[8u] RFR : TLSv1.3 protocol support

Alexey Bakhtin alexey at azul.com
Thu Mar 5 20:08:42 UTC 2020


Hello All,

Could you please review the initial implementation of TLSv1.3 protocol support in JDK8u?
Most of these changes are direct copies of the TLS implementation from OpenJDK 11.0.6-ga, but adjusted for JDK 8u.
This is a single patch for all functionality including tests, so it could be easily applied to the current state of jdk8u and tested. If required, the patch can be divided into smaller reviews for different functional parts or features.

There is a difference between JDK11 and JDK8 public API, so it is not possible to implement all TLS related features available in JDK11.
Below is a list of features included/excluded from the proposed 8u TLS 1.3 backport:

1. DTLS support (JEP-219) [2] [3]
    - JDK8 does not have public API required for DTLS implementation
    - All DTLS related code is removed from the 8u TLS 1.3 backport

2. OCSP Stapling implementation (JEP-249) [4] [5]
    - This feature introduces new public API in the javax.net.ssl.ExtendedSSLSession class
    - OCSP Stapling can be supported in 8u TLS 1.3 without additional API.
    - Proposed patch includes OCSP Stapling implementation but it is disabled by default. It can be enabled by the "jdk.tls.client.enableStatusRequestExtension" System Property

3. ChaCha20 and Poly1305 CipherSuite support (JEP-329) [6] [7] [8]
    - Chacha20-Poly1305 AEAD cipher suites can be supported in 8u TLS 1.3 without additional public API
    - Chacha20-Poly1305 cipher suite support is not backported to JDK11 so it is not included in the 8u TLS 1.3 backport
    - Support of Chacha20-Poly1305 cipher suites could be added later by separate patch

4. Authenticator on a HttpURLConnection (JDK-8169495) [9]
    - This feature cannot be supported in 8u TLS 1.3 backport without additional public API
    - The code for this feature was removed from the 8u TLS 1.3 backport

5. TLS_KRB5 cipher suites (RFC 2712) [10]
    - JDK8 includes support for TLS_KRB5 cipher suites according to RFC2712
    - OpenJDK 11.0.6-ga does not support TLS_KRB5 cipher suites
    - Proposed 8u TLS 1.3 backport DOES NOT support TLS_KRB5 cipher suites
    - Support for TLS_KRB5 cipher suites will be added later as part of this or separate review

Webrev :  http://cr.openjdk.java.net/~dcherepanov/tls1.3/webrev.v1/

[1] https://openjdk.java.net/jeps/332
[2] https://openjdk.java.net/jeps/219
[3] https://bugs.openjdk.java.net/browse/JDK-8043758
[4] https://openjdk.java.net/jeps/249
[5] https://bugs.openjdk.java.net/browse/JDK-8046321
[6] https://openjdk.java.net/jeps/329
[7] https://bugs.openjdk.java.net/browse/JDK-8153028
[8] https://bugs.openjdk.java.net/browse/JDK-8140466
[9] https://bugs.openjdk.java.net/browse/JDK-8169495
[10] https://tools.ietf.org/html/rfc2712


Regards,
Alexey
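
The feature list in the message above can be checked against a running JDK with a small probe. This is an added example, not part of the message or of the proposed patch; the class name `Tls13BackportCheck` is hypothetical, and the only identifier taken from the message is the `jdk.tls.client.enableStatusRequestExtension` property.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

// Hypothetical probe: reports which TLS features the running JDK exposes.
public class Tls13BackportCheck {

    // True if any supported cipher suite name contains the given marker.
    static boolean hasSuite(String[] suites, String marker) {
        for (String s : suites) {
            if (s.contains(marker)) return true;
        }
        return false;
    }

    // True if the provider can create an SSLContext for the given protocol name.
    static boolean hasContext(String protocol) {
        try {
            SSLContext.getInstance(protocol);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Property named in the message; stapling is disabled by default in the
        // proposed patch. Set it before JSSE is first used so it is picked up.
        System.setProperty("jdk.tls.client.enableStatusRequestExtension", "true");

        SSLParameters supported = SSLContext.getDefault().getSupportedSSLParameters();
        String[] suites = supported.getCipherSuites();
        boolean tls13 = Arrays.asList(supported.getProtocols()).contains("TLSv1.3");

        System.out.println("java.version        : " + System.getProperty("java.version"));
        System.out.println("TLSv1.3 protocol    : " + tls13);
        System.out.println("TLS 1.3 AES suites  : " + hasSuite(suites, "TLS_AES_"));
        System.out.println("ChaCha20-Poly1305   : " + hasSuite(suites, "CHACHA20"));
        System.out.println("TLS_KRB5 suites     : " + hasSuite(suites, "TLS_KRB5_"));
        System.out.println("DTLS SSLContext     : " + hasContext("DTLS"));

        // A build that is expected to carry TLS 1.3 support fails the check otherwise.
        if (!tls13) System.exit(1);
    }
}
```

Running the probe on a stock 8u build and again on a patched build shows the delta directly: TLSv1.3 should appear, while the TLS_KRB5 suites that stock JDK8 supports are not supported by the proposed backport.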

