JDK-8214443

Remove TLS v1 and v1.1 from SSLContext required algorithms


    • CSR
    • Resolution: Approved
    • P2
    • 12
    • security-libs
    • None
    • behavioral
    • low
      An SE implementation can still choose to implement TLS v1.0 and 1.1, but it is not required. We do not have any near-term plans to remove our implementations of TLS v1.0 and 1.1 from OpenJDK, so the risk is minimal for the OpenJDK implementation. Usage of TLS 1.0 and 1.1 is already low and will continue to decline sharply as leading browsers drop their support for it.
    • Java API
    • SE

      Summary

      Remove the requirement that all SE implementations must support TLSv1 and TLSv1.1.

      Problem

      The javax.net.ssl.SSLContext API and the Security Algorithm Implementation Requirements section of the Java Security Standard Algorithm Names require that all SE implementations support TLSv1 and TLSv1.1. These requirements should be dropped since these versions of the TLS protocol are not as secure as later versions and are in the process of being deprecated and phased out by the IETF and various third-party TLS implementations.

      Solution

      Remove the requirement that all SE implementations must support TLSv1 and TLSv1.1 from the SSLContext API and the Java Security Standard Algorithm Names specification.

      Specification

      1. Remove "TLSv1" and "TLSv1.1" from the SSLContext API:
      diff -r 263c7685a22a src/java.base/share/classes/javax/net/ssl/SSLContext.java
      --- a/src/java.base/share/classes/javax/net/ssl/SSLContext.java Wed Nov 28 13:24:56 2018 +0300
      +++ b/src/java.base/share/classes/javax/net/ssl/SSLContext.java Wed Nov 28 12:57:41 2018 -0500
      @@ -1,5 +1,5 @@
       /*
      - * Copyright (c) 1999, 2017, Oracle and/or its affiliates. All rights reserved.
      + * Copyright (c) 1999, 2018, Oracle and/or its affiliates. All rights reserved.
        * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
        *
        * This code is free software; you can redistribute it and/or modify it
      @@ -38,18 +38,16 @@
        * secure random bytes.
        *
        * <p> Every implementation of the Java platform is required to support the
      - * following standard {@code SSLContext} protocols:
      + * following standard {@code SSLContext} protocol:
        * <ul>
      - * <li>{@code TLSv1}</li>
      - * <li>{@code TLSv1.1}</li>
        * <li>{@code TLSv1.2}</li>
        * </ul>
      - * These protocols are described in the <a href=
      + * This protocol is described in the <a href=
        * "{@docRoot}/../specs/security/standard-names.html#sslcontext-algorithms">
        * SSLContext section</a> of the
        * Java Security Standard Algorithm Names Specification.
        * Consult the release documentation for your implementation to see if any
      - * other algorithms are supported.
      + * other protocols are supported.
        *
        * @since 1.4
        */
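
      Review bot: In the second hunk, the class Javadoc drops {@code TLSv1} and {@code TLSv1.1} from the required list without telling readers that a conforming implementation may now reject those names, so callers that hard-code SSLContext.getInstance("TLSv1") or SSLContext.getInstance("TLSv1.1") would get NoSuchAlgorithmException there. Consider a release note, or a sentence in this Javadoc, pointing such callers at TLSv1.2, the one protocol still listed. Minor style point: with a single <li> left, the <ul> could be folded into the sentence unless it is kept deliberately for future additions.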

      2. Remove "TLSv1" and "TLSv1.1" from the SSLContext row of the Implementation Requirements section of the Java Security Standard Algorithm Names specification.
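
The following is an added example, not part of the CSR or of the OpenJDK sources. It shows how application code can stop assuming that "TLSv1" and "TLSv1.1" exist once only "TLSv1.2" is required: it probes which SSLContext protocol names the running implementation provides and builds SSLParameters restricted to TLSv1.2 and later. The class name `RequiredTlsProbe` and the candidate list are assumptions made for illustration.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

public class RequiredTlsProbe {
    // Protocol names to probe (illustrative list chosen for this example).
    static final String[] CANDIDATES = {"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"};

    /** Returns the SSLContext protocol names this runtime can instantiate. */
    static List<String> availableContexts() {
        List<String> found = new ArrayList<>();
        for (String name : CANDIDATES) {
            try {
                SSLContext.getInstance(name);
                found.add(name);
            } catch (NoSuchAlgorithmException e) {
                // Not provided here. With this change only TLSv1.2 is
                // guaranteed, so absence of the older names is conformant.
            }
        }
        return found;
    }

    /** Builds parameters from the TLSv1.2 context with older versions filtered out. */
    static SSLParameters modernParameters() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2"); // the required protocol
        ctx.init(null, null, null);                         // default key/trust managers
        SSLParameters params = ctx.getSupportedSSLParameters();
        String[] kept = Arrays.stream(params.getProtocols())
            .filter(p -> p.equals("TLSv1.2") || p.equals("TLSv1.3"))
            .toArray(String[]::new);
        params.setProtocols(kept); // drops SSLv3, TLSv1, TLSv1.1 if the provider lists them
        return params;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("SSLContext protocols available: " + availableContexts());
        System.out.println("Protocols to enable: "
            + Arrays.toString(modernParameters().getProtocols()));
    }
}
```

Pass the resulting parameters to `SSLSocket.setSSLParameters` or `SSLEngine.setSSLParameters` so that connections never negotiate the versions this CSR removes from the required set.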

            Sean Mullan
            Xuelei Fan