
Java Security


Why different behavior for TLS 1.3 in jdk 11 and jdk 15

meandmycode, Jul 14 2022

Hi,

I enable Java TLS 1.3 using:

systemProperties.put("jdk.tls.client.protocols", "TLSv1.3");

It works fine when I run it with JDK 11.

I can see the following in the log:

"supported_versions (43)": {
"versions": [TLSv1.3]
},

Then I run my tests with JDK 15 and try to set up my client for TLS 1.3.

I can see the following in the log:

"supported_versions (43)": {
"versions": [TLSv1.2]
}

Which, AFAIK, means the client supports only TLS 1.2.

Can anyone explain why this happens in JDK 15? I am really puzzled.

//mike

Log for TLS 1.3 in jdk 15
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.839 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.839 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.839 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.839 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.839 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.839 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.839 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.839 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.839 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.839 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.839 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.839 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.839 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.839 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.839 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.839 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.839 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.839 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.839 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.839 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_RSA_WITH_AES_128_GCM_SHA256 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:305|No available cipher suite for TLSv1.3
javax.net.ssl|ALL|AE|pool-39-thread-1|2022-07-14 15:05:07.841 CEST|SignatureScheme.java:394|Ignore unsupported signature scheme: ed25519
javax.net.ssl|ALL|AE|pool-39-thread-1|2022-07-14 15:05:07.841 CEST|SignatureScheme.java:394|Ignore unsupported signature scheme: ed448
javax.net.ssl|ALL|AE|pool-39-thread-1|2022-07-14 15:05:07.841 CEST|SignatureScheme.java:413|Ignore disabled signature scheme: rsa_md5
javax.net.ssl|INFO|AE|pool-39-thread-1|2022-07-14 15:05:07.841 CEST|AlpnExtension.java:182|No available application protocols
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.841 CEST|SSLExtensions.java:260|Ignore, context unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.841 CEST|SessionTicketExtension.java:408|Stateless resumption supported
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.841 CEST|SSLExtensions.java:260|Ignore, context unavailable extension: renegotiation_info
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.842 CEST|ClientHello.java:652|Produced ClientHello handshake message (
"ClientHello": {
"client version" : "TLSv1.2",
"random" : "FC 46 09 1C B5 8B C0 33 D1 51 19 E4 CC F5 A0 CC 4B 8A 28 C0 DE 35 E0 59 6B 46 A2 D8 5F E3 7E A0",
"session id" : "",
"cipher suites" : "[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256(0xCCA9), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCA8), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCAA), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E), TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032), TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D), TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), 
TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
"compression methods" : "00",
"extensions" : [
"server_name (0)": {
type=host_name (0), value=seroius07825.sero.gic.ericsson.se
},
"status_request (5)": {
"certificate status type": ocsp
"OCSP status request": {
"responder_id": <empty>
"request extensions": {
<empty>
}
}
},
"supported_groups (10)": {
"versions": [x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
},
"ec_point_formats (11)": {
"formats": [uncompressed]
},
"signature_algorithms (13)": {
"signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
},
"signature_algorithms_cert (50)": {
"signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
},
"status_request_v2 (17)": {
"cert status request": {
"certificate status type": ocsp_multi
"OCSP status request": {
"responder_id": <empty>
"request extensions": {
<empty>
}
}
}
},
"extended_master_secret (23)": {
<empty>
},
"session_ticket (35)": {
<empty>
},
"supported_versions (43)": {
"versions": [TLSv1.2]
}
]
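
A diagnostic for the condition the log above records, where every enabled cipher suite is ignored for TLSv1.3 and the ClientHello then lists only TLSv1.2 in supported_versions. This is an added example, not code from the original post. The class name Tls13OfferCheck and the two-suite list are constructed for illustration, and the check uses the JDK's default SSLContext rather than the poster's client setup.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class Tls13OfferCheck {
    // Cipher suite names RFC 8446 defines for TLS 1.3; TLS 1.2 suites cannot be used with it.
    static final Set<String> TLS13_SUITES = Set.of(
            "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
            "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
            "TLS_AES_128_CCM_8_SHA256");

    // Enabled suites that TLS 1.3 can negotiate. An empty result corresponds to the
    // "No available cipher suite for TLSv1.3" line in the posted log.
    static List<String> usableForTls13(String[] enabledSuites) {
        return Arrays.stream(enabledSuites)
                .filter(TLS13_SUITES::contains)
                .collect(Collectors.toList());
    }

    static void report(String label, SSLEngine engine) {
        List<String> protocols = Arrays.asList(engine.getEnabledProtocols());
        List<String> suites = usableForTls13(engine.getEnabledCipherSuites());
        boolean usable = protocols.contains("TLSv1.3") && !suites.isEmpty();
        System.out.println("== " + label);
        System.out.println("enabled protocols      : " + protocols);
        System.out.println("enabled TLS 1.3 suites : " + suites);
        System.out.println("TLSv1.3 has a suite    : " + usable);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("jdk.tls.client.protocols = "
                + System.getProperty("jdk.tls.client.protocols"));

        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(true);
        report("client settings of the default SSLContext", engine);

        // Constructed case: application code narrows the suites to TLS 1.2-only
        // names, like the list in the posted ClientHello.
        engine.setEnabledCipherSuites(new String[] {
                "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"});
        report("after a TLS 1.2-only cipher suite list", engine);
    }
}
```

Running it under both JDKs with the same system properties shows whether the enabled protocol list and the enabled suite list differ between them before any handshake is attempted.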
