wolfSSL JNI/JSSE 1.14.0 is now available for download! This release contains a number of bug fixes, changes and new features to help better support usage from applications and 3rd party frameworks that consume wolfJSSE internally.
wolfSSL JNI/JSSE allows for easy use of the native wolfSSL SSL/TLS library from Java. The thin JNI wrapper can be used for direct JNI calls into native wolfSSL, or the JSSE provider (wolfJSSE) can be registered as a Java Security provider for seamless integration underneath the Java Security API. wolfSSL JNI/JSSE provides TLS 1.3 support and can also support running on top of wolfCrypt FIPS 140-2 and 140-3 validated modules.
Changes in this release are summarized below, but please see ChangeLog.md for a full list. Watch for individual future blogs on some of these topics as well for a more in depth description.
New JNI and JSSE Functionality:
- Addition of a new WKS KeyStore type to better facilitate FIPS compliance where needed
- Performance and scalability improvement with the use of native poll() set as default over select()
- Support for using RSA-PSS based certificates in TLS connections
- Addition of LDAPS endpoint identification verification to X509ExtendedTrustManager
- Two new JNI wrapped methods for native “wolfSSL_SessionIsSetup()” and “wolfSSL_SESSION_dup()”
JSSE System/Security Property Support:
- wolfjsse.debugFormat=JSON – a new System property to support outputting debug logs in JSON format, which can be more friendly for some log collection mechanisms
- wolfjsse.clientSessionCache.disabled – a new Security property to disable the Java client-side session cache, which will prevent session resumption from occurring
JSSE Changes:
- Native memory leak fixes, related to calls to wolfSSL_get_peer_certificate()
- Optimizations to allow for easier and more efficient garbage collection
- SSLEngine fixes for session storage, unwrap() FINISHED state transitions, HandshakeStatus when receiving TLS 1.3 session tickets after the handshake, correctly closing inbound on ALPN protocol name errors, and closure when fatal alerts are received
- SSLSocket fixes for end of stream handling in InputStream read() calls
- Fixes to throw expected or correct exceptions for several cases
- SSLSession getPeerCertificates() returns correct X509Certificate array
- Fixes around SSLSocket closure in a few different use cases
- Client-side session resumption is now keyed on the cipher suite and protocol in addition to host and port
- Build compatibility has been fixed with the older Android API 24, removing method calls not available in that SDK version
- A potential deadlock on close() between SSLSocket and the associated InputStream read() or OutputStream write() calls has been fixed
Exchange Changes:
- The Host String has been added into the HTTP GET request in the example ClientJSSE when used with the “-g” command line option
- JNI-only threaded client/server example applications have been added which can be helpful for seeing or debugging session resumption at the JNI-only level
- A basic RMI example client and server have been added, which can useful for reference and testing wolfJSSE over RMI
Testing Changes:
- Facebook Infer is now run on all GitHub pull requests using GitHub Actions
- TLS 1.0 and 1.1 JUnit tests are now run even if those protocols are disabled in the system “java.security” file, as long as native wolfSSL support has been compiled in
- Android Gradle builds are now tested on all GitHub pull requests using GitHub Actions
wolfSSL JNI/JSSE 1.14.0 can be downloaded from the wolfSSL download page, and an updated version of the wolfSSL JNI/JSSE User Manual can be found here. For any questions, or to get help using wolfSSL products in your projects, contact us at support@wolfssl.com.
If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.
Download wolfSSL Now