1.57 beta 13 now available (JSSE Provider improvements)


Peter Dettman-3
Hi All,

A new beta, 1.57b13, is now available for download:
    https://www.bouncycastle.org/betas

Some noteworthy improvements in the "BCJSSE" provider (included in
bctls-jdk15on-157b13.jar):

- SSLContext.getDefault() is now supported, and should have very similar
behaviour to the SunJSSE provider. This includes checking of the
relevant javax.net.ssl.* system properties (see
http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#InstallationAndCustomization),
and auto-loading of jssecacerts or cacerts as the default trust store.

- An SSLEngine implementation is now available. It has been tested to
work for an Apache Tomcat (8.5.13) NIO connector, specifically the
org.apache.coyote.http11.Http11NioProtocol protocol. A caveat:
server-side currently only works with the BCJSSE KeyManagerFactory, so a
jre/lib/security/java.security entry is needed:
    ssl.KeyManagerFactory.algorithm=PKIX

- SNI enabled for clients. SSL sockets and engines created using a
fully-qualified domain name will pass it as the host_name in a Server
Name Indication extension. As with SunJSSE, this is enabled by default,
but can be disabled by setting the jsse.enableSNIExtension system
property to "false".

- The default enabled cipher suites list was extended and now includes
ECDHE_ECDSA, ECDHE_RSA and RSA key exchanges combined with either CHACHA
or AES ciphers.

- Bug fixes for client authentication and server-side cipher suite
selection.

- Reduction in memory usage/copying for common handshake patterns
(applies to lightweight TLS library also).

Thank you for the valuable feedback we have received so far, and please
keep it coming.

Regards,
Pete Dettman
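
To check on a given installation the settings the announcement above describes, the following added example (not part of the original post, and not Bouncy Castle project code) registers BCJSSE, lists the cipher suites an engine enables by default grouped by key exchange, and reports the two properties mentioned. It assumes the Bouncy Castle provider and bctls jars are on the classpath; the class name `BcjsseAudit` and the host `www.example.com` are made up for illustration.

```java
import java.security.Security;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;

// Hypothetical audit helper: prints what BCJSSE enables by default.
public class BcjsseAudit {

    // Classify a standard suite name by the key exchanges named in the post.
    static String keyExchange(String suite) {
        if (suite.startsWith("TLS_ECDHE_ECDSA_")) return "ECDHE_ECDSA";
        if (suite.startsWith("TLS_ECDHE_RSA_"))   return "ECDHE_RSA";
        if (suite.startsWith("TLS_RSA_"))         return "RSA";
        return "other";
    }

    public static void main(String[] args) throws Exception {
        // BCJSSE relies on the BC provider for its crypto, so register both.
        Security.addProvider(new BouncyCastleProvider());
        Security.addProvider(new BouncyCastleJsseProvider());

        // Ask for the BCJSSE implementation explicitly, so the result does
        // not depend on provider ordering in java.security.
        SSLContext ctx = SSLContext.getInstance("TLS", "BCJSSE");
        ctx.init(null, null, null); // default key/trust managers

        // Creating the engine with a host name is what makes a client
        // send that name in the SNI extension (constructed host below).
        SSLEngine engine = ctx.createSSLEngine("www.example.com", 443);
        engine.setUseClientMode(true);

        System.out.println("Provider: " + ctx.getProvider().getName());
        for (String suite : engine.getEnabledCipherSuites()) {
            String kx = keyExchange(suite);
            // Plain RSA key exchange gives no forward secrecy; flag it so
            // it can be reviewed against local policy.
            String note = kx.equals("RSA") ? "  <- no forward secrecy" : "";
            System.out.println(kx + "\t" + suite + note);
        }

        // Server-side use needs this to be PKIX (see the java.security
        // entry in the post); the JDK default is SunX509.
        System.out.println("ssl.KeyManagerFactory.algorithm = "
                + KeyManagerFactory.getDefaultAlgorithm());
        // Unset means SNI is enabled; "false" disables it.
        System.out.println("jsse.enableSNIExtension = "
                + System.getProperty("jsse.enableSNIExtension", "(unset)"));
    }
}
```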