How do I disable TLS 1.3 when running DS 6.5 with Java 11?
The purpose of this article is to provide information on disabling TLS 1.3 when running DS 6.5 with Java® 11. It is recommended you disable TLS 1.3 in this situation because of known issues with Oracle JDK 11 and OpenJDK 11's implementation of TLS 1.3.
Overview
Java 11 introduced support for TLS 1.3 and its associated cipher suites; DS 6.5 introduced support for Java 11.
DS is designed to use the latest security features the JVM provides; therefore, TLS 1.3 is enabled by default when running DS with Java 11. A client that offers TLS 1.3 will negotiate TLS 1.3 unless the server restricts the allowed protocols.
However, Java 11's TLS 1.3 implementation has several issues, for example:
- Known and fixed:
  - JDK-8217094 - HttpClient SSL race if a socket IOException is raised before ALPN is available (fixed in Java 11.0.4)
- Known and outstanding:
  - JDK-8217610 - TLSv1.3 fail with ClassException when EC keys are stored in PKCS11
  - JDK-8217611 - PKCS11 module unable to negotiate TLSv1.3 with RSASSA-PSS
Additionally, there is an outstanding known issue with the ChaCha20-Poly1305 algorithm (added to the JDK in Java 11 by JEP 329; the matching TLS 1.2 cipher suites from RFC 7905 followed in Java 12): JDK-8224997 - ChaCha20-Poly1305 TLS cipher suite decryption throws ShortBufferException
Caution
As a result of these issues, ForgeRock strongly recommends that you disable TLS 1.3 when running DS 6.5 with Oracle JDK 11 or OpenJDK 11. Similarly, it is strongly recommended that you do not use cipher suites based on the ChaCha20-Poly1305 algorithm (for example, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 and TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256) for TLS traffic.
Disabling TLS 1.3 in DS
You can disable TLS 1.3 in DS by explicitly setting the ssl-protocol property on each secure connection handler. The property is multi-valued and lists the protocols the handler will negotiate; when it is not set, DS accepts whatever the JVM enables, which on Java 11 includes TLSv1.3. It is strongly recommended that you restrict the allowed protocols to TLSv1.2 on the following connection handlers: LDAP (where it governs StartTLS), LDAPS, HTTPS and the Administrator Connector. The commands below use --trustAll, which skips validation of the server's administration certificate; in production, pass --trustStorePath pointing at a truststore that contains that certificate instead. For example:
- LDAP:
$ ./dsconfig --hostname ds1.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password set-connection-handler-prop --handler-name LDAP --set ssl-protocol:TLSv1.2 --trustAll --no-prompt
- LDAPS:
$ ./dsconfig --hostname ds1.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password set-connection-handler-prop --handler-name LDAPS --set ssl-protocol:TLSv1.2 --trustAll --no-prompt
- HTTPS:
$ ./dsconfig --hostname ds1.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password set-connection-handler-prop --handler-name HTTPS --set ssl-protocol:TLSv1.2 --trustAll --no-prompt
- Administrator Connector:
$ ./dsconfig --hostname ds1.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password set-administration-connector-prop --set ssl-protocol:TLSv1.2 --trustAll --no-prompt
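Added example, not part of this article or of the DS product: a small Python audit that reads a DS config.ldif and reports every connection handler, plus the Administration Connector, that still permits TLSv1.3 or lists a ChaCha20-Poly1305 cipher suite, so it covers both the caution above and the per-handler procedure. It assumes the dsconfig properties ssl-protocol and ssl-cipher-suite are stored as the LDIF attributes ds-cfg-ssl-protocol and ds-cfg-ssl-cipher-suite under cn=Connection Handlers,cn=config and cn=Administration Connector,cn=config. The embedded LDIF is a constructed sample, not a real server's configuration.

```python
import base64
from typing import Dict, List

# Constructed sample config.ldif fragment (reduced to the relevant attributes).
SAMPLE_CONFIG_LDIF = """\
dn: cn=LDAP,cn=Connection Handlers,cn=config
cn: LDAP
ds-cfg-enabled: true
ds-cfg-listen-port: 1389
ds-cfg-use-ssl: false
ds-cfg-allow-start-tls: true

dn: cn=LDAPS,cn=Connection Handlers,cn=config
cn: LDAPS
ds-cfg-enabled: true
ds-cfg-listen-port: 1636
ds-cfg-use-ssl: true
ds-cfg-ssl-protocol: TLSv1.2
ds-cfg-ssl-protocol: TLSv1.3
ds-cfg-ssl-cipher-suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
ds-cfg-ssl-cipher-suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

dn: cn=HTTPS,cn=Connection Handlers,cn=config
cn: HTTPS
ds-cfg-enabled: true
ds-cfg-listen-port: 8443
ds-cfg-use-ssl: true
ds-cfg-ssl-protocol: TLSv1.2

dn: cn=Administration Connector,cn=config
cn: Administration Connector
ds-cfg-listen-port: 4444
ds-cfg-ssl-protocol: TLSv1.2
"""

# Assumed DN layout of DS 6.5 config.ldif (compared case-insensitively).
HANDLER_SUFFIX = ",cn=connection handlers,cn=config"
ADMIN_DN = "cn=administration connector,cn=config"


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: one dict per entry, attribute names lower-cased,
    each mapped to its values in file order. Handles folded lines (leading
    space), comments and base64 values ("attr:: ...")."""
    entries = []
    for block in text.split("\n\n"):
        lines: List[str] = []
        for raw in block.split("\n"):
            if not raw or raw.startswith("#"):
                continue
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]          # unfold continuation line
            else:
                lines.append(raw)
        entry: Dict[str, List[str]] = {}
        for line in lines:
            name, sep, value = line.partition(":")
            if not sep:
                continue
            if value.startswith(":"):         # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            entry.setdefault(name.strip().lower(), []).append(value)
        if "dn" in entry:
            entries.append(entry)
    return entries


def audit_entry(entry: Dict[str, List[str]]) -> List[str]:
    """Findings for one TLS endpoint: an empty list means it is compliant."""
    findings = []
    protocols = entry.get("ds-cfg-ssl-protocol", [])
    if not protocols:
        findings.append("ssl-protocol not set: JVM default applies, which enables TLSv1.3 on Java 11")
    elif any(p.upper() == "TLSV1.3" for p in protocols):
        findings.append("ssl-protocol explicitly allows TLSv1.3")
    for suite in entry.get("ds-cfg-ssl-cipher-suite", []):
        if "CHACHA20" in suite.upper():
            findings.append(f"ChaCha20-Poly1305 cipher suite configured: {suite}")
    return findings


def audit_config(text: str) -> Dict[str, List[str]]:
    """Map each enabled connection handler DN (and the admin connector) to its findings."""
    results = {}
    for entry in parse_ldif(text):
        dn = entry["dn"][0]
        if not (dn.lower().endswith(HANDLER_SUFFIX) or dn.lower() == ADMIN_DN):
            continue
        if entry.get("ds-cfg-enabled", ["true"])[0].lower() != "true":
            continue
        results[dn] = audit_entry(entry)
    return results


def remediation_command(dn: str) -> str:
    """The dsconfig command from this article that restricts the endpoint to TLSv1.2.
    Connection options (--hostname, --port, credentials, trust store) are left to the operator."""
    if dn.lower() == ADMIN_DN:
        return "dsconfig set-administration-connector-prop --set ssl-protocol:TLSv1.2"
    handler = dn.split(",", 1)[0].split("=", 1)[1]   # first RDN value, e.g. LDAPS
    return f"dsconfig set-connection-handler-prop --handler-name {handler} --set ssl-protocol:TLSv1.2"


if __name__ == "__main__":
    for dn, findings in audit_config(SAMPLE_CONFIG_LDIF).items():
        print(f"[{'OK' if not findings else 'FIX'}] {dn}")
        for finding in findings:
            print(f"      - {finding}")
        if findings:
            print(f"      {remediation_command(dn)}")
```

Run it against a copy of the server's config/config.ldif, or after applying the commands above, re-run it to confirm every endpoint reports OK; the live value can also be checked with dsconfig get-connection-handler-prop --handler-name LDAPS --property ssl-protocol. Note that the audit flags a handler with no ssl-protocol at all, because the absence of the property is exactly the case in which the JVM default, and with it TLS 1.3, applies.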
See Also
How do I configure LDAPS clients in DS/OpenDJ (All versions)?
Related Training
N/A
Related Issue Tracker IDs
OPENDJ-6499 (Query on rest2ldap over ssl gets stuck after few curl requests using TLSv1.3 on JDK11)