Dell BSAFE SSL-J 7.0 Release Advisory
Summary: The Dell BSAFE team announces the release of Dell BSAFE SSL-J 7.0, adding support for TLS 1.3 using FIPS 140 validated cryptography.
Instructions
Initially published on April 13, 2021
Description
The Dell BSAFE team announces the release of Dell BSAFE SSL-J 7.0 (SSL-J). This release embeds Dell BSAFE Crypto-J 6.2.5.1 (Crypto-J), which uses the Dell BSAFE Crypto-J Jsafe and JCE Software Module 6.2.5 as its underlying FIPS provider.
Note: The embedded Crypto-J is included to address compatibility issues required to produce SSL-J. A standalone release of Crypto-J will be provided at a later date, if deemed necessary by Dell Technologies.
This release of SSL-J is designed to provide the following new features:
- Implementation of TLS 1.3 (RFC 8446).
  - Property Support for TLS 1.3:
    - Support for the following new properties has been added:
      com.rsa.ssl.compatibility.tls13.middlebox
      com.rsa.ssl.server.forcehrr
      com.rsa.ssl.tlsextensions.client.keyshares
      com.rsa.ssl.tlsextensions.server.cookie
      com.rsa.sslj.supported.signature.schemes
      com.rsa.sslj.supported.certificate.signature.schemes
    - Support for the previously unsupported property has been added:
      jdk.tls.keyLimits
    - TLS 1.3 support for the following property has been added:
      jdk.tls.disabledAlgorithms
    - TLS 1.3 and TLS 1.2 support for the previously unsupported property has been added:
      jdk.tls.namedGroups
- Implementation of Certificate Authorities extension for TLS 1.3 (RFC 8446).
- Implementation of the Certificate Status Request extension, OCSP Stapling, for TLS 1.2 and TLS 1.3 (RFC 6066 and RFC 8446).
  - Support for the following new property has been added:
    com.rsa.ssl.client.ocsp.sendnonce
  - Support for the following previously unsupported properties has been added:
    jdk.tls.client.enableStatusRequestExtension
    jdk.tls.server.enableStatusRequestExtension
    jdk.tls.stapling.cacheSize
    jdk.tls.stapling.cacheLifetime
    jdk.tls.stapling.ignoreExtensions
    jdk.tls.stapling.responseTimeout
    jdk.tls.stapling.responderURI
    jdk.tls.stapling.responderOverride
- Implementation of Record Size Limit Extension for TLS 1.2 and TLS 1.3 (RFC 8449).
  - Support for the following new properties has been added:
    com.rsa.ssl.tlsextensions.client.recordsizelimit.length
    com.rsa.ssl.tlsextensions.server.recordsizelimit.length
- Implementation of Session Hash and Extended Master Secret for TLS 1.2 (RFC 7627).
  - Support for the previously unsupported property has been added:
    jdk.tls.useExtendedMasterSecret
- Configuration of ephemeral key usage limit.
  - The com.rsa.ssl.ephemeralkey.usagelimit system property limits the number of times an ephemeral key pair is used for handshakes. By default, the limit is 1, ensuring ephemeral key pairs are not re-used.
    CAUTION: Careful consideration should be given to the use of this property as any increase in performance comes at the cost of a reduced level of security.
This release of SSL-J is designed to include the following changes:
- SSLv3, TLS 1.0 and TLS 1.1 are no longer supported, and implementations have been removed.
- Support for the following properties has been removed:
  com.rsa.ssl.server.compatibility.securerenegotiation
  com.rsa.ssl.server.compatibility.securerenegotiation.requireupdatedpeer
  com.rsa.ssl.client.compatibility.securerenegotiation.requireupdatedpeer
  com.rsa.ssl.rsamd5signature
  jsse.enableCBCProtection
- Updated support for EC Supported Point Formats Extension, for TLS 1.2, from RFC 4492 to RFC 8422.
- Support for legacy renegotiation has been removed.
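A pre-upgrade check for the removed properties listed above and for the ephemeral key usage limit CAUTION, as an added example that is not part of this advisory or of SSL-J. The function names, the constructed sample input, and the assumptions that settings arrive as `-Dname=value` flags or `name=value` lines and that the usage limit is a decimal count are illustrative.

```python
# Added example: audits JVM flags / .properties text against this advisory.
# Property names are copied from the advisory; everything else is illustrative.
REMOVED = {
    "com.rsa.ssl.server.compatibility.securerenegotiation",
    "com.rsa.ssl.server.compatibility.securerenegotiation.requireupdatedpeer",
    "com.rsa.ssl.client.compatibility.securerenegotiation.requireupdatedpeer",
    "com.rsa.ssl.rsamd5signature",
    "jsse.enableCBCProtection",
}
USAGE_LIMIT = "com.rsa.ssl.ephemeralkey.usagelimit"

def parse_settings(text):
    """Yield (name, value) from -Dname=value flags or name=value lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        # A launcher line contributes its -D flags; otherwise treat the
        # whole line as one properties entry.
        tokens = [t[2:] for t in line.split() if t.startswith("-D")] or [line]
        for token in tokens:
            name, sep, value = token.partition("=")
            if sep:
                yield name.strip(), value.strip()

def audit(text):
    """Return (property, reason) findings for settings affected by SSL-J 7.0."""
    findings = []
    for name, value in parse_settings(text):
        if name in REMOVED:
            findings.append((name, "support removed in SSL-J 7.0"))
        elif name == USAGE_LIMIT:
            # Assumption: the value is a decimal handshake count.
            if not value.isdecimal():
                findings.append((name, f"unparseable value {value!r}"))
            elif int(value) > 1:
                findings.append((name, f"ephemeral key pairs reused, limit {value} (default 1)"))
    return findings

# Constructed sample: one launcher line plus properties-file entries.
SAMPLE = """\
java -Dcom.rsa.ssl.ephemeralkey.usagelimit=50 -Djdk.tls.namedGroups=secp256r1 -jar app.jar
com.rsa.ssl.rsamd5signature = true
jsse.enableCBCProtection=false
jdk.tls.useExtendedMasterSecret=true
"""

if __name__ == "__main__":
    for prop, reason in audit(SAMPLE):
        print(f"{prop}: {reason}")
```

Quoted `-D` values containing spaces are not handled; feed such settings as one `name=value` line each.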
This release is designed to remove the following deprecated functionality:
- All SSLJ APIs. Applications must use the public JSSE API and the Certificate API in Crypto-J.
- All Cert-J APIs.
- All previously deprecated cipher suites, as indicated in the Enhancements and Resolved Issues.
- Previously deprecated APIs. For a complete list of these items, see Removed APIs in the Dell BSAFE SSL-J Developers Guide.
This release is designed to include the following fixes:
- BSFSSLJ-300: Negotiations using Diffie Hellman occasionally result in an ‘invalid padding’ exception (Java 1.7). For more information, see the Oracle Bug Database, JDK-8013059. Third-party issue; no SSL-J change required.
- BSFSSLJ-262: TLS clients do not support ECDSA_sign client authentication for ECDH cipher suites. Fixed (static) ECDH cipher suites are no longer supported. Use the supported ephemeral ECDHE cipher suites.
- BSFSSLJ-261: TLS v1.1 server sends a certificate carrying a fixed DH key signed with DSA for a DH_RSA cipher suite. Won't Fix because TLS 1.1 is no longer supported.
- BSFSSLJ-259: JSSE TLSv1.2 ClientHello includes RC4 cipher suites. RC4 cipher suites are no longer supported.
- BSFSSLJ-245: SSL-J fails with “Could not find the OCSP responder certificate specified.” error even with OCSP switched off when using the SSLJ API. Workaround: Comment out all OCSP-related properties (under trustManagers). Won't Fix because the SSLJ API is no longer supported.
For additional documentation, downloads and more, contact Dell Support.
Products
BSAFE SSL-J
Article Properties
Article Number: 000185251
Article Type: How To
Last Modified: 16 Dec 2022
Version: 3