JDK-8272218 : Configurable extensions with system properties
  • Type: CSR
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Priority: P3
  • Status: Closed
  • Resolution: Approved
  • Fix Versions: 8-pool,11-pool
  • Submitted: 2021-08-10
  • Updated: 2021-09-18
  • Resolved: 2021-08-18
Description
Summary
-------
Backport the JDK-8217633 enhancement to the Oracle JDK 8u/11u releases: support configurable TLS extensions through the introduction of implementation-specific JDK system properties.

Problem
-------
The TLS protocols are designed to tolerate unknown TLS extensions. However, although it is not common, a few TLS implementations cannot handle unknown extensions properly. As a result, unexpected interoperability issues can arise when new extensions are introduced in the JDK. The interoperability impact could be mitigated if applications were able to customize the extensions when needed.

Applications may not be able to update their source code. It is more convenient if applications can customize the default extensions with system properties.

Solution
--------
Add two system properties to configure the default extensions on either the client or the server side of TLS connections. This is an identical port of the JDK 17 enhancement to the JDK 8u/11u Oracle releases.

Specification
-------------
Two new implementation-specific System Properties will be added. The System Property "jdk.tls.client.disableExtensions" is used to disable extensions used on the client side. The System Property "jdk.tls.server.disableExtensions" is used to disable extensions used on the server side. If an extension is disabled, it will be neither produced nor processed in the handshake messages.

The property string is a comma-separated list of standard TLS extension names. The syntax of the property string can be described in this Java BNF style:

    DisableExtensions:
            ('"' TLSExtensionNames '"') | TLSExtensionNames
    TLSExtensionNames:
            TLSExtensionName { , TLSExtensionName }
    TLSExtensionName:
            (see below)

The extension name, TLSExtensionName, is one registered in [the IANA documentation](https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml) (for example, server_name, status_request and signature_algorithms_cert). Note that the extension names are case sensitive. Unknown, unsupported, misspelled or duplicated TLSExtensionName tokens will be ignored.

Note that a few extension System Properties were introduced previously, for example "jsse.enableMFLNExtension" and "jsse.enableSNIExtension", to switch TLS extensions on or off. An extension that is disabled by the new properties will not be enabled, even if it could otherwise be enabled by setting the corresponding extension System Property.
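The following is an added example; it is neither the JDK's implementation nor part of this CSR. It applies the grammar and rules stated in the Specification section to a property value: optional surrounding double quotes, a comma-separated list, case-sensitive IANA names, and unknown, misspelled or duplicated tokens being ignored. It also shows where the client-side property would be set. The class name, the method names and the KNOWN_EXTENSIONS table are assumptions made for the example only; the real JSSE implementation keeps its own table of supported extensions. The code uses only Java 8 APIs so it fits the 8u/11u releases this CSR targets.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

/**
 * Example-only parser for the "jdk.tls.client.disableExtensions" /
 * "jdk.tls.server.disableExtensions" property values described in this CSR.
 * Not the JDK's code; names below are assumptions for the illustration.
 */
public class DisabledExtensionsExample {

    /**
     * Extension names this example treats as "known". This is a small,
     * hand-picked subset of the IANA registry chosen for the example,
     * not the JDK's actual supported-extension table.
     */
    static final Set<String> KNOWN_EXTENSIONS = new HashSet<>(Arrays.asList(
            "server_name", "max_fragment_length", "status_request",
            "supported_groups", "ec_point_formats", "signature_algorithms",
            "application_layer_protocol_negotiation", "signature_algorithms_cert",
            "extended_master_secret", "supported_versions", "key_share",
            "psk_key_exchange_modes", "renegotiation_info"));

    /**
     * Parses a property value such as  server_name,status_request  or
     * "server_name, status_request"  (with surrounding quotes) into the list
     * of recognised extension names, in the order they first appear.
     */
    static List<String> parseDisabledExtensions(String value) {
        List<String> result = new ArrayList<>();
        if (value == null) {
            return result;                   // property not set: nothing is disabled
        }
        String s = value.trim();
        // Optional surrounding double quotes: ('"' TLSExtensionNames '"')
        if (s.length() >= 2 && s.startsWith("\"") && s.endsWith("\"")) {
            s = s.substring(1, s.length() - 1);
        }
        // LinkedHashSet drops duplicated tokens while keeping first-seen order
        Set<String> seen = new LinkedHashSet<>();
        for (String token : s.split(",")) {
            String name = token.trim();
            if (name.isEmpty()) {
                continue;                    // tolerate "a,,b" and a trailing comma
            }
            // Case-sensitive lookup: "Server_Name" is not "server_name" and is ignored,
            // as are misspelled or unsupported names
            if (!KNOWN_EXTENSIONS.contains(name)) {
                continue;
            }
            seen.add(name);
        }
        result.addAll(seen);
        return result;
    }

    /** Reads the client-side property introduced by this CSR and reports what it would disable. */
    static List<String> disabledClientExtensions() {
        return parseDisabledExtensions(System.getProperty("jdk.tls.client.disableExtensions"));
    }

    public static void main(String[] args) {
        // Typical deployment sets the property on the command line, e.g.
        //   java -Djdk.tls.client.disableExtensions=status_request,signature_algorithms_cert App
        // Programmatically it must be set before the JSSE provider reads it, i.e.
        // before the first SSLContext is initialised. The value below is constructed
        // to exercise the quoted form, a case mismatch, an unknown name and a duplicate.
        System.setProperty("jdk.tls.client.disableExtensions",
                "\"status_request, Status_Request, signature_algorithms_cert, "
                + "not_an_extension, status_request\"");
        System.out.println("disabled on client side: " + disabledClientExtensions());
    }
}
```

Running the example prints only the two names that survive the rules: the capitalised token, the unregistered token and the repeated token are all dropped silently, which is the behaviour to keep in mind when troubleshooting a value that appears to have no effect (a misspelling or a case mismatch produces no error).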

Documentation
-------------
The new System Properties will be described in the JSSE Reference Guide and noted in the release notes.

Comments
Moving to Approved.
18-08-2021

Thanks [~jnimeh] - Adjustments made
10-08-2021

Last paragraph in the specification section - looks like you have jsse.enableSNIExtension listed twice. Was that third example property supposed to be something different? Other than that it looks like the original CSR (which also had the duplicate). Might also be good to have a refers-to link to either JDK-8217663 or JDK-8217993 (its CSR). You refer to it in the text, but a link also might be a nice convenience.
10-08-2021