Defer disabling TLS 1.0/1.1 by default?

Mathiske, Bernd mathiske at
Fri Apr 2 20:21:51 UTC 2021

We have recently been made aware of increasing concerns by customers that disabling TLS 1.0/1.1 in the upcoming round of OpenJDK updates on April 20, as is the plan of record, could still cause outages. So we are considering keeping TLS 1.0/1.1 enabled by default in Amazon Corretto for now.

Can this default configuration change be deferred in general? 

Are there any concerns regarding Amazon Corretto keeping TLS 1.0/1.1 enabled by default? 

Should we offer an alternate build that conforms with disabling by default and have the two lines converge again at a later date?

My understanding is that in principle TLS 1.2/1.3 is not more secure than 1.0/1.1 and therefore we are not looking at a security fix here, correct?

We are aware that the default setting can be manually changed by every user, but considering automated intake of binary artifacts we anticipate that this will not always be applied and disruptions will still occur.

(sent to jdk-updates-dev@, jdk8u-dev@, and security-dev@)
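The build default discussed above is carried by the jdk.tls.disabledAlgorithms entry in the JDK's java.security file. The following is an added example, not code from the email or from OpenJDK, that reports which protocol versions the running JVM enables by default and, when started with a hypothetical --enforce flag, disables TLS 1.0/1.1 for that process regardless of which default the distribution ships; the class name and flag are my own.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;

/** Checks whether this JVM still enables TLS 1.0/1.1 by default and can opt out locally. */
public class LegacyTlsCheck {
    static final String PROP = "jdk.tls.disabledAlgorithms";
    static final List<String> LEGACY = Arrays.asList("TLSv1", "TLSv1.1");

    /** Protocol versions a default SSLContext offers when the application sets nothing. */
    static List<String> defaultProtocols() throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        return Arrays.asList(ctx.getDefaultSSLParameters().getProtocols());
    }

    /** True if TLS 1.0 or 1.1 is among the protocols enabled by default. */
    static boolean legacyEnabled(List<String> protocols) {
        return protocols.stream().anyMatch(LEGACY::contains);
    }

    /** Adds TLSv1 and TLSv1.1 to jdk.tls.disabledAlgorithms, keeping existing entries.
     *  JSSE caches this property when its classes load, so call this before the
     *  first SSLContext is created (assumption: nothing else has touched TLS yet). */
    static void disableLegacyTls() {
        Set<String> entries = new LinkedHashSet<>();
        String current = Security.getProperty(PROP);
        if (current != null) {
            for (String e : current.split(",")) {
                String t = e.trim();
                if (!t.isEmpty()) entries.add(t);
            }
        }
        entries.addAll(LEGACY);
        Security.setProperty(PROP, String.join(", ", entries));
    }

    public static void main(String[] args) throws Exception {
        boolean enforce = args.length > 0 && "--enforce".equals(args[0]);
        if (enforce) disableLegacyTls(); // must precede defaultProtocols()
        System.out.println(PROP + " = " + Security.getProperty(PROP));
        List<String> enabled = defaultProtocols();
        System.out.println("default protocols: " + enabled);
        System.out.println(legacyEnabled(enabled)
            ? "WARNING: TLS 1.0/1.1 still enabled by default in this JVM"
            : "OK: TLS 1.0/1.1 disabled by default in this JVM");
    }
}
```

Run it without arguments against each candidate build to see which default an automated intake pipeline would actually pick up; running with --enforce shows the effect an application can get on its own, while a fleet-wide change still belongs in java.security or on the command line via -Djava.security.properties.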

