[8u] RFR : TLSv1.3 protocol support

Martin Balao mbalao at redhat.com
Tue Jun 16 14:50:07 UTC 2020


On 6/16/20 2:12 AM, Alexey Bakhtin wrote:
> It seems two more issues are missing from the list:
> JDK-8161973 : PKIXRevocationChecker.getSoftFailExceptions() not working

Is that part of Step 1? If I remember correctly, 8161973 will be an
independent backport after Step 1.

> JDK-8242294: JSSE Client does not throw SSLException when an alert occurs during handshaking
> 

Good catch. I'll add it to the list of bugs to be backported later (not
in Step 1).

Updated lists below. Let me know if there is anything else.

Regards,
Martin.-


--

Step 1 (8245468) COVERED - 11.0.7
..............................

 * JDK-8196584: TLS 1.3 Implementation
 * JDK-8212885: TLS 1.3 resumed session does not retain peer certificate
chain
 * JDK-8211806: TLS 1.3 handshake server name indication is missing on a
session resume
 * JDK-8207009: TLS 1.3 half-close and synchronization issues
 * JDK-8211866: TLS 1.3 CertificateRequest message sometimes offers
disallowed signature algorithms
 * JDK-8210334: TLS 1.3 server fails if ClientHello doesn't have
pre_shared_key and psk_key_exchange_modes
 * JDK-8214688: TLS 1.3 session resumption with hello retry request
failed with "illegal_parameter"
 * JDK-8210846: TLSv.1.3 interop problems with OpenSSL 1.1.1 when used
on the client side with mutual auth
 * JDK-8217610: TLSv1.3 fail with ClassException when EC keys are stored
in PKCS11
 * JDK-8221253: TLSv1.3 may generate TLSInnerPlainText longer than
2^14+1 bytes
 * JDK-8216045: The size of key_exchange may be wrong on FFDHE
 * JDK-8209965: The "supported_groups" extension in ServerHellos
 * JDK-8214098: sun.security.ssl.HandshakeHash.T12HandshakeHash
constructor check backwards.
 * JDK-8208166: Still unable to use custom SSLEngine with default
TrustManagerFactory after JDK-8207029
 * JDK-8214339: SSLSocketImpl erroneously wraps SocketException
 * JDK-8207237: SSLSocket#setEnabledCipherSuites is accepting empty string
 * JDK-8216326: SSLSocket stream close() does not close the associated
socket
 * JDK-8206355: SSLSessionImpl.getLocalPrincipal() throws NPE
 * JDK-8207317: SSLEngine negotiation fail exception behavior changed
from fail-fast to fail-lazy
 * JDK-8145854: SSLContextImpl.statusResponseManager should be generated
if required
 * JDK-8214129: SSL session resumption/SNI with TLS1.2 causes
StackOverflowError
 * JDK-8207223: SSL Handshake failures are reported with more generic
SSLException
 * JDK-8210989: RSASSA-PSS certificate cannot be selected for client
auth on TLSv1.2
 * JDK-8165275: Replace the reflective call to the implUpdate method in
HandshakeMessage::digestKey
 * JDK-8206176: Remove the temporary tls13VN field
 * JDK-8213202: Possible race condition in TLS 1.3 session resumption
 * JDK-8213782: NullPointerException in
sun.security.ssl.OutputRecord.changeWriteCiphers
 * JDK-8209916: NPE in SupportedGroupsExtension
 * JDK-8210974: No extensions debug log for ClientHello
 * JDK-8214321: Misleading code in SSLCipher
 * JDK-8236039: JSSE Client does not accept status_request extension in
CertificateRequest messages for TLS 1.3
 * JDK-8028518: Increase the priorities of GCM cipher suites
 * JDK-8212738: Incorrectly named signature scheme ecdsa_secp512r1_sha512
 * JDK-8215524: Finished message validation failure should be
decrypt_error alert
 * JDK-8221270: Duplicated synchronized keywords in SSLSocketImpl
 * JDK-8215790: Delegated task created by SSLEngine throws
java.nio.BufferUnderflowException
 * JDK-8219389: Delegated task created by SSLEngine throws
BufferUnderflowException
 * JDK-8225766: Curve in certificate should not affect signature scheme
when using TLSv1.3
 * JDK-8206929: Check session context for TLS 1.3 session resumption
 * JDK-8229733: TLS message handling improvements
 * JDK-8207029: Unable to use custom SSLEngine with default
TrustManagerFactory after updating to JDK 11 b21
 * JDK-8233954: UnsatisfiedLinkError or NoSuchAlgorithmException after
removing sunec.dll
 * JDK-8223482: Unsupported ciphersuites may be offered by a TLS client
 * JDK-4919790: Errors in alert ssl message does not reflect the actual
certificate status
 * JDK-8218889: Improperly use of the Optional API

MISSING 11.0.8 - important
..............................

 * JDK-8239798: SSLSocket closes socket both socket endpoints on a
SocketTimeoutException
 * JDK-8223940: Private key not supported by chosen signature algorithm
 * JDK-8211339: NPE during SSL handshake caused by HostnameChecker
 * JDK-8242141: New System Properties to configure the TLS signature schemes
 * JDK-8215711: Missing key_share extension for (EC)DHE key exchange
should alert missing_extension
 * JDK-8237474: Default SSLEngine should create in server role
 * JDK-8234728: Some security tests should support TLSv1.3
 * JDK-8234725: sun/security/ssl/SSLContextImpl tests support TLSv1.3
 * JDK-8205653:
test/jdk/sun/management/jmxremote/bootstrap/RmiRegistrySslTest.java and
RmiSslBootstrapTest.sh fail with handshake_failure
 * JDK-8209333: Socket reset issue for TLS 1.3 socket close
 * JDK-8228757: Fail fast if the handshake type is unknown
 * JDK-8235263: Revert TLS 1.3 change that wrapped IOExceptions
 * JDK-8235311: Tag mismatch may alert bad_record_mac
 * JDK-8234727: sun/security/ssl/X509TrustManagerImpl tests support TLSv1.3
 * JDK-8235874: The ordering of Cipher Suites is not maintained provided
through "jdk.tls.client.cipherSuites" and "jdk.tls.server.cipherSuites"
system property.
 * JDK-8205111: Develop new Test to verify different key types for
supported TLS protocols.
 * JDK-8235183: Remove the "HACK CODE" in comment
 * JDK-8242294: JSSE Client does not throw SSLException when an alert
occurs during handshaking

MISSING 11.0.8 - not SSL strictly but related
..............................

 * JDK-7092821: java.security.Provider.getService() is synchronized and
became scalability bottleneck
 * JDK-8148188: Enhance the security libraries to record events of interest



More information about the jdk8u-dev mailing list