From 99eb95d226cd485a59ac80579f3b19c0c638cc01 Mon Sep 17 00:00:00 2001 From: Sreekala Gopakumar Date: Wed, 27 Sep 2023 17:40:39 +0530 Subject: [PATCH] OpenSSL v3 is supported on all platforms https://github.com/eclipse-openj9/openj9-docs/issues/1171 Updated the related topic and the What's new in version 0.41.0 release. Closes #1171 Signed-off-by: Sreekala Gopakumar --- docs/builds.md | 2 +- docs/jitserver.md | 2 +- docs/openssl.md | 6 +++--- docs/version0.41.md | 5 +++++ docs/xxjitserversslcert.md | 2 +- 5 files changed, 11 insertions(+), 6 deletions(-) diff --git a/docs/builds.md b/docs/builds.md index 57713ca7b3..3b863649bb 100644 --- a/docs/builds.md +++ b/docs/builds.md 
@@ -40,7 +40,7 @@ If you want to build your own binaries of OpenJDK with OpenJ9, a complete set of Note the following: -- For the best performance, OpenSSL support should be enabled in the build. In builds that aren't configured with `--enable-openssl-bundling`, the OpenSSL library is expected to be found on the system path. If you want to use OpenSSL cryptographic acceleration, you must install OpenSSL 1.0.2, 1.1.X, or 3.0.x (Linux only) on your system. If the library is not found on the system path, the in-built Java crytographic implementation is used instead, which performs less well. +- For the best performance, OpenSSL support should be enabled in the build. In builds that aren't configured with `--enable-openssl-bundling`, the OpenSSL library is expected to be found on the system path. If you want to use OpenSSL cryptographic acceleration, you must install OpenSSL 1.0.2, 1.1.x, or 3.x on your system. If the library is not found on the system path, the in-built Java crytographic implementation is used instead, which performs less well. - ![Start of content that applies only to Java 8](cr/java8.png) On Linux systems, the `fontconfig.x86_64` package should be installed to avoid a `NullPointerException` error when the AWT font subsystem is initialized. - From Eclipse OpenJ9 release 0.16.0 (OpenJDK 13) and release 0.17.0 (OpenJDK 8 and 11), CUDA is now enabled on Windows (x86-64) and Linux (x86-64 and IBM POWER LE) platforms, which allows you to offload certain Java application processing tasks to a general purpose graphics processing unit (GPU). To take advantage of this feature, your system must support NVIDIA Compute Unified Device Architecture (CUDA). The JIT requires the CUDA Toolkit 7.5 and your GPU device must have a minimum compute capability of 3.0. diff --git a/docs/jitserver.md b/docs/jitserver.md index 589473ef64..c6666b81f9 100644 --- a/docs/jitserver.md +++ b/docs/jitserver.md 
@@ -80,7 +80,7 @@ If a JITServer server crashes, the client is forced to perform compilations loca ## Security -You can encrypt network communication between the client VM and JITServer by using OpenSSL 1.0.x, 1.1.x, or 3.0.x. To enable encryption, you specify the private key and the certificate at the server and use the certificate at the client. For more information, see [-XX:JITServerSSLCert / -XX:JITServerSSLKey / -XX:JITServerSSLRootCerts](xxjitserversslcert.md). +You can encrypt network communication between the client VM and JITServer by using OpenSSL 1.0.x, 1.1.x, or 3.x. To enable encryption, you specify the private key and the certificate at the server and use the certificate at the client. For more information, see [-XX:JITServerSSLCert / -XX:JITServerSSLKey / -XX:JITServerSSLRootCerts](xxjitserversslcert.md). ## Tuning JITServer diff --git a/docs/openssl.md b/docs/openssl.md index ba92cdedaf..c7cead7b89 100644 --- a/docs/openssl.md +++ b/docs/openssl.md 
@@ -23,13 +23,13 @@ # OpenSSL -OpenJDK uses the in-built Java™ cryptographic implementation by default but Eclipse OpenJ9™ also provides some support for the OpenSSL cryptographic library. OpenSSL is an open source cryptographic toolkit for Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols, which is well established and used with many enterprise applications. Because it is a native library, OpenSSL might provide better performance. To use OpenSSL cryptographic acceleration, install OpenSSL 1.0.x, 1.1.x, or 3.0.x (Linux® only) on your system. The OpenSSL V1.0.x, V1.1.x, and V3.0.x implementations are currently supported for the Digest, CBC, GCM, RSA, ECDH key agreement, and EC key generation algorithms. The OpenSSL V1.1.x and V3.0.x implementations are also supported for the ChaCha20 and ChaCha20-Poly1305 algorithms. The OpenSSL V1.1.1 onwards implementations are supported for the XDH key agreement and XDH key generation algorithms. +OpenJDK uses the in-built Java™ cryptographic implementation by default but Eclipse OpenJ9™ also provides some support for the OpenSSL cryptographic library. OpenSSL is an open source cryptographic toolkit for Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols, which is well established and used with many enterprise applications. Because it is a native library, OpenSSL might provide better performance. To use OpenSSL cryptographic acceleration, install OpenSSL 1.0.x, 1.1.x, or 3.x on your system. The OpenSSL V1.0.x, V1.1.x, and V3.x implementations are currently supported for the Digest, CBC, GCM, RSA, ECDH key agreement, and EC key generation algorithms. The OpenSSL V1.1.x and V3.x implementations are also supported for the ChaCha20 and ChaCha20-Poly1305 algorithms. The OpenSSL V1.1.1 onwards implementations are supported for the XDH key agreement and XDH key generation algorithms. 
-On Linux and AIX® operating systems, the OpenSSL 1.0.x or 1.1.x library is expected to be found on the system path. If you use a package manager to install OpenSSL, the system path will be updated automatically. On other operating systems, the OpenSSL 1.1.x library is typically bundled. Later levels of some Linux operating systems might bundle OpenSSL 3.0.x. +On all operating systems, the OpenSSL 1.0.x, 1.1.x, or 3.x library is expected to be found on the system path. If you use a package manager to install OpenSSL, the system path will be updated automatically. If you have multiple versions of OpenSSL on your system, the OpenJ9 VM uses the latest version. -:fontawesome-solid-pencil:{: .note aria-hidden="true"} **Note:** OpenSSL 3.0.x does not support initialization vector (IV) sizes above 16 Bytes for the GCM algorithm. (In earlier OpenSSL versions, you can use such sizes but they might cause unpredictable behavior.) If you need to use a larger size, disable OpenSSL support for the GCM algorithm. +:fontawesome-solid-pencil:{: .note aria-hidden="true"} **Note:** OpenSSL 3.x does not support initialization vector (IV) sizes above 16 Bytes for the GCM algorithm. (In earlier OpenSSL versions, you can use such sizes but they might cause unpredictable behavior.) If you need to use a larger size, disable OpenSSL support for the GCM algorithm. OpenSSL support is enabled by default for all supported algorithms. If you want to limit support to specific algorithms, a number of system properties are available for tuning the implementation. diff --git a/docs/version0.41.md b/docs/version0.41.md index 9aecda91b6..b2aca22c05 100644 --- a/docs/version0.41.md +++ b/docs/version0.41.md 
@@ -32,6 +32,7 @@ The following new features and notable changes since version 0.40.0 are included - [Change in behavior of `-Xshareclasses:readonly`](#change-in-behavior-of-xshareclassesreadonly) - [New `-XX:[+|-]EnableDynamicAgentLoading` option added](#new-xx-enabledynamicagentloading-option-added) - [New `-XX:[+|-]UseZlibNX` option added](#new-xx-usezlibnx-option-added) +- [Support for OpenSSL 3.x](#support-for-openssl-3x) ## Features and changes @@ -77,6 +78,10 @@ For more information, see [`-XX:[+|-]EnableDynamicAgentLoading`](xxenabledynamic AIX® system adds the `zlibnx` library directory path in the `LIBPATH` environment variable by default, if it is available in the system. You can control the loading of the `zlibnx` library by using the [`-XX:[+|-]UseZlibNX`](xxusezlibnx.md) option. +### Support for OpenSSL 3.x + +OpenSSL 3.x is now supported on all operating systems. For more information about OpenSSL support, see [`Cryptographic operations`](introduction.md#cryptographic-operations). + ## Known problems and full release information To see known problems and a complete list of changes between Eclipse OpenJ9 v0.40.0 and v0.41.0 releases, see the [Release notes](https://github.com/eclipse-openj9/openj9/blob/master/doc/release-notes/0.41/0.41.md). diff --git a/docs/xxjitserversslcert.md b/docs/xxjitserversslcert.md index e35fbd4ee9..4b53338e9d 100644 --- a/docs/xxjitserversslcert.md +++ b/docs/xxjitserversslcert.md @@ -41,7 +41,7 @@ The files must all be in `.pem` file format. ## Explanation -You can encrypt network communication by using OpenSSL 1.0.x, 1.1.x, or 3.0.x. To enable encryption, specify the private key (`.pem`) and the certificate (`.pem`) at the server: +You can encrypt network communication by using OpenSSL 1.0.x, 1.1.x, or 3.x. To enable encryption, specify the private key (`.pem`) and the certificate (`.pem`) at the server: -XX:JITServerSSLKey=.pem -XX:JITServerSSLCert=.pem
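Review bot: In docs/builds.md, the rewritten bullet still spells "crytographic" in "the in-built Java crytographic implementation"; since the line is already being changed, correct it to "cryptographic". The same bullet gives the oldest supported level as "OpenSSL 1.0.2", while the docs/jitserver.md, docs/openssl.md and docs/xxjitserversslcert.md hunks in this patch all say "1.0.x". Use one form across the topics so that a reader can tell whether 1.0.0 and 1.0.1 are accepted.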
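Review bot: In docs/openssl.md, the added sentence "If you have multiple versions of OpenSSL on your system, the OpenJ9 VM uses the latest version" needs a pointer to the GCM note that follows it. Installing 3.x alongside 1.1.x now changes which library is loaded, and the note says 3.x does not support GCM IV sizes above 16 bytes, so an application that relied on larger IVs is affected by an OS package update alone. Say so next to the "latest version" sentence and link to the property that disables OpenSSL for GCM. The replaced paragraph also drops the statement that OpenSSL is typically bundled on other operating systems, while docs/builds.md still describes `--enable-openssl-bundling`; state whether a bundled library takes precedence over one on the system path. Minor: "16 Bytes" should be "16 bytes".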
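Review bot: In docs/version0.41.md, the new "Support for OpenSSL 3.x" section wraps the link text in backticks ("[`Cryptographic operations`](introduction.md#cryptographic-operations)"), which renders a topic title as code; drop the backticks. The link also goes to introduction.md, although the topic this patch updates is docs/openssl.md, so consider linking there directly. Because 3.x is now picked up on every operating system when it is the latest version installed, the release note should also mention the GCM IV limit of 16 bytes that docs/openssl.md documents for 3.x, so that users upgrading to 0.41.0 see the behaviour change here.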