FIPS 140.2 enabled TLS server rejects clients sending SSLv3 as record version in ClientHello

Christian Schaefer christian.schaefer at
Mon Oct 14 08:41:25 UTC 2019

Hi all,

We have TLS connection issues when the server (openjdk version "1.8.0_222") runs in FIPS 140.2 mode. The error thrown on the server is:

" Unsupported record version SSLv3" (which originates from:

This error only happens when the server JRE runs in FIPS 140.2 mode. This is because of the following code in class

    // minimum version we implement (SSL 3.0)
    final static ProtocolVersion MIN = FIPS ? TLS10 : SSL30;

Our server *only* allows TLS 1.2 as TLS protocol version, however, If I have the correct understanding of the TLS 1.2 specification enforcing a record version of (at least ) TLS10 seems to violate the specification (

   [...] Thus, TLS servers compliant with this specification MUST accept any value {03,XX} as
   the record layer version number for ClientHello. [...]

(Appendix E.  Backward Compatibility - E.1.  Compatibility with TLS 1.0/1.1 and SSL 3.0)

Is this something which should be fixed in the JRE? Or is the behavior of the client wrong?



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the security-dev mailing list