Added updates for OpenSSL v3 support #929
Conversation
eclipse-openj9#924 Added support for OpenSSL 3.0.x (Linux only)
Updated content to mention that OpenSSL 3.0.x is supported for the same algorithms as 1.1.x.
Updated that in case of multiple versions of OpenSSL on the system, the OpenJ9 VM uses the latest version.
Added a note that OpenSSL 3.0.x does not support initialization vector (IV) sizes above 16 bytes for the GCM algorithm.
[skip ci]
Signed-off-by: Sreekala Gopakumar [email protected]
docs/version0.32.md
@@ -58,6 +59,12 @@ For compatibility, the following OpenJDK HotSpot options are now supported by Op | |||
|
|||
You can now use the `SharedClassStatistics` API to get the name, path, and directory of a shared classes cache. Depending on the operating system, you can also get the number of attached VMs for a non-persistent cache. This information is available through the following new methods: `cacheDir()`, `cacheName()`, `cachePath()`, and `numberAttached()`. For more information, see the API documentation. | |||
|
|||
### Support for OpenSSL 3.0.x | |||
|
|||
OpenSSL 3.0.x is supported but on Linux only. OpenSSL is enabled by default for the CBC, ChaCha20, ChaCha20-Poly1305Digest, GCM, and RSA cryptographic algorithms. |
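Review bot: in the added line, `ChaCha20-Poly1305Digest` reads as two list items run together; check whether it should be `ChaCha20-Poly1305, Digest` so that the algorithm list matches the one on the cryptographic operations page this section should link to. The same added sentence also appears in the later version0.32.md hunk, so whichever wording is chosen needs to be applied in both places.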
Could use a link to the detailed info on OpenSSL too, e.g. "For more information about OpenSSL support, see Cryptographic operations".
docs/builds.md
@@ -41,7 +41,8 @@ If you want to build your own binaries of OpenJDK with OpenJ9, a complete set of | |||
|
|||
Note the following: | |||
|
|||
- For the best performance, OpenSSL support should be enabled in the build. In builds that aren't configured with `--enable-openssl-bundling`, the OpenSSL library is expected to be found on the system path. If you want to use OpenSSL cryptographic acceleration, you must install OpenSSL 1.0.2 or 1.1.X on your system. If the library is not found on the system path, the in-built Java crytographic implementation is used instead, which performs less well. | |||
- For the best performance, OpenSSL support should be enabled in the build. In builds that aren't configured with `--enable-openssl-bundling`, the OpenSSL library is expected to be found on the system path. If you want to use OpenSSL cryptographic acceleration, you must install OpenSSL 1.0.2 or 1.1.X on your system. If the library is not found on the system path, the in-built Java crytographic implementation is used instead, which performs less well. On Linux platform, OpenSSL 3.0.x is supported. |
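Review bot: the sentence appended at the end of the `+` line contradicts the sentence just before it, which still says "you must install OpenSSL 1.0.2 or 1.1.X on your system"; fold 3.0.x into that version list with the Linux-only qualifier ("OpenSSL 1.0.2, 1.1.X, or, on Linux platforms, 3.0.x") rather than adding a separate sentence at the end, and fix the pre-existing typo "crytographic" while the line is being touched. "On Linux platform" should read "On Linux platforms", as already noted.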
"On Linux platform" -> platforms
docs/builds.md
@@ -41,7 +41,8 @@ If you want to build your own binaries of OpenJDK with OpenJ9, a complete set of | |||
|
|||
Note the following: | |||
|
|||
- For the best performance, OpenSSL support should be enabled in the build. In builds that aren't configured with `--enable-openssl-bundling`, the OpenSSL library is expected to be found on the system path. If you want to use OpenSSL cryptographic acceleration, you must install OpenSSL 1.0.2 or 1.1.X on your system. If the library is not found on the system path, the in-built Java crytographic implementation is used instead, which performs less well. | |||
- For the best performance, OpenSSL support should be enabled in the build. In builds that aren't configured with `--enable-openssl-bundling`, the OpenSSL library is expected to be found on the system path. If you want to use OpenSSL cryptographic acceleration, you must install OpenSSL 1.0.2 or 1.1.X on your system. If the library is not found on the system path, the in-built Java crytographic implementation is used instead, which performs less well. On Linux platform, OpenSSL 3.0.x is supported. | |||
Note that OpenSSL 3.0.x does not support initialization vector (IV) sizes above 16 Bytes for the GCM algorithm. (In earlier OpenSSL versions, you can use such sizes but they might cause unpredictable behavior.) If you need to use a larger size, disable OpenSSL support for the GCM algorithm. |
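Review bot: "disable OpenSSL support for the GCM algorithm" in the added note should name the option and link to it; presumably this is the `-Djdk.nativeGCM=false` system property described on the cryptographic operations page (assumption on my part, please confirm). The note would also be more useful if "unpredictable behavior" said what a reader should expect with a non-standard IV size on earlier versions, for example whether the output can differ from the built-in Java implementation, since that is what decides whether such sizes are safe to keep using. Minor: "16 Bytes" should be "16 bytes".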
We should refer to the option that does this (disable OpenSSL support for the GCM algorithm).
docs/introduction.md
@@ -86,6 +86,12 @@ Secure Sockets Layer (SSL) protocols, which is well established and used with ma | |||
|
|||
On Linux and AIX platforms, the OpenSSL 1.0.x or 1.1.x library is expected to be found on the system path. If you use a package manager to install OpenSSL, the system path will be updated automatically. On other platforms, the OpenSSL 1.1.x library is typically bundled. | |||
|
|||
If you have multiple versions of OpenSSL on your system, the OpenJ9 VM uses the latest version. | |||
|
|||
On Linux platform, OpenSSL 3.0.x library is supported. |
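Review bot: the new line sits below a context line that still reads "On Linux and AIX platforms, the OpenSSL 1.0.x or 1.1.x library is expected to be found on the system path", so the paragraph now gives two different version lists for Linux; merge 3.0.x into that sentence (Linux only) instead of adding a separate one, and change "On Linux platform" to "On Linux platforms". It would also help to say whether "the OpenJ9 VM uses the latest version" in the preceding context line means the newest version found on the system or the newest supported version, since with 3.0.x now in scope the two are not the same thing.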
platforms
|
||
On Linux platform, OpenSSL 3.0.x library is supported. | ||
|
||
:fontawesome-solid-pencil-alt:{: .note aria-hidden="true"} **Note:** OpenSSL 3.0.x does not support initialization vector (IV) sizes above 16 Bytes for the GCM algorithm. (In earlier OpenSSL versions, you can use such sizes but they might cause unpredictable behavior.) If you need to use a larger size, disable OpenSSL support for the GCM algorithm. |
We should refer to the option that does this.
docs/jitserver.md
@@ -67,7 +67,7 @@ If a JITServer server crashes, the client is forced to perform compilations loca | |||
|
|||
## Security | |||
|
|||
You can encrypt network communication between the client VM and JITServer by using OpenSSL 1.0.x or 1.1.x. To enable encryption, you specify the private key and the certificate at the server and use the certificate at the client. For more information, see [-XX:JITServerSSLCert / -XX:JITServerSSLKey / -XX:JITServerSSLRootCerts](xxjitserversslcert.md). | |||
You can encrypt network communication between the client VM and JITServer by using OpenSSL 1.0.x, 1.1.x or 3.0.x. To enable encryption, you specify the private key and the certificate at the server and use the certificate at the client. For more information, see [-XX:JITServerSSLCert / -XX:JITServerSSLKey / -XX:JITServerSSLRootCerts](xxjitserversslcert.md). |
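Review bot: per the discussion on this PR, JITServer has not been updated for OpenSSL 3.0.x, so the `+` line should not add "or 3.0.x"; keep "OpenSSL 1.0.x or 1.1.x" here and in xxjitserversslcert.md, and record the JITServer exclusion in version0.32.md until a follow-up docs issue covers the added support.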
I don't know that JITServer was updated to support OpenSSL 3. @mpirvu ?
No, we haven't done anything in that area. I'll test it and get someone to implement support for OpenSSL 3.
Ok. So it sounds like we should change jitserver.md and xxjitserversslcert.md to say that jitserver doesn't support OpenSSL 3.0.x, and change version0.32.md to say that OpenSSL support is added but only on Linux and not for JITServer.
@mpirvu can you please create a docs issue for changing this text in future when JITServer does support OpenSSL 3.
docs/version0.32.md
|
||
OpenSSL 3.0.x is supported but on Linux only. OpenSSL is enabled by default for the CBC, ChaCha20, ChaCha20-Poly1305Digest, GCM, and RSA cryptographic algorithms. | ||
|
||
:fontawesome-solid-pencil-alt:{: .note aria-hidden="true"} **Note:** OpenSSL 3.0.x does not support initialization vector (IV) sizes above 16 Bytes for the GCM algorithm. (In earlier OpenSSL versions, you can use such sizes but they might cause unpredictable behavior.) If you need to use a larger size, disable OpenSSL support for the GCM algorithm. |
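Review bot: the thread concludes that OpenSSL 3.0.x support does not extend to JITServer, so the first added line should state that exclusion alongside "on Linux only" rather than leaving it to jitserver.md. The note's "disable OpenSSL support for the GCM algorithm" needs the option name and a link, as already requested on the builds.md and introduction.md hunks, so that the three copies of this note stay identical.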
We should refer to the option that does this.
We tried to squash commits but we can't due to merge commits. "Jenkins doc stage" isn't triggering a build so we can't view the updates in the staging doc either.
#924
Added support for OpenSSL 3.0.x (Linux only)
Updated content to mention that OpenSSL 3.0.x is supported for the same algorithms as 1.1.x.
Updated that in case of multiple versions of OpenSSL on the system, the OpenJ9 VM uses the latest version.
Added a note that OpenSSL 3.0.x does not support initialization vector (IV) sizes above 16 bytes for the GCM algorithm.
[skip ci]
Signed-off-by: Sreekala Gopakumar [email protected]