How to Configure the Default SSL/TLS Version Used by Your Java Applications


Introduction

In the most recent JDK releases, including 8u341 and later, TLSv1.3 and TLSv1.2 are offered by default (via the TLS ClientHello handshake initialization routine). Such a configuration should work fine for the majority of TLS applications. If an application has issues with the default TLS versions in use (for environment or interoperability reasons, for example), the JDK offers configuration options via APIs and system properties to manage the default SSL/TLS versions used by Java applications.


Using the Security API

The Java Security API lets an application choose which protocol versions TLS uses. See the SSLSocket.setEnabledProtocols, SSLServerSocket.setEnabledProtocols and SSLEngine.setEnabledProtocols APIs (all in the javax.net.ssl package) in the documentation for your JDK version for examples of how such configuration requests are managed.
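The three setEnabledProtocols calls named above, shown as an added example that is not taken from the JDK documentation or the original page. The class name TlsProtocolPinning and the WANTED list are assumptions chosen for illustration; the sockets are created unconnected and unbound, so it runs offline.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;

// Hypothetical class name; example code, not part of the JDK.
public class TlsProtocolPinning {
    // Assumed policy: the same versions the page uses in its -Dhttps.protocols example.
    static final String[] WANTED = {"TLSv1.3", "TLSv1.2"};

    // Keep only the wanted versions this JDK/provider supports.
    // setEnabledProtocols throws IllegalArgumentException for unsupported names,
    // and an empty result would leave no usable protocol, so fail loudly instead.
    static String[] restrict(String[] supported) {
        Set<String> ok = new LinkedHashSet<>(Arrays.asList(WANTED));
        ok.retainAll(Arrays.asList(supported));
        if (ok.isEmpty()) {
            throw new IllegalStateException("No wanted TLS version is supported by this JDK");
        }
        return ok.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();

        // Client side: unconnected socket, nothing is sent on the network.
        try (SSLSocket client = (SSLSocket) ctx.getSocketFactory().createSocket()) {
            System.out.println("client default: " + Arrays.toString(client.getEnabledProtocols()));
            client.setEnabledProtocols(restrict(client.getSupportedProtocols()));
            System.out.println("client pinned : " + Arrays.toString(client.getEnabledProtocols()));
        }

        // Server side: unbound server socket; accepted sockets inherit the setting.
        try (SSLServerSocket server =
                 (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket()) {
            server.setEnabledProtocols(restrict(server.getSupportedProtocols()));
            System.out.println("server pinned : " + Arrays.toString(server.getEnabledProtocols()));
        }

        // SSLEngine: the transport-independent API used by NIO-based code.
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(true);
        engine.setEnabledProtocols(restrict(engine.getSupportedProtocols()));
        System.out.println("engine pinned : " + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```

Comparing the "default" and "pinned" lines on a given JDK build shows what the runtime would otherwise offer, which is a quick check when auditing older installations.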


Using System Properties

The JDK offers system properties to control the default TLS protocol versions in use. jdk.tls.client.protocols controls the client-side endpoints. jdk.tls.server.protocols controls the server-side endpoints. The application must be configured to use the default TLS protocol version for this method to work.

If an application is using the HttpsURLConnection or URL.openStream() APIs, you can control the TLS protocol version via the https.protocols system property. Note that this property has a narrower impact on applications: it’s targeted specifically at application code making use of the JDK HttpsURLConnection or URL.openStream() APIs.

Example:

-Dhttps.protocols="TLSv1.3,TLSv1.2"

These property options are documented in the Java Secure Socket Extension (JSSE) Reference Guides.


Last reviewed on Sat Feb 01 2025 00:00:00 GMT+0000 (Coordinated Universal Time)