JEP 332: Transport Layer Security (TLS) 1.3

Owner: Xue-Lei Fan
Created: 2015/12/12 05:26
Updated: 2018/04/20 19:11
Type: Feature
Status: Candidate
Component: security-libs / javax.net.ssl
Scope: SE
Discussion: security dash dev at openjdk dot java dot net
Effort: XL
Duration: XL
Priority: 2
Reviewed by: Andrew Gross, Brian Goetz, Sean Mullan
Issue: 8145252

Summary

Implement version 1.3 of the Transport Layer Security (TLS) Protocol.

Non-Goals

It is not a goal to support version 1.3 of the Datagram Transport Layer Security (DTLS) Protocol. It is also not a goal to support every feature of TLS 1.3; see the Description section for more details on what will be implemented.

Motivation

TLS 1.3 is a major overhaul of the TLS protocol and provides significant security and performance improvements over previous versions. Several early implementations from other vendors are available already. We need to support TLS 1.3 to remain competitive and keep pace with the latest standard.

Description

TLS 1.3 is a new TLS version which supersedes and obsoletes previous versions of TLS including version 1.2 (RFC 5246). It also obsoletes or changes other TLS features such as the OCSP stapling extensions (RFC 6066, RFC 6961), and the session hash and extended master secret extension (RFC 7627).

The Java Secure Socket Extension (JSSE) in the JDK provides a framework and a Java implementation of the SSL, TLS, and DTLS protocols. Currently, the JSSE API and JDK implementation support SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2, DTLS 1.0 and DTLS 1.2.

The primary goal of this JEP is a minimal interoperable and compatible TLS 1.3 implementation. A minimal implementation should support:

No new public APIs are required for the minimal implementation. The following new standard algorithm names are required:

Additionally, the KRB5 cipher suites will be removed from the JDK because they are no longer considered safe to use.

In parallel with this JEP, we will develop cryptographic algorithm support for the following optional TLS 1.3 features:

These features may be included in this JEP if time permits; otherwise they will be targeted and integrated as separate features.

The following significant features will not be implemented as part of this JEP:

TLS 1.3 is not directly compatible with previous versions. Although TLS 1.3 can be implemented with a backward-compatibility mode, there are several compatibility risks when using this mode:

To minimize compatibility risk, this TLS 1.3 implementation will implement and enable the backward-compatibility mode by default. An application can turn off the backward-compatibility mode, and turn TLS 1.3 on or off if desired.
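One way an application can make the version choice described above through the existing JSSE `SSLParameters` API, either offering TLS 1.3 with a TLS 1.2 fallback or restricting itself to TLS 1.3 only. This is an added example, not code from the JEP or the JDK; it assumes the implementation exposes TLS 1.3 under the protocol name "TLSv1.3" and the TLS_AES_* cipher-suite names (neither is listed on this page), and it controls which versions are offered, not the backward-compatibility mode itself.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;

public class Tls13Policy {
    // Preference order: the TLS_AES_* names are TLS 1.3 suites; the TLS_ECDHE_* names
    // are forward-secret AEAD suites kept only for the TLS 1.2 fallback.
    static final List<String> PREFERRED_SUITES = Arrays.asList(
        "TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
    // True when the JSSE provider behind this context can negotiate TLS 1.3 at all.
    static boolean tls13Supported(SSLContext ctx) {
        return Arrays.asList(ctx.getSupportedSSLParameters().getProtocols()).contains("TLSv1.3");
    }

    // Keep only suites the provider implements: setCipherSuites() rejects unknown
    // names with IllegalArgumentException, so filter rather than guess.
    static String[] supportedSubset(SSLContext ctx, List<String> wanted) {
        List<String> available = Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites());
        List<String> out = new ArrayList<>();
        for (String s : wanted) if (available.contains(s)) out.add(s);
        return out.toArray(new String[0]);
    }

    // strict=false offers TLS 1.3 with a TLS 1.2 fallback (TLS 1.1 and older stay off);
    // strict=true turns every version except TLS 1.3 off.
    static SSLParameters policy(SSLContext ctx, boolean strict) {
        String[] versions = strict ? new String[] {"TLSv1.3"} : new String[] {"TLSv1.3", "TLSv1.2"};
        SSLParameters p = new SSLParameters(supportedSubset(ctx, PREFERRED_SUITES), versions);
        p.setUseCipherSuitesOrder(true);               // a server honours this order, not the client's
        p.setEndpointIdentificationAlgorithm("HTTPS"); // a client verifies the server's hostname
        return p;
    }
    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        if (!tls13Supported(ctx)) {
            System.out.println("No TLS 1.3 in this JDK: " + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
            return;
        }
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(); // still unconnected
        socket.setSSLParameters(policy(ctx, true));
        System.out.println("enabled: " + Arrays.toString(socket.getEnabledProtocols())
            + " " + Arrays.toString(socket.getEnabledCipherSuites()));
    }
}
```

The same `SSLParameters` object can be applied to an `SSLEngine` or `SSLServerSocket`; on a JDK without TLS 1.3 the `policy(ctx, true)` call fails in `setSSLParameters` with `IllegalArgumentException`, which is why the support check runs first.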

Testing

Tests will be developed or enhanced to validate the following general requirements:

Risks and Assumptions

The TLS 1.3 Internet Draft has undergone many revisions but is not yet a Standard. The most recent draft (28) has been approved by the TLS Working Group and the IESG, and is now in the RFC Editor's Queue. However, it must advance to at least a Proposed Standard and be assigned an RFC number before this JEP can be completed.

A third-party TLS 1.3 implementation that supports the latest draft is also required for interoperability testing.

Dependencies

TLS 1.3 requires support for the RSASSA-PSS signature algorithms (8146293).