I'm just gathering some information about SSL/TLS within Java, as we are using netty without even knowing what TLS protocol we are using currently. Our application runs on Java7, so an SSLSocket will run with TLS1 by default and SSL3 is not even activated. That I know now.
Assuming my client runs on Java8 (that uses by default TLS1.2) and the target server only supports TLS1.1, is JSSE now using an automatic fallback routine to negotiate a connection with TLS1.1? Or do I have to implement this specifically? If yes, where would I have to do that?
I couldn't find a clear point for that in the JSSE documentation.
is JSSE now using an automatic fallback ...?
It doesn't have to.
A TLS client sends the highest version of the TLS protocol it can support. The server replies with the TLS version it wants to use, which is the lower of the highest version the server supports and the version sent by the client. If the client supports that version, the handshake proceeds. So it is actually the server that does the fallback.
This is all specified in RFC 2246. It is not peculiar to Java.
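
The negotiation rule described in the answer can be checked against a JVM's own defaults before deploying. The following is an added example, not code from the original post or from JSSE: the class name `TlsVersionPreflight`, the `negotiate` helper and the sample protocol sets are assumptions made for illustration. It reads the protocols JSSE enables by default on the running JVM and models the client-offer/server-choice step for a server that only supports TLS 1.1.

```java
import javax.net.ssl.SSLContext;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

public class TlsVersionPreflight {
    // JSSE protocol names, lowest to highest. Names outside this list
    // (e.g. SSLv2Hello, TLSv1.3) are ignored by this model.
    static final List<String> ORDER = Arrays.asList("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2");

    static int highest(Collection<String> protocols) {
        int best = -1;
        for (String p : protocols) best = Math.max(best, ORDER.indexOf(p));
        return best;
    }

    /** Returns the version both sides settle on, or null if the handshake would fail. */
    static String negotiate(Collection<String> clientEnabled, Collection<String> serverSupported) {
        int offered = highest(clientEnabled);      // client hello carries the client's highest version
        if (offered < 0) return null;
        int chosen = -1;                           // server: highest it supports, capped at the offer
        for (String p : serverSupported) {
            int i = ORDER.indexOf(p);
            if (i <= offered) chosen = Math.max(chosen, i);
        }
        if (chosen < 0) return null;               // server has nothing at or below the offer
        String version = ORDER.get(chosen);
        // The client continues only if the server's choice is one it has enabled.
        return clientEnabled.contains(version) ? version : null;
    }

    public static void main(String[] args) throws Exception {
        // Real JSSE call: what this JVM enables for a default client socket.
        List<String> local = Arrays.asList(
                SSLContext.getDefault().getDefaultSSLParameters().getProtocols());
        List<String> server = Arrays.asList("TLSv1.1");   // constructed: the server from the question

        System.out.println("Enabled by default on this JVM: " + local);
        System.out.println("This JVM vs " + server + " -> " + negotiate(local, server));

        // Constructed client configurations for comparison.
        List<String> wide = Arrays.asList("TLSv1", "TLSv1.1", "TLSv1.2");
        List<String> narrow = Arrays.asList("TLSv1.2");   // e.g. after setEnabledProtocols
        System.out.println(wide + " vs " + server + " -> " + negotiate(wide, server));     // TLSv1.1
        System.out.println(narrow + " vs " + server + " -> " + negotiate(narrow, server)); // null
    }
}
```

A `null` result for the running JVM means the server's only version is not among the client's enabled protocols, so the handshake fails rather than falling back. On a live connection, the version actually negotiated is available from `SSLSocket.getSession().getProtocol()`.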