- CSR
- Resolution: Approved
- P2
- None
- behavioral
- low
- Java API
- SE
Summary
Remove the requirement that all SE implementations must support TLSv1 and TLSv1.1.
Problem
The javax.net.ssl.SSLContext API and the Security Algorithm Implementation Requirements section of the Java Security Standard Algorithm Names specification require that all SE implementations support TLSv1 and TLSv1.1. These requirements should be dropped since these versions of the TLS protocol are not as secure as later versions and are in the process of being deprecated and phased out by the IETF and various 3rd party TLS implementations.
Solution
Remove the requirement that all SE implementations must support TLSv1 and TLSv1.1 from the SSLContext API and the Java Security Standard Algorithms specification.
Specification
1. Remove "TLSv1" and "TLSv1.1" from the SSLContext API:
diff -r 263c7685a22a src/java.base/share/classes/javax/net/ssl/SSLContext.java
--- a/src/java.base/share/classes/javax/net/ssl/SSLContext.java Wed Nov 28 13:24:56 2018 +0300
+++ b/src/java.base/share/classes/javax/net/ssl/SSLContext.java Wed Nov 28 12:57:41 2018 -0500
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1999, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -38,18 +38,16 @@
* secure random bytes.
*
* <p> Every implementation of the Java platform is required to support the
- * following standard {@code SSLContext} protocols:
+ * following standard {@code SSLContext} protocol:
* <ul>
- * <li>{@code TLSv1}</li>
- * <li>{@code TLSv1.1}</li>
* <li>{@code TLSv1.2}</li>
* </ul>
- * These protocols are described in the <a href=
+ * This protocol is described in the <a href=
* "{@docRoot}/../specs/security/standard-names.html#sslcontext-algorithms">
* SSLContext section</a> of the
* Java Security Standard Algorithm Names Specification.
* Consult the release documentation for your implementation to see if any
- * other algorithms are supported.
+ * other protocols are supported.
*
* @since 1.4
*/
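Review bot: In the class javadoc paragraph, the required-protocol list is now a <ul> holding a single <li>, and the text gives no hint that TLSv1 and TLSv1.1 used to be guaranteed. Suggest folding the one item into the sentence (for example "required to support the standard SSLContext protocol TLSv1.2") and adding a short note that TLSv1 and TLSv1.1 are no longer required, so that callers requesting those names know availability now depends on the implementation.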
2. Remove "TLSv1" and "TLSv1.1" from the SSLContext row of the Implementation Requirements section of the Java Security Standard Algorithm Names specification.
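What the relaxed requirement means for calling code, as an added example that is not part of the CSR or of the JDK sources: only "TLSv1.2" can be assumed to exist, so the older names are probed and a missing one is treated as a normal outcome. The class name TlsProtocolProbe is hypothetical.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class TlsProtocolProbe {
    // The only SSLContext protocol the revised specification still requires.
    static final String REQUIRED = "TLSv1.2";
    // Required before this change; an implementation may now omit them.
    static final List<String> NO_LONGER_REQUIRED = List.of("TLSv1", "TLSv1.1");

    /** Maps each protocol name to whether SSLContext.getInstance accepts it. */
    static Map<String, Boolean> probe() {
        Map<String, Boolean> result = new LinkedHashMap<>();
        for (String name : List.of("TLSv1", "TLSv1.1", REQUIRED)) {
            try {
                SSLContext.getInstance(name);
                result.put(name, true);
            } catch (NoSuchAlgorithmException e) {
                result.put(name, false); // conformant for the optional names
            }
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        Map<String, Boolean> available = probe();
        available.forEach((name, ok) -> System.out.printf("%-8s %-12s %s%n", name,
                ok ? "available" : "unavailable",
                NO_LONGER_REQUIRED.contains(name) ? "(optional)" : "(required)"));
        if (!available.get(REQUIRED)) {
            throw new IllegalStateException(REQUIRED + " missing: not a conformant SE runtime");
        }
        // Build on the guaranteed name, then report what this runtime offers.
        SSLContext ctx = SSLContext.getInstance(REQUIRED);
        ctx.init(null, null, null); // default key managers, trust managers, randomness
        SSLEngine engine = ctx.createSSLEngine();
        System.out.println("supported: " + Arrays.toString(engine.getSupportedProtocols()));
        System.out.println("enabled:   " + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```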
- csr of: JDK-8214140 Remove TLS v1 and v1.1 from SSLContext required algorithms (Resolved)
- relates to: JDK-8283795 Add TLSv1.3 and CNSA 1.0 algorithms to implementation requirements (Resolved)