TLSv1.3 - is it available now in Java 8?

Question

Recently I noticed that some SMTP (mail) clients trying to connect to SMTP server by using STARTTLS command and specifying TLSv1.3 version during handshake.. Currently TLSv1.2 and a few other options is enabled. So, could it be that TLSv1.3 is available now? Or hackers again playing :)?

Answer 1

July 2022 (seven years later):

Sean Mullan (Java Security Tech Lead at Oracle, and lead of OpenJDK Security Group) just announced:

In Oracle's July CPU release (released today), we have enabled TLS 1.3 by default on the client in JDK 8u341.

TLS 1.3 is now enabled by default on both the client and the server on all Oracle Java releases which support TLS 1.3 (8, 11, 17, 18).

Answer 2

It isn't available anywhere. It's not even a proper draft yet, let alone an RFC. Just a wish list as far as I can determine.

EDIT Obviously this was an expiring answer, as TLS 1.3 was always going to become a standard and widely adopted one day. It has now happened and is available in late versions of Java 1.8.

Answer 3

Now that TLSv1.3 is no longer in draft, it's possible to have a final(ish) implementation of it.

TLSv1.3 seems to be in Java 11 and later and I don't see any indication of support being added to any previous versions of Java. Sounds like it's time to start looking seriously as Oracle's faster-release schedule for Java and getting on the bus.

(Please note that this answer was originally submitted in 2018. It is no longer accurate, and answers with most up-to-date information are available with higher rankings.)

Answer 4

TLS 1.3 has now officially been back-ported to Java 8. :)

• Since 8u261-b12 from Oracle JDK: https://www.oracle.com/java/technologies/javase/8u261-relnotes.html
• Since 8u262-b10 from AdoptOpenJDK (Eclipse Adoptium)

Crypto road map: https://java.com/en/jre-jdk-cryptoroadmap.html

Answer 5

For anyone interested and/or looking forward to TLSv1.3 support in Java 8. Azul just recently released JDK 8 build with TLSv.1.3 support available.

https://www.azul.com/press_release/azul-systems-brings-updated-transport-layer-security-to-java-se-8/

OpenJSSE, an open source implementation of TLS 1.3 for Java SE 8, and has included it in the latest releases of its Zulu Community and Zulu Enterprise products. Source code, example use cases and documentation for this essential security standard are available on GitHub under the OpenJSSE project at https://github.com/OpenJSSE/openjsse.

The TLS 1.3 standard was released in August 2018 and is a successor to TLS 1.2 and previous Secure Sockets Layer (SSL) standards that have been part of Internet-based secure communications for many years. TLS 1.3 support has been included in Java since September 2018 as part of Java SE 11, but support has not been provided in earlier versions of Java.

Today, nearly all production Java applications are based upon the earlier Java SE 8 standard, and many developers continue to prefer to deploy software that can make use of the vast number of libraries, applications, and utilities that only work on Java SE 8. Existing Java SE 8 implementations, however, only support TLS up to version 1.2.

Zulu builds of OpenJDK 8 now include the OpenJSSE TLS 1.3 JSSE provider, which can be used to enable TLS 1.3 support with no application or code changes. The OpenJSSE provider included with Zulu 8 can also be used programmatically to code to TLS 1.3 and RSASSA-PSS capabilities not directly available via the Java SE 8 APIs. A release of Azul’s Zing JVM supporting TLS 1.3 with Java 8 will be made generally available by the end of July.