{
  "id": "java/ssl-exception-no-appropriate-protocol",
  "signature": "javax.net.ssl.SSLException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)",
  "signature_zh": "javax.net.ssl.SSLException：没有合适的协议（协议被禁用或密码套件不合适）",
  "regex": "javax\\.net\\.ssl\\.SSLException: No appropriate protocol \\(protocol is disabled or cipher suites are inappropriate\\)",
  "domain": "java",
  "category": "network_error",
  "subcategory": null,
  "root_cause": "This error occurs when the client and server cannot agree on a TLS protocol version, often because older protocols like TLSv1 or TLSv1.1 have been disabled by default in Java 11+ (jdk.tls.disabledAlgorithms) and the server only supports those deprecated versions.",
  "root_cause_type": "generic",
  "root_cause_zh": "当客户端和服务器无法就TLS协议版本达成一致时发生，通常是因为Java 11+默认禁用了TLSv1或TLSv1.1等旧协议（通过jdk.tls.disabledAlgorithms），而服务器只支持这些已弃用的版本。",
  "versions": [
    {
      "version": "Java 11",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Java 17",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Java 21",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "OpenJDK 11.0.20",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "OpenJDK 17.0.8",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "Setting the system property -Dhttps.protocols=TLSv1.2,TLSv1.3 globally",
      "why_fails": "This only sets the client's preferred protocols but does not override the disabled algorithm list; if the server only offers TLSv1.1, the connection still fails.",
      "fail_rate": 0.6,
      "condition": "",
      "sources": []
    },
    {
      "action": "Upgrading the server to support TLSv1.2 without client-side changes",
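      "why_fails": "The exception is raised on the client, so this only helps when the server can actually be upgraded; if it cannot (e.g., legacy mainframe), the client must explicitly enable the deprecated protocol. Where the upgrade is possible, it is the preferred fix because the client keeps the JDK's default protocol restrictions.",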
      "fail_rate": 0.7,
      "condition": "",
      "sources": []
    },
    {
      "action": "Ignoring the error and retrying the connection indefinitely",
      "why_fails": "The protocol mismatch is a configuration issue; retrying will not resolve the underlying incompatibility.",
      "fail_rate": 0.9,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Add the system property -Djdk.tls.client.protocols=TLSv1.1,TLSv1.2 to the JVM startup arguments to explicitly enable the deprecated protocol (e.g., TLSv1.1) that the server supports.",
      "success_rate": 0.85,
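      "how": "Add the system property -Djdk.tls.client.protocols=TLSv1.1,TLSv1.2 to the JVM startup arguments to explicitly enable the deprecated protocol (e.g., TLSv1.1) that the server supports. This property does not override jdk.tls.disabledAlgorithms, so it has no effect for a protocol that is still listed there. Enabling TLSv1.1 weakens the connection, so apply it only to the JVM that talks to the legacy server and remove it once the server supports TLSv1.2 or later.",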
      "condition": "",
      "sources": []
    },
    {
      "action": "Modify the java.security file (located at $JAVA_HOME/conf/security/java.security) to remove 'TLSv1, TLSv1.1' from the jdk.tls.disabledAlgorithms property, then restart the application.",
      "success_rate": 0.9,
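      "how": "Modify the java.security file (located at $JAVA_HOME/conf/security/java.security) to remove 'TLSv1, TLSv1.1' from the jdk.tls.disabledAlgorithms property, then restart the application. This file is shared by every application that runs on that JDK installation, so the change re-enables the deprecated protocols for all of them; treat it as a temporary measure until the server supports TLSv1.2 or later.",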
      "condition": "",
      "sources": []
    },
    {
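      "action": "For Apache HttpClient, configure the client with an SSLContext created for TLSv1.1: `SSLContext sslContext = SSLContext.getInstance(\"TLSv1.1\"); sslContext.init(null, trustAllCerts, new SecureRandom());` Note that `trustAllCerts` in this snippet turns off server certificate validation, which is unrelated to the protocol error.",
      "success_rate": 0.8,
      "how": "For Apache HttpClient, configure the client with an SSLContext created for TLSv1.1: `SSLContext sslContext = SSLContext.getInstance(\"TLSv1.1\"); sslContext.init(null, trustAllCerts, new SecureRandom());` The `trustAllCerts` argument is a trust manager array that, as its name indicates, accepts any server certificate; it turns off certificate validation and is not needed to resolve the protocol error, so pass `null` as the second argument to keep the JDK's default trust managers. A protocol that is still listed in jdk.tls.disabledAlgorithms is not negotiated even when the context is created this way.",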
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "Add the system property -Djdk.tls.client.protocols=TLSv1.1,TLSv1.2 to the JVM startup arguments to explicitly enable the deprecated protocol (e.g., TLSv1.1) that the server supports.",
    "Modify the java.security file (located at $JAVA_HOME/conf/security/java.security) to remove 'TLSv1, TLSv1.1' from the jdk.tls.disabledAlgorithms property, then restart the application.",
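    "For Apache HttpClient, configure the client with an SSLContext created for TLSv1.1: `SSLContext sslContext = SSLContext.getInstance(\"TLSv1.1\"); sslContext.init(null, trustAllCerts, new SecureRandom());` Note that `trustAllCerts` in this snippet turns off server certificate validation, which is unrelated to the protocol error; pass `null` as the second argument to keep the JDK's default trust managers."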
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://docs.oracle.com/en/java/javase/17/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-6F2F5B1A-9B9C-4E3E-9A5A-5B5C5D5E5F5A",
  "official_doc_section": null,
  "error_code": null,
  "verification_tier": "ai_generated",
  "confidence": 0.85,
  "fix_success_rate": 0.8,
  "resolvable": "true",
  "first_seen": "2023-06-15",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}