diff --git a/demo/demo-springmvc/springmvc-client/src/main/resources/microservice.yaml b/demo/demo-springmvc/springmvc-client/src/main/resources/microservice.yaml
index 7c18a5aa3b0..d123e21f247 100644
--- a/demo/demo-springmvc/springmvc-client/src/main/resources/microservice.yaml
+++ b/demo/demo-springmvc/springmvc-client/src/main/resources/microservice.yaml
@@ -145,6 +145,9 @@ cse:
 - rest://localhost:8080?sslEnabled=false&urlPrefix=%2Fapi
 #########SSL options
+# open jdk 8 now TLSv1.3 not available
+# ssl.protocols: TLSv1.3
+# ssl.ciphers: TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384
 ssl.protocols: TLSv1.2
 ssl.authPeer: true
 ssl.checkCN.host: false
diff --git a/demo/demo-springmvc/springmvc-server/src/main/resources/microservice.yaml b/demo/demo-springmvc/springmvc-server/src/main/resources/microservice.yaml
index bf81a54905a..5c76a8abdb0 100644
--- a/demo/demo-springmvc/springmvc-server/src/main/resources/microservice.yaml
+++ b/demo/demo-springmvc/springmvc-server/src/main/resources/microservice.yaml
@@ -87,6 +87,9 @@ servicecomb:
 availableZone: my-Zone
 codec.printErrorMessage: true
 #########SSL options
+# open jdk 8 now TLSv1.3 not available
+# ssl.protocols: TLSv1.3
+# ssl.ciphers: TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384
 ssl.protocols: TLSv1.2
 ssl.authPeer: true
 ssl.checkCN.host: true
diff --git a/foundations/foundation-ssl/src/main/java/org/apache/servicecomb/foundation/ssl/SSLManager.java b/foundations/foundation-ssl/src/main/java/org/apache/servicecomb/foundation/ssl/SSLManager.java
index 82c28f724ce..aeb54ffab7f 100644
--- a/foundations/foundation-ssl/src/main/java/org/apache/servicecomb/foundation/ssl/SSLManager.java
+++ b/foundations/foundation-ssl/src/main/java/org/apache/servicecomb/foundation/ssl/SSLManager.java
@@ -34,6 +34,8 @@ import javax.net.ssl.TrustManager;
 import javax.net.ssl.X509ExtendedTrustManager;
+import org.apache.commons.lang.StringUtils;
+
 /**
  * 根据传递的SSLOption构造SSL上下文。请参考JSSE获取相关API的层次参考。
  *
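Review bot: The comment `# open jdk 8 now TLSv1.3 not available` is already stale, because later OpenJDK 8 update releases backported TLS 1.3, so a reader on such a build cannot tell whether the commented settings may be enabled; `# TLSv1.3 needs JDK 11+ or a JDK 8 update release that includes it; keep TLSv1.2 otherwise` states the boundary. The commented example also lists `ssl.protocols: TLSv1.3` alone, which, once uncommented, disables TLSv1.2 and with it any peer that lacks TLS 1.3 support; `ssl.protocols: TLSv1.3,TLSv1.2` is the safer example to leave in a demo. The same two comments appear in the springmvc-server microservice.yaml hunk that follows.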
@@ -214,10 +216,14 @@ private static String[] getEnabledCiphers(String[] supported,
 return r;
 }
- public static String[] getEnabledCiphers(String enabledCiphers) {
+ public static String[] getEnabledCiphers(SSLOption sslOption) {
 SSLOption option = new SSLOption();
- option.setProtocols("TLSv1.2");
- option.setCiphers(enabledCiphers);
+ if (StringUtils.isNotEmpty(sslOption.getProtocols())) {
+ option.setProtocols(sslOption.getProtocols());
+ } else {
+ option.setProtocols("TLSv1.2");
+ }
+ option.setCiphers(sslOption.getCiphers());
 SSLCustom custom = SSLCustom.defaultSSLCustom();
 SSLSocket socket = createSSLSocket(option, custom);
 return socket.getEnabledCipherSuites();
diff --git a/foundations/foundation-ssl/src/test/java/org/apache/servicecomb/foundation/ssl/SSLManagerTest.java b/foundations/foundation-ssl/src/test/java/org/apache/servicecomb/foundation/ssl/SSLManagerTest.java
index 87eee1aac09..71758fa3cff 100644
--- a/foundations/foundation-ssl/src/test/java/org/apache/servicecomb/foundation/ssl/SSLManagerTest.java
+++ b/foundations/foundation-ssl/src/test/java/org/apache/servicecomb/foundation/ssl/SSLManagerTest.java
@@ -34,12 +34,12 @@ import javax.net.ssl.SSLSocketFactory;
 import org.junit.Test;
+import org.junit.jupiter.api.Assertions;
 import mockit.Expectations;
 import mockit.Mock;
 import mockit.MockUp;
 import mockit.Mocked;
-import org.junit.jupiter.api.Assertions;
 public class SSLManagerTest {
 private final String DIR = Thread.currentThread().getContextClassLoader().getResource("").getPath();
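Review bot: Dropping the public `getEnabledCiphers(String)` overload at the top of the hunk is a source-incompatible change for any caller outside this repository; keeping it as a deprecated delegate (`@Deprecated public static String[] getEnabledCiphers(String enabledCiphers) { SSLOption o = new SSLOption(); o.setCiphers(enabledCiphers); return getEnabledCiphers(o); }`) costs three lines and, provided a fresh SSLOption carries no protocols, reproduces the old TLSv1.2 behaviour through the new else branch. That fallback is also only reachable from callers other than the VertxTLSBuilder hunk at the end of this diff, which calls `sslOption.getProtocols().split(",")` unguarded two lines before this method and so throws on a null protocols value first; one shared guard would make the two agree. `StringUtils.isNotEmpty` additionally passes a whitespace-only protocols value straight to `setProtocols`, where `StringUtils.isNotBlank` would take the TLSv1.2 fallback as intended. The method still has no Javadoc; it should state that the result is whatever the JSSE provider leaves enabled for the configured protocol and cipher lists, which (judging from the updated tests) presumably includes the TLSv1.3 suites only when TLSv1.3 is among the protocols. The `SSLSocket` created on the last lines is never closed, as was the case before the change.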
@@ -122,12 +122,12 @@ public char[] decode(char[] encrypted) {
 serverSocket.bind(new InetSocketAddress("127.0.0.1", 8886));
 String[] protos = serverSocket.getEnabledCipherSuites();
 String[] protosExpected =
- "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
+ "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
 .split(",");
 Assertions.assertArrayEquals(protos, protosExpected);
 String[] ciphers = serverSocket.getEnabledCipherSuites();
 String[] ciphersExpected =
- "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
+ "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
 .split(",");
 Assertions.assertArrayEquals(ciphers, ciphersExpected);
 Assertions.assertTrue(serverSocket.getNeedClientAuth());
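Review bot: Both `protos` and `ciphers` in this hunk are read from `serverSocket.getEnabledCipherSuites()`, so the test compares the same cipher list twice and never checks the enabled protocols, which is the thing this commit changes; `String[] protos = serverSocket.getEnabledProtocols();` with a matching expected list would cover it. The new expected values hard-code the TLSv1.3 suites `TLS_AES_128_GCM_SHA256` and `TLS_AES_256_GCM_SHA384`, so the test now fails on any JDK build without TLS 1.3, which the demo microservice.yaml comment in this same diff says JDK 8 is; either gate the expectation on `Arrays.asList(serverSocket.getSupportedProtocols()).contains("TLSv1.3")` or document the minimum JDK the module's tests require. The `assertArrayEquals(protos, protosExpected)` calls also pass actual before expected, which inverts the failure message. The client-side block in the `@@ -136` hunk that follows has the same three issues.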
@@ -136,12 +136,12 @@ public char[] decode(char[] encrypted) {
 SSLSocket clientsocket = SSLManager.createSSLSocket(clientoption, custom);
 String[] clientprotos = clientsocket.getEnabledCipherSuites();
 String[] clientprotosExpected =
- "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
+ "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
 .split(",");
 Assertions.assertArrayEquals(clientprotos, clientprotosExpected);
 String[] clientciphers = clientsocket.getEnabledCipherSuites();
 String[] clientciphersExpected =
- "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
+ "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
 .split(",");
 Assertions.assertArrayEquals(clientciphers, clientciphersExpected);
 Assertions.assertFalse(clientsocket.getNeedClientAuth());
@@ -460,7 +460,10 @@ public char[] decode(char[] encrypted) {
 @Test
 public void testGetSupportedCiphers() {
- String[] ciphers = SSLManager.getEnabledCiphers("TLS_RSA_WITH_AES_128_GCM_SHA256");
+ SSLOption option = new SSLOption();
+ option.setCiphers("TLS_RSA_WITH_AES_128_GCM_SHA256");
+ option.setProtocols("TLSv1.2");
+ String[] ciphers = SSLManager.getEnabledCiphers(option);
 Assertions.assertEquals(ciphers[0], "TLS_RSA_WITH_AES_128_GCM_SHA256");
 }
 }
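Review bot: The rewritten `testGetSupportedCiphers` in the `@@ -460` hunk sets `TLSv1.2` explicitly, so the new else branch in `SSLManager.getEnabledCiphers` (empty protocols falling back to TLSv1.2) has no coverage; a second case that leaves `option.setProtocols` out and asserts the same result would pin that fallback. `Assertions.assertEquals(ciphers[0], ...)` also indexes without first asserting `ciphers.length == 1`, so a provider that has this suite disabled reports an ArrayIndexOutOfBoundsException rather than an assertion failure, and its actual/expected arguments are reversed.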
diff --git a/foundations/foundation-ssl/src/test/java/org/apache/servicecomb/foundation/ssl/SSLOptionTest.java b/foundations/foundation-ssl/src/test/java/org/apache/servicecomb/foundation/ssl/SSLOptionTest.java
index 31334409e0d..67ae3828499 100644
--- a/foundations/foundation-ssl/src/test/java/org/apache/servicecomb/foundation/ssl/SSLOptionTest.java
+++ b/foundations/foundation-ssl/src/test/java/org/apache/servicecomb/foundation/ssl/SSLOptionTest.java
@@ -59,12 +59,12 @@ public void testSSLOption() {
 String protocols = option.getProtocols();
 option.setProtocols(protocols);
- Assertions.assertEquals("TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello", protocols);
+ Assertions.assertEquals("TLSv1.3,TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello", protocols);
 String ciphers = option.getCiphers();
 option.setCiphers(ciphers);
 Assertions.assertEquals(
- "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SH"
+ "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SH"
 + "A,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA",
 ciphers);
diff --git a/foundations/foundation-ssl/src/test/resources/client.ssl.properties b/foundations/foundation-ssl/src/test/resources/client.ssl.properties
index 82209e75c81..4d25cd495bb 100644
--- a/foundations/foundation-ssl/src/test/resources/client.ssl.properties
+++ b/foundations/foundation-ssl/src/test/resources/client.ssl.properties
@@ -16,8 +16,8 @@
 #
 #########SSL options
-ssl.protocols=TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello
-ssl.ciphers=TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
+ssl.protocols=TLSv1.3,TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello
+ssl.ciphers=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
 ssl.authPeer=true
 ssl.checkCN.host=false
 ssl.checkCN.white=true
diff --git a/foundations/foundation-ssl/src/test/resources/server.ssl.properties b/foundations/foundation-ssl/src/test/resources/server.ssl.properties
index 7adfb36bd4f..aec677c2387 100644
--- a/foundations/foundation-ssl/src/test/resources/server.ssl.properties
+++ b/foundations/foundation-ssl/src/test/resources/server.ssl.properties
@@ -16,8 +16,8 @@
 #
 #########SSL options
-ssl.protocols=TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello
-ssl.ciphers=TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
+ssl.protocols=TLSv1.3,TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello
+ssl.ciphers=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
 ssl.authPeer=true
 ssl.checkCN.host=true
 ssl.checkCN.white=true
diff --git a/foundations/foundation-vertx/src/main/java/org/apache/servicecomb/foundation/vertx/VertxTLSBuilder.java b/foundations/foundation-vertx/src/main/java/org/apache/servicecomb/foundation/vertx/VertxTLSBuilder.java
index 8fa1e89c1a2..fae651c4512 100644
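Review bot: The new `ssl.protocols` line puts TLSv1.3 in front of TLSv1.1, TLSv1 and SSLv2Hello, and `ssl.ciphers` keeps the CBC and DHE_DSS suites behind the two new AEAD suites; since SSLManagerTest presumably builds real sockets from these files and asserts the exact enabled list, those expectations now depend on which legacy protocols and suites the running JDK's `jdk.tls.disabledAlgorithms` leaves enabled. If the fixtures exist only to exercise parsing, a comment such as `# test fixture: legacy protocols and suites kept on purpose, not a recommended configuration` stops them from being copied as reference config; otherwise trimming to `ssl.protocols=TLSv1.3,TLSv1.2` and the GCM suites is the defensible setting. The server.ssl.properties hunk that follows carries the same two lists.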
--- a/foundations/foundation-vertx/src/main/java/org/apache/servicecomb/foundation/vertx/VertxTLSBuilder.java
+++ b/foundations/foundation-vertx/src/main/java/org/apache/servicecomb/foundation/vertx/VertxTLSBuilder.java
@@ -154,7 +154,7 @@ private static TCPSSLOptions buildTCPSSLOptions(SSLOption sslOption, SSLCustom s
 tcpClientOptions
 .setEnabledSecureTransportProtocols(new HashSet<>(Arrays.asList(sslOption.getProtocols().split(","))));
- for (String cipher : SSLManager.getEnabledCiphers(sslOption.getCiphers())) {
+ for (String cipher : SSLManager.getEnabledCiphers(sslOption)) {
 tcpClientOptions.addEnabledCipherSuite(cipher);
 }