Skip to content

The Data Backbone for Intelligent Data Centers. Join the webinar
JavaHiveMQ Release

Critical Java Security Update: TLS_RSA Deprecation in JDK-21.0.10 and JDK-25 Can Cause MQTT Connection Failures

by HiveMQ Team

Recent Java Runtime Environment updates introduce security changes that can cause MQTT connection failures.
If you plan to upgrade to JDK 21.0.10 (released January 20, 2026) or JDK 25 (released September 16, 2025), read this article to understand the impact and prepare your HiveMQ deployment.

What Changed in JDK-21.0.10 and JDK-25

Oracle introduced two critical security updates in recent JDK releases:

  1. TLS_RSA cipher suites are disabled by default
    The JVM now rejects these cipher suites during TLS handshakes due to a lack of forward secrecy.
  2. SHA-1 signatures disabled for TLS 1.2 / DTLS 1.2
    The JVM no longer accepts SHA-1 signatures during handshakes because the algorithm is no longer considered cryptographically secure.

These changes improve platform security but remove compatibility with legacy MQTT clients that depend on RSA key-exchange ciphers.

Important: These changes are introduced by the Java platform vendor Oracle, not by HiveMQ. However, they directly affect how MQTT clients connect to any HiveMQ deployment running on the updated JDK.

How This Affects You

These JDK changes affect all HiveMQ components:

  • HiveMQ Platform
  • HiveMQ Community Edition (CE)
  • HiveMQ Edge
  • HiveMQ Platform Operator for Kubernetes
  • MQTT CLI and other client tools

After upgrading the underlying JDK, connections will fail immediately for MQTT clients using a deprecated RSA cipher suite.

Your HiveMQ TLS configuration remains unchanged, but the JVM refuses the handshake.

Native SSL Users Are Not Affected: HiveMQ deployments configured with Native SSL use the BoringSSL library (currently 2.0.74), not the JDK SSL implementation, and use TLS_ECDHE_RSA cipher suites (unless the cipher suite defaults are explicitly overridden).

Determine if You Are Affected

Follow these steps before updating your Java runtime or Docker image:

  1. Review All Cipher Suites in Use
    Check the cipher suites used for all connections in your MQTT clients, load balancers, and HiveMQ instances.
    Ensure that none of the deprecated TLS_RSA_* cipher suites are in active use.
  2. Monitor Logs After Upgrading
    Even if no deprecated connections are found, monitor for connection problems after upgrading.
    Check for TLS handshake failures, such as SSLHandshakeException with messages like "no cipher suites in common."

Special Note on HiveMQ Edge: The HiveMQ Edge 2026.2 Docker container (released February 9, 2026) ships with JDK 25.0.1. Connection problems are unlikely because clients typically connect to the broker rather than from it. Monitor Edge logs and apply the temporary mitigation if problems occur.

Recommended Action

Update Your Clients

If you identify connections using deprecated cipher suites, update the MQTT client to a newer version that supports non-deprecated cipher suites. For production systems, long-term best practice is to use forward-secret ECDHE-based cipher suites, such as:

  • TLS_ECDHE_RSA_*
  • TLS_ECDHE_ECDSA_*
  • TLS 1.3 ciphers

Modern forward-secret ECDHE-based cipher suites remain fully compatible with all current Java versions and provide significantly improved security.

Apply a Temporary Workaround (If Client Updates Are Not Yet Possible)

If you cannot update all affected clients immediately, choose one of these temporary options:

  • Option 1: Delay the JDK Upgrade
    Remain temporarily on Java 21.0.9 or an equivalent version. Be aware that staying on older patch levels means missing other security fixes.
  • Option 2: Re-enable Disabled Ciphers
    If you must run on Java 21.0.10+ or Java 25, override jdk.tls.disabledAlgorithms property to restore RSA cipher suite support temporarily. To remove TLS_RSA from the list in your java.security file or via system properties, at startup, set (or add to) the JAVA_OPTS environment variable:

Set the JAVA_OPTS environment variable (line breaks added for readability):

JAVA_OPTS="-Djdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DTLSv1.0, \
  RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, \
  anon, NULL, ECDH"

The example reverts to the JDK-21.0.9 defaults and restores RSA cipher support.

Critical Security Considerations:

  • Re-enabling weaker ciphers removes forward secrecy
  • Use only as a temporary measure with a clear migration deadline
  • Do not re-enable SHA-1 handshake signatures unless clearly necessary and fully risk-assessed

Technical Details

Disabled Cipher Suites

The following TLS_RSA cipher suites (among others) are now blocked in JDK 21.0.10 and JDK 25:

  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA

Additional Resources

To stay up-to-date on HiveMQ product and Java runtime updates, follow the HiveMQ Product Release Notes.

Questions or concerns? Contact HiveMQ. Our team monitors these updates closely and can help you navigate the migration.

HiveMQ Team

Team HiveMQ shares deep expertise in MQTT, Industrial AI, IoT data streaming, Unified Namespace (UNS), and Industrial IoT protocols. Our blogs explore real-world challenges, practical deployment guidance, and best practices for building modern, reliable, and a secure data backbone on the HiveMQ platform, along with thought leadership shaping the future of the connected world.

We’re on a mission to build the Industrial AI Platform that transforms industrial data into real-time intelligence, actionable insights, and measurable business outcomes.

Our experts are here to support your journey. Have questions? We’re happy to help. Contact us.

HiveMQ logo
HiveMQ Reviews
Review HiveMQ on G2