OpenSSL

OpenJDK uses the in-built Java™ cryptographic implementation by default but Eclipse OpenJ9™ also provides some support for the OpenSSL cryptographic library. OpenSSL is an open source cryptographic toolkit for Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols, which is well established and used with many enterprise applications. Because it is a native library, OpenSSL might provide better performance. To use OpenSSL cryptographic acceleration, install OpenSSL 1.0.x, 1.1.x, or 3.x on your system. The OpenSSL V1.0.x, V1.1.x, and V3.x implementations are currently supported for the Digest, CBC, GCM, RSA, ECDH key agreement, PBE, PBKDF2, and EC key generation algorithms. The OpenSSL V1.1.x and V3.x implementations are also supported for the ChaCha20 cipher, ChaCha20-Poly1305 cipher, and ECDSA signature algorithms. The OpenSSL V1.1.1 onwards implementations are supported for the XDH key agreement and XDH key generation algorithms.

On Linux® and AIX® operating systems, the OpenSSL 1.0.x, 1.1.x, or 3.x library is expected to be found on the system path. If you use a package manager to install OpenSSL, the system path will be updated automatically. On Windows™ and MacOS® the OpenSSL 3.x library is bundled. Later levels of some Linux operating systems also bundle OpenSSL 3.x.

If you have multiple versions of OpenSSL on your system, the OpenJ9 VM uses the latest version.

Note: OpenSSL 3.x does not support initialization vector (IV) sizes above 16 Bytes for the GCM algorithm. (In earlier OpenSSL versions, you can use such sizes but they might cause unpredictable behavior.) If you need to use a larger size, disable OpenSSL support for the GCM algorithm.

OpenSSL support is enabled by default for all supported algorithms. If you want to limit support to specific algorithms, a number of system properties are available for tuning the implementation.

Each algorithm can be disabled individually by setting the following system properties on the command line:

• To turn off Digest, set -Djdk.nativeDigest=false
• To turn off ChaCha20 and ChaCha20-Poly1305, set -Djdk.nativeChaCha20=false. Note: These algorithms are not supported on Java 8
• To turn off CBC, set -Djdk.nativeCBC=false
• To turn off ECDH key agreement, set -Djdk.nativeEC=false
• To turn off ECDSA signature, set -Djdk.nativeECDSA=false
• To turn off EC key generation, set -Djdk.nativeECKeyGen=false
• To turn off GCM, set -Djdk.nativeGCM=false
• To turn of PBE cipher, set -Djdk.nativePBE=false
• To turn off PBKDF2 (Password based key derivation), set -Djdk.nativePBKDF2=false
• To turn off RSA, set -Djdk.nativeRSA=false
• To turn off XDH key agreement, set -Djdk.nativeXDHKeyAgreement=false
• To turn off XDH key generation, set -Djdk.nativeXDHKeyGen=false

You can turn off all the algorithms by setting the following system property on the command line:

-Djdk.nativeCrypto=false

To build a version of OpenJDK with OpenJ9 that includes OpenSSL support, follow the steps in our detailed build instructions:

• OpenJDK 8 with OpenJ9.
• OpenJDK 11 with OpenJ9.
• OpenJDK 17 with OpenJ9.

Note: If you obtain an OpenJDK with OpenJ9 build that includes OpenSSL or build a version yourself that includes OpenSSL support, the following acknowledgments apply in accordance with the license terms:

• This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/).
• This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).