(note: this is related to this question)

We know that with the non-free Java 1.6_111 update, Java 1.6 can support TLS 1.1 with HTTPS. My question is: should I compile my program with Java 6 111, or just use Java 6 111 with the -Dhttps.protocols=TLSv1.1 switch?

Note: I've tried the latter and it doesn't seem to work.

Thanks.

friol

1 Answer

Is your code (including libraries you call) using something like new URL("https://xxx").connect() and NOT SSLSocket or SSLEngine directly? Only the former uses the https. properties.

If using JSSE level, I don't pay for extended support and so don't have the code (or source, which IIRC for 6 didn't include crypto anyway), but the release notes only talk about selection by explicit call to .setEnabledProtocols (in code). The release notes for 115 b32 additionally say

The new jdk.tls.client.protocols System Property may also be used to control the protocols in use for a TLS connection. (JDK-8151183)

and 'new' suggests this does not work in 111, but you could try it.

If you do make the code change to call .setEnabledProtocols, the method itself already existed; only the argument value changed, so you can compile against any JDK6 and run on 6u111. (But if you unit-test and/or debug on the compile system, you presumably do need 6u111 for those.)

dave_thompson_085
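
An added example, not code from the answer or from the JDK: a delegating SSLSocketFactory that calls setEnabledProtocols on every socket it creates, so code going through HttpsURLConnection is covered as well as code using SSLSocket directly. The class name Tls11SocketFactory is hypothetical; it uses only Java 6 syntax and methods that predate 6u111, and it fails closed when the runtime does not list TLSv1.1 as supported.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.util.Arrays;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added example: hypothetical helper class (name is an assumption), Java 6 syntax only.
public class Tls11SocketFactory extends SSLSocketFactory {
    private static final String[] WANTED = { "TLSv1.1" };
    private final SSLSocketFactory delegate;
    public Tls11SocketFactory(SSLSocketFactory delegate) { this.delegate = delegate; }

    // Restrict a freshly created socket to TLSv1.1; refuse to continue if the
    // runtime (e.g. a Java 6 update older than 111) does not support it.
    private Socket restrict(Socket s) throws IOException {
        SSLSocket ssl = (SSLSocket) s;
        if (!Arrays.asList(ssl.getSupportedProtocols()).contains(WANTED[0])) {
            s.close();
            throw new IOException("Runtime does not support " + WANTED[0]);
        }
        ssl.setEnabledProtocols(WANTED);
        return ssl;
    }

    public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    public Socket createSocket() throws IOException { return restrict(delegate.createSocket()); }
    public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return restrict(delegate.createSocket(s, host, port, autoClose));
    }
    public Socket createSocket(String host, int port) throws IOException {
        return restrict(delegate.createSocket(host, port));
    }
    public Socket createSocket(String host, int port, InetAddress local, int localPort) throws IOException {
        return restrict(delegate.createSocket(host, port, local, localPort));
    }
    public Socket createSocket(InetAddress host, int port) throws IOException {
        return restrict(delegate.createSocket(host, port));
    }
    public Socket createSocket(InetAddress host, int port, InetAddress local, int localPort) throws IOException {
        return restrict(delegate.createSocket(host, port, local, localPort));
    }
    public static void main(String[] args) {
        // Install once at startup; later HttpsURLConnection instances use this factory.
        SSLSocketFactory base = (SSLSocketFactory) SSLSocketFactory.getDefault();
        HttpsURLConnection.setDefaultSSLSocketFactory(new Tls11SocketFactory(base));
        System.out.println("HTTPS connections now offer only " + WANTED[0]);
    }
}
```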