How To

How do I disable TLS 1.3 when running DS 6.5 with Java 11?

Last updated Aug 27, 2019

The purpose of this article is to provide information on disabling TLS 1.3 when running DS 6.5 with Java® 11. It is recommended you disable TLS 1.3 in this situation because of known issues with Oracle JDK 11 and OpenJDK 11's implementation of TLS 1.3.


Overview

Java 11 introduced support for TLS 1.3 and its associated cipher suites; DS 6.5 introduced support for Java 11.

DS has been designed to leverage the latest security features enabled by the JVM; therefore, TLS 1.3 is enabled by default when running DS with Java 11. If a client application supports TLS 1.3, the TLS session will negotiate TLS 1.3 by default.

However, Java 11's TLS 1.3 implementation has several issues, for example:

  • Known and fixed:
    • JDK-8217094 - HttpClient SSL race if a socket IOException is raised before ALPN is available (fixed in Java 11.0.4)
  • Known and outstanding:
    • JDK-8217610 - TLSv1.3 fail with ClassException when EC keys are stored in PKCS11
    • JDK-8217611 - PKCS11 module unable to negotiate TLSv1.3 with RSASSA-PSS

Additionally, there is an outstanding known issue with the ChaCha20-Poly1305 algorithm (introduced in Java 9 and TLS 1.2): JDK-8224997 - ChaCha20-Poly1305 TLS cipher suite decryption throws ShortBufferException.

Caution

As a result of these issues, ForgeRock strongly recommends that you disable TLS 1.3 when running DS 6.5 with Oracle JDK 11 or OpenJDK 11. Similarly, it is strongly recommended that you do not use cipher suites based on the ChaCha20-Poly1305 algorithm (for example, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, etc.) for data encryption.

Disabling TLS 1.3 in DS

You can disable TLS 1.3 in DS by explicitly listing the allowed protocols in the ssl-protocol property of each connection handler. It is strongly recommended that you restrict the allowed protocols to TLSv1.2 on the following connection handlers: LDAP, LDAPS, HTTPS and the Administrator Connector. For example:

  • LDAP:
    $ ./dsconfig --hostname ds1.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password set-connection-handler-prop --handler-name LDAP --set ssl-protocol:TLSv1.2 --trustAll --no-prompt
  • LDAPS:
    $ ./dsconfig --hostname ds1.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password set-connection-handler-prop --handler-name LDAPS --set ssl-protocol:TLSv1.2 --trustAll --no-prompt
  • HTTPS:
    $ ./dsconfig --hostname ds1.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password set-connection-handler-prop --handler-name HTTPS --set ssl-protocol:TLSv1.2 --trustAll --no-prompt
  • Administrator Connector:
    $ ./dsconfig --hostname ds1.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password set-administration-connector-prop --set ssl-protocol:TLSv1.2 --trustAll --no-prompt
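The following script is an added example (not part of the ForgeRock article) that applies the four commands above from one function and then checks from the outside, with openssl s_client, that each TLS listener refuses a TLS 1.3 handshake and still completes a TLS 1.2 one. The host name, ports, bind DN and password file path are placeholder assumptions; dsconfig is assumed to be in the current directory and OpenSSL 1.1.1 or later to be installed.

```shell
#!/bin/sh
# Added example, not ForgeRock's code. Placeholder values (assumptions): override
# them with environment variables for a real deployment.
DS_HOST="${DS_HOST:-ds1.example.com}"
DS_ADMIN_PORT="${DS_ADMIN_PORT:-4444}"
DS_BIND_DN="${DS_BIND_DN:-cn=Directory Manager}"
DS_PW_FILE="${DS_PW_FILE:-/path/to/bind-password.txt}"   # placeholder path

# Print the dsconfig command for one listener ("admin" = the administration
# connector, which uses its own subcommand and takes no --handler-name).
# --bindPasswordFile keeps the password out of the process list and shell history.
# --trustAll is kept from the article; in production, verify the admin
# connector's certificate with --trustStorePath instead.
ds_tls12_cmd() {
    common="./dsconfig --hostname $DS_HOST --port $DS_ADMIN_PORT --bindDN \"$DS_BIND_DN\" --bindPasswordFile $DS_PW_FILE"
    if [ "$1" = "admin" ]; then
        printf '%s\n' "$common set-administration-connector-prop --set ssl-protocol:TLSv1.2 --trustAll --no-prompt"
    else
        printf '%s\n' "$common set-connection-handler-prop --handler-name $1 --set ssl-protocol:TLSv1.2 --trustAll --no-prompt"
    fi
}

# Succeed only if host:port refuses a TLS 1.3 handshake and completes a TLS 1.2 one.
# s_client exits non-zero on a failed handshake. An OpenSSL older than 1.1.1 does
# not know -tls1_3 and would report a false "refused", so check the version first.
verify_tls12_only() {
    host="$1"; port="$2"; shift 2
    if printf '' | openssl s_client -connect "$host:$port" -tls1_3 "$@" >/dev/null 2>&1; then
        echo "FAIL: $host:$port still negotiates TLS 1.3"; return 1
    fi
    if ! printf '' | openssl s_client -connect "$host:$port" -tls1_2 "$@" >/dev/null 2>&1; then
        echo "FAIL: $host:$port does not negotiate TLS 1.2 (or is unreachable)"; return 1
    fi
    echo "OK: $host:$port accepts TLS 1.2 only"
}

# Apply to all four listeners, then check the TLS-only ports (assumed defaults).
# The plain LDAP port can be checked the same way with "-starttls ldap" if
# StartTLS is enabled on it.
apply_and_verify() {
    for h in LDAP LDAPS HTTPS admin; do
        eval "$(ds_tls12_cmd "$h")" || return 1
    done
    verify_tls12_only "$DS_HOST" "${DS_LDAPS_PORT:-1636}" &&
    verify_tls12_only "$DS_HOST" "${DS_HTTPS_PORT:-8443}" &&
    verify_tls12_only "$DS_HOST" "$DS_ADMIN_PORT"
}

# Nothing runs unless asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "apply" ]; then apply_and_verify; fi
```

Run it as `sh disable-tls13.sh apply`; a non-zero exit means either a dsconfig call failed or a listener still negotiated TLS 1.3.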

See Also

How do I configure LDAPS clients in DS/OpenDJ (All versions)?

SSL in DS/OpenDJ

Administration Guide › LDAP Client Access Over SSL

Administration Guide › TLS Protocols and Cipher Suites

Related Training

N/A

Related Issue Tracker IDs

OPENDJ-6557 (IDM Password Sync plugin induces 100% CPU in Apache Http Components when used with JDK 11)

OPENDJ-6499 (Query on rest2ldap over ssl gets stuck after few curl requests using TLSv1.3 on JDK11)



Copyright and Trademarks

Copyright © 2019 ForgeRock, all rights reserved.