How do I disable TLS 1.3 when running DS 6.5, 6.5.1 or 6.5.2 with Java 11.0.5 and earlier, or Java 1.8.0_272 and later?

Overview

Java 11

Java 11 introduced support for TLS 1.3 and its associated cipher suites; DS 6.5 introduced support for Java 11.

DS has been designed to leverage the latest security features enabled by the JVM; therefore, TLS 1.3 is enabled by default when running DS with Java 11. If a client application is using TLS 1.3, the TLS session will negotiate to use TLS 1.3 by default.

However, Java 11's TLS 1.3 implementation has several issues in earlier versions. For example:

• JDK-8217094 - HttpClient SSL race if a socket IOException is raised before ALPN is available (Fixed in Java 11.0.4)
• JDK-8217610 - TLSv1.3 fail with ClassException when EC keys are stored in PKCS11 (Fixed in Java 11.0.6)
• JDK-8217611 - PKCS11 module unable to negotiate TLSv1.3 with RSASSA-PSS (Fixed in Java 11.0.6)

There are also known issues in DS 6.5, 6.5.1 and 6.5.2 (fixed in DS 6.5.3):

• OPENDJ-6557 (IDM Password Sync plugin induces 100% CPU in Apache Http Components when used with JDK 11)
• OPENDJ-6499 (Query on rest2ldap over ssl gets stuck after few curl requests using TLSv1.3 on JDK11)
• OPENDJ-6394 (Update grizzly to resolve TLSv1.3 issues on Java 11)

And a known issue in DS 7.x, which prevents deployment keys working correctly if you have instances with mixed Java versions and one (or more) of them are using a pre-11.0.6 version of Java: OPENDJ-8506 (Deployment key produces different keys after JVM update).

And finally, there is a known issue with the ChaCha20-Poly1305 algorithm (introduced in Java 9 and TLS 1.2): JDK-8224997 - ChaCha20-Poly1305 TLS cipher suite decryption throws ShortBufferException, which is fixed in Java 11.0.8. 

Java 8  

Java 1.8.0_272 implements TLS 1.3 by default. If you are using a pre-DS 6.5.3 version, you should either upgrade to DS 6.5.3 or later, or disable TLS 1.3 as described in the following section.

Disabling TLS 1.3 in DS

You can disable TLS 1.3 in DS by explicitly setting the ssl-protocols allowed per connection handler. It is strongly recommended that you restrict the allowed protocols to TLSv1.2 on the following connection handlers: LDAP, LDAPS, HTTPS and the Administrator Connector. For example:

• LDAP: $ ./dsconfig --hostname ds1.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password set-connection-handler-prop --handler-name LDAP --set ssl-protocol:TLSv1.2 --trustAll --no-prompt
• LDAPS: $ ./dsconfig --hostname ds1.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password set-connection-handler-prop --handler-name LDAPS --set ssl-protocol:TLSv1.2 --trustAll --no-prompt
• HTTPS: $ ./dsconfig --hostname ds1.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password set-connection-handler-prop --handler-name HTTPS --set ssl-protocol:TLSv1.2 --trustAll --no-prompt
• Administrator Connector: $ ./dsconfig --hostname ds1.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password set-administration-connector-prop --set ssl-protocol:TLSv1.2 --trustAll --no-prompt

See Also

How do I disable TLS 1.0 and TLS 1.1 in DS (All versions)?

How do I configure LDAPS clients in DS 5.x and 6.x?

SSL in DS

LDAP Client Access Over SSL

TLS Protocols and Cipher Suites

Related Training

N/A

Related Issue Tracker IDs

OPENDJ-8506 (Deployment key produces different keys after JVM update)

OPENDJ-6557 (IDM Password Sync plugin induces 100% CPU in Apache Http Components when used with JDK 11)

OPENDJ-6499 (Query on rest2ldap over ssl gets stuck after few curl requests using TLSv1.3 on JDK11)

OPENDJ-6394 (Update grizzly to resolve TLSv1.3 issues on Java 11)