1.57 beta 13 now available (JSSE Provider improvements)


Peter Dettman-3
Hi All,

A new beta, 1.57b13, is now available for download:
    https://www.bouncycastle.org/betas

Some noteworthy improvements in the "BCJSSE" provider (included in
bctls-jdk15on-157b13.jar):

- SSLContext.getDefault() is now supported, and should have very similar
behaviour to the SunJSSE provider. This includes checking of the
relevant javax.net.ssl.* system properties (see
http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#InstallationAndCustomization),
and auto-loading of jssecacerts or cacerts as the default trust store.

- An SSLEngine implementation is now available. It has been tested to
work for an Apache Tomcat (8.5.13) NIO connector, specifically the
org.apache.coyote.http11.Http11NioProtocol protocol. A caveat:
server-side currently only works with the BCJSSE KeyManagerFactory, so a
jre/lib/security/java.security entry is needed:
    ssl.KeyManagerFactory.algorithm=PKIX

- SNI enabled for clients. SSL sockets and engines created using a
fully-qualified domain name will pass it as the host_name in a Server
Name Indication extension. As with SunJSSE, this is enabled by default,
but can be disabled by setting the jsse.enableSNIExtension system
property to "false".

- The default enabled cipher suites list was extended and now includes
ECDHE_ECDSA, ECDHE_RSA and RSA key exchanges combined with either CHACHA
or AES ciphers.

- Bug fixes for client authentication and server-side cipher suite
selection.

- Reduction in memory usage/copying for common handshake patterns
(applies to lightweight TLS library also).

Thank you for the valuable feedback we have received so far, and please
keep it coming.

Regards,
Pete Dettman
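
An added example, not part of the original post and not Bouncy Castle project code: it audits which key-exchange families a BCJSSE engine enables by default and prunes the static-RSA suites, which lack forward secrecy. It assumes the bcprov and bctls jars are on the classpath; the class name `BcjsseSuiteAudit` and the host `www.example.org` are placeholders.

```java
import java.security.KeyStore;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;

public class BcjsseSuiteAudit {   // hypothetical class name
    // Classify a JSSE suite name by the key-exchange families named in the announcement.
    static String keyExchange(String suite) {
        if (suite.startsWith("TLS_ECDHE_ECDSA_")) return "ECDHE_ECDSA";
        if (suite.startsWith("TLS_ECDHE_RSA_")) return "ECDHE_RSA";
        if (suite.startsWith("TLS_RSA_")) return "RSA";   // static RSA: no forward secrecy
        return "OTHER";
    }

    // Keep only the ECDHE suites, preserving the provider's preference order.
    static String[] forwardSecretOnly(String[] enabled) {
        List<String> keep = new ArrayList<>();
        for (String s : enabled) {
            if (keyExchange(s).startsWith("ECDHE_")) keep.add(s);
        }
        return keep.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        Security.addProvider(new BouncyCastleJsseProvider());
        // Runtime equivalent of the java.security entry quoted above (matters server-side).
        Security.setProperty("ssl.KeyManagerFactory.algorithm", "PKIX");

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX", "BCJSSE");
        tmf.init((KeyStore) null);   // null keystore: use the default trust store
        SSLContext ctx = SSLContext.getInstance("TLS", "BCJSSE");
        ctx.init(null, tmf.getTrustManagers(), null);

        // Placeholder host; per the announcement, a fully-qualified name is sent as the SNI host_name.
        SSLEngine engine = ctx.createSSLEngine("www.example.org", 443);
        engine.setUseClientMode(true);
        for (String s : engine.getEnabledCipherSuites()) {
            System.out.println(keyExchange(s) + "\t" + s);
        }
        engine.setEnabledCipherSuites(forwardSecretOnly(engine.getEnabledCipherSuites()));
        System.out.println("after pruning: " + engine.getEnabledCipherSuites().length + " suites");
    }
}
```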


RE: 1.57 beta 13 now available (JSSE Provider improvements)

William Konitzer
Hi Peter,

Do you know when the 1.57 release might go GA?

Regards,
Will

-----Original Message-----
From: Peter Dettman [mailto:[hidden email]]
Sent: Tuesday, April 11, 2017 11:47 AM
To: [hidden email]; [hidden email]
Subject: 1.57 beta 13 now available (JSSE Provider improvements)
