JDK-8239594 : jdk.tls.client.protocols is not respected
  • Type: Bug
  • Component: core-libs
  • Sub-Component: java.net
  • Affected Version: 12
  • Priority: P4
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2020-02-14
  • Updated: 2020-04-18
  • Resolved: 2020-04-10
  • Fix Version: JDK 15 (build 15 b19)
Related Reports
  • Sub Tasks: JDK-8242387
Description
ADDITIONAL SYSTEM INFORMATION :
Tested in OpenJDK 13 and also 11.0.6+10.

A DESCRIPTION OF THE PROBLEM :
According to https://www.java.com/en/configure_crypto.html setting the system property jdk.tls.client.protocols should "enable specific TLS protocols on the client, specify them in a comma-separated list within quotation marks; all other supported protocols are then disabled on the client".
But this is not the case.
The property is evaluated according to a breakpoint I set, but it has no effect.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Start JShell and execute:

System.setProperty("javax.net.debug", "ssl:handshake:verbose")
System.setProperty("jdk.tls.client.protocols", "TLSv1.2")
java.net.http.HttpClient.newBuilder().build().send(java.net.http.HttpRequest.newBuilder(new java.net.URI("https://tls1.3speaking.url")).GET().build(), java.net.http.HttpResponse.BodyHandlers.ofString()).body()


EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
TLS1.2 being used
ACTUAL -
javax.net.ssl|DEBUG|1A|HttpClient-6-Worker-0|2020-02-14 14:24:03.229 CET|ClientHello.java:653|Produced ClientHello handshake message (
"ClientHello": {
...
    "supported_versions (43)": {
      "versions": [TLSv1.3, TLSv1.2]
    },
...
javax.net.ssl|DEBUG|1A|HttpClient-6-Worker-0|2020-02-14 14:24:03.245 CET|ServerHello.java:871|Consuming ServerHello handshake message (
"ServerHello": {
...
    "supported_versions (43)": {
      "selected version": [TLSv1.3]
...
javax.net.ssl|DEBUG|1A|HttpClient-6-Worker-0|2020-02-14 14:24:03.245 CET|ServerHello.java:967|Negotiated protocol version: TLSv1.3


CUSTOMER SUBMITTED WORKAROUND :
Disable TLS1.3 completely in the runtime using jdk.tls.disabledAlgorithms in conf/security/java.security, as mentioned on the same page.

FREQUENCY : always



Comments
URL: https://hg.openjdk.java.net/jdk/jdk/rev/4a39a7ad717f User: pconcannon Date: 2020-04-10 09:06:21 +0000
10-04-2020

Note: In this fix the HttpClient is updated to no longer override any default selected protocols in the SSLContext, in the absence of any SSLParameters explicitly supplied to the HttpClient.Builder. As a result, if no SSLParameters are explicitly supplied to the HttpClient.Builder, the java.net.HttpClient no longer enforces the use of TLS version 1.3 when that is supported by the SSL context implementation (or TLS version 1.2 otherwise) regardless of the defaults that might have been selected by the application. Practically, this means that the SSL handshake might fail if the provided context default parameters do not meet the minimal requirements for HTTP (for instance the protocol list doesn't contain any version of TLS), or the selected HTTP version might default to HTTP/1.1 if the client context (or server context) do not allow negotiating a TLS version higher than TLSv1.1.
09-04-2020
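As an added illustration (not code from the bug report or from the JDK fix), the following Java program shows the application-side control the fix note describes: supplying SSLParameters explicitly to HttpClient.Builder, so the client offers only the protocols the application chose regardless of whether the runtime's HttpClient honours jdk.tls.client.protocols. The class name PinTls12, the ALLOWED list and the helper method names are assumptions made for this example; HttpClient.Builder.sslParameters, HttpClient.sslParameters, SSLContext.getDefaultSSLParameters and SSLParameters.setProtocols are standard JDK 11+ APIs. The program makes no network connection; it only inspects what the client would offer.

```java
import java.net.http.HttpClient;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

public class PinTls12 {

    // Protocol list the application wants the client to offer.
    // Constructed for this example; adjust to your own policy.
    static final String[] ALLOWED = { "TLSv1.2" };

    // Protocols the default SSLContext would enable. This is the list that
    // jdk.tls.client.protocols controls; the bug reported above is that the
    // HttpClient ignored it when no SSLParameters were given explicitly.
    static String[] defaultContextProtocols() throws Exception {
        return SSLContext.getDefault().getDefaultSSLParameters().getProtocols();
    }

    // Build an HttpClient carrying explicit SSLParameters. Per the fix note,
    // the client only substitutes its own protocol list when none are supplied,
    // so supplying them is the portable way to pin the offered versions.
    static HttpClient pinnedClient(String... protocols) {
        SSLParameters params = new SSLParameters();
        params.setProtocols(protocols);
        return HttpClient.newBuilder().sslParameters(params).build();
    }

    // Check: does the client offer only protocols from the allowed list?
    static boolean offersOnly(HttpClient client, String... allowed) {
        List<String> offered = Arrays.asList(client.sslParameters().getProtocols());
        return Arrays.asList(allowed).containsAll(offered) && !offered.isEmpty();
    }

    public static void main(String[] args) throws Exception {
        // Run once with and once with -Djdk.tls.client.protocols=TLSv1.2 to see
        // how the property changes the context defaults on your JDK.
        System.out.println("default context protocols: "
                + Arrays.toString(defaultContextProtocols()));

        HttpClient client = pinnedClient(ALLOWED);
        System.out.println("HttpClient will offer:     "
                + Arrays.toString(client.sslParameters().getProtocols()));
        System.out.println("offers only allowed protocols: "
                + offersOnly(client, ALLOWED));
    }
}
```

On a JDK with the bug (12 b11 through 14 per the test matrix below), a client built without explicit SSLParameters prints TLSv1.3 and TLSv1.2 from HttpClient.sslParameters() even when the property selects TLSv1.2 only; the explicitly parameterised client prints the pinned list on every version. Note that pinning to TLSv1.2 alone is a compatibility choice, not a hardening one: TLSv1.3 is the stronger protocol, and the reporter's need was interoperability with a specific server.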

Not directly related, but similar(ish) to JDK-8239595.
29-02-2020

Looks like HttpClientImpl.getDefaultParams() is using the supported protocols, rather than the default ssl context protocols for its configuration. Assign to httpclient for further evaluation.
28-02-2020

JDK 13.0.2: Fail; Connecting with https://www.google.com; Negotiated protocol version: TLSv1.3
JDK 12ea b11: Fail; Connecting with https://www.google.com; Negotiated protocol version: TLSv1.3
JDK 12ea b10: Pass; Connecting with https://www.google.com; Negotiated protocol version: TLSv1.2
JDK 11.0.7: Pass; Connecting with https://www.google.com; Negotiated protocol version: TLSv1.2
21-02-2020