- An SSLEngine implementation is now available. It has been tested to
work with an Apache Tomcat (8.5.13) NIO connector, specifically the
org.apache.coyote.http11.Http11NioProtocol protocol. A caveat: on the
server side it currently works only with the BCJSSE KeyManagerFactory,
so a jre/lib/security/java.security entry is needed:
- SNI enabled for clients. SSL sockets and engines created using a
fully-qualified domain name will pass it as the host_name in a Server
Name Indication extension. As with SunJSSE, this is enabled by default,
but can be disabled by setting the jsse.enableSNIExtension system
property to "false".
- The default enabled cipher suites list was extended and now includes
ECDHE_ECDSA, ECDHE_RSA and RSA key exchanges combined with either CHACHA
or AES ciphers.
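As an added example (not part of this announcement and not Bouncy Castle's own code) covering the SNI and cipher-suite items above: a small Java client-side setup that selects BCJSSE as the TLS provider, pins the enabled suites to an allow-list of the ECDHE_ECDSA/ECDHE_RSA + AES-GCM/ChaCha20 suites the note mentions, and sets the SNI host_name explicitly through the standard SSLParameters API. The note says SNI is sent by default whenever the socket is created with a fully-qualified domain name; setting it explicitly here is the standard JSSE route and is assumed (not confirmed by the note) to be honoured by BCJSSE. Assumed: bcprov and bctls jars on the classpath, the provider class names org.bouncycastle.jce.provider.BouncyCastleProvider and org.bouncycastle.jsse.provider.BouncyCastleJsseProvider, and "example.test" as a placeholder host name. The socket is left unconnected so the checks run without network access.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import org.bouncycastle.jce.provider.BouncyCastleProvider;       // assumed: bcprov on classpath
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;  // assumed: bctls on classpath

public class BcjsseClientSetup {

    // Allow-list built from the key exchanges named in the release note
    // (ECDHE_ECDSA / ECDHE_RSA) with AES-GCM or ChaCha20. Names use the
    // standard JSSE spelling; whether a given bctls build actually offers
    // each one is checked at run time in restrictSuites().
    static final List<String> PREFERRED_SUITES = Arrays.asList(
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");

    // Register BC (JCA) and BCJSSE (JSSE) once, then ask BCJSSE for a TLS context.
    static SSLContext bcjsseContext() throws Exception {
        if (Security.getProvider("BC") == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
        if (Security.getProvider("BCJSSE") == null) {
            Security.addProvider(new BouncyCastleJsseProvider());
        }
        SSLContext ctx = SSLContext.getInstance("TLS", "BCJSSE");
        ctx.init(null, null, null); // provider-default key and trust managers
        return ctx;
    }

    // Keep only allow-listed suites, in allow-list order. Failing loudly when
    // nothing survives is deliberate: a silent fallback to the provider default
    // would quietly re-enable the suites the allow-list was meant to exclude.
    static String[] restrictSuites(String[] supported) {
        List<String> have = Arrays.asList(supported);
        List<String> keep = new ArrayList<>();
        for (String s : PREFERRED_SUITES) {
            if (have.contains(s)) {
                keep.add(s);
            }
        }
        if (keep.isEmpty()) {
            throw new IllegalStateException("none of the preferred suites are supported: " + have);
        }
        return keep.toArray(new String[0]);
    }

    // Build an unconnected SSLSocket with the restricted suite list, an explicit
    // SNI host_name and HTTPS-style hostname verification. Caller connects later.
    static SSLSocket prepareSocket(SSLContext ctx, String fqdn) throws Exception {
        SSLSocketFactory factory = ctx.getSocketFactory();
        SSLSocket sock = (SSLSocket) factory.createSocket(); // unconnected
        sock.setEnabledCipherSuites(restrictSuites(sock.getSupportedCipherSuites()));
        SSLParameters params = sock.getSSLParameters();
        params.setServerNames(Collections.singletonList(new SNIHostName(fqdn)));
        params.setEndpointIdentificationAlgorithm("HTTPS");
        sock.setSSLParameters(params);
        return sock;
    }

    // The note says SNI can be switched off by setting this property to "false";
    // report the effective state so it shows up in logs during troubleshooting.
    static boolean sniExtensionEnabled() {
        return !"false".equalsIgnoreCase(System.getProperty("jsse.enableSNIExtension"));
    }

    public static void main(String[] args) throws Exception {
        String fqdn = args.length > 0 ? args[0] : "example.test"; // placeholder host name
        SSLSocket sock = prepareSocket(bcjsseContext(), fqdn);
        System.out.println("SNI extension enabled: " + sniExtensionEnabled());
        System.out.println("Enabled suites: " + Arrays.toString(sock.getEnabledCipherSuites()));
        System.out.println("Server names: " + sock.getSSLParameters().getServerNames());
    }
}
```

Run it with -Djsse.enableSNIExtension=false to see the reported state flip; the suite allow-list is the part worth keeping in real code, since the provider default described in the note still includes plain RSA key exchange, which has no forward secrecy.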
- Bug fixes for client authentication and server-side cipher suite
- Reduction in memory usage/copying for common handshake patterns
(applies to lightweight TLS library also).
Thank you for the valuable feedback we have received so far, and please
keep it coming.