javajava-17tls1.3

How to make Java application prefer TLS 1.3 over TLS 1.2?


An external system has a requirement that anyone accessing it should prefer TLS 1.3. How can I make my Java desktop application prefer TLS 1.3? I'm at Java 17, and TLS < 1.2 is disabled using jdk.tls.disabledAlgorithms.

From a search it seems that jdk.tls.client.protocols might be the desired system property, but is it somehow in "preferred order"? E.g., if I try the following:

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
jdk.tls.client.protocols=TLSv1.3,TLSv1.2

Will this now try 1.3 before trying 1.2? Is this verifiable somehow? Is it at all necessary, or will this somehow mimic some default behavior of Java 17 or above?


Solution

  • I'm not sure this is really programming or development, but:

    There is no 'before'. The TLS handshake compares the supported versions from the two endpoints and uses the highest version supported by both. Yes, supporting 1.3 and 1.2, only, is the default in 16 up, also 11.0.11 and 8u291 up i.e. since spring 2021.

    To verify, turn on tracing with sysprop javax.net.debug=ssl:handshake (at least, add more if you want) or capture externally with wireshark, tcpdump/snoop, or similar, and look at supported_versions extension in ClientHello, ServerHello, and if applicable HelloRetryRequest. (This will also confirm if the external system agreed to 1.3.)

    Also note: jdk.tls.client.protocols is a system property but jdk.tls.disabledAlgorithms in java.security is a security property; these are different things and not set the same way.