Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8217993

Configurable extensions with system properties

XMLWordPrintable

    • Icon: CSR CSR
    • Resolution: Approved
    • Icon: P3 P3
    • 17
    • security-libs
    • None
    • behavioral
    • minimal
    • Hide
      No compatibility impact unless the System Properties are configured. Please note that the impact of blocking TLS extensions is complicated. For example, a TLS connection may not be able to established if a mandatory extension is disabled. Please don't disable mandatory extensions, and don't use this feature unless you clearly understand the impact.
      Show
      No compatibility impact unless the System Properties are configured. Please note that the impact of blocking TLS extensions is complicated. For example, a TLS connection may not be able to established if a mandatory extension is disabled. Please don't disable mandatory extensions, and don't use this feature unless you clearly understand the impact.
    • JDK

      Summary

      Propose to support configurable extensions with system properties.

      Problem

      The TLS protocols are designed to tolerate unknown TLS extensions. However, although it is not common, there are a few TLS implementations that cannot handle unknown extensions properly. As a result, unexpected interoperability issues can arise when new extensions are introduced in JDK. The interoperability impact could be mitigated If applications can customize the extensions if needed.

      Applications may not be able to update the source code. It is more convenient if applications can customize the default extensions with system properties.

      Solution

      Add two system properties to configure the default extensions in either client or server side of TLS connections. This enhancement may backport to JDK 8u and 11u.

      Specification

      Two new System Properties will be added. The System Property, "jdk.tls.client.disableExtensions", is used to block extensions used in client side. The System Property, "jdk.tls.server.disableExtensions", is used to block extensions used in server side. If an extension is disabled, it will be neither produced or processed in the handshake messages.

      The property string is a list of comma separated standard TLS extension names. The syntax of the property string can be described as this Java BNF-style:

      DisableExtensions:
        ('"' TLSExtensionNames '"') | TLSExtensionNames 
TLSExtensionNames:
        TLSExtensionName { , TLSExtensionName }
TLSExtensionName:
        (see below)

      The extension name, TLSExtensionName, is registered in the IANA documentation (for example, server_name, status_request and signature_algorithms_cert). Note that the extension names are case sensitive. Unknown/unsupported/misspelled/duplicated TLSExtensionName tokens will be ignored.

      Note that previously we had introduced a few extension System Properties, for example "jsse.enableMFLNExtension", "jsse.enableSNIExtension" and "jsse.enableSNIExtension", to switch on/off TLS extensions. An extension will not be enabled if it is disabled, even it could be enabled by setting the corresponding extension System Property.

      Documentation

      The new added System Properties will be described in the JSSE Reference Guide, and release notes.

            xuelei Xuelei Fan
            webbuggrp Webbug Group
            Jamil Nimeh
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: