TLSv1.3 TLS_CHACHA20_POLY1305_SHA256 ciphersuite support/backport for JDK 11 LTS ?
PGNet Dev
pgnet.dev at gmail.com
Thu Aug 1 00:46:57 UTC 2019
Although JDK 11 already contains TLSv1.3 protocol support.
TLS 1.3 Implementation
https://bugs.openjdk.java.net/browse/JDK-8202625
JDK-8145252 : JEP 332: Transport Layer Security (TLS) 1.3
https://bugs.java.com/bugdatabase/view_bug.do?bug_id=8145252
and, 'related' bugs suggest ChaCha20 cipher support is 'in',
JDK-8153029 : ChaCha20 Cipher Implementation (11 b17, "Fixed")
https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8140466
JDK-8140466 : ChaCha20 and Poly1305 TLS Cipher Suites
https://bugs.java.com/bugdatabase/view_bug.do?bug_id=8140466 (12 b12, "Fixed")
TLSv1.3 connections via JDBC, using TSLv1.3 + its ChaCha20 cipher FAILed here,
Error: Unsupported SSL cipher 'TLS_CHACHA20_POLY1305_SHA256'
It appears that JDK 11 release supports only 2 of the 3 default TLSv1.3 ciphersuites,
https://docs.oracle.com/en/java/javase/11/docs/specs/security/standard-names.html#jsse-cipher-suite-names
...
0x13,0x01 TLS_AES_128_GCM_SHA256 Yes No N/A TLSv1.3 RFC 8446
0x13,0x02 TLS_AES_256_GCM_SHA384 Yes No N/A TLSv1.3 RFC 8446
...
JDK12 adds ChaCha20 support,
https://docs.oracle.com/en/java/javase/12/docs/specs/security/standard-names.html#jsse-cipher-suite-names
...
0x13,0x01 TLS_AES_128_GCM_SHA256 Yes No N/A TLSv1.3 RFC 8446
0x13,0x02 TLS_AES_256_GCM_SHA384 Yes No N/A TLSv1.3 RFC 8446
>> 0x13,0x03 TLS_CHACHA20_POLY1305_SHA256 No No N/A TLSv1.3 RFC 7905
...
TLSv1.2/ChaCha20 connections with BOTH JDK 11 & 12 clients work.
ONLY, TLSv1.3/ChaCha20 connections with JDK 12 client work without error.
Is there a current plan/work to backport TLSv1.3/ChaCha20 support to JDK 11 LTS so it, too, can provide 'full' TLSv1.3 ciphersuite support?
More information about the security-dev
mailing list