[8u] RFR : TLSv1.3 protocol support

Alexey Bakhtin alexey at azul.com
Fri Mar 6 10:19:15 UTC 2020 

Hello Andrew,

This webrev covers bug fixes from the initial TLSv1.3 implementation (JDK-8196584) till OpenJDK 11.0.6-ga repository state :

8196584: TLS 1.3 Implementation
8206355: SSLSessionImpl.getLocalPrincipal() throws NPE
8207029: Unable to use custom SSLEngine with default TrustManagerFactory after updating to JDK 11 b21
8206929: Check session context for TLS 1.3 session resumption
8207250: setUseClientMode post handshake with the same value as before does not throw IAE
8207223: SSL Handshake failures are reported with more generic SSLException
8207237: SSLSocket#setEnabledCipherSuites is accepting empty string
8208166: Still unable to use custom SSLEngine with default TrustManagerFactory after JDK-8207029
8207009: TLS 1.3 half-close and synchronization issues
8206176: Remove the temporary tls13VN field
8207317: SSLEngine negotiation fail exception behavior changed from fail-fast to fail-lazy
8209916: NPE in SupportedGroupsExtension
8210846: TLSv.1.3 interop problems with OpenSSL 1.1.1 when used on the client side with mutual auth
8208209: Improve TLS connection stability again
8208350: Disable all DES cipher suites
8209916: NPE in SupportedGroupsExtension
8210846: TLSv.1.3 interop problems with OpenSSL 1.1.1 when used on the client side with mutual auth
8210334: TLS 1.3 server fails if ClientHello doesn't have pre_shared_key and psk_key_exchange_modes
8211806: TLS 1.3 handshake server name indication is missing on a session resume
8211883: Disable anon and NULL cipher suites
8209965: The "supported_groups" extension in ServerHellos
8210974: No extensions debug log for ClientHello
8212885: TLS 1.3 resumed session does not retain peer certificate chain
8213202: Possible race condition in TLS 1.3 session resumption
8214688: TLS 1.3 session resumption with hello retry request failed with “illegal_parameter"
8217579: TLS_EMPTY_RENEGOTIATION_INFO_SCSV is disabled after 8211883
8214129: SSL session resumption/SNI with TLS1.2 causes StackOverflowError
8213782: NullPointerException in sun.security.ssl.OutputRecord.changeWriteCiphers
8214339: SSLSocketImpl erroneously wraps SocketException
8210989: RSASSA-PSS certificate cannot be selected for client auth on TLSv1.2
8215443: The use of TransportContext.fatal() leads to bad coding style
8215790: Delegated task created by SSLEngine throws java.nio.BufferUnderflowException
8219389: Delegated task created by SSLEngine throws BufferUnderflowException
8216045: The size of key_exchange may be wrong on FFDHE
8210985: Update the default SSL session cache size to 20480
8221253: TLSv1.3 may generate TLSInnerPlainText longer than 2^14+1 bytes
8148188: Enhance the security libraries to record events of interest
8215281: Use String.isEmpty() when applicable in java.base
8216326: SSLSocket stream close() does not close the associated socket
8218863: Better endpoint checks
8218873: Improve JSSE endpoint checking
8222678: Improve TLS negotiation
8216039: TLS with BC and RSASSA-PSS breaks ECDHServerKeyExchange
8223482: Unsupported ciphersuites may be offered by a TLS client
8214098: sun.security.ssl.HandshakeHash.T12HandshakeHash constructor check backwards.
8228825: Enhance ECDSA operations
8218580: endpoint identification algorithm should be case-insensitive
8200381: Typos in javadoc - missing verb "be" and alike
8211866: TLS 1.3 CertificateRequest message sometimes offers disallowed signature algorithms
8212738: Incorrectly named signature scheme ecdsa_secp512r1_sha512
8212752: Typo in SSL log message related to inactive/disabled signature scheme
8214321: Misleading code in SSLCipher
8215524: Finished message validation failure should be decrypt_error alert
8217610: TLSv1.3 fail with ClassException when EC keys are stored in PKCS11
8233954: UnsatisfiedLinkError or NoSuchAlgorithmException after removing sunec.dll
8225766: Curve in certificate should not affect signature scheme when using TLSv1.3
8229728: Implement negotiation parameters
8231780: Better TLS messaging support
8227758: More valid PKIX processing
8236039: JSSE Client does not accept status_request extension in CertificateRequest messages for TLS 1.3

