Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8220212

Add new keytool -showinfo -tls command for displaying TLS configuration information

    XMLWordPrintable

    Details

    • Type: CSR
    • Status: Closed
    • Priority: P3
    • Resolution: Approved
    • Fix Version/s: 13
    • Component/s: security-libs
    • Labels:
      None
    • Subcomponent:
    • Compatibility Kind:
      behavioral
    • Compatibility Risk:
      minimal
    • Compatibility Risk Description:
      No compatibility risk. New command.
    • Interface Kind:
      add/remove/modify command line option
    • Scope:
      JDK

      Description

      Summary

      Add a new keytool -showinfo -tls command to display TLS configuration information.

      Problem

      TLS configuration information (including the enabled cipher suites, their order, and the enabled protocols, etc) is very useful to both users and administrators and can vary depending on what JDK release or update is installed on the system and if any changes have been made to the java.security file to restrict cipher suites or protocols. Previously we had been documenting the enabled suites and protocols in the JSSE security guide, but that has been proven to be a moving target and difficult to keep up-to-date as additional weak cipher suites have been restricted, often in update releases. Thus, showing the information in keytool seems to be the best solution.

      While keytool has been historically a tool managing keys and certificates, we think it can also be a home for this new function because (1) TLS is very close to key/cert and users of TLS and keytool are mostly the same, (2) it's the only security-related tool in java.base and we think it's not worth creating a separate new tool for the new function.

      Solution

      Add a new keytool command -showinfo to display security-related information of the current JDK. Use an option to decide what kind of information to print out. The first such an option is -tls which will display the TLS configuration.

      Specification

      keytool -help will show a new command:

      -showinfo      Displays security-related information

      and keytool -help -showinfo will show its available options:

      keytool -showinfo [OPTION]...
      
      Displays security-related information
      
      Options:
      
       -tls     Displays TLS configuration information
       -v       verbose output

      The exact output format of keytool -showinfo -tls is not specified here and could evolve in future releases.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              weijun Weijun Wang
              Reporter:
              mullan Sean Mullan
              Reviewed By:
              Sean Mullan
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: