Hi,
I enable java TLS 1.3 using:
systemProperties.put("jdk.tls.client.protocols", "TLSv1.3");
It works fine when I run it with JDK 11.
I can see the following in log:
"supported_versions (43)": {
"versions": [TLSv1.3]
},
Then when I run my tests with JDK 15 and try to setup my client for TLS 1.3.
I can see the following in log:
"supported_versions (43)": {
"versions": [TLSv1.2]
}
Which, AFAIK, means client supports only TLS 1.2
Can anyone explain why this happens in JDK 15? I am really puzzled.
//mike
Log for TLS 1.3 in jdk 15
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.839 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.839 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.839 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.839 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.839 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.839 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.839 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.839 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.839 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.839 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.839 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.839 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.839 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.839 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.839 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.839 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.839 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.839 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.839 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.839 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_RSA_WITH_AES_128_GCM_SHA256 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV for TLSv1.3
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.840 CEST|HandshakeContext.java:305|No available cipher suite for TLSv1.3
javax.net.ssl|ALL|AE|pool-39-thread-1|2022-07-14 15:05:07.841 CEST|SignatureScheme.java:394|Ignore unsupported signature scheme: ed25519
javax.net.ssl|ALL|AE|pool-39-thread-1|2022-07-14 15:05:07.841 CEST|SignatureScheme.java:394|Ignore unsupported signature scheme: ed448
javax.net.ssl|ALL|AE|pool-39-thread-1|2022-07-14 15:05:07.841 CEST|SignatureScheme.java:413|Ignore disabled signature scheme: rsa_md5
javax.net.ssl|INFO|AE|pool-39-thread-1|2022-07-14 15:05:07.841 CEST|AlpnExtension.java:182|No available application protocols
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.841 CEST|SSLExtensions.java:260|Ignore, context unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.841 CEST|SessionTicketExtension.java:408|Stateless resumption supported
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.841 CEST|SSLExtensions.java:260|Ignore, context unavailable extension: renegotiation_info
javax.net.ssl|DEBUG|AE|pool-39-thread-1|2022-07-14 15:05:07.842 CEST|ClientHello.java:652|Produced ClientHello handshake message (
"ClientHello": {
"client version" : "TLSv1.2",
"random" : "FC 46 09 1C B5 8B C0 33 D1 51 19 E4 CC F5 A0 CC 4B 8A 28 C0 DE 35 E0 59 6B 46 A2 D8 5F E3 7E A0",
"session id" : "",
"cipher suites" : "[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256(0xCCA9), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCA8), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCAA), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E), TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032), TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D), TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
"compression methods" : "00",
"extensions" : [
"server_name (0)": {
type=host_name (0), value=seroius07825.sero.gic.ericsson.se
},
"status_request (5)": {
"certificate status type": ocsp
"OCSP status request": {
"responder_id": <empty>
"request extensions": {
<empty>
}
}
},
"supported_groups (10)": {
"versions": [x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
},
"ec_point_formats (11)": {
"formats": [uncompressed]
},
"signature_algorithms (13)": {
"signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
},
"signature_algorithms_cert (50)": {
"signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
},
"status_request_v2 (17)": {
"cert status request": {
"certificate status type": ocsp_multi
"OCSP status request": {
"responder_id": <empty>
"request extensions": {
<empty>
}
}
}
},
"extended_master_secret (23)": {
<empty>
},
"session_ticket (35)": {
<empty>
},
"supported_versions (43)": {
"versions": [TLSv1.2]
}
]