Java TLS versions
## TLS Negotiation
The Java version determines the default TLS version negotiated
The version of TLS used in a connection is negotiated during the TLS handshake, which is the process of establishing a secure connection between the client and server. During the handshake, the client and server exchange messages to agree on the version of TLS to use, the encryption algorithms to use, and other parameters needed for the secure connection.
Typically, the highest version of TLS supported by both the client and server is used for the connection.
The latest version of TLS is version 1.3, which was released in 2018. TLS 1.3 includes several improvements over previous versions, such as better security, improved performance, and reduced latency.
## TLS Versions in Java
In Java, the default (highest) TLS version negotiated by the JDK depends on the version of Java you are using.
Here’s a table that shows the relationship between different versions of Java and the TLS (Transport Layer Security) versions they support:
| Java Version | Supported TLS Versions | Notes |
|---|---|---|
| Java 6 | 1.0, 1.1 | TLS 1.1 added in v111 |
| Java 7 | 1.0, 1.1, 1.2 | |
| Java 8 | 1.0, 1.1, 1.2, 1.3 | TLS 1.3 added in 8u261. TLS 1.0, 1.1 disabled by default in 8u291 |
| Java 9 | 1.0, 1.1, 1.2 | |
| Java 10 | 1.0, 1.1, 1.2 | |
| Java 11 | 1.0, 1.1, 1.2, 1.3 | Bugs in TLS 1.3 prior to version 11.0.8. TLS 1.0, 1.1 disabled by default. |
| Java 12 | 1.0, 1.1, 1.2, 1.3 | |
| Java 13 | 1.0, 1.1, 1.2, 1.3 | |
| Java 14 | 1.0, 1.1, 1.2, 1.3 | |
| Java 15 | 1.0, 1.1, 1.2, 1.3 | |
| Java 16 | 1.0, 1.1, 1.2, 1.3 | |
| Java 17 | 1.0, 1.1, 1.2, 1.3 | |
| Java 18 | 1.0, 1.1, 1.2, 1.3 | |
| Java 19 | 1.0, 1.1, 1.2, 1.3 | |
| Java 20 | 1.0, 1.1, 1.2, 1.3 | |
| Java 21 | 1.0, 1.1, 1.2, 1.3 | |
| Java 22 | 1.0, 1.1, 1.2, 1.3 | |
| Java 23 | 1.0, 1.1, 1.2, 1.3 | |
| Java 24 | 1.0, 1.1, 1.2, 1.3 | |
## Enabling/Disabling TLS Versions
Java 11 and later versions disable TLS 1.0 and 1.1 by default
Note that for Java 11 and later, TLS 1.0 and 1.1 are disabled by default due to security concerns.
This setting can be overridden by editing the jdk.tls.disabledAlgorithms security property, which lives in the $JAVA_HOME/lib/security/java.security file.
The out-of-the-box setting for jdk.tls.disabledAlgorithms in Java 11 is:

```properties
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DTLSv1.0, RC4, DES, \
    MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
```

Remove TLSv1 and TLSv1.1 from the list to enable these versions.
Subsequent versions of Java may have different algorithms disabled by default as more security concerns evolve.
## Logging the TLS Version Negotiation
The system property javax.net.debug can be used to log the TLS version negotiation process. Setting this property to ssl:handshake will log the details of the TLS handshake. This can be useful for debugging connection issues or verifying that the correct version of TLS is being used.
The following code demonstrates how to enable TLS debugging in Java when connecting to a site that supports TLS 1.3:

```java
import java.net.HttpURLConnection;
import java.net.URL;

public class TlsCheck {
    public static void main(String[] args) throws Exception {
        // Must be set before any TLS class is loaded; JSSE reads the value once.
        System.setProperty("javax.net.debug", "ssl:handshake");
        URL siteUrl = new URL("https://tls13.1d.pw/");
        HttpURLConnection connection = (HttpURLConnection) siteUrl.openConnection();
        connection.connect(); // the handshake, and therefore the debug output, happens here
        int responseCode = connection.getResponseCode();
        System.out.println("responseCode = " + responseCode);
        connection.disconnect();
    }
}
```
Examining the output, you should see 'Negotiated protocol version: TLSv1.3':

```
javax.net.ssl|DEBUG|10|main|2024-08-23 10:49:45.528 BST|ServerHello.java:993|Negotiated protocol version: TLSv1.3
```
For TLS 1.2, you should see 'Negotiated protocol version: TLSv1.2' in the output. To test, change the siteUrl variable to a site that supports TLS 1.2 only, such as https://tls-v1-2.badssl.com:1012/:

```
javax.net.ssl|DEBUG|10|main|2024-08-23 11:02:24.549 BST|ServerHello.java:993|Negotiated protocol version: TLSv1.2
```
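As an added example (not code from the original article), the program below checks the same facts programmatically rather than by reading the debug log: which versions the running JDK supports versus enables by default, whether the jdk.tls.disabledAlgorithms policy still excludes the legacy versions, and, given a host and port on the command line, the version actually negotiated. The class and method names are my own; only the host and port arguments are assumed.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class TlsPolicyCheck {
    // Versions the default jdk.tls.disabledAlgorithms entry is meant to keep off.
    static final List<String> LEGACY = Arrays.asList("SSLv3", "TLSv1", "TLSv1.1");

    // Returns legacy versions still enabled in the default SSLContext;
    // an empty list means the java.security policy has not been weakened.
    static List<String> enabledLegacyProtocols() throws Exception {
        String[] enabled = SSLContext.getDefault().getDefaultSSLParameters().getProtocols();
        return Arrays.stream(enabled).filter(LEGACY::contains).collect(Collectors.toList());
    }

    // Handshakes with host:port and returns the version the server chose, the
    // same value the javax.net.debug log prints as "Negotiated protocol version".
    // If 'protocols' is non-empty the client offers only those; a version removed
    // by jdk.tls.disabledAlgorithms cannot be re-enabled here, the handshake fails.
    static String negotiatedProtocol(String host, int port, String... protocols) throws Exception {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            SSLParameters params = socket.getSSLParameters();
            if (protocols.length > 0) params.setProtocols(protocols);
            params.setEndpointIdentificationAlgorithm("HTTPS"); // raw sockets skip hostname checks otherwise
            socket.setSSLParameters(params);
            socket.startHandshake();
            return socket.getSession().getProtocol();
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("jdk.tls.disabledAlgorithms = " + Security.getProperty("jdk.tls.disabledAlgorithms"));
        System.out.println("supported: " + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
        System.out.println("enabled:   " + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
        List<String> legacy = enabledLegacyProtocols();
        System.out.println(legacy.isEmpty() ? "OK: no legacy versions enabled" : "WARNING: legacy versions enabled " + legacy);
        if (args.length > 0) { // e.g. tls13.1d.pw 443, or tls-v1-2.badssl.com 1012
            int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
            System.out.println("negotiated with " + args[0] + ": " + negotiatedProtocol(args[0], port));
            System.out.println("forced to TLSv1.2: " + negotiatedProtocol(args[0], port, "TLSv1.2"));
        }
    }
}
```

On a Java 11 or later JDK with the stock java.security file, the supported list still contains TLSv1 and TLSv1.1 while the enabled list does not; re-adding them by editing jdk.tls.disabledAlgorithms shows up immediately as a WARNING line, which makes the check usable in a build or deployment pipeline.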