JDK-8254713

Disable TLS 1.0 and 1.1


Details

    • CSR
    • Resolution: Approved
    • P2
    • 16
    • security-libs
    • None
    • behavioral
    • low
      According to [SSLPulse](https://www.ssllabs.com/ssl-pulse/), as of October 03, 2020, 99% of the 150,000 most popular websites support TLS 1.2, leaving about 1% that support only an older protocol such as TLS 1.0 and/or 1.1.
      If necessary, and at their own risk, users can re-enable TLS 1.0 and 1.1 by removing "TLSv1" and "TLSv1.1" from the jdk.tls.disabledAlgorithms property in the java.security file.
    • System or security property
    • JDK

    Description

      Summary

      Disable the TLS 1.0 and 1.1 protocols by default.

      Problem

      TLS 1.0 and 1.1 are versions of the TLS protocol that are no longer considered secure and have been superseded by more secure and modern versions (TLS 1.2 and 1.3).

      TLS 1.0 and 1.1 require and use weak algorithms such as 3DES and SHA-1: a 3DES cipher suite is the mandatory-to-implement suite in both versions, and their PRF and handshake signatures are built on MD5 and SHA-1. They lack support for the stronger and more modern algorithms and ciphers that are supported or required in TLS 1.2 and 1.3 (AEAD cipher suites and SHA-2 based signatures, for example), and they have been vulnerable to a number of attacks over the years. The Internet Draft "Deprecating TLSv1.0 and TLSv1.1" (in IETF Last Call at the time of this CSR; since published as RFC 8996) provides more details on the rationale for deprecating these versions of TLS.

      The compatibility risk of this change should be low. According to SSLPulse, as of October 03, 2020, 99% of the 150,000 most popular websites support TLS 1.2, leaving about 1% that support only an older protocol such as TLS 1.0 and/or 1.1.

      Also, Mozilla and Google have already deprecated TLS 1.0 and 1.1 in the Firefox and Chrome browsers, respectively, and other major web browsers have either disabled them already or announced plans to do so in the near future. This should further reduce the compatibility risk, since servers that want to keep working with these browser clients will be forced to upgrade to TLS 1.2 or higher.

      Solution

      Add "TLSv1" and "TLSv1.1" to the jdk.tls.disabledAlgorithms security property in the java.security configuration file.
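      As an added example (not part of this CSR or the JDK's own code), the following Java program reads jdk.tls.disabledAlgorithms from the running JDK, reports which protocol versions the policy disables, and compares that with what the default SSLContext advertises as supported versus enabled by default. The withoutProtocols helper builds the property value an operator would use on the "at their own risk" path, for example in an override file passed with -Djava.security.properties=<file>. The class and method names are the example's own.

```java
// Added example, not JDK code: inspect how jdk.tls.disabledAlgorithms
// applies to protocol versions, and build the value an operator would
// use to re-enable TLS 1.0/1.1 (at their own risk).
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

public class TlsProtocolPolicy {

    static final String PROP = "jdk.tls.disabledAlgorithms";

    // Split the comma-separated property into trimmed entries. Entries such
    // as "DH keySize < 1024" contain no comma, so they stay whole.
    static List<String> parseDisabled(String value) {
        List<String> out = new ArrayList<>();
        if (value == null) {
            return out;
        }
        for (String e : value.split(",")) {
            String t = e.trim();
            if (!t.isEmpty()) {
                out.add(t);
            }
        }
        return out;
    }

    // True if the protocol name appears as an entry (case-insensitive match).
    static boolean isDisabled(String value, String protocol) {
        for (String e : parseDisabled(value)) {
            if (e.equalsIgnoreCase(protocol)) {
                return true;
            }
        }
        return false;
    }

    // Return the property value with the given protocol entries removed,
    // keeping every other constraint (RC4, DES, key-size limits, ...) intact.
    static String withoutProtocols(String value, String... protocols) {
        List<String> keep = new ArrayList<>();
        for (String e : parseDisabled(value)) {
            boolean drop = false;
            for (String p : protocols) {
                if (e.equalsIgnoreCase(p)) {
                    drop = true;
                }
            }
            if (!drop) {
                keep.add(e);
            }
        }
        return String.join(", ", keep);
    }

    public static void main(String[] args) throws Exception {
        String current = Security.getProperty(PROP);
        System.out.println(PROP + " = " + current);
        for (String p : new String[] {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}) {
            System.out.printf("%-8s disabled by policy: %b%n", p, isDisabled(current, p));
        }

        // The provider still implements the old versions; the policy above is
        // what removes them from the default-enabled set.
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("Supported by provider: "
                + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
        System.out.println("Enabled by default:    "
                + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));

        // Value an operator would write to an override file to restore TLS 1.0/1.1.
        System.out.println("Legacy value (TLSv1, TLSv1.1 removed): "
                + withoutProtocols(current, "TLSv1", "TLSv1.1"));
    }
}
```

      Run it with `java TlsProtocolPolicy.java`. On a JDK carrying this change, the policy check reports TLSv1 and TLSv1.1 as disabled and the default-enabled list contains only TLSv1.2 and TLSv1.3, while the supported list still includes the older versions. If the legacy value is applied at runtime with Security.setProperty instead of through a file, it must be set before any TLS class initializes in that JVM, because the JDK reads the property once when it builds its algorithm constraints.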

      Specification

      --- a/src/java.base/share/conf/security/java.security
      +++ b/src/java.base/share/conf/security/java.security
      @@ -731,8 +731,8 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
       # Example:
       #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \
       #       rsa_pkcs1_sha1, secp224r1
      -jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
      -    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
      +jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
      +    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
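Review bot: the replaced value at the end of this hunk makes TLS 1.0/1.1 unavailable by default, but the only visible documentation is the unchanged "Example:" comment, which still shows a value without either version; the descriptive comment above this property should say that TLSv1 and TLSv1.1 are now disabled by default and that the way to revert is to delete those two entries from this value (or override the property with a file passed via -Djava.security.properties), since a reader of this file has no other pointer to the reversal path. Placing TLSv1 and TLSv1.1 immediately after SSLv3 keeps the protocol-version entries together ahead of the cipher and key-size constraints, which reads well.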

      People

        Sean Mullan (mullan)
        Xuelei Fan