- Type: CSR
- Resolution: Approved
- Priority: P3
- Compatibility Kind: behavioral
- Compatibility Risk: low
- Interface Kind: System or security property
- Scope: JDK
Summary
Disable DTLS 1.0.
Problem
DTLS 1.0 has weakened over time and lacks support for stronger cipher suites. DTLS 1.0 correlates with version 1.1 of TLS which has already been disabled by default in JDK 16. The IETF has deprecated this version of DTLS (along with TLS 1.0 and 1.1) in RFC 8996.
Solution
Disable DTLS 1.0 by default, by adding "DTLSv1.0" to the jdk.tls.disabledAlgorithms security property in the java.security configuration file. This will cause attempts to use DTLSv1.0 to fail with an SSLHandshakeException. Users can, at their own risk, re-enable the version by removing "DTLSv1.0" from the jdk.tls.disabledAlgorithms security property.
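A quick way to confirm the effect of this change on a given JVM, as an added example that is not part of the CSR or of the JDK sources: read jdk.tls.disabledAlgorithms, check it for the "DTLSv1.0" entry, and compare the protocol versions the DTLS SSLContext supports with those it enables by default. The class name DtlsVersionCheck is an assumption.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.stream.Collectors;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/** Reports whether DTLSv1.0 is disabled on this JVM (added example, not JDK code). */
public class DtlsVersionCheck {

    /** Splits the jdk.tls.disabledAlgorithms value into trimmed entries such as "DTLSv1.0". */
    static List<String> disabledEntries() {
        String value = Security.getProperty("jdk.tls.disabledAlgorithms");
        if (value == null || value.trim().isEmpty()) {
            return Collections.emptyList();
        }
        return Arrays.stream(value.split(","))
                     .map(String::trim)
                     .collect(Collectors.toList());
    }

    /** True when the security property lists DTLSv1.0 (compared case-insensitively for robustness). */
    static boolean dtls10Disabled() {
        return disabledEntries().stream().anyMatch(e -> e.equalsIgnoreCase("DTLSv1.0"));
    }

    public static void main(String[] args) throws Exception {
        System.out.println("jdk.tls.disabledAlgorithms = " + disabledEntries());
        System.out.println("DTLSv1.0 listed as disabled: " + dtls10Disabled());

        // Ask the DTLS SSLContext which versions it could speak versus which it enables
        // by default; a version listed in the property is left out of the enabled set,
        // so a DTLSv1.0-only peer would fail the handshake with an SSLHandshakeException.
        SSLContext ctx = SSLContext.getInstance("DTLS");
        ctx.init(null, null, null);
        SSLEngine engine = ctx.createSSLEngine();
        System.out.println("supported: " + Arrays.toString(engine.getSupportedProtocols()));
        System.out.println("enabled  : " + Arrays.toString(engine.getEnabledProtocols()));

        // This check is read-only. Re-enabling the version means editing java.security
        // (or overriding it with -Djava.security.properties=<file>) before JSSE initializes.
    }
}
```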
Specification
Change to the java.security file:
- jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
- DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
+ jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DTLSv1.0, RC4, DES, \
+ MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
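Review bot: the only semantic change is the insertion of DTLSv1.0 after TLSv1.1, yet both lines of the property show as changed because the continuation point moves (MD5withRSA, DH keySize < 1024 shift onto the second line); keeping the second line `DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL` as it was and wrapping only the first line would let the diff show just the one insertion. Placing DTLSv1.0 directly after TLSv1.1 is the right spot, since it keeps the protocol-version entries grouped ahead of the cipher and key-size constraints.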
CSR of:
- JDK-8256660 Disable DTLS 1.0 (Resolved)
- JDK-8326020 Disable DTLS 1.0 (Resolved)
- JDK-8326021 Disable DTLS 1.0 (Resolved)
- JDK-8327808 Disable DTLS 1.0 (Resolved)