Issue with TLSv1 support in java-1.8.0-openjdk package on Rocky Linux 8

Hello Rocky Linux community,

I’m encountering an issue with TLSv1 support in the java-1.8.0-openjdk package on Rocky Linux 8.10. My application needs to communicate with a server that only supports TLSv1, and I’m unable to enable TLSv1 in the OpenJDK package provided by Rocky Linux.

Environment details:

  • OS Image: dokken/rockylinux-8:latest (Rocky Linux 8.10)
  • Java package: java-1.8.0-openjdk.x86_64 / 1:1.8.0.412.b08-2.el8 / @appstream

Here’s what I’ve observed:

  1. I modified the java.security file to remove TLSv1 and TLSv1.1 from the jdk.tls.disabledAlgorithms list:

    sed -i 's/jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA,/jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA,/g' ./java.security

  2. I’m using the following test code to check supported and enabled protocols:

    import javax.net.ssl.SSLSocket;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSocketFactory;

    public class ProtocolTest {
        public static void main(String[] args) throws Exception {
            // Default TLS context with the JVM's default key and trust material
            SSLContext context = SSLContext.getInstance("TLS");
            context.init(null, null, null);
            SSLSocketFactory factory = (SSLSocketFactory) context.getSocketFactory();
            // Unconnected socket: only used to read the protocol lists
            SSLSocket socket = (SSLSocket) factory.createSocket();

            // Protocols the implementation knows about
            String[] protocols = socket.getSupportedProtocols();
            System.out.println("Supported Protocols: " + protocols.length);
            for (int i = 0; i < protocols.length; i++) {
                System.out.println(" " + protocols[i]);
            }

            // Protocols that are enabled by default for new connections
            protocols = socket.getEnabledProtocols();
            System.out.println("\nEnabled Protocols: " + protocols.length);
            for (int i = 0; i < protocols.length; i++) {
                System.out.println(" " + protocols[i]);
            }
        }
    }

  3. When I run this test with the java-1.8.0-openjdk package:

    java -Djava.security.properties=./java.security ProtocolTest

    The output shows that TLSv1 and TLSv1.1 are still not enabled:

    Supported Protocols: 6
    TLSv1.3
    TLSv1.2
    TLSv1.1
    TLSv1
    SSLv3
    SSLv2Hello

    Enabled Protocols: 2
    TLSv1.3
    TLSv1.2

  4. However, when I use the temurin-8-jdk package (version 8.0.412.0.0.8-1) with the same modified java.security file, TLSv1 and TLSv1.1 are enabled as expected.

I’ve tried various approaches, including:

  • Using system properties like -Dhttps.protocols and -Djdk.tls.client.protocols
  • Checking for additional security configurations
  • Running with debug options

None of these attempts have been successful in enabling TLSv1 with the java-1.8.0-openjdk package.

My questions are:

  1. Is there any known additional hardening or configuration in the Rocky Linux OpenJDK package that prevents enabling TLSv1, even when removed from the disabled algorithms list?
  2. If so, is there a way to override this and enable TLSv1 support?
  3. If not, could this be a bug or an unintended behavior in the package?

Any insights or guidance on this issue would be greatly appreciated. Thank you for your time and assistance.

Java from the Rocky Linux repository honors crypto-policy, a centralized configuration for (most) cryptographic libraries on the host. Crypto-policy settings take precedence over the jdk.tls.disabledAlgorithms you manually set, and the default crypto policy prohibits TLS v1, but legacy allows it.

The quickest way to get there is to set it to legacy:

    update-crypto-policies --set LEGACY

Be aware that:

  • this enables TLSv1 but also weakens crypto (minimal key sizes, etc.)
  • it is applicable to all crypto libraries covered by crypto-policies, not just the Java client.

If you wanted to limit to TLS v1 and to java only, you could write a crypto-policy module that only modifies the java configuration.

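A diagnostic for the precedence described in the answer above, added here as an example (it is not code from the thread or from the Rocky Linux packages): it prints the `jdk.tls.disabledAlgorithms` value the running JVM actually ends up with and classifies every supported protocol against it. The class name `EffectiveTlsPolicy` and the helper `parseDisabled` are hypothetical names chosen for this example.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;

// Added example (hypothetical class name), not code from the thread.
public class EffectiveTlsPolicy {

    // Split a jdk.tls.disabledAlgorithms value such as
    // "SSLv3, TLSv1, RC4, DH keySize < 1024" into trimmed, lower-cased entries.
    // A missing or empty property yields an empty set.
    static Set<String> parseDisabled(String prop) {
        Set<String> entries = new HashSet<>();
        if (prop == null) return entries;
        for (String e : prop.split(",")) {
            String t = e.trim().toLowerCase(Locale.ROOT);
            if (!t.isEmpty()) entries.add(t);
        }
        return entries;
    }

    public static void main(String[] args) throws Exception {
        // Security.getProperty returns the value in force in this JVM,
        // after every configuration source has been merged.
        String prop = Security.getProperty("jdk.tls.disabledAlgorithms");
        Set<String> disabled = parseDisabled(prop);
        System.out.println("Effective jdk.tls.disabledAlgorithms:");
        System.out.println("  " + prop);

        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, null, null);
        try (SSLSocket socket = (SSLSocket) context.getSocketFactory().createSocket()) {
            List<String> enabled = Arrays.asList(socket.getEnabledProtocols());
            System.out.println("Protocol status:");
            for (String p : socket.getSupportedProtocols()) {
                String state = enabled.contains(p) ? "enabled"
                        : disabled.contains(p.toLowerCase(Locale.ROOT))
                            ? "listed in jdk.tls.disabledAlgorithms"
                            : "supported, not enabled by default";
                System.out.printf("  %-11s %s%n", p, state);
            }
        }
    }
}
```

Run it with the same `-Djava.security.properties=./java.security` option as `ProtocolTest`; if TLSv1 still appears in the printed value, the edit to the local file was overridden by another configuration source.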

Thanks to you, the problem is solved. Thank you!
Using the above command, it was possible to allow TLSv1 communication without modifying the java.security file.