JDK-8235639 : Release Note: Removed SSLv2Hello and SSLv3 From Default Enabled TLS Protocols
- Type: Sub-task
- Component: security-libs
- Sub-Component: javax.net.ssl
- Affected Version: 7u381,8u371,11.0.19-oracle,14
- Priority: P3
- Status: Closed
- Resolution: Delivered
- Submitted: 2019-12-10
- Updated: 2023-01-13
- Resolved: 2020-04-27
The Version table provides details related to the release that this issue/RFE will be addressed.
Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.
To download the current JDK release, click here.
Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.
To download the current JDK release, click here.
| JDK 11 | JDK 14 | JDK 7 | JDK 8 |
|---|---|---|---|
| 11.0.19-oracleResolved | 14Resolved  |
7u381Resolved | 8u371Resolved |
Description
SSLv2Hello and SSLv3 have been removed from the default enabled TLS protocols. After this update, if SSLv3 is removed from the `jdk.tls.disabledAlgorithms` security property, the `SSLSocket.getEnabledProtocols()`, `SSLServerSocket.getEnabledProtocols()`, `SSLEngine.getEnabledProtocols()` and `SSLParameters.getProtocols()` APIs will return "TLSv1.3, TLSv1.2, TLSv1.1, TLSv1". "SSLv3" will not be returned in this list. If a client or server still needs to use the SSLv3 protocol they can do so by enabling it through the `jdk.tls.client.protocols` or `jdk.tls.server.protocols` system properties or with the `SSLSocket.setEnabledProtocols()`, `SSLServerSocket.setEnabledProtocols()` and `SSLEngine.setEnabledProtocols()` APIs.