4

I have a Java application that connects to an IMAP store and checks for messages. This runs on Ubuntu 20.04.2 LTS (focal) on AWS. It is running on Java 11 (OpenJDK).

All was working fine until, on the 21st April 2021, the Java version was automatically updated to OpenJDK 11.0.11. At this point, after restarting the application, I was getting these exceptions:

javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
        at java.base/sun.security.ssl.HandshakeContext.<init>(HandshakeContext.java:170)
        at java.base/sun.security.ssl.ClientHandshakeContext.<init>(ClientHandshakeContext.java:98)
        at java.base/sun.security.ssl.TransportContext.kickstart(TransportContext.java:221)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:433)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:411)
        at com.sun.mail.util.SocketFetcher.configureSSLSocket(SocketFetcher.java:549)
        at com.sun.mail.util.SocketFetcher.createSocket(SocketFetcher.java:354)
        at com.sun.mail.util.SocketFetcher.getSocket(SocketFetcher.java:237)
        at com.sun.mail.iap.Protocol.<init>(Protocol.java:116)
        at com.sun.mail.imap.protocol.IMAPProtocol.<init>(IMAPProtocol.java:115)
        at com.sun.mail.imap.IMAPStore.newIMAPProtocol(IMAPStore.java:685)
        at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:636)
        ... 24 more

I just downgraded back to OpenJDK 11.0.7 2020-04-14, and everything went back to normal.

Did something major happen between versions 11.0.7 and 11.0.11 to the java.security policies or supported ciphers?

Any way to fix this issue apart from holding the version on 11.0.7?

jbx
  • 195

1 Answer

5

OpenJDK 11.0.11 (changelog) addressed issue JDK-8202343, disabling support for TLS versions 1.0 and 1.1 by default:

TLS 1.0 and 1.1 are versions of the TLS protocol that are no longer considered secure and have been superseded by more secure and modern versions (TLS 1.2 and 1.3).

These versions have now been disabled by default. If you encounter issues, you can, at your own risk, re-enable the versions by removing "TLSv1" and/or "TLSv1.1" from the jdk.tls.disabledAlgorithms security property in the java.security configuration file.

It is likely that your mail.imap.ssl.protocols property setting (thanks to dave_thompson_085 for mentioning this) and/or the IMAP server you are trying to connect to has TLS 1.0 or 1.1 enabled, but not any newer, currently recommended version.

Ben N
  • 42,308
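
The two things the answer points at can be checked from the JVM itself. The following is an added example, not code from the question or the answer: it reads the `jdk.tls.disabledAlgorithms` security property, lists the protocols the default `SSLContext` enables, and reports which tokens of a `mail.imap.ssl.protocols` value are still usable. The class name `TlsProtocolCheck` and the sample property values are assumptions made for illustration.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import javax.net.ssl.SSLContext;

public class TlsProtocolCheck {  // hypothetical class name

    // Entries of the jdk.tls.disabledAlgorithms security property, compared case-insensitively.
    static Set<String> disabledEntries() {
        Set<String> entries = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
        String prop = Security.getProperty("jdk.tls.disabledAlgorithms");
        if (prop != null) {
            for (String entry : prop.split(",")) {
                if (!entry.isBlank()) entries.add(entry.trim());
            }
        }
        return entries;
    }

    // mail.imap.ssl.protocols is a whitespace-separated list; keep the tokens the JDK has not disabled.
    static List<String> usable(String mailSslProtocols, Set<String> disabled) {
        List<String> ok = new ArrayList<>();
        for (String p : mailSslProtocols.trim().split("\\s+")) {
            if (!p.isEmpty() && !disabled.contains(p)) ok.add(p);
        }
        return ok;
    }

    public static void main(String[] args) throws Exception {
        Set<String> disabled = disabledEntries();
        String[] defaults = SSLContext.getDefault().getDefaultSSLParameters().getProtocols();
        System.out.println("java.version       = " + System.getProperty("java.version"));
        System.out.println("TLSv1 disabled     = " + disabled.contains("TLSv1"));
        System.out.println("TLSv1.1 disabled   = " + disabled.contains("TLSv1.1"));
        System.out.println("enabled by default = " + Arrays.toString(defaults));

        // Constructed sample values; pass the real mail.imap.ssl.protocols value as arguments instead.
        String[] values = args.length > 0
                ? new String[] { String.join(" ", args) }
                : new String[] { "TLSv1", "TLSv1 TLSv1.1", "TLSv1.1 TLSv1.2", "TLSv1.2 TLSv1.3" };
        for (String value : values) {
            List<String> ok = usable(value, disabled);
            System.out.println("mail.imap.ssl.protocols=\"" + value + "\" -> "
                    + (ok.isEmpty() ? "no usable protocol (SSLHandshakeException expected)" : "usable: " + ok));
        }
    }
}
```

Java 11 can run this directly with `java TlsProtocolCheck.java`. If the configured value still leaves TLSv1.2 usable, the remaining cause named in the answer is the IMAP server offering only TLS 1.0 or 1.1.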