OpenSSL v3 is supported on all platforms
eclipse-openj9#1171

Updated the related topic and the What's new in version 0.41.0 release.

Closes eclipse-openj9#1171
Signed-off-by: Sreekala Gopakumar <[email protected]>
Sreekala-Gopakumar committed Sep 28, 2023
1 parent ce53cd1 commit 99eb95d
Showing 5 changed files with 11 additions and 6 deletions.
2 changes: 1 addition & 1 deletion docs/builds.md
Expand Up @@ -40,7 +40,7 @@ If you want to build your own binaries of OpenJDK with OpenJ9, a complete set of

Note the following:

- For the best performance, OpenSSL support should be enabled in the build. In builds that aren't configured with `--enable-openssl-bundling`, the OpenSSL library is expected to be found on the system path. If you want to use OpenSSL cryptographic acceleration, you must install OpenSSL 1.0.2, 1.1.X, or 3.0.x (Linux only) on your system. If the library is not found on the system path, the in-built Java crytographic implementation is used instead, which performs less well.
- For the best performance, OpenSSL support should be enabled in the build. In builds that aren't configured with `--enable-openssl-bundling`, the OpenSSL library is expected to be found on the system path. If you want to use OpenSSL cryptographic acceleration, you must install OpenSSL 1.0.2, 1.1.x, or 3.x on your system. If the library is not found on the system path, the in-built Java crytographic implementation is used instead, which performs less well.
- ![Start of content that applies only to Java 8](cr/java8.png) On Linux systems, the `fontconfig.x86_64` package should be installed to avoid a `NullPointerException` error when the AWT font subsystem is initialized.
- From Eclipse OpenJ9 release 0.16.0 (OpenJDK 13) and release 0.17.0 (OpenJDK 8 and 11), CUDA is now enabled on Windows (x86-64) and Linux (x86-64 and IBM POWER LE) platforms, which allows you to offload certain Java application processing tasks to a general purpose graphics processing unit (GPU). To take advantage of this feature, your system must support NVIDIA Compute Unified Device Architecture (CUDA). The JIT requires the CUDA Toolkit 7.5 and your GPU device must have a minimum compute capability of 3.0.
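
Review bot: The rewritten bullet still carries the typo "crytographic" ("the in-built Java crytographic implementation"); since this line is being replaced anyway, correct it to "cryptographic" in the same change. This bullet also gives the oldest supported level as "1.0.2" while the other topics touched in this commit say "1.0.x"; pick one form so the supported range reads the same everywhere.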

2 changes: 1 addition & 1 deletion docs/jitserver.md
Expand Up @@ -80,7 +80,7 @@ If a JITServer server crashes, the client is forced to perform compilations loca

## Security

You can encrypt network communication between the client VM and JITServer by using OpenSSL 1.0.x, 1.1.x, or 3.0.x. To enable encryption, you specify the private key and the certificate at the server and use the certificate at the client. For more information, see [-XX:JITServerSSLCert / -XX:JITServerSSLKey / -XX:JITServerSSLRootCerts](xxjitserversslcert.md).
You can encrypt network communication between the client VM and JITServer by using OpenSSL 1.0.x, 1.1.x, or 3.x. To enable encryption, you specify the private key and the certificate at the server and use the certificate at the client. For more information, see [-XX:JITServerSSLCert / -XX:JITServerSSLKey / -XX:JITServerSSLRootCerts](xxjitserversslcert.md).

## Tuning JITServer

6 changes: 3 additions & 3 deletions docs/openssl.md
Expand Up @@ -23,13 +23,13 @@

# OpenSSL

OpenJDK uses the in-built Java&trade; cryptographic implementation by default but Eclipse OpenJ9&trade; also provides some support for the OpenSSL cryptographic library. OpenSSL is an open source cryptographic toolkit for Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols, which is well established and used with many enterprise applications. Because it is a native library, OpenSSL might provide better performance. To use OpenSSL cryptographic acceleration, install OpenSSL 1.0.x, 1.1.x, or 3.0.x (Linux&reg; only) on your system. The OpenSSL V1.0.x, V1.1.x, and V3.0.x implementations are currently supported for the Digest, CBC, GCM, RSA, ECDH key agreement, and EC key generation algorithms. The OpenSSL V1.1.x and V3.0.x implementations are also supported for the ChaCha20 and ChaCha20-Poly1305 algorithms. The OpenSSL V1.1.1 onwards implementations are supported for the XDH key agreement and XDH key generation algorithms.
OpenJDK uses the in-built Java&trade; cryptographic implementation by default but Eclipse OpenJ9&trade; also provides some support for the OpenSSL cryptographic library. OpenSSL is an open source cryptographic toolkit for Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols, which is well established and used with many enterprise applications. Because it is a native library, OpenSSL might provide better performance. To use OpenSSL cryptographic acceleration, install OpenSSL 1.0.x, 1.1.x, or 3.x on your system. The OpenSSL V1.0.x, V1.1.x, and V3.x implementations are currently supported for the Digest, CBC, GCM, RSA, ECDH key agreement, and EC key generation algorithms. The OpenSSL V1.1.x and V3.x implementations are also supported for the ChaCha20 and ChaCha20-Poly1305 algorithms. The OpenSSL V1.1.1 onwards implementations are supported for the XDH key agreement and XDH key generation algorithms.

On Linux and AIX&reg; operating systems, the OpenSSL 1.0.x or 1.1.x library is expected to be found on the system path. If you use a package manager to install OpenSSL, the system path will be updated automatically. On other operating systems, the OpenSSL 1.1.x library is typically bundled. Later levels of some Linux operating systems might bundle OpenSSL 3.0.x.
On all operating systems, the OpenSSL 1.0.x, 1.1.x, or 3.x library is expected to be found on the system path. If you use a package manager to install OpenSSL, the system path will be updated automatically.

If you have multiple versions of OpenSSL on your system, the OpenJ9 VM uses the latest version.

:fontawesome-solid-pencil:{: .note aria-hidden="true"} **Note:** OpenSSL 3.0.x does not support initialization vector (IV) sizes above 16 Bytes for the GCM algorithm. (In earlier OpenSSL versions, you can use such sizes but they might cause unpredictable behavior.) If you need to use a larger size, disable OpenSSL support for the GCM algorithm.
:fontawesome-solid-pencil:{: .note aria-hidden="true"} **Note:** OpenSSL 3.x does not support initialization vector (IV) sizes above 16 Bytes for the GCM algorithm. (In earlier OpenSSL versions, you can use such sizes but they might cause unpredictable behavior.) If you need to use a larger size, disable OpenSSL support for the GCM algorithm.

OpenSSL support is enabled by default for all supported algorithms. If you want to limit support to specific algorithms, a number of system properties are available for tuning the implementation.
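
Review bot: The new sentence "On all operating systems, the OpenSSL 1.0.x, 1.1.x, or 3.x library is expected to be found on the system path" drops the earlier statement that the library is typically bundled on some operating systems, while docs/builds.md in this same commit limits the system-path expectation to builds that are not configured with `--enable-openssl-bundling`. State that scope here as well. Separately, with 3.x now in scope everywhere and the unchanged line "the OpenJ9 VM uses the latest version", installing 3.x alongside an older level moves an application onto the library that does not support GCM IV sizes above 16 bytes without any configuration change; the note should say so and name or link the system property that disables OpenSSL for GCM instead of leaving the reader to find it.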

5 changes: 5 additions & 0 deletions docs/version0.41.md
Expand Up @@ -32,6 +32,7 @@ The following new features and notable changes since version 0.40.0 are included
- [Change in behavior of `-Xshareclasses:readonly`](#change-in-behavior-of-xshareclassesreadonly)
- [New `-XX:[+|-]EnableDynamicAgentLoading` option added](#new-xx-enabledynamicagentloading-option-added)
- [New `-XX:[+|-]UseZlibNX` option added](#new-xx-usezlibnx-option-added)
- [Support for OpenSSL 3.x](#support-for-openssl-3x)

## Features and changes

Expand Down Expand Up @@ -77,6 +78,10 @@ For more information, see [`-XX:[+|-]EnableDynamicAgentLoading`](xxenabledynamic

AIX&reg; system adds the `zlibnx` library directory path in the `LIBPATH` environment variable by default, if it is available in the system. You can control the loading of the `zlibnx` library by using the [`-XX:[+|-]UseZlibNX`](xxusezlibnx.md) option.

### Support for OpenSSL 3.x

OpenSSL 3.x is now supported on all operating systems. For more information about OpenSSL support, see [`Cryptographic operations`](introduction.md#cryptographic-operations).

## Known problems and full release information

To see known problems and a complete list of changes between Eclipse OpenJ9 v0.40.0 and v0.41.0 releases, see the [Release notes](https://github.com/eclipse-openj9/openj9/blob/master/doc/release-notes/0.41/0.41.md).
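
Review bot: The new "Support for OpenSSL 3.x" entry links to `introduction.md#cryptographic-operations` rather than docs/openssl.md, which is the topic this commit updates and the one that carries the GCM IV-size restriction for 3.x. Link to the OpenSSL topic (or add it alongside) and mention the 16-byte IV limit in this entry, since the release notes are where users who pick up 3.x will look for behavior changes. The link text is also wrapped in backticks although "Cryptographic operations" is a section title, not an option or code.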
2 changes: 1 addition & 1 deletion docs/xxjitserversslcert.md
Expand Up @@ -41,7 +41,7 @@ The files must all be in `.pem` file format.

## Explanation

You can encrypt network communication by using OpenSSL 1.0.x, 1.1.x, or 3.0.x. To enable encryption, specify the private key (`<key>.pem`) and the certificate (`<cert>.pem`) at the server:
You can encrypt network communication by using OpenSSL 1.0.x, 1.1.x, or 3.x. To enable encryption, specify the private key (`<key>.pem`) and the certificate (`<cert>.pem`) at the server:

-XX:JITServerSSLKey=<key>.pem -XX:JITServerSSLCert=<cert>.pem
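
Review bot: This sentence is nearly word for word the one edited in docs/jitserver.md ("You can encrypt network communication ... by using OpenSSL 1.0.x, 1.1.x, or 3.x"), and the supported-version list is hand-maintained in four topics, each of which this commit had to touch. Keep the list in one place, for example docs/openssl.md, and have the JITServer topics link to it so the next version change is a single edit.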

