TLSv1.3 - is it available now in Java 8?

Question

Recently I noticed that some SMTP (mail) clients trying to connect to SMTP server by using STARTTLS command and specifying TLSv1.3 version during handshake.. Currently TLSv1.2 and a few other options is enabled. So, could it be that TLSv1.3 is available now? Or hackers again playing :)?

score 41 · Answer 1 · answered Jul 17 '20 at 14:34

41

TLS 1.3 has now officially been back-ported to Java 8. :)

Since 8u261-b12 from Oracle JDK: https://www.oracle.com/java/technologies/javase/8u261-relnotes.html
Since 8u262-b10 from AdoptOpenJDK (Eclipse Adoptium)

Crypto road map: https://java.com/en/jre-jdk-cryptoroadmap.html

answered Jul 17 '20 at 14:34

Sylvain

446
4
6

2

TLS 1.3 support in Oracle JDK was independently developed by Oracle separated from OpenJDK TLS 1.3 porting efforts, and they had done it early. TLS 1.3 support in OpenJDK is (beside Azul's OpenJSSE) expected to come into 8u272 (October update), and not yet released. – MNEMO Jul 30 '20 at 23:44
1

The OpenJDK 8 backport for build-in TLS 1.3 support was performed by Azul and upstreamed (this is separate from OpenJSSE). It is already included in the Zulu OpenJDK builds since 8u262, and will likely appear in OpenJDK builds starting with 8u272. – Gil Tene Sep 15 '20 at 17:55

score 16 · Answer 2 · answered Jul 19 '19 at 10:32

For anyone interested and/or looking forward to TLSv1.3 support in Java 8. Azul just recently released JDK 8 build with TLSv.1.3 support available.

https://www.azul.com/press_release/azul-systems-brings-updated-transport-layer-security-to-java-se-8/

OpenJSSE, an open source implementation of TLS 1.3 for Java SE 8, and has included it in the latest releases of its Zulu Community and Zulu Enterprise products. Source code, example use cases and documentation for this essential security standard are available on GitHub under the OpenJSSE project at https://github.com/OpenJSSE/openjsse.

The TLS 1.3 standard was released in August 2018 and is a successor to TLS 1.2 and previous Secure Sockets Layer (SSL) standards that have been part of Internet-based secure communications for many years. TLS 1.3 support has been included in Java since September 2018 as part of Java SE 11, but support has not been provided in earlier versions of Java.

Today, nearly all production Java applications are based upon the earlier Java SE 8 standard, and many developers continue to prefer to deploy software that can make use of the vast number of libraries, applications, and utilities that only work on Java SE 8. Existing Java SE 8 implementations, however, only support TLS up to version 1.2.

Zulu builds of OpenJDK 8 now include the OpenJSSE TLS 1.3 JSSE provider, which can be used to enable TLS 1.3 support with no application or code changes. The OpenJSSE provider included with Zulu 8 can also be used programmatically to code to TLS 1.3 and RSASSA-PSS capabilities not directly available via the Java SE 8 APIs. A release of Azul’s Zing JVM supporting TLS 1.3 with Java 8 will be made generally available by the end of July.

As of Zulu builds of OpenJDK 8u262, built-in support for TLS 1.3 (separate from OpenJSSE) is included in 8u. The work has been accepted upstream and will likely be included in other OpenJDK distributions with 8u272 or later. — Gil Tene, Sep 15 '20 at 17:57
https://www.oracle.com/java/technologies/javase/8u261-relnotes.html — Chagai Friedlander, Dec 28 '20 at 08:41

score 8 · Answer 3 · edited May 05 '21 at 19:22

Now that TLSv1.3 is no longer in draft, it's possible to have a final(ish) implementation of it.

TLSv1.3 seems to be in Java 11 and later and I don't see any indication of support being added to any previous versions of Java. Sounds like it's time to start looking seriously as Oracle's faster-release schedule for Java and getting on the bus.

(Please note that this answer was originally submitted in 2018. It is no longer accurate, and answers with most up-to-date information are available with higher rankings.)

score 6 · Answer 4 · answered Jul 24 '22 at 09:10

July 2022 (seven years later):

Sean Mullan (Java Security Tech Lead at Oracle, and lead of OpenJDK Security Group) just announced:

In Oracle's July CPU release (released today), we have enabled TLS 1.3 by default on the client in JDK 8u341.

TLS 1.3 is now enabled by default on both the client and the server on all Oracle Java releases which support TLS 1.3 (8, 11, 17, 18).

user207421 · Accepted Answer · 2021-09-01T05:16:44.613

0

It isn't available anywhere. It's not even a proper draft yet, let alone an RFC. Just a wish list as far as I can determine.

EDIT Obviously this was an expiring answer, as TLS 1.3 was always going to become a standard and widely adopted one day. It has now happened and is available in late versions of Java 1.8.

edited Sep 01 '21 at 05:16

answered Apr 03 '15 at 23:28

user207421

305,947
44
307
483

14

As of the time of writing. Note that this is obviously an expiring answer. – user207421 Jul 20 '18 at 00:01
7

Just in case anyone else finds this answer while looking for Java/TLS information, note that it is now outdated. TLS 1.3 is [RFC 8446](https://tools.ietf.org/html/rfc8446) and becoming widely implemented. – Sam Whited May 06 '20 at 16:09

TLSv1.3 - is it available now in Java 8?

5 Answers5

Linked

Related