TLSv1/v1.1 no longer works after upgrade, "No appropriate protocol" error

Problem:

Beginning with the April 2021 releases of OpenJDK, TLS 1.0 and TLS 1.1 are disabled by default.

You may see errors such as:

Error: javax.net.ssl.SSLHandshakeException: No appropriate protocol
(protocol is disabled or cipher suites are inappropriate)

Regarding Java 8 and 11, the same change of disabling TLS 1.0 and 1.1 was released with the following packages offered by Azul:

  • Azul Zulu Builds of OpenJDK version 8.54
  • Azul Zulu Builds of OpenJDK version 11.48
  • Azul Zulu Prime Builds of OpenJDK version 21.05.0.0
  • Azul Zulu Prime Builds of OpenJDK version 21.02.200.0

 

Cause:

As part of its program of continuous improvement of Java security, OpenJDK has disabled TLS 1.0 (introduced in 1999) and TLS 1.1 (introduced in 2006), in line with the consensus on standards across the Internet. Information on these changes can be found in the “What’s New” section of the April 2021 Release Notes.

 

Solution:

Method A
Modifying the file java.security inside the JDK install directory:

  1. Edit the file $JAVA_HOME/conf/security/java.security in a text editor. 
  2. Remove the entries TLSv1, and TLSv1.1, from the following line of that file:
    jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES,
  3. Restart the application


Method B
Passing a custom java.security file as java command line flag:

  1. Copy the file $JAVA_HOME/conf/security/java.security to a different location, for example /home/ojdk/oldTLS.security
  2. Remove the entries TLSv1, and TLSv1.1, from the following line of the file oldTLS.security:
    jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES,
  3. Add -Djava.security.properties=/home/ojdk/oldTLS.security to the java command line in the application start script.
  4. Start the application

 

On Java 8, the java.security file is located in the following directory: $JAVA_HOME/jre/lib/security
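
The edit that Method A and Method B describe, as an added Python example (not Azul's or OpenJDK's code): it removes only TLSv1 and TLSv1.1 from jdk.tls.disabledAlgorithms, follows backslash line continuations, and reports what remains disabled so the result can be checked before the application is restarted. The function names and the sample file content are constructed for illustration.

```python
import re

PROP = "jdk.tls.disabledAlgorithms"
LEGACY = {"TLSv1", "TLSv1.1"}

# Constructed sample: the start of the property is the line quoted in the
# article; the other lines and the entries after DES are assumed.
SAMPLE = (
    "jdk.certpath.disabledAlgorithms=MD2, MD5\n"
    "jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, \\\n"
    "    3DES_EDE_CBC, anon, NULL\n"
    "jdk.tls.legacyAlgorithms=NULL, anon\n"
)

def property_span(lines):
    """Return (start, end) indexes of the property, following '\\' continuations."""
    for i, line in enumerate(lines):
        if re.match(r"\s*" + re.escape(PROP) + r"\s*[=:]", line):
            j = i
            while lines[j].rstrip().endswith("\\") and j + 1 < len(lines):
                j += 1
            return i, j + 1
    raise ValueError(PROP + " is not set in this file")

def disabled_entries(text):
    """List the entries of jdk.tls.disabledAlgorithms in file order."""
    lines = text.splitlines()
    start, end = property_span(lines)
    joined = " ".join(l.rstrip().rstrip("\\").strip() for l in lines[start:end])
    value = re.split(r"[=:]", joined, maxsplit=1)[1]
    return [e.strip() for e in value.split(",") if e.strip()]

def allow_legacy_tls(text):
    """Return the file text with only TLSv1 and TLSv1.1 removed from the property."""
    lines = text.splitlines()
    start, end = property_span(lines)
    kept = [e for e in disabled_entries(text) if e not in LEGACY]
    lines[start:end] = [PROP + "=" + ", ".join(kept)]
    return "\n".join(lines) + "\n"

def legacy_enabled(text):
    """Legacy protocols this file leaves enabled (empty list: both still disabled)."""
    return sorted(LEGACY - set(disabled_entries(text)))

if __name__ == "__main__":
    edited = allow_legacy_tls(SAMPLE)
    print("still disabled:", disabled_entries(edited))
    print("re-enabled:", legacy_enabled(edited))
```

Running `legacy_enabled` over the java.security file (or the file passed with -Djava.security.properties) on each host shows where this workaround is in effect.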
