Summary
-------

Disable DTLS 1.0.

Problem
-------

DTLS 1.0 has weakened over time and lacks support for stronger cipher suites. DTLS 1.0 corresponds to TLS 1.1, which has already been [disabled by default](https://bugs.openjdk.org/browse/JDK-8202343) in JDK 16. The IETF has deprecated this version of DTLS (along with TLS 1.0 and 1.1) in [RFC 8996](https://www.rfc-editor.org/rfc/rfc8996.html).

Solution
--------

Disable DTLS 1.0 by default by adding "DTLSv1.0" to the `jdk.tls.disabledAlgorithms` security property in the `java.security` configuration file. This will cause attempts to use DTLSv1.0 to fail with an `SSLHandshakeException`. Users can, at their own risk, re-enable the version by removing "DTLSv1.0" from the `jdk.tls.disabledAlgorithms` security property.

Specification
-------------

Change to the `java.security` file:

```
- jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \ - DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL + jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DTLSv1.0, RC4, DES, \ + MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
```
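Review bot: The new entry on the added line is spelled `DTLSv1.0`, while the TLS entries next to it are `TLSv1` and `TLSv1.1`; the Specification should state that `DTLSv1.0` is the exact string to remove when re-enabling, since a user following the TLS pattern may look for `DTLSv1`. The added lines also move `MD5withRSA` onto the continuation line, so it would help to say explicitly that the one new entry is the only semantic change and the rest is a reflow.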
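An added example for the Solution section above (not part of the CSR or of the JDK sources): a small audit that checks whether `DTLSv1.0` is listed in `jdk.tls.disabledAlgorithms` on the running JDK and whether a default DTLS engine still enables it. The class name `DtlsAudit` and the exit-code convention are assumptions made for the example.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Hypothetical audit helper: exits 0 when DTLS 1.0 is not enabled by default, 1 otherwise.
public class DtlsAudit {
    static final String PROP = "jdk.tls.disabledAlgorithms";
    static final String LEGACY = "DTLSv1.0";

    // True if the property value carries the protocol name as its own comma-separated entry.
    static boolean listsEntry(String propertyValue, String entry) {
        if (propertyValue == null) {
            return false;
        }
        return Arrays.stream(propertyValue.split(","))
                .map(String::trim)
                .anyMatch(entry::equals);
    }

    public static void main(String[] args) throws Exception {
        // Security.getProperty returns the value with the java.security
        // backslash continuation lines already joined.
        boolean inProperty = listsEntry(Security.getProperty(PROP), LEGACY);

        // Ask a default DTLS engine what it would offer; the engine's answer,
        // not the text of the property, is the authoritative result.
        SSLContext ctx = SSLContext.getInstance("DTLS");
        ctx.init(null, null, null);
        SSLEngine engine = ctx.createSSLEngine();
        List<String> enabled = Arrays.asList(engine.getEnabledProtocols());
        boolean offered = enabled.contains(LEGACY);

        System.out.println(PROP + " lists " + LEGACY + ": " + inProperty);
        System.out.println("Default DTLS engine enables: " + enabled);

        if (!inProperty) {
            System.out.println("WARNING: " + LEGACY + " is not in " + PROP
                    + " (older JDK, or the entry was removed).");
        }
        if (offered) {
            System.out.println("FAIL: " + LEGACY + " is enabled by default.");
        }
        System.exit(offered ? 1 : 0);
    }
}
```

Run it with the same `java` binary and `java.security` overrides as the service being audited, since the property is read from that runtime's configuration.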