Hello Rocky Linux community,
I’m encountering an issue with TLSv1 support in the java-1.8.0-openjdk package on Rocky Linux 8.10. My application needs to communicate with a server that only supports TLSv1, and I’m unable to enable TLSv1 in the OpenJDK package provided by Rocky Linux.
Environment details:
- OS Image: dokken/rockylinux-8:latest (Rocky Linux 8.10)
- Java package: java-1.8.0-openjdk.x86_64 / 1:1.8.0.412.b08-2.el8 / @appstream
Here’s what I’ve observed:
- I modified the java.security file to remove TLSv1 and TLSv1.1 from the jdk.tls.disabledAlgorithms list:

```
sed -i 's/jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA,/jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA,/g' ./java.security
```
- I’m using the following test code to check supported and enabled protocols:

```java
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;

public class ProtocolTest {
    public static void main(String[] args) throws Exception {
        // Default TLS context with default key/trust managers and RNG
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, null, null);
        SSLSocketFactory factory = (SSLSocketFactory) context.getSocketFactory();
        // Unconnected socket: only used to query protocol lists
        SSLSocket socket = (SSLSocket) factory.createSocket();

        // Protocols the provider implements
        String[] protocols = socket.getSupportedProtocols();
        System.out.println("Supported Protocols: " + protocols.length);
        for (int i = 0; i < protocols.length; i++) {
            System.out.println(" " + protocols[i]);
        }

        // Protocols actually enabled after security policy is applied
        protocols = socket.getEnabledProtocols();
        System.out.println("\nEnabled Protocols: " + protocols.length);
        for (int i = 0; i < protocols.length; i++) {
            System.out.println(" " + protocols[i]);
        }
    }
}
```
- When I run this test with the java-1.8.0-openjdk package:

```
java -Djava.security.properties=./java.security ProtocolTest
```

The output shows that TLSv1 and TLSv1.1 are still not enabled:

```
Supported Protocols: 6
 TLSv1.3
 TLSv1.2
 TLSv1.1
 TLSv1
 SSLv3
 SSLv2Hello

Enabled Protocols: 2
 TLSv1.3
 TLSv1.2
```

- However, when I use the temurin-8-jdk package (version 8.0.412.0.0.8-1) with the same modified java.security file, TLSv1 and TLSv1.1 are enabled as expected.
I’ve tried various approaches, including:
- Using system properties like -Dhttps.protocols and -Djdk.tls.client.protocols
- Checking for additional security configurations
- Running with debug options
None of these attempts have been successful in enabling TLSv1 with the java-1.8.0-openjdk package.
My questions are:
- Is there any known additional hardening or configuration in the Rocky Linux OpenJDK package that prevents enabling TLSv1, even when removed from the disabled algorithms list?
- If so, is there a way to override this and enable TLSv1 support?
- If not, could this be a bug or an unintended behavior in the package?
Any insights or guidance on this issue would be greatly appreciated. Thank you for your time and assistance.
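An added diagnostic, not part of the original post and not Rocky Linux or OpenJDK project code: it prints the `jdk.tls.disabledAlgorithms` value the running JVM actually resolved, next to the state of each supported protocol, so the edited java.security file can be compared with the effective policy. The class name `EffectiveTlsPolicy` is hypothetical, and `security.useSystemPropertiesFile` is assumed to be the key RHEL-family OpenJDK builds define for merging system crypto policy; it prints `null` where it is not defined.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.Set;
import java.util.TreeSet;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;

public class EffectiveTlsPolicy {
    // jdk.tls.disabledAlgorithms is a comma-separated list; a bare protocol
    // name such as "TLSv1" disables that version. Names match case-insensitively.
    static Set<String> parseDisabled(String value) {
        Set<String> out = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
        if (value == null) return out;
        for (String entry : value.split(",")) {
            String e = entry.trim();
            if (!e.isEmpty()) out.add(e);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Value in force after every properties source has been merged,
        // which can differ from the file passed on the command line.
        String effective = Security.getProperty("jdk.tls.disabledAlgorithms");
        System.out.println("Effective jdk.tls.disabledAlgorithms:\n  " + effective);
        // Assumption: key used by RHEL-family builds; null on other builds.
        System.out.println("security.useSystemPropertiesFile = "
                + Security.getProperty("security.useSystemPropertiesFile"));
        System.out.println("-Djava.security.properties = "
                + System.getProperty("java.security.properties"));

        Set<String> disabled = parseDisabled(effective);
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, null, null);
        try (SSLSocket socket = (SSLSocket) context.getSocketFactory().createSocket()) {
            Set<String> enabled = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
            enabled.addAll(Arrays.asList(socket.getEnabledProtocols()));
            for (String p : socket.getSupportedProtocols()) {
                String state = enabled.contains(p) ? "enabled"
                        : disabled.contains(p) ? "disabled by jdk.tls.disabledAlgorithms"
                        : "not enabled by default";
                System.out.printf("  %-12s %s%n", p, state);
            }
        }
    }
}
```

Run it with the same `-Djava.security.properties=./java.security` option as `ProtocolTest`; if TLSv1 still appears in the effective list, the edited file is not the last source applied.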