google · gbrodman · Mar 9, 2026 · Mar 6, 2026
diff --git a/networking/src/main/java/google/registry/networking/handler/SslServerInitializer.java b/networking/src/main/java/google/registry/networking/handler/SslServerInitializer.java
@@ -70,10 +70,10 @@ public class SslServerInitializer<C extends Channel> extends ChannelInitializer<
   /**
    * The list of cipher suites that are currently acceptable to create a successful handshake.
    *
-   * <p>This list includes all of the current TLS1.3 ciphers and a collection of TLS1.2 ciphers with
-   * no known security vulnerabilities. Note that OpenSSL uses a separate nomenclature for the
-   * ciphers internally but the IANA names listed here will be transparently translated by the
-   * OpenSSL provider (if used), so there is no need to include the OpenSSL name variants here. More
+   * <p>This list includes all the current TLS1.3 ciphers and a collection of TLS1.2 ciphers with no
+   * known security vulnerabilities. Note that OpenSSL uses a separate nomenclature for the ciphers
+   * internally but the IANA names listed here will be transparently translated by the OpenSSL
+   * provider (if used), so there is no need to include the OpenSSL name variants here. More
    * information about these cipher suites and their OpenSSL names can be found at ciphersuite.info.
    */
   private static final ImmutableList<String> ALLOWED_TLS_CIPHERS =
@@ -90,6 +90,10 @@ public class SslServerInitializer<C extends Channel> extends ChannelInitializer<
           "TLS_AES_128_CCM_SHA256",
           "TLS_AES_128_CCM_8_SHA256");
 
+  /** Thankfully, the JDK supports TLS version 1.3 now. */
+  private static final ImmutableList<String> SUPPORTED_TLS_VERSIONS =
+      ImmutableList.of("TLSv1.3", "TLSv1.2");
+
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
   private final boolean requireClientCert;
   // TODO(jianglai): Always validate client certs (if required).
@@ -99,7 +103,6 @@ public class SslServerInitializer<C extends Channel> extends ChannelInitializer<
   // change when the artifacts on GCS changes.
   private final Supplier<PrivateKey> privateKeySupplier;
   private final Supplier<ImmutableList<X509Certificate>> certificatesSupplier;
-  private final ImmutableList<String> supportedSslVersions;
 
   public SslServerInitializer(
       boolean requireClientCert,
@@ -116,12 +119,6 @@ public SslServerInitializer(
     this.sslProvider = sslProvider;
     this.privateKeySupplier = privateKeySupplier;
     this.certificatesSupplier = certificatesSupplier;
-    this.supportedSslVersions =
-        sslProvider == SslProvider.OPENSSL
-            ? ImmutableList.of("TLSv1.3", "TLSv1.2")
-            // JDK support for TLS 1.3 won't be available until 2021-04-20 at the earliest.
-            // See: https://java.com/en/jre-jdk-cryptoroadmap.html
-            : ImmutableList.of("TLSv1.2");
   }
 
   @Override
@@ -133,7 +130,7 @@ protected void initChannel(C channel) throws Exception {
             .sslProvider(sslProvider)
             .trustManager(InsecureTrustManagerFactory.INSTANCE)
             .clientAuth(requireClientCert ? ClientAuth.REQUIRE : ClientAuth.NONE)
-            .protocols(supportedSslVersions)
+            .protocols(SUPPORTED_TLS_VERSIONS)
             .ciphers(ALLOWED_TLS_CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
             .build();