Commit
Merge pull request #929 from Sreekala-Gopakumar/924OpenSSL
Added updates for OpenSSL v3 support
doveye authored Apr 27, 2022
2 parents 46abf93 + 19739dc commit 724e3e5
Showing 5 changed files with 14 additions and 5 deletions.
2 changes: 1 addition & 1 deletion docs/builds.md
Expand Up @@ -41,7 +41,7 @@ If you want to build your own binaries of OpenJDK with OpenJ9, a complete set of

Note the following:

- For the best performance, OpenSSL support should be enabled in the build. In builds that aren't configured with `--enable-openssl-bundling`, the OpenSSL library is expected to be found on the system path. If you want to use OpenSSL cryptographic acceleration, you must install OpenSSL 1.0.2 or 1.1.X on your system. If the library is not found on the system path, the in-built Java crytographic implementation is used instead, which performs less well.
- For the best performance, OpenSSL support should be enabled in the build. In builds that aren't configured with `--enable-openssl-bundling`, the OpenSSL library is expected to be found on the system path. If you want to use OpenSSL cryptographic acceleration, you must install OpenSSL 1.0.2, 1.1.X, or 3.0.x (Linux only) on your system. If the library is not found on the system path, the in-built Java crytographic implementation is used instead, which performs less well.
- ![Start of content that applies only to Java 8](cr/java8.png) On Linux systems, the `fontconfig.x86_64` package should be installed to avoid a `NullPointerException` error when the AWT font subsystem is initialized.
- From Eclipse OpenJ9 release 0.16.0 (OpenJDK 13) and release 0.17.0 (OpenJDK 8 and 11), CUDA is now enabled on Windows (x86-64) and Linux (x86-64 and IBM POWER LE) platforms, which allows you to offload certain Java application processing tasks to a general purpose graphics processing unit (GPU). To take advantage of this feature, your system must support NVIDIA Compute Unified Device Architecture (CUDA). The JIT requires the CUDA Toolkit 7.5 and your GPU device must have a minimum compute capability of 3.0.
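
Review bot: In the changed OpenSSL bullet, the version list mixes `1.1.X` and `3.0.x`, and "(Linux only)" can be read as qualifying the whole list rather than only 3.0.x; suggest "OpenSSL 1.0.2, 1.1.x, or (on Linux only) 3.0.x". The line also carries over the typo "crytographic" in its last sentence, which is worth fixing while the line is being touched.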

8 changes: 6 additions & 2 deletions docs/introduction.md
Expand Up @@ -82,9 +82,13 @@ For cloud services that charge based on memory usage, maintaining a small footpr

OpenJDK uses the in-built Java cryptographic implementation by default. However, native cryptographic implementations
typically provide better performance. OpenSSL is a native open source cryptographic toolkit for Transport Layer Security (TLS) and
Secure Sockets Layer (SSL) protocols, which is well established and used with many enterprise applications. The OpenSSL V1.0.x and V1.1.x implementations are currently supported for the Digest, CBC, GCM, and RSA algorithms. The OpenSSL V1.1.x implementation is also supported for the ChaCha20 and ChaCha20-Poly1305 algorithms.
Secure Sockets Layer (SSL) protocols, which is well established and used with many enterprise applications. The OpenSSL V1.0.x, V1.1.x, and V3.0.x implementations are currently supported for the Digest, CBC, GCM, and RSA algorithms. The OpenSSL V1.1.x and V3.0.x implementations are also supported for the ChaCha20 and ChaCha20-Poly1305 algorithms.

On Linux and AIX platforms, the OpenSSL 1.0.x or 1.1.x library is expected to be found on the system path. If you use a package manager to install OpenSSL, the system path will be updated automatically. On other platforms, the OpenSSL 1.1.x library is typically bundled.
On Linux and AIX operating systems, the OpenSSL 1.0.x or 1.1.x library is expected to be found on the system path. If you use a package manager to install OpenSSL, the system path will be updated automatically. On other operating systems, the OpenSSL 1.1.x library is typically bundled. Later levels of some Linux operating systems might bundle OpenSSL 3.0.x.

If you have multiple versions of OpenSSL on your system, the OpenJ9 VM uses the latest version.

:fontawesome-solid-pencil-alt:{: .note aria-hidden="true"} **Note:** OpenSSL 3.0.x does not support initialization vector (IV) sizes above 16 Bytes for the GCM algorithm. (In earlier OpenSSL versions, you can use such sizes but they might cause unpredictable behavior.) If you need to use a larger size, disable OpenSSL support for the GCM algorithm.

OpenSSL support is enabled by default for all supported algorithms. If you want to limit support to specific algorithms, a number of
system properties are available for tuning the implementation.
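
Review bot: The new GCM note tells users to "disable OpenSSL support for the GCM algorithm" but does not name the system property or link to it, and it does not say what the VM does on 3.0.x when an IV larger than 16 bytes is supplied. Because the sentence added just above says the VM uses the latest OpenSSL version when several are installed, a Linux host that gains 3.0.x alongside 1.1.x changes GCM behaviour with no configuration change, so the failure mode and the exact property belong in this note. Separately, the paragraph above still says only that the 1.0.x or 1.1.x library "is expected to be found on the system path" on Linux, which does not match the builds.md wording that lists 3.0.x, and "16 Bytes" should be "16 bytes".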
2 changes: 1 addition & 1 deletion docs/jitserver.md
Expand Up @@ -67,7 +67,7 @@ If a JITServer server crashes, the client is forced to perform compilations loca

## Security

You can encrypt network communication between the client VM and JITServer by using OpenSSL 1.0.x or 1.1.x. To enable encryption, you specify the private key and the certificate at the server and use the certificate at the client. For more information, see [-XX:JITServerSSLCert / -XX:JITServerSSLKey / -XX:JITServerSSLRootCerts](xxjitserversslcert.md).
You can encrypt network communication between the client VM and JITServer by using OpenSSL 1.0.x or 1.1.x (JITServer technology currently does not support OpenSSL 3.0.x). To enable encryption, you specify the private key and the certificate at the server and use the certificate at the client. For more information, see [-XX:JITServerSSLCert / -XX:JITServerSSLKey / -XX:JITServerSSLRootCerts](xxjitserversslcert.md).

## Tuning JITServer
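
Review bot: The parenthetical in the Security paragraph says JITServer does not support OpenSSL 3.0.x but not what happens when 3.0.x is the version found on the system; introduction.md in this same commit says the VM uses the latest version when several are installed. Please state whether the encrypted connection fails to start or falls back in that case, since a reader setting -XX:JITServerSSLKey and -XX:JITServerSSLCert needs to know whether traffic could end up unencrypted.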

5 changes: 5 additions & 0 deletions docs/version0.32.md
Expand Up @@ -30,6 +30,7 @@ The following new features and notable changes since version 0.30.0 are included
- [Creation of system dumps on macOS 12](#creation-of-system-dumps-on-macos-12)
- [Support for OpenJDK HotSpot options](#support-for-openjdk-hotspot-options)
- [`SharedClassStatistics` API updated](#sharedclassstatistics-api-updated)
- [Support for OpenSSL 3.0.x](#support-for-openssl-30x)
- [New `-XX:[+|-]OpenJ9CommandLineEnv` option added](#new-xx-openj9commandlineenv-option-added)
- [JITServer technology support for Linux on IBM Z® systems](#jitserver-support-for-linux-on-ibm-z-systems)
- ![Start of content that applies to Java 11 plus](cr/java11plus.png) [Modified default value for `-XX:MaxDirectMemorySize`](#modified-default-value-for-xxmaxdirectmemorysize)
Expand Down Expand Up @@ -58,6 +59,10 @@ For compatibility, the following OpenJDK HotSpot options are now supported by Op

You can now use the `SharedClassStatistics` API to get the name, path, and directory of a shared classes cache. Depending on the operating system, you can also get the number of attached VMs for a non-persistent cache. This information is available through the following new methods: `cacheDir()`, `cacheName()`, `cachePath()`, and `numberAttached()`. For more information, see the API documentation.

### Support for OpenSSL 3.0.x

OpenSSL 3.0.x is supported but on Linux only. The JITServer technology feature currently does not support OpenSSL 3.0.x. For more information about OpenSSL support, see [`Cryptographic operations`](introduction.md#cryptographic-operations).

### New `-XX:[+|-]OpenJ9CommandLineEnv` option added

This option specifies whether the VM captures the command line in the environment variable `OPENJ9_JAVA_COMMAND_LINE`. For more information, see [`-XX:[+|-]OpenJ9CommandLineEnv`](xxopenj9commandlineenv.md).
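
Review bot: The new "Support for OpenSSL 3.0.x" entry omits the GCM restriction that this commit adds to introduction.md (IV sizes above 16 bytes are not supported on 3.0.x); it is the one behaviour change an upgrading user can run into, so mention it here or point at that note explicitly. "OpenSSL 3.0.x is supported but on Linux only" would read better as "OpenSSL 3.0.x is now supported, on Linux only", and the link text `Cryptographic operations` does not need code formatting.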
2 changes: 1 addition & 1 deletion docs/xxjitserversslcert.md
Expand Up @@ -42,7 +42,7 @@ The files must all be in `.pem` file format.

## Explanation

You can encrypt network communication by using OpenSSL 1.0.x or 1.1.x. To enable encryption, specify the private key (`<key>.pem`) and the certificate (`<cert>.pem`) at the server:
You can encrypt network communication by using OpenSSL 1.0.x or 1.1.x (the JITServer technology feature currently does not support OpenSSL 3.0.x). To enable encryption, specify the private key (`<key>.pem`) and the certificate (`<cert>.pem`) at the server:

-XX:JITServerSSLKey=<key>.pem -XX:JITServerSSLCert=<cert>.pem
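
Review bot: The parenthetical added to the Explanation paragraph is worded differently from the one in jitserver.md ("the JITServer technology feature currently does not support" here, "JITServer technology currently does not support" there); pick one phrasing for both files. As the page that documents these options, this is also the place to say what a user sees if only OpenSSL 3.0.x is installed when the options are set.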
