Java Security and Cryptography

Re-enable TLSv1 and TLSv1.1

Some legacy systems may still be tied to the older, insecure TLSv1 and TLSv1.1 protocols. Starting with OpenJDK 11.0.11, these protocol versions are disabled by default.

To re-enable them, perform these steps:

  1. In the installation directory of the JDK, navigate to the folder ./conf/security/
  2. Open the file java.security
  3. Search for the configuration property jdk.tls.disabledAlgorithms
  4. Remove the elements TLSv1 and/or TLSv1.1
  5. Relaunch the Java application

JCE Provider for JCA and Crypto

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

Applications that need to establish secure connections (e.g., HTTPS, SFTP) must run on a Java runtime with a compatible security provider for the Java Cryptography Architecture (JCA). The OpenJDK project contains a default implementation provider, the Java Cryptography Extension (JCE), in the jdk.crypto.ec module.

If your application requires establishing secure connections, make sure the module jdk.crypto.ec is included in the assembled Java runtime, or that a 3rd-party provider (e.g., BouncyCastle) is included.
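
To verify both sections above on a given runtime, the following added example (not part of the original page or of the OpenJDK project) prints whether TLSv1 and TLSv1.1 are still listed in jdk.tls.disabledAlgorithms, which protocols the default SSLContext enables, and whether jdk.crypto.ec or another EC-capable provider is available. The class name TlsRuntimeCheck and the helper parseDisabled are hypothetical; all API calls are standard JDK 11+ APIs.

```java
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;

// Added diagnostic (hypothetical class name): describes the runtime it executes on.
public class TlsRuntimeCheck {

    // Splits a jdk.tls.disabledAlgorithms value into its comma-separated elements.
    static Set<String> parseDisabled(String value) {
        Set<String> out = new LinkedHashSet<>();
        if (value == null) { return out; }          // property not set at all
        for (String item : value.split(",")) {
            String t = item.trim();
            if (!t.isEmpty()) { out.add(t); }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Value the JVM loaded from conf/security/java.security (plus any override file).
        Set<String> disabled = parseDisabled(Security.getProperty("jdk.tls.disabledAlgorithms"));
        for (String legacy : List.of("TLSv1", "TLSv1.1")) {
            System.out.printf("%-8s listed in jdk.tls.disabledAlgorithms: %b%n",
                    legacy, disabled.contains(legacy));
        }

        // Protocols the default SSLContext enables, next to everything it supports.
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("Enabled by default: " + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
        System.out.println("Supported:          " + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));

        // A custom-assembled runtime only contains the modules it was built with.
        boolean ecModule = ModuleLayer.boot().findModule("jdk.crypto.ec").isPresent();
        System.out.println("Module jdk.crypto.ec present: " + ecModule);

        // Any installed provider (built-in or third-party) offering ECDH key agreement.
        Provider[] ecdh = Security.getProviders("KeyAgreement.ECDH");   // null when none found
        if (ecdh == null) {
            System.out.println("No ECDH provider: ECDHE cipher suites cannot be negotiated");
        } else {
            for (Provider p : ecdh) { System.out.println("ECDH provider: " + p.getName()); }
        }
    }
}
```

Compile it with a full JDK and run the class on the runtime the application actually uses, since the output reflects the runtime it executes on.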