Initially published on April 13, 2021
Description
The Dell BSAFE team announces the release of Dell BSAFE SSL-J 7.0 (SSL-J). This release embeds Dell BSAFE Crypto-J 6.2.5.1 (Crypto-J), which uses the Dell BSAFE Crypto-J Jsafe and JCE Software Module 6.2.5 as its underlying FIPS provider.
Note: Crypto-J 6.2.5.1 is embedded because SSL-J 7.0 requires compatibility fixes that the previous standalone Crypto-J release does not contain. A standalone release of Crypto-J 6.2.5.1 will be provided at a later date if Dell Technologies deems it necessary.
This release of SSL-J is designed to provide the following new features:
- Implementation of TLS 1.3 (RFC 8446).
- Property support for TLS 1.3:
  - Support for the following new properties has been added:
    - com.rsa.ssl.compatibility.tls13.middlebox
    - com.rsa.ssl.server.forcehrr
    - com.rsa.ssl.tlsextensions.client.keyshares
    - com.rsa.ssl.tlsextensions.server.cookie
    - com.rsa.sslj.supported.signature.schemes
    - com.rsa.sslj.supported.certificate.signature.schemes
  - Support for the following previously unsupported property has been added:
    - jdk.tls.keyLimits
  - TLS 1.3 support for the following property has been added:
    - jdk.tls.disabledAlgorithms
  - TLS 1.3 and TLS 1.2 support for the following previously unsupported property has been added:
    - jdk.tls.namedGroups
- Implementation of Certificate Authorities extension for TLS 1.3 (RFC 8446).
- Implementation of the Certificate Status Request extension (OCSP stapling) for TLS 1.2 and TLS 1.3 (RFC 6066 and RFC 8446).
  - Support for the following new property has been added:
    - com.rsa.ssl.client.ocsp.sendnonce
  - Support for the following previously unsupported properties has been added:
    - jdk.tls.client.enableStatusRequestExtension
    - jdk.tls.server.enableStatusRequestExtension
    - jdk.tls.stapling.cacheSize
    - jdk.tls.stapling.cacheLifetime
    - jdk.tls.stapling.ignoreExtensions
    - jdk.tls.stapling.responseTimeout
    - jdk.tls.stapling.responderURI
    - jdk.tls.stapling.responderOverride
- Implementation of Record Size Limit Extension for TLS 1.2 and TLS 1.3 (RFC 8449).
  - Support for the following new properties has been added:
    - com.rsa.ssl.tlsextensions.client.recordsizelimit.length
    - com.rsa.ssl.tlsextensions.server.recordsizelimit.length
- Implementation of Session Hash and Extended Master Secret for TLS 1.2 (RFC 7627).
  - Support for the following previously unsupported property has been added:
    - jdk.tls.useExtendedMasterSecret
- Configuration of the ephemeral key usage limit.
  - The com.rsa.ssl.ephemeralkey.usagelimit system property limits the number of handshakes in which a single ephemeral key pair is used. The default limit is 1, so ephemeral key pairs are never reused.
  CAUTION: Consider carefully before raising this limit. Any performance gain comes at the cost of reduced security: a key pair reused across several handshakes means those handshakes no longer each have an independent ephemeral key, which weakens the forward secrecy that ephemeral key exchange is meant to provide.
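The TLS 1.3, OCSP stapling, record size limit, extended master secret and certificate authorities items above all surface as extensions in the ClientHello, which is where a practitioner would confirm that a client built on this release actually offers them. The following Python script is an added example, not code from Dell or from SSL-J: it constructs a TLS 1.3 ClientHello carrying those extensions (the random, session id, key share bytes and the single "CN=CA" distinguished name are placeholders, not real handshake material), parses it back as a capture-inspection script would, and enforces the RFC 8446 section 4.2 rule that an extension type may appear at most once.

```python
"""Build a TLS 1.3 ClientHello carrying the extensions named in these release notes,
then parse it back the way a capture-inspection script would.  Constructed example:
the random, session id and key share bytes are placeholders, not a real handshake."""
import struct

# ExtensionType values from the IANA TLS registry.
EXT_STATUS_REQUEST = 5            # RFC 6066: OCSP stapling request
EXT_SUPPORTED_GROUPS = 10         # RFC 8422 / RFC 8446
EXT_SIGNATURE_ALGORITHMS = 13     # RFC 8446
EXT_EXTENDED_MASTER_SECRET = 23   # RFC 7627 (TLS 1.2 only; TLS 1.3 always binds the transcript)
EXT_RECORD_SIZE_LIMIT = 28        # RFC 8449
EXT_SUPPORTED_VERSIONS = 43       # RFC 8446
EXT_CERTIFICATE_AUTHORITIES = 47  # RFC 8446
EXT_KEY_SHARE = 51                # RFC 8446

TLS12, TLS13 = 0x0303, 0x0304
X25519, SECP256R1 = 0x001D, 0x0017
ECDSA_SECP256R1_SHA256, RSA_PSS_RSAE_SHA256 = 0x0403, 0x0804
TLS_AES_128_GCM_SHA256 = 0x1301

# Minimal DER Name "CN=CA" (constructed sample) for the certificate_authorities extension.
SAMPLE_CA_DN = bytes.fromhex("300d310b300906035504030c024341")


def tls_extension(ext_type, body):
    """Encode one Extension { extension_type, extension_data<0..2^16-1> }."""
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(record_size_limit=16385, extra_extensions=()):
    """Return a ClientHello handshake message (handshake header included, no record layer)."""
    groups = struct.pack("!HHH", 4, X25519, SECP256R1)
    sig_schemes = struct.pack("!HHH", 4, ECDSA_SECP256R1_SHA256, RSA_PSS_RSAE_SHA256)
    # key_share: one entry for x25519; 32 placeholder bytes stand in for a public key.
    key_share = struct.pack("!HHH", 36, X25519, 32) + bytes(range(32))
    # status_request: status_type=ocsp(1), empty responder_id_list and request_extensions.
    status_request = b"\x01" + struct.pack("!HH", 0, 0)
    ca_entry = struct.pack("!H", len(SAMPLE_CA_DN)) + SAMPLE_CA_DN
    certificate_authorities = struct.pack("!H", len(ca_entry)) + ca_entry
    extensions = b"".join([
        tls_extension(EXT_SUPPORTED_VERSIONS, struct.pack("!BHH", 4, TLS13, TLS12)),
        tls_extension(EXT_SUPPORTED_GROUPS, groups),
        tls_extension(EXT_SIGNATURE_ALGORITHMS, sig_schemes),
        tls_extension(EXT_KEY_SHARE, key_share),
        tls_extension(EXT_STATUS_REQUEST, status_request),
        tls_extension(EXT_RECORD_SIZE_LIMIT, struct.pack("!H", record_size_limit)),
        tls_extension(EXT_EXTENDED_MASTER_SECRET, b""),
        tls_extension(EXT_CERTIFICATE_AUTHORITIES, certificate_authorities),
        *extra_extensions,
    ])
    body = (struct.pack("!H", TLS12)            # legacy_version is fixed at 0x0303 in TLS 1.3
            + bytes(32)                          # random (placeholder)
            + b"\x00"                            # empty legacy_session_id
            + struct.pack("!HH", 2, TLS_AES_128_GCM_SHA256)
            + b"\x01\x00"                        # legacy_compression_methods = [null]
            + struct.pack("!H", len(extensions)) + extensions)
    return b"\x01" + len(body).to_bytes(3, "big") + body


def parse_client_hello(msg):
    """Parse a ClientHello; raise ValueError on truncation or a duplicated extension type."""
    if len(msg) < 4 or msg[0] != 1:
        raise ValueError("not a ClientHello handshake message")
    body = msg[4:]
    if len(body) != int.from_bytes(msg[1:4], "big"):
        raise ValueError("handshake length mismatch")
    try:
        pos = 2 + 32                                   # skip legacy_version and random
        pos += 1 + body[pos]                           # legacy_session_id
        cs_len = struct.unpack_from("!H", body, pos)[0]
        pos += 2
        suites = [struct.unpack_from("!H", body, pos + i)[0] for i in range(0, cs_len, 2)]
        pos += cs_len
        pos += 1 + body[pos]                           # legacy_compression_methods
        ext_len = struct.unpack_from("!H", body, pos)[0]
        pos += 2
        if pos + ext_len != len(body):
            raise ValueError("extensions length mismatch")
        exts = {}
        while pos < len(body):
            ext_type, length = struct.unpack_from("!HH", body, pos)
            pos += 4
            if pos + length > len(body):
                raise ValueError("truncated extension")
            if ext_type in exts:                       # RFC 8446 section 4.2: at most one per type
                raise ValueError("duplicate extension type %d" % ext_type)
            exts[ext_type] = body[pos:pos + length]
            pos += length
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ClientHello") from exc
    return {"cipher_suites": suites, "extensions": exts}


def handshake_profile(parsed):
    """Answer what a practitioner checks: TLS 1.3 offered, groups with key shares,
    record size limit, OCSP stapling request, EMS, and how many CAs are named."""
    exts = parsed["extensions"]
    versions, share_groups, ca_count = [], [], 0
    if EXT_SUPPORTED_VERSIONS in exts:
        v = exts[EXT_SUPPORTED_VERSIONS]
        versions = [struct.unpack_from("!H", v, 1 + i)[0] for i in range(0, v[0], 2)]
    if EXT_KEY_SHARE in exts:
        ks, pos = exts[EXT_KEY_SHARE], 2
        while pos < len(ks):
            group, klen = struct.unpack_from("!HH", ks, pos)
            share_groups.append(group)
            pos += 4 + klen
    if EXT_CERTIFICATE_AUTHORITIES in exts:
        ca, pos = exts[EXT_CERTIFICATE_AUTHORITIES], 2
        while pos < len(ca):
            pos += 2 + struct.unpack_from("!H", ca, pos)[0]
            ca_count += 1
    rsl = exts.get(EXT_RECORD_SIZE_LIMIT)
    sr = exts.get(EXT_STATUS_REQUEST)
    return {
        "offers_tls13": TLS13 in versions,
        "key_share_groups": share_groups,
        "record_size_limit": struct.unpack("!H", rsl)[0] if rsl else None,
        "requests_ocsp_stapling": bool(sr) and sr[0] == 1,
        "extended_master_secret": EXT_EXTENDED_MASTER_SECRET in exts,
        "certificate_authorities": ca_count,
    }


if __name__ == "__main__":
    print(handshake_profile(parse_client_hello(build_client_hello())))
```

To use this against a real client, feed parse_client_hello the handshake message extracted from a packet capture (the bytes after the 5-byte TLS record header); a value of 16385 for record_size_limit is the maximum a TLS 1.3 client may advertise under RFC 8449, and the extended_master_secret extension is relevant only when the negotiated version turns out to be TLS 1.2.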
This release of SSL-J is designed to include the following changes:
- SSLv3, TLS 1.0 and TLS 1.1 are no longer supported, and implementations have been removed.
- Support for the following properties has been removed:
  - com.rsa.ssl.server.compatibility.securerenegotiation
  - com.rsa.ssl.server.compatibility.securerenegotiation.requireupdatedpeer
  - com.rsa.ssl.client.compatibility.securerenegotiation.requireupdatedpeer
  - com.rsa.ssl.rsamd5signature
  - jsse.enableCBCProtection
- Support for the EC Supported Point Formats extension in TLS 1.2 has been updated from RFC 4492 to RFC 8422 (which allows only the uncompressed point format).
- Support for legacy renegotiation has been removed.
This release is designed to remove the following deprecated functionality:
- All SSLJ APIs. Applications must use the public JSSE API and the Certificate API in Crypto-J.
- All Cert-J APIs
- All previously deprecated cipher suites, as indicated in the Enhancements and Resolved Issues
- Previously deprecated APIs. For a complete list of these items, see Removed APIs in the Dell BSAFE SSL-J Developers Guide.
This release is designed to include the following fixes:
- BSFSSLJ-300: Negotiations using Diffie-Hellman occasionally result in an "invalid padding" exception (Java 1.7). This is a third-party issue and no SSL-J change is required; for more information, see JDK-8013059 in the Oracle Bug Database.
- BSFSSLJ-262: TLS clients do not support ECDSA_sign client authentication for ECDH cipher suites. Static (fixed) ECDH cipher suites are no longer supported; use the supported ephemeral ECDHE cipher suites instead.
- BSFSSLJ-261: TLS v1.1 server sends a certificate carrying a fixed DH key signed with DSA for a DH_RSA cipher suite. Won't Fix because TLS 1.1 is no longer supported.
- BSFSSLJ-259: JSSE TLSv1.2 ClientHello includes RC4 cipher suites. RC4 cipher suites are no longer supported.
- BSFSSLJ-245: SSL-J fails with “Could not find the OCSP responder certificate specified.” error even with OCSP switched off when using the SSLJ API. Workaround: Comment out all OCSP-related properties (under trustManagers). Won't Fix because the SSLJ API is no longer supported.
For additional documentation, downloads and more, contact Dell Support.