Bouncy Castle Crypto Provider Package version 1.65 now available

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

Bouncy Castle Crypto Provider Package version 1.65 now available

Jon Eaves
Hello everybody,

Release 1.65 is now out.

This release is primarily about the TLS APIs and the BCJSSE provider.
API support has been added for specifying sessions on resumption,
Ed25519/Ed448 is now supported for TLS and additional work has been done
on the handling of SNI and OCSP stapling. Additional work has been done
to improve operation with Java 11+, including a fix for RSA PSS and
support for the XECKey interfaces. Support has been added for LMS/HSS
post-quantum algorithms (RFC 8554) and for SipHash128. In addition some
failures that could occur for specific payload sizes with
ChaCha20Poly1305 have been fixed.

Please also note the JCE certificate in the public access versions of
Oracle Java 6 (6u45) and Oracle Java 7 (7u80) is expiring on the 20th
April this year (2020). Oracle does distribute JVMs for Java 6 (6u131)
and Java 7 (7u121) which includes a newer, and stronger, certificate to
holders of Java Support Contracts.

Further details on other additions and bug fixes can be found in the
release notes at:

https://www.bouncycastle.org/releasenotes.html

Thanks also goes to other people and organisations who have
contributed/donated to the project and you can find the updated list at

https://www.bouncycastle.org/contributors.html

We would also like to thank holders of Crypto Workshop support contracts
as we were again able to fund extra work on this release through time
available from those.

For the actual release and other details go to our latest releases page:

https://www.bouncycastle.org/latest_releases.html

And for those who like living on the bleeding edge, the betas for future
releases can be downloaded from:

https://www.bouncycastle.org/betas/

and changes to the code base can be tracked via:

https://github.com/bcgit

On the FIPS front, work on Java FIPS 2.0.0 has now begun. This release
will incorporate more of the features found in Java 11 and later.
Details on future plans can be found at:

https://www.bouncycastle.org/fips_java_roadmap.html

We are looking to raise money for the NIST recovery fees for our next
certification. If you are interested helping support the Bouncy Castle
project through donation, you can find the details on how to donate via
PayPal or Bitcoin, at:

https://www.bouncycastle.org/donate

The Legion of the Bouncy Castle Inc is a registered Australian
charity based in the State of Victoria, Australia.

If you wish to sponsor specific work on Bouncy Castle, get early access
to the FIPS APIs under development, or get a commercial support contract
for the APIs please contact us at Crypto Workshop
(https://www.cryptoworkshop.com ) details about support can be found at:

https://www.cryptoworkshop.com/support_faq.html

Remember, you can also follow this project on Facebook (
https://www.facebook.com/legionofthebouncycastle ), and/or Twitter (
https://twitter.com/bccrypto ).

Finally, for users of the maven repositories, 1.65 should be appearing
shortly on maven central. The GitHub repository has been updated as well.




Reply | Threaded
Open this post in threaded view
|

RE: [External] [dev-crypto] Bouncy Castle Crypto Provider Package version 1.65 now available

Smith, Bill (Tridium)
Just curious. I know you have been working on TLS 1.3 support for Java 1.8. I don't see it mentioned in the release notes for 1.65. David has mentioned that it's "close". Is there a tentative schedule for TLS 1.3? The reason I ask is that BacnetSC requires TLS 1.3 support and we are trying to plan for adding BacnetSC support to our product.

Keep up the awesome work.

Bill


-----Original Message-----
From: Jon Eaves [mailto:[hidden email]]
Sent: Wednesday, April 1, 2020 12:25 AM
To: [hidden email]; [hidden email]
Subject: [External] [dev-crypto] Bouncy Castle Crypto Provider Package version 1.65 now available

Hello everybody,

Release 1.65 is now out.

This release is primarily about the TLS APIs and the BCJSSE provider.
API support has been added for specifying sessions on resumption,
Ed25519/Ed448 is now supported for TLS and additional work has been done on the handling of SNI and OCSP stapling. Additional work has been done to improve operation with Java 11+, including a fix for RSA PSS and support for the XECKey interfaces. Support has been added for LMS/HSS post-quantum algorithms (RFC 8554) and for SipHash128. In addition some failures that could occur for specific payload sizes with
ChaCha20Poly1305 have been fixed.

Please also note the JCE certificate in the public access versions of Oracle Java 6 (6u45) and Oracle Java 7 (7u80) is expiring on the 20th April this year (2020). Oracle does distribute JVMs for Java 6 (6u131) and Java 7 (7u121) which includes a newer, and stronger, certificate to holders of Java Support Contracts.

Further details on other additions and bug fixes can be found in the release notes at:

https://www.bouncycastle.org/releasenotes.html

Thanks also goes to other people and organisations who have contributed/donated to the project and you can find the updated list at

https://www.bouncycastle.org/contributors.html

We would also like to thank holders of Crypto Workshop support contracts as we were again able to fund extra work on this release through time available from those.

For the actual release and other details go to our latest releases page:

https://www.bouncycastle.org/latest_releases.html

And for those who like living on the bleeding edge, the betas for future releases can be downloaded from:

https://www.bouncycastle.org/betas/

and changes to the code base can be tracked via:

https://github.com/bcgit

On the FIPS front, work on Java FIPS 2.0.0 has now begun. This release will incorporate more of the features found in Java 11 and later.
Details on future plans can be found at:

https://www.bouncycastle.org/fips_java_roadmap.html

We are looking to raise money for the NIST recovery fees for our next certification. If you are interested helping support the Bouncy Castle project through donation, you can find the details on how to donate via PayPal or Bitcoin, at:

https://www.bouncycastle.org/donate

The Legion of the Bouncy Castle Inc is a registered Australian charity based in the State of Victoria, Australia.

