JDK-8171279 : Support X25519 and X448 in TLS
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: openjdk8u272,11,13
  • Priority: P2
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2016-12-15
  • Updated: 2021-11-30
  • Resolved: 2019-06-13
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 11 JDK 13 JDK 14
11.0.10-oracleFixed 13 b25Fixed 14Fixed
Related Reports
CSR :  
JDK-8224520 - Support X25519 and X448 in TLS
Duplicate :  
JDK-8217709 - TLS 1.3 server always answer Hello Retry Request (on chrome)
Relates :  
JDK-8260300 - Restrict TLS signature schemes in 8u
Relates :  
JDK-8234467 - Some TLSv1.3 handshakes fail with a decode_error rather than negotiating to 1.2
Relates :  
JDK-8145252 - JEP 332: Transport Layer Security (TLS) 1.3
Relates :  
JDK-8224650 - Add tests to support X25519 and X448 in TLS
Relates :  
JDK-8178429 - SSLHandshakeException "Unsupported curveId: 29"
Relates :  
JDK-8171277 - Elliptic Curves for Security in Crypto
Relates :  
JDK-8257607 - Support BC JCE provider in SunJSSE for EdDSA and XDH
Sub Tasks
JDK-8225764 :  
Release Note: Support for X25519 and X448 in TLS - Closed
Description
Support X25519 and X448 EC curves for Diffie-Hellman in the JSSE implementation for TLS.  

The original scope of this RFE was to implement for TLSv1.3 only, since TLS 1.2 and earlier are organized very differently w.r.t. key agreement. But it appears that there could be interoperability issues if TLS 1.2/1.1/1 aren't supported (see comment below).
Comments
Fix request (11u) I would like to downport this for parity with 11.0.10-oracle. I had to do quite some adaptions: http://mail.openjdk.java.net/pipermail/jdk-updates-dev/2020-October/003903.html http://mail.openjdk.java.net/pipermail/jdk-updates-dev/2020-November/004084.html
09-11-2020
Fixed on TLSv1->1.3. One comment from the review thread: https://mail.openjdk.java.net/pipermail/security-dev/2019-June/020147.html RFC 8422 (Appendix B) deprecated/removed the TLS_ECDH_* ciphersuites. Our KeyManager APIs currently do not allow for selecting specific curve entries. I've made a best effort for supporting client-side ECDH, but we won't support server-side ECDH at this point. TBD if we'll add support as API changes will be necessary, and not be worth the time if no one should/will be using ECDH.
13-06-2019
URL: http://hg.openjdk.java.net/jdk/jdk/rev/946f7f2d321c User: wetmore Date: 2019-06-13 02:00:37 +0000
13-06-2019
I think this RFE must support RFC 8422 and add x25519/x448 to TLSv1/1.1/1.2. If you send a client hello with TLSv1.2/1.3 enabled with x25519/x448 as supported groups, and the server comes back with TLSv1.2 and x25519, the connection will fail.
21-05-2019
We may want this feature in JDK 12.
10-07-2018