
Article Number: 000185251


Dell BSAFE SSL-J 7.0 Release Advisory

Summary: The Dell BSAFE team announces the release of Dell BSAFE SSL-J 7.0, adding support for TLS 1.3 using FIPS 140 validated cryptography.

Article Content


Instructions

Initially published on April 13, 2021

Description

The Dell BSAFE team announces the release of Dell BSAFE SSL-J 7.0 (SSL-J). This release embeds Dell BSAFE Crypto-J 6.2.5.1 (Crypto-J), which uses the Dell BSAFE Crypto-J Jsafe and JCE Software Module 6.2.5 as its underlying FIPS provider. 

Note: The embedded Crypto-J is included to address compatibility issues required to produce SSL-J. A standalone release of Crypto-J will be provided at a later date, if deemed necessary by Dell Technologies.
 

This release of SSL-J is designed to provide the following new features:

  • Implementation of TLS 1.3 (RFC 8446).
  • Property Support for TLS 1.3:
    • Support for the following new properties has been added:
           com.rsa.ssl.compatibility.tls13.middlebox
           com.rsa.ssl.server.forcehrr
           com.rsa.ssl.tlsextensions.client.keyshares
           com.rsa.ssl.tlsextensions.server.cookie
           com.rsa.sslj.supported.signature.schemes
           com.rsa.sslj.supported.certificate.signature.schemes
  • Support for the following previously unsupported property has been added:
           jdk.tls.keyLimits
  • TLS 1.3 support for the following property has been added:
           jdk.tls.disabledAlgorithms
  • TLS 1.3 and TLS 1.2 support for the previously unsupported property has been added:
           jdk.tls.namedGroups
  • Implementation of Certificate Authorities extension for TLS 1.3 (RFC 8446).
  • Implementation of the Certificate Status Request extension, OCSP Stapling, for TLS 1.2 and TLS 1.3. (RFC 6066 and RFC 8446).
    • Support for the following new property has been added:
           com.rsa.ssl.client.ocsp.sendnonce
  • Support for the following previously unsupported properties has been added:
           jdk.tls.client.enableStatusRequestExtension
           jdk.tls.server.enableStatusRequestExtension
           jdk.tls.stapling.cacheSize
           jdk.tls.stapling.cacheLifetime
           jdk.tls.stapling.ignoreExtensions
           jdk.tls.stapling.responseTimeout
           jdk.tls.stapling.responderURI
           jdk.tls.stapling.responderOverride
  • Implementation of Record Size Limit Extension for TLS 1.2 and TLS 1.3 (RFC 8449).
    • Support for the following new properties has been added:
           com.rsa.ssl.tlsextensions.client.recordsizelimit.length
           com.rsa.ssl.tlsextensions.server.recordsizelimit.length
  • Implementation of Session Hash and Extended Master Secret for TLS 1.2 (RFC 7627).
    • Support for the previously unsupported property has been added:
           jdk.tls.useExtendedMasterSecret
  • Configuration of ephemeral key usage limit.
    • The com.rsa.ssl.ephemeralkey.usagelimit system property limits the number of times an ephemeral key pair is used for handshakes. By default, the limit is 1, ensuring ephemeral key pairs are not re-used.
      CAUTION: Careful consideration should be given to the use of this property, as any increase in performance comes at the cost of a reduced level of security.


This release of SSL-J is designed to include the following changes:

  • SSLv3, TLS 1.0 and TLS 1.1 are no longer supported, and implementations have been removed.
  • Support for the following properties has been removed:
      com.rsa.ssl.server.compatibility.securerenegotiation
      com.rsa.ssl.server.compatibility.securerenegotiation.requireupdatedpeer
      com.rsa.ssl.client.compatibility.securerenegotiation.requireupdatedpeer
      com.rsa.ssl.rsamd5signature
      jsse.enableCBCProtection
  • Updated support for EC Supported Point Formats Extension, for TLS 1.2, from RFC 4492 to RFC 8422.
  • Support for legacy renegotiation has been removed.
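
A pre-upgrade configuration audit based on the lists above, as an added example that is not Dell code: it scans JVM options and properties-file text for the removed properties, for removed protocol versions, and for an ephemeral key usage limit above the default of 1. The protocol-selection property names checked (jdk.tls.client.protocols, jdk.tls.server.protocols, https.protocols) are standard JDK properties assumed here to be where an application pins protocol versions, and the sample input is constructed.

```python
import re
# Property names below are taken from this advisory's "removed" list.
REMOVED_PROPS = {
    "com.rsa.ssl.server.compatibility.securerenegotiation",
    "com.rsa.ssl.server.compatibility.securerenegotiation.requireupdatedpeer",
    "com.rsa.ssl.client.compatibility.securerenegotiation.requireupdatedpeer",
    "com.rsa.ssl.rsamd5signature",
    "jsse.enableCBCProtection",
}
REMOVED_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
# Assumption: standard JDK properties where applications commonly pin protocol versions.
PROTOCOL_PROPS = {"jdk.tls.client.protocols", "jdk.tls.server.protocols", "https.protocols"}
KEY_LIMIT_PROP = "com.rsa.ssl.ephemeralkey.usagelimit"

def parse_settings(text):
    """Yield (name, value) from -Dname=value JVM options and name=value properties lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        opts = re.findall(r'-D([\w.]+)=("[^"]*"|\S*)', line)
        if opts:
            for name, value in opts:
                yield name, value.strip('"')
        elif "=" in line:
            yield tuple(part.strip() for part in line.split("=", 1))

def audit(text):
    findings = []
    for name, value in parse_settings(text):
        if name in REMOVED_PROPS:
            findings.append(("removed-property", name, value))
        elif name in PROTOCOL_PROPS:
            bad = sorted(REMOVED_PROTOCOLS & {p.strip() for p in value.split(",")})
            if bad:
                findings.append(("removed-protocol", name, ",".join(bad)))
        elif name == KEY_LIMIT_PROP and value.isdigit() and int(value) > 1:
            findings.append(("ephemeral-key-reuse", name, value))
    return findings

SAMPLE = """\
# constructed sample: one JVM options line plus properties-file lines
JAVA_OPTS=-Dcom.rsa.ssl.rsamd5signature=true -Dhttps.protocols="TLSv1.1,TLSv1.2"
jsse.enableCBCProtection=false
com.rsa.ssl.ephemeralkey.usagelimit=50
jdk.tls.client.protocols=TLSv1.3,TLSv1.2
"""
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Values of jdk.tls.disabledAlgorithms are deliberately not checked for protocol names, since listing SSLv3 or TLSv1 there disables them.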

This release is designed to remove the following deprecated functionality:

  • All SSLJ APIs. Applications must use the public JSSE API and the Certificate API in Crypto-J.
  • All Cert-J APIs.
  • All previously deprecated cipher suites, as indicated in the Enhancements and Resolved Issues.
  • Previously deprecated APIs. For a complete list of these items, see Removed APIs in the Dell BSAFE SSL-J Developers Guide.

This release is designed to include the following fixes:

  • BSFSSLJ-300: Negotiations using Diffie-Hellman occasionally result in an ‘invalid padding’ exception (Java 1.7). For more information, see the Oracle Bug Database, JDK-8013059. Third-party issue; no SSL-J change required.
  • BSFSSLJ-262: TLS clients do not support ECDSA_sign client authentication for ECDH cipher suites. Fixed (static) ECDH cipher suites are no longer supported. Use the supported ephemeral ECDHE cipher suites.
  • BSFSSLJ-261: TLS v1.1 server sends a certificate carrying a fixed DH key signed with DSA for a DH_RSA cipher suite. Won't Fix because TLS 1.1 is no longer supported.
  • BSFSSLJ-259: JSSE TLSv1.2 ClientHello includes RC4 cipher suites. RC4 cipher suites are no longer supported.
  • BSFSSLJ-245: SSL-J fails with “Could not find the OCSP responder certificate specified.” error even with OCSP switched off when using the SSLJ API. Workaround: Comment out all OCSP-related properties (under trustManagers). Won't Fix because the SSLJ API is no longer supported.

For additional documentation, downloads and more, contact Dell Support.

Article Properties

Product: BSAFE SSL-J
Last Published Date: 16 Dec 2022
Version: 3
Article Type: How To