols()`, `SSLEngine.getEnabledProtocols()` and `SSLParameters.getProtocols()` APIs will return "TLSv1.3, TLSv1.2, TLSv1.1, TLSv1". "SSLv3" will not be returned in this list.

If a client or server still needs to use the SSLv3 protocol they can do so by enabling it through the `jdk.tls.client.protocols` or `jdk.tls.server.protocols` system properties or with the `SSLSocket.setEnabledProtocols()`, `SSLServerSocket.setEnabledProtocols()` and `SSLEngine.setEnabledProtocols()` APIs.