TLSv1/v1.1 No longer works after upgrade, "No appropriate protocol" error

Problem:

Beginning with the April 2021 releases of OpenJDK, TLS 1.0 and TLS 1.1 are disabled by default.

You may see errors such as,

Error: javax.net.ssl.SSLHandshakeException: No appropriate protocol
(protocol is disabled or cipher suites are inappropriate)

For Java 8 and 11, the same change (TLS 1.0 and TLS 1.1 disabled by default) shipped in the following packages offered by Azul:

  • Azul Zulu Builds of OpenJDK version 8.54
  • Azul Zulu Builds of OpenJDK version 11.48
  • Azul Zulu Prime Builds of OpenJDK version 21.05.0.0
  • Azul Zulu Prime Builds of OpenJDK version 21.02.200.0


Cause:

As part of its program of continuous improvement of Java security, OpenJDK has disabled TLS 1.0 (introduced in 1999) and TLS 1.1 (introduced in 2006), in line with the consensus on standards across the Internet (the IETF formally deprecated both versions in RFC 8996). Information on these changes can be found in the “What’s New” section of the April 2021 Release Notes.


Solution:

The best solution is to modify or upgrade your application (or the peer it talks to) so that it no longer uses the insecure protocols TLS 1.0 or TLS 1.1. If you must keep the application operational until you are able to update it, you can use one of the workarounds documented below. Treat them as temporary: they re-enable protocol versions that are deprecated and that fail most compliance baselines, so prefer Method B, which is scoped to one application, over Method A, which relaxes the policy for every program run from that JDK.

Workarounds:

Method A
Modifying the file java.security inside the JDK install directory:

  1. Edit the file $JAVA_HOME/conf/security/java.security in a text editor.
  2. Find the jdk.tls.disabledAlgorithms property. Its value is continued over several lines with a trailing backslash; remove only the two entries TLSv1, and TLSv1.1, from the first line and leave the continuation lines (and their backslashes) untouched, so that
    jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES,
    becomes
    jdk.tls.disabledAlgorithms=SSLv3, RC4, DES,
  3. Restart the application. Note that this change applies to every application run from this JDK, and it will be lost when the JDK is upgraded or reinstalled.


Method B
Passing a custom security properties file via a java command-line flag:

  1. Copy the file $JAVA_HOME/conf/security/java.security to a different location, for example /home/ojdk/oldTLS.security
  2. Remove the entries TLSv1, and TLSv1.1, from the first line of the jdk.tls.disabledAlgorithms property in oldTLS.security, leaving its continuation lines untouched:
    jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES,
  3. Add -Djava.security.properties=/home/ojdk/oldTLS.security to the java command line in the application start script. With a single "=" the properties in this file are merged over those in the JDK's java.security (only the keys present in it are overridden), so oldTLS.security may be trimmed down to the one edited jdk.tls.disabledAlgorithms property; a double "==" would instead discard the JDK's java.security entirely. This mechanism requires security.overridePropertiesFile=true in the JDK's java.security, which is the default.
  4. Start the application


On Java 8, the java.security file is located at $JAVA_HOME/jre/lib/security/java.security; both methods otherwise work the same way.
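The following script is an added example, not part of the Azul article, that automates Method B: it reads the jdk.tls.disabledAlgorithms property from an installed java.security (joining the backslash-continued lines the way java.util.Properties does, which is the point raised in the comments below), removes only the TLSv1 and TLSv1.1 tokens, and writes a one-line override file for -Djava.security.properties. It assumes a POSIX shell with awk, sed and mktemp; the file it works on is a constructed excerpt of a JDK 11 java.security embedded in the script, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the Azul article: build a Method B override file that
# re-enables only TLSv1/TLSv1.1, keeping the rest of jdk.tls.disabledAlgorithms.
# Assumes POSIX sh with awk, sed and mktemp; function names are the example's own.
set -eu

# Print the complete value of jdk.tls.disabledAlgorithms from the java.security
# file $1, joining backslash-continued lines the way java.util.Properties does.
disabled_algorithms() {
    awk '
        /^jdk\.tls\.disabledAlgorithms=/ { inprop = 1 }
        inprop {
            line = $0
            sub(/^jdk\.tls\.disabledAlgorithms=[ \t]*/, "", line)  # drop the key
            cont = sub(/\\[ \t]*$/, "", line)    # trailing "\" means continued
            sub(/^[ \t]+/, "", line)             # continuation indent is ignored
            value = value line
            if (!cont) { print value; exit }
        }
    ' "$1"
}

# Same value with only the TLSv1 and TLSv1.1 tokens removed (whether they sit
# mid-list or at the end of it); every other restriction is left in place.
relaxed_disabled_algorithms() {
    disabled_algorithms "$1" | sed \
        -e 's/TLSv1\.1, *//g' -e 's/TLSv1, *//g' \
        -e 's/, *TLSv1\.1 *$//' -e 's/, *TLSv1 *$//'
}

# Write a one-line override file ($2) from the JDK file ($1).  Passed with
# -Djava.security.properties=$2 (single "="), its keys are merged over the
# JDK's java.security, so only this one property needs to be present.
write_override_file() {
    printf 'jdk.tls.disabledAlgorithms=%s\n' \
        "$(relaxed_disabled_algorithms "$1")" > "$2"
}

# Succeed when neither TLSv1 nor TLSv1.1 is still listed as disabled in $1.
# Whole-token match, so a TLSv1.2/TLSv1.3 entry would not count.
tls_reenabled() {
    ! disabled_algorithms "$1" | grep -Eq '(^|[, ])TLSv1(\.1)?( *,|$)'
}

# Constructed excerpt of a JDK 11 conf/security/java.security (sample data only).
make_sample_java_security() {
    cat > "$1" <<'EOF'
#
# Constructed excerpt for the example; not a real JDK file.
#
security.overridePropertiesFile=true
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves
jdk.tls.legacyAlgorithms=NULL, anon, RC4, DES, 3DES_EDE_CBC
EOF
}

# Demo on the sample; in real use $1 is $JAVA_HOME/conf/security/java.security
# ($JAVA_HOME/jre/lib/security/java.security on Java 8).
workdir=$(mktemp -d)
make_sample_java_security "$workdir/java.security"
write_override_file "$workdir/java.security" "$workdir/oldTLS.security"
echo "before: $(disabled_algorithms "$workdir/java.security")"
echo "after:  $(cat "$workdir/oldTLS.security")"
# Then start the application with, for example:
#   java -Djava.security.properties="$workdir/oldTLS.security" -jar app.jar
rm -rf "$workdir"
```

Run it with sh and point write_override_file at the real java.security. Because the override file carries the complete value of the property, the rest of the policy (weak DH and EC key sizes, 3DES, anon and NULL suites, the disabled named curves) stays in force and only the two protocol versions are re-enabled. Keep the single "=" in -Djava.security.properties=...; the "==" form replaces the JDK's entire java.security instead of merging over it.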


Comments

  • There are 3 lines. Should all 3 be commented or only the first?

    This way:

    # jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
       DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
       include jdk.disabled.namedCurves
       
    Or that way?

    # jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    #   DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    #   include jdk.disabled.namedCurves

    Thanks.

    0
  • @alejcbox, all 3 lines need to be commented-out, similar to your 2nd example.

    Technically, the ending back-slash is a line-continuation character, indicating that the following line is a continuation of the current line. So the JVM will treat all 3 lines as 1. However, you too must treat all 3 lines equally and comment them all out, since only commenting out the first line will present itself as an incomplete configuration and hence be considered a syntactical error.

    I hope this helps. If you have any further issues, please contact support@azul.com

    1