Regards
Alexey

> On 6 Mar 2020, at 09:49, Andrew Hughes <gnu.andrew at redhat.com> wrote:
> 
> On 05/03/2020 20:08, Alexey Bakhtin wrote:
>> Hello All,
>> 
>> Could you please review the initial implementation of TLSv1.3 protocol support in JDK8u.
>> Most of these changes are direct copies of TLS implementation from OpenJDK 11.0.6-ga, but adjusted for JDK 8u.
>> This is a single patch for all functionality including tests, so it could be easily applied to the current state of jdk8u and tested. If required, the patch can be divided into smaller reviews for different functional parts or features.
>> 
>> There is a difference between JDK11 and JDK8 public API, so it is not possible to implement all TLS related features available in JDK11.
>> Below is a list of features included/excluded from the proposed 8u TLS 1.3 backport:
>> 
>> 1. DTLS support (JEP-219) [2] [3]
>>    - JDK8 does not have public API required for DTLS implementation
>>    - All DTLS related code is removed from the 8u TLS 1.3 backport
>> 
>> 2. OCSP Stapling implementation (JEP-249) [4] [5]
>>    - This feature introduces new public API in the  javax.net.ssl.ExtendedSSLSession class
>>    -  OCSP Stapling can be supported in 8u TLS 1.3 without additional API.
>>    -  Proposed patch includes OCSP Stapling implementation but it is disabled by default. It can be enabled by “jdk.tls.client.enableStatusRequestExtension” System Property
>> 
>> 3. ChaCha20 and Poly1305 CipherSuite support (JEP-329) [6] [7] [8]
>>    - Chacha20-Poly1305 AEAD cipher suites can be supported in 8u TLS 1.3 without additional public API
>>    - Chacha20-Poly1305 cipher suite support is not backported to JDK11 so it is not included in the 8u TLS 1.3 backport
>>    - Support of Chacha20-Poly1305 cipher suites could be added later by separate patch
>> 
>> 4. Authenticator on a HttpURLConnection (JDK-8169495) [9]
>>    - This feature can not be supported in 8u TLS 1.3 backport without additional public API
>>    - The code for this feature was removed from the 8u TLS 1.3 backport
>> 
>> 5. TLS_KRB5 cipher suites (RFC 2712) [10]
>>    - JDK8 includes support for TLS_KRB5 cipher suites according to RFC2712
>>    - OpenJDK 11.0.6-ga does not support TLS_KRB5 cipher suites
>>    - Proposed 8u TLS 1.3 backport DOES NOT support TLS_KRB5 cipher suites
>>    - Support for TLS_KRB5 cipher suites will be added later as part of this or separate review
>> 
>> Webrev :  http://cr.openjdk.java.net/~dcherepanov/tls1.3/webrev.v1/
>> 
>> [1] https://openjdk.java.net/jeps/332
>> [2] https://openjdk.java.net/jeps/219
>> [3] https://bugs.openjdk.java.net/browse/JDK-8043758
>> [4] https://openjdk.java.net/jeps/249
>> [5] https://bugs.openjdk.java.net/browse/JDK-8046321
>> [6] https://openjdk.java.net/jeps/329
>> [7] https://bugs.openjdk.java.net/browse/JDK-8153028
>> [8] https://bugs.openjdk.java.net/browse/JDK-8140466
>> [9] https://bugs.openjdk.java.net/browse/JDK-8169495
>> [10] https://tools.ietf.org/html/rfc2712
>> 
>> 
>> Regards,
>> Alexey
>> 
> 
> Which bugs are being backported by this webrev?
> 
> Thanks,
> --
> Andrew :)
> 
> Senior Free Java Software Engineer
> Red Hat, Inc. (http://www.redhat.com)
> 
> PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
> Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222
>

More information about the jdk8u-dev mailing list