TLSv1.3 TLS_CHACHA20_POLY1305_SHA256 ciphersuite support/backport for JDK 11 LTS ?
PGNet Dev
pgnet.dev at gmail.com
Thu Aug 15 03:56:12 UTC 2019
anyone have any info on this?
On 7/31/19 5:46 PM, PGNet Dev wrote:
> Although JDK 11 already contains TLSv1.3 protocol support.
>
> TLS 1.3 Implementation
> https://bugs.openjdk.java.net/browse/JDK-8202625
>
> JDK-8145252 : JEP 332: Transport Layer Security (TLS) 1.3
> https://bugs.java.com/bugdatabase/view_bug.do?bug_id=8145252
>
> and, 'related' bugs suggest ChaCha20 cipher support is 'in',
>
> JDK-8153029 : ChaCha20 Cipher Implementation (11 b17, "Fixed")
> https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8140466
>
> JDK-8140466 : ChaCha20 and Poly1305 TLS Cipher Suites
> https://bugs.java.com/bugdatabase/view_bug.do?bug_id=8140466 (12 b12, "Fixed")
>
> TLSv1.3 connections via JDBC, using TSLv1.3 + its ChaCha20 cipher FAILed here,
>
> Error: Unsupported SSL cipher 'TLS_CHACHA20_POLY1305_SHA256'
>
> It appears that JDK 11 release supports only 2 of the 3 default TLSv1.3 ciphersuites,
>
> https://docs.oracle.com/en/java/javase/11/docs/specs/security/standard-names.html#jsse-cipher-suite-names
>
> ...
> 0x13,0x01 TLS_AES_128_GCM_SHA256 Yes No N/A TLSv1.3 RFC 8446
> 0x13,0x02 TLS_AES_256_GCM_SHA384 Yes No N/A TLSv1.3 RFC 8446
> ...
>
> JDK12 adds ChaCha20 support,
>
> https://docs.oracle.com/en/java/javase/12/docs/specs/security/standard-names.html#jsse-cipher-suite-names
>
> ...
> 0x13,0x01 TLS_AES_128_GCM_SHA256 Yes No N/A TLSv1.3 RFC 8446
> 0x13,0x02 TLS_AES_256_GCM_SHA384 Yes No N/A TLSv1.3 RFC 8446
>>> 0x13,0x03 TLS_CHACHA20_POLY1305_SHA256 No No N/A TLSv1.3 RFC 7905
> ...
>
> TLSv1.2/ChaCha20 connections with BOTH JDK 11 & 12 clients work.
>
> ONLY, TLSv1.3/ChaCha20 connections with JDK 12 client work without error.
>
> Is there a current plan/work to backport TLSv1.3/ChaCha20 support to JDK 11 LTS so it, too, can provide 'full' TLSv1.3 ciphersuite support?
>
More information about the security-dev
mailing list