JDK-8029661 : Support TLS v1.2 algorithm in SunPKCS11 provider
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2013-12-06
  • Updated: 2019-03-19
  • Resolved: 2018-09-19
Versions:
  • JDK 11: 11.0.3-oracle (Fixed)
  • JDK 12: 12 b12 (Fixed)
  • JDK 8: 8u192 (Fixed)
  • Other: openjdk7u (Fixed)
See the comment in SunPKCS11.java.  Need to consider whether we can support SunTls12Prf, SunTls12RsaPremasterSecret, etc. in SunPKCS11 in the future.

         * TLS 1.2 uses a different hash algorithm than 1.0/1.1 for the
         * PRF calculations.  As of 2010, there is no PKCS11-level
         * support for TLS 1.2 PRF calculations, and no known OS's have
         * an internal variant we could use.  Therefore for TLS 1.2, we
         * are updating JSSE to request different provider algorithms
         * (e.g. "SunTls12Prf"), and currently only SunJCE has these
         * TLS 1.2 algorithms.
         * If we reused the names such as "SunTlsPrf", the PKCS11
         * providers would need be updated to fail correctly when
         * presented with the wrong version number (via
         * Provider.Service.supportsParameters()), and we would also
         * need to add the appropriate supportsParamters() checks into
         * KeyGenerators (not currently there).
         * In the future, if PKCS11 support is added, we will restructure
         * this.
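
Because JSSE selects these algorithms by name, a quick way to see where TLS 1.2 key derivation can be served is to ask each installed provider for the KeyGenerator names mentioned above. The following is an added example, not code from this issue or from the JDK sources; the class name TlsKeyGenProviders is hypothetical.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

public class TlsKeyGenProviders {
    // Algorithm names taken from the issue text; JSSE requests them
    // as KeyGenerator services.
    static final String[] ALGS = {
        "SunTlsPrf", "SunTls12Prf", "SunTls12RsaPremasterSecret"
    };

    /** Installed providers, in preference order, that register KeyGenerator.<alg>. */
    static List<String> providersFor(String alg) {
        List<String> names = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            // getService() also resolves aliases and returns null when absent.
            if (p.getService("KeyGenerator", alg) != null) {
                names.add(p.getName());
            }
        }
        return names;
    }

    public static void main(String[] args) {
        for (String alg : ALGS) {
            List<String> offering = providersFor(alg);
            // Configured PKCS11 providers are named "SunPKCS11-<token name>".
            boolean onToken = offering.stream()
                                      .anyMatch(n -> n.startsWith("SunPKCS11"));
            System.out.printf("%-28s %s%s%n", alg,
                offering.isEmpty() ? "(no provider)" : String.join(", ", offering),
                onToken ? "" : "  <- not offered by any SunPKCS11 provider");
        }
    }
}
```

Run it with the same java.security configuration as the application, since the result depends on which providers are installed and on how each PKCS11 token is configured.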

*Only maintained release with TLSv1.2 (6 doesn't have it, as far as I recall)

Fix request: This is low-risk, adding missing TLSv1.2 support in the PKCS11 provider, and now is in OpenJDK 7 & 8. It would be odd for 11 to be the only maintained release without it.

Patch proposed on security-dev: http://mail.openjdk.java.net/pipermail/security-dev/2017-November/016446.html

Assigning to myself on behalf of mbalao@redhat.com.