[8u] RFR : TLSv1.3 protocol support

Andrew Hughes gnu.andrew at redhat.com
Fri Mar 6 06:49:18 UTC 2020


On 05/03/2020 20:08, Alexey Bakhtin wrote:
> Hello All,
> 
> Could you please review the initial implementation of TLSv1.3 protocol support in JDK8u?
> Most of these changes are direct copies of the TLS implementation from OpenJDK 11.0.6-ga, but adjusted for JDK 8u.
> This is a single patch for all functionality including tests, so it could be easily applied to the current state of jdk8u and tested. If required, the patch can be divided into smaller reviews for different functional parts or features.
> 
> There is a difference between JDK11 and JDK8 public API, so it is not possible to implement all TLS related features available in JDK11.
> Below is a list of features included/excluded from the proposed 8u TLS 1.3 backport:
> 
> 1. DTLS support (JEP-219) [2] [3]
>     - JDK8 does not have public API required for DTLS implementation
>     - All DTLS related code is removed from the 8u TLS 1.3 backport
> 
> 2. OCSP Stapling implementation (JEP-249) [4] [5]
>     - This feature introduces new public API in the javax.net.ssl.ExtendedSSLSession class
>     - OCSP Stapling can be supported in 8u TLS 1.3 without additional API.
>     - Proposed patch includes OCSP Stapling implementation but it is disabled by default. It can be enabled by “jdk.tls.client.enableStatusRequestExtension” System Property
> 
> 3. ChaCha20 and Poly1305 CipherSuite support (JEP-329) [6] [7] [8]
>     - Chacha20-Poly1305 AEAD cipher suites can be supported in 8u TLS 1.3 without additional public API
>     - Chacha20-Poly1305 cipher suite support is not backported to JDK11 so it is not included in the 8u TLS 1.3 backport
>     - Support of Chacha20-Poly1305 cipher suites could be added later by separate patch
> 
> 4. Authenticator on a HttpURLConnection (JDK-8169495) [9]
>     - This feature cannot be supported in 8u TLS 1.3 backport without additional public API
>     - The code for this feature was removed from the 8u TLS 1.3 backport
> 
> 5. TLS_KRB5 cipher suites (RFC 2712) [10]
>     - JDK8 includes support for TLS_KRB5 cipher suites according to RFC2712
>     - OpenJDK 11.0.6-ga does not support TLS_KRB5 cipher suites
>     - Proposed 8u TLS 1.3 backport DOES NOT support TLS_KRB5 cipher suites
>     - Support for TLS_KRB5 cipher suites will be added later as part of this or separate review
> 
> Webrev :  http://cr.openjdk.java.net/~dcherepanov/tls1.3/webrev.v1/
> 
> [1] https://openjdk.java.net/jeps/332
> [2] https://openjdk.java.net/jeps/219
> [3] https://bugs.openjdk.java.net/browse/JDK-8043758
> [4] https://openjdk.java.net/jeps/249
> [5] https://bugs.openjdk.java.net/browse/JDK-8046321
> [6] https://openjdk.java.net/jeps/329
> [7] https://bugs.openjdk.java.net/browse/JDK-8153028
> [8] https://bugs.openjdk.java.net/browse/JDK-8140466
> [9] https://bugs.openjdk.java.net/browse/JDK-8169495
> [10] https://tools.ietf.org/html/rfc2712
> 
> 
> Regards,
> Alexey
> 

Which bugs are being backported by this webrev?

Thanks,
-- 
Andrew :)

Senior Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222
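
A runtime check of the feature list in the quoted request, as an added example that is not part of either message or of the webrev (the class and helper names are hypothetical). It reports what the running JVM's default SSLContext supports for each listed item, using only javax.net.ssl calls that exist in JDK 8.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added example: TlsBackportCheck and its helpers are hypothetical names.
public class TlsBackportCheck {

    // Entries (protocol or cipher suite names) that contain the given marker.
    static List<String> containing(String[] names, String marker) {
        List<String> hits = new ArrayList<>();
        for (String n : names) {
            if (n.contains(marker)) {
                hits.add(n);
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        // "Supported" is everything the provider can negotiate,
        // not only what is enabled by default.
        SSLParameters supported = SSLContext.getDefault().getSupportedSSLParameters();
        String[] protocols = supported.getProtocols();
        String[] suites = supported.getCipherSuites();

        System.out.println("java.version:        " + System.getProperty("java.version"));
        System.out.println("Supported protocols: " + Arrays.toString(protocols));
        System.out.println("TLSv1.3 supported:   " + Arrays.asList(protocols).contains("TLSv1.3"));

        // Item 1: DTLS code is removed, so no DTLS protocol names are expected.
        System.out.println("DTLS protocols:      " + containing(protocols, "DTLS"));
        // TLS 1.3 suites carry no key-exchange part, e.g. TLS_AES_128_GCM_SHA256.
        System.out.println("TLS 1.3 AES suites:  " + containing(suites, "TLS_AES_"));
        // Item 3: ChaCha20-Poly1305 suites are not part of this backport.
        System.out.println("ChaCha20 suites:     " + containing(suites, "CHACHA20"));
        // Item 5: TLS_KRB5 suites are dropped until a later patch.
        System.out.println("TLS_KRB5 suites:     " + containing(suites, "TLS_KRB5_"));

        // Item 2: client-side OCSP stapling is off unless this property is set.
        String prop = "jdk.tls.client.enableStatusRequestExtension";
        System.out.println(prop + " = " + System.getProperty(prop, "(unset)"));
    }
}
```

Running it on the unpatched and the patched 8u build gives a side-by-side view of which protocol and cipher suite names appear or disappear with the backport.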



More information about the jdk8u-dev mailing list