
TLSv1.3 support for Cloudstack #12784

@mbertolina

The required feature described as a wish

Is there a plan to support TLSv1.3 in the CloudStack environment (Management server, agent, SystemVM templates)?

Current CLOUDSTACK VERSION: 4.22
Component name: Management server, agent, SystemVM template, APIs.

From what I can see (if I am not wrong), TLSv1.2 is the only version supported.
https://github.com/apache/cloudstack/blob/main/utils/src/main/java/org/apache/cloudstack/utils/security/SSLUtils.java#L69

When forcing the Java runtime environment to use TLSv1.3 only on both the management server and the host side using update-crypto-policies on RHEL9, the CloudStack agent sends TLSv1.2 in the TLS hello message, making the TLS session impossible and reporting the following error messages:

```
#  java -XshowSettings:security:all -version
:
    Security TLS configuration (SunJSSE provider):
        Enabled Protocols:
            TLSv1.3

        Enabled Cipher Suites:
            TLS_AES_256_GCM_SHA384
            TLS_AES_128_GCM_SHA256
            TLS_CHACHA20_POLY1305_SHA256

openjdk version "21.0.10" 2026-01-20 LTS
OpenJDK Runtime Environment (Red_Hat-21.0.10.0.7-1) (build 21.0.10+7-LTS)
OpenJDK 64-Bit Server VM (Red_Hat-21.0.10.0.7-1) (build 21.0.10+7-LTS, mixed mode, sharing)
# 
# tail -f /var/log/cloudstack/agent/agent.log
:
2026-03-06 13:59:04,994 INFO  [utils.nio.Link] (main:[]) (logid:) Conf file found: /etc/cloudstack/agent/agent.properties
2026-03-06 13:59:05,020 ERROR [utils.nio.NioClient] (main:[]) (logid:) IOException while connecting to 108.145.116.84:8250 javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
        at java.base/sun.security.ssl.HandshakeContext.<init>(HandshakeContext.java:163)
        at java.base/sun.security.ssl.ClientHandshakeContext.<init>(ClientHandshakeContext.java:103)
        at java.base/sun.security.ssl.TransportContext.kickstart(TransportContext.java:252)
        at java.base/sun.security.ssl.SSLEngineImpl.beginHandshake(SSLEngineImpl.java:107)
        at com.cloud.utils.nio.NioClient.init(NioClient.java:73)
        at com.cloud.utils.nio.NioConnection.start(NioConnection.java:109)
        at com.cloud.agent.Agent.start(Agent.java:338)
        at com.cloud.agent.AgentShell.launchNewAgent(AgentShell.java:477)
        at com.cloud.agent.AgentShell.launchAgentFromClassInfo(AgentShell.java:454)
        at com.cloud.agent.AgentShell.launchAgent(AgentShell.java:438)
        at com.cloud.agent.AgentShell.start(AgentShell.java:539)
        at com.cloud.agent.AgentShell.main(AgentShell.java:569)

2026-03-06 13:59:05,020 ERROR [utils.nio.NioClient] (main:[]) (logid:) Unable to initialize the threads. javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
        at java.base/sun.security.ssl.HandshakeContext.<init>(HandshakeContext.java:163)
        at java.base/sun.security.ssl.ClientHandshakeContext.<init>(ClientHandshakeContext.java:103)
        at java.base/sun.security.ssl.TransportContext.kickstart(TransportContext.java:252)
        at java.base/sun.security.ssl.SSLEngineImpl.beginHandshake(SSLEngineImpl.java:107)
        at com.cloud.utils.nio.NioClient.init(NioClient.java:73)
        at com.cloud.utils.nio.NioConnection.start(NioConnection.java:109)
        at com.cloud.agent.Agent.start(Agent.java:338)
        at com.cloud.agent.AgentShell.launchNewAgent(AgentShell.java:477)
        at com.cloud.agent.AgentShell.launchAgentFromClassInfo(AgentShell.java:454)
        at com.cloud.agent.AgentShell.launchAgent(AgentShell.java:438)
        at com.cloud.agent.AgentShell.start(AgentShell.java:539)
        at com.cloud.agent.AgentShell.main(AgentShell.java:569)

2026-03-06 13:59:05,020 INFO  [utils.nio.NioClient] (main:[]) (logid:) NioClient connection closed
2026-03-06 13:59:05,020 INFO  [cloud.agent.Agent] (main:[]) (logid:) Attempted to connect to the server, but received an unexpected exception, trying again... com.cloud.utils.exception.NioConnectionException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
        at com.cloud.utils.nio.NioConnection.start(NioConnection.java:115)
        at com.cloud.agent.Agent.start(Agent.java:338)
        at com.cloud.agent.AgentShell.launchNewAgent(AgentShell.java:477)
        at com.cloud.agent.AgentShell.launchAgentFromClassInfo(AgentShell.java:454)
        at com.cloud.agent.AgentShell.launchAgent(AgentShell.java:438)
        at com.cloud.agent.AgentShell.start(AgentShell.java:539)
        at com.cloud.agent.AgentShell.main(AgentShell.java:569)
Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
        at java.base/sun.security.ssl.HandshakeContext.<init>(HandshakeContext.java:163)
        at java.base/sun.security.ssl.ClientHandshakeContext.<init>(ClientHandshakeContext.java:103)
        at java.base/sun.security.ssl.TransportContext.kickstart(TransportContext.java:252)
        at java.base/sun.security.ssl.SSLEngineImpl.beginHandshake(SSLEngineImpl.java:107)
        at com.cloud.utils.nio.NioClient.init(NioClient.java:73)
        at com.cloud.utils.nio.NioConnection.start(NioConnection.java:109)
        ... 6 more
#
```
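
Added example, not part of the original issue and not CloudStack's code: a standalone JSSE reproduction of the failure reported above, where a client `SSLEngine` pinned to TLSv1.2 runs under a policy that leaves only TLSv1.3 enabled, next to a variant that intersects the wanted protocols with what the runtime policy allows. The class name, the `negotiable` helper, the placeholder host name and the in-process `Security.setProperty` call (standing in for the RHEL crypto policy) are assumptions made for the illustration.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;

public class TlsProtocolMismatchDemo {

    // Hypothetical helper: keep only the wanted protocols that the JRE policy still enables.
    static String[] negotiable(SSLEngine engine, List<String> wanted) {
        List<String> enabledByPolicy = Arrays.asList(engine.getEnabledProtocols());
        return wanted.stream().filter(enabledByPolicy::contains).toArray(String[]::new);
    }

    // Starts a client handshake with the given protocol list and reports the outcome.
    static String tryHandshake(SSLContext ctx, String... protocols) throws Exception {
        // Placeholder peer; beginHandshake() on an SSLEngine does no network I/O.
        SSLEngine engine = ctx.createSSLEngine("mgmt.example.invalid", 8250);
        engine.setUseClientMode(true);
        engine.setEnabledProtocols(protocols);
        try {
            engine.beginHandshake();
            return Arrays.toString(protocols) + " -> handshake started";
        } catch (SSLException e) {
            return Arrays.toString(protocols) + " -> " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Emulate a TLSv1.3-only policy; must run before JSSE classes are first loaded.
        Security.setProperty("jdk.tls.disabledAlgorithms", "SSLv3, TLSv1, TLSv1.1, TLSv1.2");
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);

        // Client pinned to TLSv1.2 only: no active protocol is left once policy is applied.
        System.out.println(tryHandshake(ctx, "TLSv1.2"));

        // Client that prefers TLSv1.3, accepts TLSv1.2, and respects the runtime policy.
        SSLEngine probe = ctx.createSSLEngine();
        String[] usable = negotiable(probe, List.of("TLSv1.3", "TLSv1.2"));
        if (usable.length == 0) {
            throw new IllegalStateException("JRE policy enables none of the wanted TLS versions");
        }
        System.out.println(tryHandshake(ctx, usable));
    }
}
```

The same pair of calls is a quick check for any JSSE client against a hardened JRE: compare the protocol list the application sets explicitly with `getEnabledProtocols()` on a default engine, since an empty intersection fails in `HandshakeContext` before any packet leaves the host.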