If you wish to sponsor specific work on Bouncy Castle, get early access to the FIPS APIs under development, or get a commercial support contract for the APIs please contact us at Crypto Workshop (https://www.cryptoworkshop.com ) details about support can be found at:

https://www.cryptoworkshop.com/support_faq.html

Remember, you can also follow this project on Facebook ( https://www.facebook.com/legionofthebouncycastle ), and/or Twitter ( https://twitter.com/bccrypto ).

Finally, for users of the maven repositories, 1.65 should be appearing shortly on maven central. The GitHub repository has been updated as well.




Reply | Threaded
Open this post in threaded view
|

Re: [External] [dev-crypto] Bouncy Castle Crypto Provider Package version 1.65 now available

Peter Dettman-3
Hi Bill,
It's the highest priority new feature, but it's a long slog (much more
work than we initially anticipated). "Close" means that most of the
required internals have been done, and we mostly need to work our way
through the new handshake state machine(s).

At the moment we are aiming for a basic BCJSSE TLS 1.3 client by the end
of April. "Basic" here broadly means without any fancy new features
(early data, half-close sockets, post-handshake auth, etc.), and
probably without PSKs (i.e. session resumption). Essentially you would
take a working TLS 1.2 setup and just enable "TLSv1.3" and it would
negotiate that instead and otherwise behave (externally) as before.

Beyond that we are expecting that fleshing out TLS 1.3 support will be
an ongoing high-priority effort throughout at least this year.

So we're focused on it, but of course it's not the sort of work that
should be rushed.

Regards,
Pete Dettman

On 1/4/20 8:05 pm, Smith, Bill (Tridium) wrote:
> Just curious. I know you have been working on TLS 1.3 support for Java 1.8. I don't see it mentioned in the release notes for 1.65. David has mentioned that it's "close". Is there a tentative schedule for TLS 1.3? The reason I ask is that BacnetSC requires TLS 1.3 support and we are trying to plan for adding BacnetSC support to our product.
>
> Keep up the awesome work.
>
> Bill

Reply | Threaded
Open this post in threaded view
|

Re: [External] [dev-crypto] Bouncy Castle Crypto Provider Package version 1.65 now available

Lothar Kimmeringer-4
In reply to this post by Smith, Bill (Tridium)


Am 01.04.2020 um 15:05 schrieb Smith, Bill (Tridium):
>> Is there a tentative schedule for TLS 1.3? The reason I
> ask is that BacnetSC requires TLS 1.3 support and we are trying to plan for
> adding BacnetSC support to our product.

You should make your product Java 11 capable (Java 14 is out already,
so sooner than later Java 8 will stop being supported). If you really
are forced to use Java 8 you can have a look at
https://github.com/openjsse/openjsse
that replaces the standard JSSE and supports TLSv1.3.

The setup is quite a hassle (I ended up downloaded Azul's JVM that
includes OpenJSSE) and your application will break at funny
places. BTST. In my case I looked at all the failing test cases and
decided to simply make my application Java 11 and 14 capable and
left TLSv1.3 on Java 8 for good.


Cheers, Lothar

Reply | Threaded
Open this post in threaded view
|

RE: [External] [dev-crypto] Bouncy Castle Crypto Provider Package version 1.65 now available

Smith, Bill (Tridium)
Due to the nature of our product and the hardware it runs on, etc. we are committed to supporting Java 8 for a couple more years. We have support contracts with both Oracle and Azul for doing so (there is no JRE 11+ for QNX running on arm). In parallel, newer releases (at some point) will be Java 11+ based, but that kind of change for how our product works is not trivial.

As far as openjsse, I evaluated it this fall and it has a lot of problems negotiating down to TLS 1.2 when talking to an older system. I beat down that path for a little while until David informed me about the TLS 1.3 work in BC. Not trying to knock the openjsse effort, but it is more of a voluntary support model, where, with BC, we have a support contract and get EXCELLENT support from the team. Once ready, I'm confident that any issues that we encounter, we will be able to remedy.

-----Original Message-----
From: Lothar Kimmeringer [mailto:[hidden email]]
Sent: Thursday, April 2, 2020 12:42 PM
To: [hidden email]
Subject: Re: [External] [dev-crypto] Bouncy Castle Crypto Provider Package version 1.65 now available



Am 01.04.2020 um 15:05 schrieb Smith, Bill (Tridium):
>> Is there a tentative schedule for TLS 1.3? The reason I
> ask is that BacnetSC requires TLS 1.3 support and we are trying to
> plan for adding BacnetSC support to our product.

You should make your product Java 11 capable (Java 14 is out already, so sooner than later Java 8 will stop being supported). If you really are forced to use Java 8 you can have a look at https://github.com/openjsse/openjsse
that replaces the standard JSSE and supports TLSv1.3.

The setup is quite a hassle (I ended up downloaded Azul's JVM that includes OpenJSSE) and your application will break at funny places. BTST. In my case I looked at all the failing test cases and decided to simply make my application Java 11 and 14 capable and left TLSv1.3 on Java 8 for good.


Cheers, Lothar