OpenSSL
OpenJDK uses the built-in Java™ cryptographic implementation by default but Eclipse OpenJ9™ also provides some support for the OpenSSL cryptographic library. OpenSSL is an open source cryptographic toolkit for Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols, which is well established and used with many enterprise applications. Because it is a native library, OpenSSL often provides better performance.
OpenSSL is bundled with Eclipse OpenJ9 and is enabled by default. The following algorithms are supported for OpenSSL:
- AES-CBC cipher
- AES-GCM cipher
- ChaCha20 cipher
- ChaCha20-Poly1305 cipher
- ECDH key agreement
- ECDSA signature
- EC key generation
- MD5 message digest
- PBE cipher
- PBKDF2 secret key factory
- RSA cipher
- SHA message digests
- XDH key agreement
- XDH key generation
Note: OpenSSL 3.x and later does not support initialization vector (IV) sizes above 16 bytes for the GCM algorithm. Earlier OpenSSL versions accept such sizes, but they might cause unpredictable behavior. This situation arises only when you are not using the default OpenSSL library that is bundled with Semeru. If you need to use a larger IV size, disable OpenSSL support for the GCM algorithm.
OpenSSL support is enabled by default for all supported algorithms. If you want to limit support to specific algorithms, a number of system properties are available for tuning the implementation.
Each algorithm can be disabled individually by setting the following system properties on the command line:
- To turn off all digests, set -Djdk.nativeDigest=false
- To turn off MD5, set -Djdk.nativeMD5=false
- To turn off SHA-1, set -Djdk.nativeSHA=false
- To turn off SHA-224, set -Djdk.nativeSHA224=false
- To turn off SHA-256, set -Djdk.nativeSHA256=false
- To turn off SHA-384, set -Djdk.nativeSHA384=false
- To turn off SHA-512, set -Djdk.nativeSHA512=false
- To turn off SHA-512/224, set -Djdk.nativeSHA512_224=false
- To turn off SHA-512/256, set -Djdk.nativeSHA512_256=false
- To turn off ChaCha20 and ChaCha20-Poly1305, set -Djdk.nativeChaCha20=false. Note: These algorithms are not supported on Java 8.
- To turn off CBC, set -Djdk.nativeCBC=false
- To turn off ECDH key agreement, set -Djdk.nativeEC=false
- To turn off ECDSA signature, set -Djdk.nativeECDSA=false
- To turn off EC key generation, set -Djdk.nativeECKeyGen=false
- To turn off GCM, set -Djdk.nativeGCM=false
- To turn off PBE cipher, set -Djdk.nativePBE=false
- To turn off PBKDF2 (password-based key derivation), set -Djdk.nativePBKDF2=false
- To turn off RSA, set -Djdk.nativeRSA=false
- To turn off XDH key agreement, set -Djdk.nativeXDHKeyAgreement=false
- To turn off XDH key generation, set -Djdk.nativeXDHKeyGen=false
You can turn off all the algorithms by setting the following system property on the command line:
-Djdk.nativeCrypto=false
You can set the jdk.native.openssl.skipBundled property to true to skip loading of the OpenSSL libraries that come with OpenJ9. The system instead attempts to load the libraries from the system path, where they are expected to be available. When this value is set to false, the system attempts to load the pre-packaged OpenSSL libraries. This option cannot be set in conjunction with jdk.native.openssl.lib.
You can use the jdk.native.openssl.lib property to specify user-supplied OpenSSL libraries. Set this option to the full path from which you want to explicitly load the libraries instead of the bundled OpenSSL libraries. This option cannot be set in conjunction with jdk.native.openssl.skipBundled.
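The following startup self-check ties together two points from this page: the GCM IV-size limit described in the note above, and the rule that jdk.native.openssl.skipBundled and jdk.native.openssl.lib must not be set together. It is an added example written for this page, not code from the OpenJ9 project. Only the system property names documented here are real; the class name, the 16-byte limit constant, the 12-byte recommended IV length (the NIST SP 800-38D default) and the fail-fast behaviour are this example's own choices.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/**
 * Startup self-check for an application running on OpenJ9 with native OpenSSL crypto.
 * Added example (hypothetical class, not part of OpenJ9). It reads only the documented
 * jdk.native* properties; the limits and error handling are this example's own choices.
 */
public final class OpenSslStartupCheck {

    /** IV lengths above this are unsupported (OpenSSL 3.x) or unreliable (older OpenSSL) on the native GCM path. */
    static final int MAX_NATIVE_GCM_IV_BYTES = 16;
    /** Standard AES-GCM IV length; stays well inside the native limit. */
    static final int RECOMMENDED_GCM_IV_BYTES = 12;
    static final int GCM_TAG_BITS = 128;

    /** Fail fast on the one property combination the documentation says is invalid. */
    static void checkLibraryProperties() {
        boolean skipBundled = Boolean.getBoolean("jdk.native.openssl.skipBundled");
        String userLib = System.getProperty("jdk.native.openssl.lib");
        if (skipBundled && userLib != null) {
            throw new IllegalStateException("jdk.native.openssl.skipBundled=true and jdk.native.openssl.lib="
                + userLib + " cannot be set together; choose one of them");
        }
    }

    /** True while the native GCM path can still be active; an explicit "false" on either property disables it. */
    static boolean nativeGcmEnabled() {
        // Both properties default to enabled, so only an explicit "false" turns the native path off.
        boolean allNative = !"false".equalsIgnoreCase(System.getProperty("jdk.nativeCrypto", "true"));
        boolean gcmNative = !"false".equalsIgnoreCase(System.getProperty("jdk.nativeGCM", "true"));
        return allNative && gcmNative;
    }

    /** Reject IV lengths the native GCM implementation cannot be trusted with, unless it has been disabled. */
    static void checkGcmIvLength(int ivBytes) {
        if (ivBytes < 1) {
            throw new IllegalArgumentException("GCM IV must be at least 1 byte");
        }
        if (nativeGcmEnabled() && ivBytes > MAX_NATIVE_GCM_IV_BYTES) {
            throw new IllegalArgumentException("GCM IV of " + ivBytes + " bytes exceeds " + MAX_NATIVE_GCM_IV_BYTES
                + " with native OpenSSL GCM enabled; use a " + RECOMMENDED_GCM_IV_BYTES
                + "-byte IV or start the JVM with -Djdk.nativeGCM=false");
        }
    }

    /** AES-GCM encrypt-then-decrypt with the IV guard applied; returns the recovered plaintext. */
    static byte[] gcmRoundTrip(SecretKey key, byte[] iv, byte[] plaintext) throws GeneralSecurityException {
        checkGcmIvLength(iv.length);
        GCMParameterSpec spec = new GCMParameterSpec(GCM_TAG_BITS, iv);
        Cipher enc = Cipher.getInstance("AES/GCM/NoPadding");
        enc.init(Cipher.ENCRYPT_MODE, key, spec);
        byte[] ciphertext = enc.doFinal(plaintext);
        // A fresh Cipher instance for decryption; the tag is verified before any plaintext is returned.
        Cipher dec = Cipher.getInstance("AES/GCM/NoPadding");
        dec.init(Cipher.DECRYPT_MODE, key, spec);
        return dec.doFinal(ciphertext);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        checkLibraryProperties();

        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();

        // Constructed sample input: a random 12-byte IV and a short message.
        byte[] iv = new byte[RECOMMENDED_GCM_IV_BYTES];
        new SecureRandom().nextBytes(iv);
        byte[] message = "constructed sample message".getBytes(StandardCharsets.UTF_8);

        byte[] recovered = gcmRoundTrip(key, iv, message);
        System.out.println("12-byte IV round trip ok: " + Arrays.equals(message, recovered));

        // A 32-byte IV is rejected while the native GCM path is enabled.
        try {
            checkGcmIvLength(32);
            System.out.println("32-byte IV accepted (native GCM is disabled)");
        } catch (IllegalArgumentException e) {
            System.out.println("32-byte IV rejected: " + e.getMessage());
        }
        System.out.println("native GCM enabled: " + nativeGcmEnabled());
    }
}
```

Run it once with no extra options and once with -Djdk.nativeGCM=false to see the IV guard switch off; run it with both -Djdk.native.openssl.skipBundled=true and -Djdk.native.openssl.lib=/some/path to see the conflicting-property check trigger before any cryptographic work is done. The guard is deliberately stricter than OpenSSL itself: on older OpenSSL builds an oversized IV is accepted silently, so rejecting it in the application is the only reliable way to avoid the unpredictable behavior the note describes.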
To build a version of OpenJDK with OpenJ9 that includes OpenSSL support, follow the steps in the detailed build instructions:
Note: If you obtain an OpenJDK with OpenJ9 build that includes OpenSSL or build a version yourself that includes OpenSSL support, the following acknowledgments apply in accordance with the license terms:
- This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/).
- This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).