Java app fails to connect to peer due to error due unsupported TLS 1.0 since JBP v4.38

Article ID: 297445

Updated On:

Products

VMware Tanzu Application Service for VMs

Resolution

Checklist:

After upgrading the Java Buildpack to v4.38 or above, a Java app fails to connect to some external services over TLS 1.0/1.1 with the following error message:

javax.net.ssl.SSLHandshakeException: The server selected protocol version TLS10 is not accepted by client preferences [TLS12]

Since Java Buildpack v4.38, the bundled OpenJDK versions are 1.8.0_292, 11.0.11_9 and 16.0.1_9. These Java versions disable TLS 1.0 and 1.1 by default, so if the peer only supports TLS 1.0 or 1.1, the TLS handshake fails with the error message above.

TLS 1.0 and 1.1 require and use weak algorithms such as 3DES and SHA-1. They lack support for stronger and more modern algorithms and ciphers that are supported or required in TLS 1.2 and 1.3. They have also been vulnerable to a number of attacks over the years. 
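As an added illustration (not code from the original article), the following Java program reports which TLS protocol versions the running JDK offers by default and which it merely supports, together with the `jdk.tls.disabledAlgorithms` security property that controls the default set. Running it under the JDK of a pre-v4.38 buildpack and again under a v4.38+ JDK shows `TLSv1` and `TLSv1.1` moving from the enabled list to the supported-but-disabled list, which is exactly the condition behind the "not accepted by client preferences" handshake error. The class name is an assumption.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

// Hypothetical diagnostic class: prints the JDK's default TLS client protocol policy.
public class TlsProtocolCheck {

    // Protocols the default SSLContext will offer in a ClientHello.
    static List<String> enabledProtocols() throws Exception {
        return Arrays.asList(SSLContext.getDefault().getDefaultSSLParameters().getProtocols());
    }

    // Protocols the provider implements, including ones disabled by policy.
    static List<String> supportedProtocols() throws Exception {
        return Arrays.asList(SSLContext.getDefault().getSupportedSSLParameters().getProtocols());
    }

    public static void main(String[] args) throws Exception {
        List<String> enabled = enabledProtocols();
        List<String> supported = supportedProtocols();

        System.out.println("java.version               = " + System.getProperty("java.version"));
        System.out.println("enabled by default         = " + enabled);
        System.out.println("supported by provider      = " + supported);
        // The disabled list lives in $JAVA_HOME/conf/security/java.security (lib/security on JDK 8).
        System.out.println("jdk.tls.disabledAlgorithms = " + Security.getProperty("jdk.tls.disabledAlgorithms"));

        // Flag the legacy versions that a TLS 1.0/1.1-only peer would need.
        for (String legacy : new String[] {"TLSv1", "TLSv1.1"}) {
            if (supported.contains(legacy) && !enabled.contains(legacy)) {
                System.out.println(legacy + ": implemented but disabled by default; a peer that only"
                        + " offers it will fail the handshake with 'not accepted by client preferences'");
            } else if (enabled.contains(legacy)) {
                System.out.println(legacy + ": enabled by default (pre-v4.38 behaviour)");
            }
        }
    }
}
```

Compile and run it with the same JDK the app is staged with (`javac TlsProtocolCheck.java && java TlsProtocolCheck`); the output tells you before a deployment whether a given peer's protocol version will be negotiable, rather than discovering it from the exception at connect time.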

The recommendation is to upgrade the TLS version on the peer side to v1.2 or above. If the peer's TLS version cannot be upgraded immediately, the following steps can be used as a temporary workaround only:

  1. Download an offline Java Buildpack release prior to v4.38.
  2. Use `cf create-buildpack` to add that buildpack to TAS at the lowest position, so that other apps continue to auto-detect the current Java Buildpack.
  3. Pin the impacted app to the older buildpack with `cf push -b` or with the `buildpacks` attribute in its deployment manifest.