JDK-8206170 : Release Note: JEP 332: Transport Layer Security (TLS) 1.3
  • Type: Sub-task
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 11
  • Priority: P3
  • Status: Closed
  • Resolution: Delivered
  • Submitted: 2018-07-02
  • Updated: 2019-07-24
  • Resolved: 2019-07-24
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 11
The JDK 11 release includes an implementation of the Transport Layer Security (TLS) 1.3 specification (RFC 8446).  For more details including a list of the features that are supported, refer to the *Java Secure Socket Extension (JSSE) Reference Guide* documentation and [JEP 332](http://openjdk.java.net/jeps/332).

For TLS 1.3, the following new standard algorithm names are defined:
1. TLS protocol version name: TLSv1.3
2. SSLContext algorithm name: TLSv1.3
3. TLS cipher suite names for TLS 1.3: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
4. keyType for X509KeyManager: RSASSA-PSS
5. authType for X509TrustManager: RSASSA-PSS

A new Security Property, `jdk.tls.keyLimits`, has been added for TLS 1.3.  When the specified amount of data of a specific algorithm has been processed, a post-handshake Key and IV Update is triggered to derive new keys.

A new System Property, `jdk.tls.server.protocols`, has been added to configure the default enabled protocol suite in server side of SunJSSE provider.

Note that the KRB5 cipher suites implementation has been removed from the JDK because they are no longer considered safe to use.

Note that TLS 1.3 is not directly compatible with previous versions.  Although TLS 1.3 can be implemented with a backward-compatibility mode, there are still several compatibility risks to take into account when upgrading to TLS 1.3:
1. TLS 1.3 uses a half-close policy, while TLS 1.2 and prior versions use a duplex-close policy. For applications that depend on the duplex-close policy, there may be compatibility issues when upgrading to TLS 1.3.
2. The signature_algorithms_cert extension requires that pre-defined signature algorithms are used for certificate authentication.  In practice, however, an application may use unsupported signature algorithms.
3. The DSA signature algorithm is not supported in TLS 1.3.  If a server is configured to only use DSA certificates, it cannot upgrade to TLS 1.3.
4. The supported cipher suites for TLS 1.3 are not the same as TLS 1.2 and prior versions.  If an application hard-codes cipher suites which are no longer supported, it may not be able to use TLS 1.3 without modifying the application code.
5. The TLS 1.3 session resumption and key update behaviors are different from TLS 1.2 and prior versions.  The compatibility impact should be minimal, but it could be a risk if an application depends on the handshake details of the TLS protocols.

The System properties, `jdk.tls.client.protocols` and `jdk.tls.server.protocols`, can be used to configure the default enabled protocols accordingly in the SunJSSE provider if needed.