Java Programming

TLSv1 and TLSv1.1 Protocols are Disabled in Java!

Senthil Nayagan
2 min read · Jul 12, 2021
Background

No matter which JDK you use, by license (OpenJDK or Oracle JDK) or by version (8, 11 or higher), both the TLSv1 and TLSv1.1 protocols have been disabled by default since the patch released on April 20, 2021. These TLS protocols are no longer considered secure. They are weaker protocols and have been superseded by more secure and modern versions: TLS 1.2 and 1.3.

How have they been disabled in the latest Java?

As stated above, both TLSv1 and TLSv1.1 have now been disabled by default in the latest patch by adding them to the jdk.tls.disabledAlgorithms security property in the java.security configuration file.

Note: In Java 8, the aforementioned security file is located under /usr/lib/jvm/<YOUR JAVA VERSION>/jre/lib/security/. In Java 11 and higher, it’s located in the folder conf/security/ under your JAVA_HOME.

In older Java versions, the property looks like this:

jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL

In the latest patch version, it looks like the one below, with TLSv1 and TLSv1.1 added to the list of disabled entries:

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL…
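To confirm what a given runtime actually enforces, the following added example (not part of the original article) reads the effective jdk.tls.disabledAlgorithms value and compares it with the protocols the default SSLContext enables. The class name TlsPolicyCheck and the exit-code convention are assumptions of this example.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.Set;
import java.util.TreeSet;
import javax.net.ssl.SSLContext;

public class TlsPolicyCheck {
    // Protocols the April 20, 2021 patch adds to jdk.tls.disabledAlgorithms.
    static final String[] WEAK = {"TLSv1", "TLSv1.1"};

    // Split on commas and trim, so "TLSv1" matches only as a whole entry and
    // never as a prefix of "TLSv1.1" or "TLSv1.2". Comparing entries
    // case-insensitively is a choice made by this example.
    static Set<String> entries(String property) {
        Set<String> out = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
        if (property == null) return out; // property not set at all
        for (String e : property.split(",")) {
            if (!e.trim().isEmpty()) out.add(e.trim());
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Effective value as this JVM sees it, which may differ from the
        // java.security file on disk if an override has been applied.
        String raw = Security.getProperty("jdk.tls.disabledAlgorithms");
        Set<String> disabled = entries(raw);
        System.out.println("jdk.tls.disabledAlgorithms = " + raw);

        // Protocols a default client or server socket would enable.
        Set<String> enabled = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
        enabled.addAll(Arrays.asList(
                SSLContext.getDefault().getDefaultSSLParameters().getProtocols()));
        System.out.println("Default enabled protocols: " + enabled);

        boolean ok = true;
        for (String p : WEAK) {
            boolean listed = disabled.contains(p);
            boolean offered = enabled.contains(p);
            System.out.printf("%-8s disabled=%b enabledByDefault=%b%n", p, listed, offered);
            if (!listed || offered) ok = false;
        }
        // Non-zero exit lets a build or deployment check fail on a weak runtime.
        System.exit(ok ? 0 : 1);
    }
}
```

Compile and run it with the same JDK and JVM options as the application being checked, since the result reflects that runtime's security configuration.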

Continuing to use these weaker protocols (not recommended)

If it turns out that you still need to connect to HTTPS servers over these weaker protocols, then you could potentially move them out of jdk.tls.disabledAlgorithms and into jdk.tls.legacyAlgorithms.
