Use of OpenSSL as JCE security provider if available on system
Sean Mullan
sean.mullan at oracle.com
Thu Mar 21 14:43:41 UTC 2019
On 3/15/19 5:46 AM, Steve Groeger wrote:
> Hi all,
>
> Not sure whether something on this subject has been raised before but I
> was unable to see anything in the mailing lists.

I don't think it has been discussed in any detail on this alias.
However, there are some other libraries and toolkits that allow OpenSSL
to be used for the crypto or TLS/SSL with Java applications, so it is
something that is not unreasonable to inquire about - i.e., whether it
would be useful to include something like this in the JDK.

> We have been looking at adding support to Java to use the OpenSSL
> libraries as a JCE security provider if available on the system that a
> Java application is being run on (or to build and bundle the OpenSSL
> libraries with the JDK).
>
> If not found then the security drops back to using the built in security
> that is part of the existing JDK.
>
> The use of the OpenSSL libraries can be disabled entirely or specific
> algorithms can be disabled by use of command line options,
> i.e. -Djdk.nativeCrypto=true | false and -Djdk.nativeDigest=true | false
>
> Would this be something that might be useful to be contributed to OpenJDK?

Not sure w/o more information, but from a followup reply, it doesn't
seem to be a proper fit for the JDK since it is not a separate JCE provider.

But, if we want to explore this further, I think it first makes sense to
take a step back and focus more on what benefits an OpenSSL provider or
"native bridge" would provide. I think you would have to make a strong
case that the benefits outweigh the cost of maintaining a separate
provider with additional code, etc. There are probably licensing issues
as well that would need to be explored.

Anyway, happy to explore that in more detail if you like. One suggestion
is to use the JEP template [1] to provide more detail as it contains the
type of information that would be useful to start this type of discussion.

Thanks,
Sean

[1] https://openjdk.java.net/jeps/2

> Thanks
> Steve Groeger
> IBM Runtime Technologies
> Hursley, Winchester
> Tel: (44) 1962 816911 Mobex: 279990 Mobile: 07718 517 129
> Fax (44) 1962 816800
> Lotus Notes: Steve Groeger/UK/IBM
> Internet: groeges at uk.ibm.com
>
> Unless stated otherwise above:
> IBM United Kingdom Limited - Registered in England and Wales with number
> 741598.
> Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU