Disable the ability to handshake with TLS 1.0 , 1.1

[za3ter2p]

TLS 1.0 , 1.1 support is deprecated and considered not recommended to support on server TLS level and browser level.

you can test browser through these websites for e.g:

https://browserleaks.com/ssl

https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html

[za3ter2p]

Also additional improvement is to remove all weak SHA-1 ciphers support from ECDHE , RSA...etc

[hrj]

Good ideas.

Somewhat related: I would like to remove the okHttp dependency and use HttpClient introduced in Java 11. We initially added okHttp for the HTTP2 support, but that is now officially supported by JRE itself.

PRs and discussions welcome.

[itsreallylit]

How about creating a properties file that lists the disabled ciphers and TLSv1?

https://stackoverflow.com/questions/41181696/disabling-tlsv1-0-in-java8

If the properties file approach is acceptable, what's an approved location for the properties file?

[hrj]

If the properties file approach is acceptable, what's an approved location for the properties file?

I haven't been working with the code in a while, so can't point you to a definite location right now. But if you make a PR for it, I will gladly review and merge it.