JDK-8217993

Configurable extensions with system properties


    Details

    • Type: CSR
    • Status: Closed
    • Priority: P3
    • Resolution: Approved
    • Fix Version/s: 17
    • Component/s: security-libs
    • Labels:
      None
    • Subcomponent:
    • Compatibility Kind:
      behavioral
    • Compatibility Risk:
      minimal
    • Compatibility Risk Description:
      No compatibility impact unless the System Properties are configured. Please note that the impact of blocking TLS extensions is complicated. For example, a TLS connection may not be able to be established if a mandatory extension is disabled. Please don't disable mandatory extensions, and don't use this feature unless you clearly understand the impact.
    • Scope:
      JDK

      Description

      Summary

      Propose to support configurable extensions with system properties.

      Problem

      The TLS protocols are designed to tolerate unknown TLS extensions. However, although it is not common, a few TLS implementations cannot handle unknown extensions properly. As a result, unexpected interoperability issues can arise when new extensions are introduced in the JDK. The interoperability impact could be mitigated if applications could customize the extensions when needed.

      Applications may not be able to update the source code. It is more convenient if applications can customize the default extensions with system properties.

      Solution

      Add two system properties to configure the default extensions on either the client or the server side of TLS connections. This enhancement may be backported to JDK 8u and 11u.

      Specification

      Two new System Properties will be added. The System Property "jdk.tls.client.disableExtensions" is used to block extensions used on the client side. The System Property "jdk.tls.server.disableExtensions" is used to block extensions used on the server side. If an extension is disabled, it will be neither produced nor processed in the handshake messages.

      The property string is a list of comma-separated standard TLS extension names. The syntax of the property string can be described in this Java BNF-style notation:

      DisableExtensions:
              ('"' TLSExtensionNames '"') | TLSExtensionNames 
      TLSExtensionNames:
              TLSExtensionName { , TLSExtensionName }
      TLSExtensionName:
              (see below)

      The extension name, TLSExtensionName, is registered in the IANA documentation (for example, server_name, status_request and signature_algorithms_cert). Note that the extension names are case sensitive. Unknown/unsupported/misspelled/duplicated TLSExtensionName tokens will be ignored.

      Note that previously we had introduced a few extension System Properties, for example "jsse.enableMFLNExtension" and "jsse.enableSNIExtension", to switch TLS extensions on or off. An extension will not be enabled if it is disabled, even if it could be enabled by setting the corresponding extension System Property.
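      As an added model of the property syntax and precedence rules described above (illustration only, not the JDK's own parser), the following applies the BNF, the case-sensitive/ignore-unknown/ignore-duplicate rules, and the "disabled wins over a legacy jsse.enable* switch" rule. The extension-name sets are constructed stand-ins for what a given JDK actually recognizes and requires, and trimming whitespace around tokens is an assumption of the model.

```python
# Added illustration of the jdk.tls.client/server.disableExtensions syntax;
# not the JDK's own parser. The two name sets below are constructed stand-ins
# for what a running JDK actually recognizes and requires.

# Constructed subset of IANA-registered TLS extension names (assumption).
KNOWN_EXTENSIONS = frozenset({
    "server_name", "max_fragment_length", "status_request", "supported_groups",
    "signature_algorithms", "signature_algorithms_cert", "supported_versions",
    "application_layer_protocol_negotiation", "key_share", "renegotiation_info",
})
# Extensions a TLS 1.3 handshake cannot proceed without (constructed list).
HANDSHAKE_CRITICAL = frozenset({"supported_versions", "key_share"})


def parse_disable_extensions(value):
    """Apply the CSR's BNF: optional surrounding double quotes around a
    comma-separated list of case-sensitive names. Unknown, misspelled and
    duplicate tokens are ignored, keeping first-appearance order.
    Trimming whitespace around each token is an assumption of this model."""
    if value is None:
        return []
    text = value.strip()
    if len(text) >= 2 and text[0] == '"' and text[-1] == '"':
        text = text[1:-1]
    disabled = []
    for token in text.split(","):
        name = token.strip()
        if name in KNOWN_EXTENSIONS and name not in disabled:
            disabled.append(name)
    return disabled


def is_extension_enabled(name, disabled, enable_property=None):
    """The disable list wins over a legacy jsse.enable*Extension switch
    (jsse.enableSNIExtension governs server_name): a disabled extension stays
    off even when that switch is "true". enable_property is the switch's
    string value, or None for extensions that have no such switch."""
    if name in disabled:
        return False
    return enable_property is None or enable_property.strip().lower() == "true"


def risky_disables(disabled):
    """Disabled names whose absence is likely to break the handshake."""
    return [n for n in disabled if n in HANDSHAKE_CRITICAL]
```

Feeding a value such as `"server_name, status_request, Status_Request, bogus_ext, key_share"` to `parse_disable_extensions` keeps only the recognized, correctly cased, first-seen names, and `risky_disables` then flags `key_share` as a disable that the compatibility note above warns against.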

      Documentation

      The newly added System Properties will be described in the JSSE Reference Guide and release notes.

              People

              Assignee:
              xuelei Xue-Lei Fan
              Reporter:
              webbuggrp Webbug Group
              Reviewed By:
              Jamil Nimeh