This page documents the TLS default settings of OpenJDK 21 and their impact on connections to databases and third-party systems. Read this article if you want to verify, as part of the Java upgrade, whether your remote endpoints support TLS 1.2 or higher.
NOTE
OpenJDK 21 disables TLS 1.0 and TLS 1.1 by default. Connections to systems that support only older TLS versions will fail after the upgrade without additional configuration. Systems that already support TLS 1.2 or TLS 1.3 are not affected.
TLS default settings under OpenJDK 21
| Protocol | Status | Note |
|---|---|---|
| TLS 1.3 | Enabled | Recommended. Provides improved security and performance. |
| TLS 1.2 | Enabled | Compatible with most current systems. |
| TLS 1.1 | Disabled | Can be explicitly re-enabled. Not recommended. |
| TLS 1.0 | Disabled | Can be explicitly re-enabled. Considered insecure. |
The enabled protocols and cipher suites reflect the OpenJDK 21 defaults and can only be overridden through explicit configuration.
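
One way to run this check from the upgraded JVM itself, as an added example that is not part of the original page: it prints the protocols the runtime enables by default and attempts one handshake per protocol against a remote endpoint. The host `db.example.internal` and port `443` are placeholders. The probe assumes the endpoint speaks TLS directly on that port (no STARTTLS-style upgrade) and presents a certificate the default trust store accepts.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class TlsEndpointCheck {
    // Protocols that OpenJDK 21 leaves enabled by default.
    private static final String[] PROTOCOLS = {"TLSv1.3", "TLSv1.2"};
    private static final int TIMEOUT_MS = 5000;

    public static void main(String[] args) throws Exception {
        // Placeholder endpoint; pass the real host and port as arguments.
        String host = args.length > 0 ? args[0] : "db.example.internal";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;

        SSLContext ctx = SSLContext.getDefault();
        System.out.println("Java version: " + System.getProperty("java.version"));
        System.out.println("Enabled by default: "
                + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
        // Security property that lists the disabled protocols and algorithms.
        System.out.println("jdk.tls.disabledAlgorithms: "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));

        SSLSocketFactory factory = ctx.getSocketFactory();
        for (String protocol : PROTOCOLS) {
            // Offer exactly one protocol so the result is unambiguous.
            try (SSLSocket socket = (SSLSocket) factory.createSocket()) {
                socket.connect(new InetSocketAddress(host, port), TIMEOUT_MS);
                socket.setSoTimeout(TIMEOUT_MS);
                socket.setEnabledProtocols(new String[] {protocol});
                socket.startHandshake();
                System.out.println(protocol + ": OK, cipher suite "
                        + socket.getSession().getCipherSuite());
            } catch (IOException e) {
                // Covers connection errors and SSLHandshakeException alike.
                System.out.println(protocol + ": FAILED (" + e + ")");
            }
        }
    }
}
```

Run it on the OpenJDK 21 runtime with `java TlsEndpointCheck.java <host> <port>`. An endpoint that fails for both protocols but is reachable on the network falls under the affected system types.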
Affected system types
| System type | Typical cause | Recommended action |
|---|---|---|
| Legacy databases | Support only TLS 1.0 or TLS 1.1 | Update the database version. |
| Legacy infrastructure components | Support only TLS 1.0 or TLS 1.1 | Update the infrastructure. |
| External third-party systems | Not yet updated to TLS 1.2+ | Contact the third-party system operator. |
Protocol security status
| Protocol | Security status | Recommendation |
|---|---|---|
| TLS 1.3 | Secure | Prefer |
| TLS 1.2 | Secure | Acceptable |
| TLS 1.1 | Insecure | Do not use |
| TLS 1.0 | Insecure | Do not use |
Configuration options
Update remote endpoints (recommended)
Update affected systems to TLS 1.2 or TLS 1.3. This is the only permanently secure approach.
NOTE
Current JSSE (Java Secure Socket Extension) versions address issues with TLS 1.3 client certificate selection that can occur with older authentication logic.
Temporarily re-enable legacy TLS versions
OpenJDK 21 can be configured to allow TLS 1.0 or TLS 1.1. This weakens transport encryption and exposes the environment to known security risks. It is only permissible as a short-term transitional measure. Affected remote endpoints must be updated promptly.