



iSaSiLk versions


IAIK-SSL 5.107 Release - 22. November 2017

Class or Package | Bug (B) / Change (C) / New Feature (NF) | Description and Examples

iaik.security.ssl.ALPNProtocolNameList,
iaik.security.ssl.ALPNProtocolName

NF

Support for application_layer_protocol_negotiation (ALPN) extension added (RFC 7301).

iaik.security.ssl.ClientRSAKeyExchange

C

Improved countermeasure against variants of the PKCS#1 attack (Bleichenbacher).
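
The RFC 5246 section 7.4.7.1 procedure that this class of countermeasure follows, shown as an added Python example that is not iSaSiLk code; it assumes the RSA private-key operation has already produced the padded block, and the unpadding routine is the textbook check, present only to show which failures must stay invisible to the peer.

```python
import os

TLS10 = (3, 1)


def pkcs1_v15_unpad_type2(block):
    """Strip PKCS#1 v1.5 type-2 padding: 00 02 <PS, at least 8 non-zero bytes> 00 M.
    Returns M, or None on any padding error."""
    if len(block) < 11 or block[0] != 0x00 or block[1] != 0x02:
        return None
    sep = block.find(b"\x00", 2)
    if sep == -1 or sep - 2 < 8:
        return None
    return block[sep + 1:]


def recover_premaster_secret(decrypted_block, client_version, check_version=True, rand=os.urandom):
    """Derive the 48-byte premaster secret from the decrypted ClientKeyExchange block.
    Every failure path yields a secret built from ClientHello.client_version and
    fresh random bytes, so the handshake proceeds identically and only the
    Finished check fails: the padding/version outcome is never signalled."""
    r = rand(46)                      # drawn before the outcome of unpadding is known
    m = pkcs1_v15_unpad_type2(decrypted_block)
    version = bytes(client_version)
    if m is None or len(m) != 48:
        return version + r            # bad padding or wrong length: random secret
    if client_version <= TLS10 and not check_version:
        return m                      # legacy behaviour, only when explicitly disabled
    # Replace the version bytes the client sent with the ClientHello version; a
    # mismatch then surfaces only as a Finished failure, not as a distinct error.
    return version + m[2:]
```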

IAIK-SSL 5.106 Maintenance Release - 18. September 2017


iaik.security.ssl.ClientHandShaker,
iaik.security.ssl.SSLClientContext,
iaik.security.ssl.SSLTransport,
iaik.security.ssl.SSLSocketTransport

C

Changed peer host name management to avoid (reverse) DNS lookups where possible.

iaik.security.ssl.IaikProvider,
iaik.security.ssl.SecurityProvider

C

Constructors added that allow using iSaSiLk without having to install the JCA provider within the JCA security framework.

iaik.security.ssl.SSLContext,
iaik.security.ssl.CipherSuite

B

SSLContext.updateCipherSuites() now also ensures that no AEAD ECC cipher suites are offered if TLS 1.2 is not enabled.

iaik.security.ssl.*

C

Changed System property calls to use System.getProperty() to avoid NPE
problems on Android Systems.

IAIK-JSSE Provider

NF

KeyManager and KeyManagerFactory for pre-shared keys added to provide support for PSK cipher suites.

IAIK-SSL 5.105 Maintenance Release - 01. February 2017


demo.DemoUtil

C

getEccSecurityProvider(): explicitly set point encoding to "uncompressed" for ECCelerate (since ECCelerate has changed default point encoding to "compressed" with version 3.0)

iaik.security.ssl.SignatureAlgorithms,
iaik.security.ssl.SignatureAndHashAlgorithmList

C

Changed default signature algorithms list to also contain SHA384withRSA, SHA384withECDSA, SHA384withDSA.

iaik.security.ssl.SSLContext

B

Fixed ids for ECC certificate types CERTTYPE_ECDSA_SIGN, CERTTYPE_RSA_FIXED_ECDH and CERTTYPE_ECDSA_FIXED_ECDH.

iaik.security.ssl.SupportedEllipticCurves

B

Fixed oid for curve sect409r1 (1.3.132.0.37).

iaik.security.ssl.SupportedEllipticCurves

B

Fixed static method getRegisteredCurveByOID (always returned null).

iaik.security.ssl.SupportedEllipticCurves

B

Added static method getRegisteredCurveByID.

iaik.security.ssl.SupportedEllipticCurves

NF, C

It is now also possible to specify a curve list on the server side to be merged with the curve list sent by the client. This allows the server to enforce the usage of specific curves only.
The curves may be negotiated in client preference (default) or server preference order. A server-side SupportedEllipticCurves extension may be set to critical so that no ECC suites are negotiated if the explicitly configured server curve list has no curve in common with the curve list sent by the client.

iaik.protocol.https.Handler,
org.w3c.www.protocol.http.Handler

NF,B

Method openConnection(URL u, Proxy p) now also handles direct connections (Proxy.NO_PROXY).

w3c_http

B

Fixed possible NullPointerException in HttpManager property copying.

IAIK-SSL 5.104 Maintenance Release - 18. April 2016


iaik.security.ssl.ExtendedMasterSecret

NF

Support for the extended master secret extension as specified in RFC 7627 to calculate the master secret in a way that cryptographically binds it to important session parameters.

iaik.security.ssl.ChainVerifier

C

Method verifyServer: if checkServerName is true and the server_name extension has been negotiated, the server certificate name is checked against the server names of the server_name extension, regardless of whether the server_name extension has been specified as critical or not.

iaik.security.ssl.IaikProvider

C

Method getTLSServerName(X509Certificate cert) also checks the SubjectAltName extension for GeneralName elements of type iPAddress.
Method getTLSServerName(int nameType, X509Certificate serverCert) is now implemented not to check for iPAddress if the given ServerName nameType is HOST_NAME.

iaik.security.ssl.SecurityProvider

C

Method isImplemented() now calls method aeadEncrypt() for GCM ciphers so that AEAD cipher suites are enabled only if they are supported by the enabled JCA provider(s) and method aeadEncrypt() is implemented.

iaik.security.ssl.ServerName

C

Constructor now throws an IllegalArgumentException if a ServerName of type HOST_NAME shall be created for an ipAddress. If the server_name extension shall be automatically created (by using the default constructor) no server_name extension is sent if the server name is specified as ipAddress when creating the SSLSocket.

iaik.security.ssl.SSLContext

NF

New methods setAllowedProtocolVersions(String minVersion, String maxVersion) and getAllowedProtocolVersionNames() for setting/getting the allowed protocol versions as Strings.

iaik.security.ssl.SSLContext

NF

New static methods getAllSupportedProtocolVersions() and getAllSupportedProtocolVersionNames() returning all SSL/TLS protocol
versions supported by iSaSiLk (except for SSL20 which is not included in the list but client-side supported).

iaik.security.ssl.SSLServerContext

NF

New method setSendEmptySessionID to decide whether the server shall create and send an empty session id if no SessionManager is set. By default a non-empty session id is created even when no SessionManager is set. An empty session id may be used to tell the client that the session will not be cached and therefore cannot be resumed.

iaik.security.ssl.SSLSocketTransport

C

Method engineGetRemotePeerName returns remoteHost_ if it is not null (also when no proxy is set).

w3c_http

NF,C

HttpURLConnection implements method getRequestProperties(), allows specifying a zero (0) content length for method setFixedLengthStreamingMode(0), allows using an empty content-type header, and throws an exception if output streaming shall be used without con.setDoOutput(true) having been called. Flushing of the output stream between header and body emission is done again to avoid timeout problems in some environments. Fixed getRead/ConnectTimeout(). Fixed HttpManager properties management.

IAIK-SSL 5.103 Maintenance Release - 20. January 2016


iaik.security.ssl.SignatureAndHashAlgorithmList, iaik.security.ssl.SignatureAlgorithms

C

Added SHA512withRSA, SHA512withECDSA, SHA512withDSA to default algorithm list.

iaik.security.ssl.SupportedEllipticCurves

C

Default constructor again does not check (does NOT throw an IllegalArgumentException) if default curves are not supported (to avoid elliptic_curves extension parsing problems in non ECC supporting environments).

iaik.security.ssl.SupportedPointFormats

C

Default constructor again does not check (does NOT throw an IllegalArgumentException) if the default point format is not supported (to avoid ec_point_formats extension parsing problems in non ECC supporting environments).

IAIK-SSL 5.102 Release - 23. December 2015


iaik.security.ssl.ChainVerifier

NF

(Extended)KeyUsage check moved to ChainVerifier.

iaik.security.ssl.ChainVerifier

C

ServerNameList: the certificate server name check also recognizes wildcards in server certificates.

iaik.security.ssl.CipherSuite

C

Tighter check if EC is supported by the installed SecurityProvider to ensure that ECDH(E) suites are not enabled if ECDH is supported by a JCA provider but
no SecurityProvider implementation is available for it.

iaik.security.ssl.ClientHandshaker

C

Turned off the OpenSSL 0.9.4 compatibility workaround (needed the max version as record version if SSL 3.0 was enabled).

iaik.security.ssl.IaikEccProvider

C

decodeECPublicKey: ensure that the EC point actually lies on the curve as countermeasure against Practical Invalid Curve Attacks on TLS-ECDH; only applies to the old IAIK_ECC library; the new ECC library ECCelerate includes this check by default.

iaik.security.ssl.MaxFragmentLength

B

Fixed length - length id conversion.

iaik.security.ssl.SecurityProvider

NF

Method checkCreatedRSAServerKeyExchangeSignature added to decide whether to verify an RSA-CRT key ServerKeyExchange signature immediately after signature creation as countermeasure against RSA-CRT key leaks.

iaik.security.ssl.ServerKeyExchange

C

If IAIK provider <= 5.25 is used, verify the signature calculated with an RSA-CRT key immediately after signature creation as countermeasure against RSA-CRT key leaks.

iaik.security.ssl.SSLContext

NF

Extensions can be set and (when applicable) configured via properties file.

iaik.security.ssl.SSLContext,
iaik.security.ssl.SSLServerContext

C

Method updateCipherSuites allows SignatureAlgorithms extension with empty algorithm list for TLS 1.2 if only anonymous suites are enabled.

iaik.security.ssl.SSLClientContext

C

Method addClientCredentials(KeyStore keyStore) no longer throws an exception if a KeyStore entry cannot be added; the entry is skipped instead. If debugStream is enabled, debug info is dumped while adding client credentials; method addClientCredentials(KeyAndCert) also checks the ExtendedKeyUsage extension and certificate type.

iaik.security.ssl.SSLServerContext

C

Method addServerCredentials(KeyStore keyStore) no longer throws an exception if a KeyStore entry cannot be added; the entry is skipped instead. If debugStream is enabled, debug info is dumped while adding server credentials; method addServerCredentials(KeyAndCert) also checks the ExtendedKeyUsage extension.

iaik.security.ssl.ServerNameList

C

By default, ServerNameLists with more than one server name of the same type are now rejected according to RFC 6066. Method setAllowMoreThanOneServerNamesOfSameType added, allowing to decide whether more than one server name of the same type shall be allowed (since it was allowed by RFC 4366).

iaik.security.ssl.SupportedEllipticCurves

C

Default constructor now throws an IllegalArgumentException if default curves are
not supported.

iaik.security.ssl.SupportedPointFormats

C

Default constructor now throws an IllegalArgumentException if default point format is
not supported.

IAIK-SSL 5.101 Release - 23. August 2015


iaik.security.ssl.CipherSuite

C

Changed state of ECDH cipher suites from default to implemented.

iaik.security.ssl.SecurityProvider

NF

Method checkExtendedKeyUsage added.

iaik.security.ssl.SSLClientHandshaker, iaik.security.ssl.SSLServerHandshaker

C

Tighter peer certificate key usage / extended key usage check.

IAIK-SSL 5.1 Release - 20. July 2015


demo.sslserverinfo.SSLServerInfo

B

Fixed check for TLS 1.1 support.

iaik.security.ssl.CipherSuite

C

Changed state of DH(E) cipher suites from default to implemented.

iaik.security.ssl.SecurityProvider

NF

Method checkKeyLength added to check the key length of peer certificates and server RSA/DH(E)/ECDH(E) key exchange messages. By default peer certificates and server key exchange messages are rejected for RSA, DSA, DH keys < 1024 bit and EC keys < 192 bit. The method can be overridden to enforce other key size constraints. The key size check can also be controlled by the "disabledAlgorithms" property in the SSLContext.properties file following the same syntax as used by
the JDK java.security file.
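
The disabledAlgorithms syntax in action, as an added example that is not iSaSiLk's checkKeyLength: it parses constraints written in the java.security style and applies them to (algorithm, key size) pairs. The default string below is constructed from the limits stated above.

```python
import operator
import re

_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
        ">=": operator.ge, "==": operator.eq, "!=": operator.ne}
# One entry: an algorithm name, optionally followed by "keySize OP N"
_ENTRY = re.compile(r"^(\S+)(?:\s+keySize\s*(<=|>=|==|!=|<|>)\s*(\d+))?$", re.IGNORECASE)

# Constructed from the default limits stated in the entry above
DEFAULT_DISABLED = "RSA keySize < 1024, DSA keySize < 1024, DH keySize < 1024, EC keySize < 192"


def parse_disabled_algorithms(spec):
    """Parse a java.security style 'disabledAlgorithms' list.
    Result maps ALG -> list of (op, bits) constraints, or None when a bare
    algorithm name disables it regardless of key size."""
    rules = {}
    for raw in spec.split(","):
        raw = raw.strip()
        if not raw:
            continue
        m = _ENTRY.match(raw)
        if m is None:
            raise ValueError("cannot parse constraint: %r" % raw)
        alg, op, bits = m.group(1).upper(), m.group(2), m.group(3)
        if op is None:
            rules[alg] = None                      # disabled entirely
        elif rules.get(alg, []) is not None:       # do not weaken an outright ban
            rules.setdefault(alg, []).append((op, int(bits)))
    return rules


def key_is_allowed(rules, algorithm, key_bits):
    """A key (from a peer certificate or a ServerKeyExchange) is rejected if its
    algorithm is disabled outright or any 'keySize OP N' condition is true for it."""
    constraints = rules.get(algorithm.upper(), [])
    if constraints is None:
        return False
    return not any(_OPS[op](key_bits, bits) for op, bits in constraints)
```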

iaik.security.ssl.SessionID

C

Changed default SessionID length to 32 (bytes).

iaik.security.ssl.SSLServerContext

NF

New method setTemporaryParameterScheduling to optionally enable periodic generation of temporary domestic DH parameters.

iaik.security.ssl.TicketKeysManager,
iaik.security.ssl.DefaultTicketKeysManager

NF

New classes that manage the server cipher and MAC keys for session ticket protection, allowing an application to plug in its own TicketKeysManager implementation.

iaik.protocol.https.Handler,
org.w3c.www.protocol.http.Handler

NF

Added support for JDK 1.5 method openConnection(URL u, Proxy p).

w3c_http

C

Removed flushing of output stream between header- and body emit.

IAIK-SSL 5.0 Release - 03. November 2014


*

NF

TLS 1.2 support according to RFC 5246.

*

NF

Support for AES Galois Counter Mode (GCM) Cipher Suites for TLS according to RFC 5288.

*

NF

Support for TLS Elliptic Curve Cipher Suites with SHA-256/384 and AES Galois Counter Mode (GCM) according to RFC 5289.

*

NF

Support for Pre-Shared Key Cipher Suites for TLS with SHA-256/384 and AES Galois Counter Mode according to RFC 5487.

*

NF

Support for ECDHE_PSK Cipher Suites for TLS according to RFC 5489.

*

NF

Support for Camellia Cipher Suites with SHA-256/384 and AES Galois Counter Mode (GCM), including PSK suites, according to RFC 5932/6367.

CipherSuite

NF

TLS 1.2 cipher suites added.

CipherSuite

C

Method isAvailable first checks if the suite is allowed for the enabled protocol versions.

CipherSuite, ServerHandshaker

NF

Implementation of the TLS_FALLBACK_SCSV Signaling Cipher Suite Value according to draft-bmoeller-tls-downgrade-scsv-00 as countermeasure against protocol downgrade attacks on the Transport Layer Security (TLS) protocol trying to enforce a fall back to SSL 3.0, which is vulnerable to a padding-oracle attack if CBC is used ("POODLE" -- Padding Oracle On Downgraded Legacy Encryption attack).
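
Both sides of the TLS_FALLBACK_SCSV check, as an added example that is not iSaSiLk's code: the client appends the signalling value only to a retry at a lowered version, and the server refuses such a ClientHello with inappropriate_fallback (alert 86, as in RFC 7507, the published form of the draft named above). Version tuples and suite codes are the on-the-wire values.

```python
TLS_FALLBACK_SCSV = 0x5600          # signalling value, never a real cipher suite
SSL30, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)
ALERT_PROTOCOL_VERSION = 70
ALERT_INAPPROPRIATE_FALLBACK = 86   # RFC 7507


class HandshakeAbort(Exception):
    def __init__(self, alert):
        super().__init__("fatal alert %d" % alert)
        self.alert = alert


def client_hello_suites(suites, offered_version, highest_version):
    """Client side: a ClientHello offering less than the client's real maximum
    (a retry after a failed first attempt) carries the SCSV; a first attempt at
    full strength does not, so servers that never see a retry are unaffected."""
    suites = [s for s in suites if s != TLS_FALLBACK_SCSV]
    if offered_version < highest_version:
        suites.append(TLS_FALLBACK_SCSV)
    return suites


def downgrade_alert(client_version, client_suites, server_min, server_max):
    """Server side: the fatal alert to send, or None if the hello is acceptable.
    SCSV together with a client version below what this server could have
    negotiated means the client was pushed down by something in between."""
    if TLS_FALLBACK_SCSV in client_suites and client_version < server_max:
        return ALERT_INAPPROPRIATE_FALLBACK
    if client_version < server_min:
        return ALERT_PROTOCOL_VERSION
    return None


def select_version(client_version, client_suites, server_min, server_max):
    """Negotiate the record version, aborting with the alert from downgrade_alert."""
    alert = downgrade_alert(client_version, client_suites, server_min, server_max)
    if alert is not None:
        raise HandshakeAbort(alert)
    return min(client_version, server_max)
```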

SSLContext

C

Default protocol version interval changed to TLS 1.0 - TLS 1.2.

SSLContext

C

Method updateCipherSuites now throws a NullPointerException if no suites can be enabled.

SSLServerContext

C

Use the 2048-bit MODP group by default for domestic DHE parameters (if not obtained from the certificate).

w3c_http.jar

B, C

Tries to prevent "Socket already closed" exceptions if neither chunked encoding has been used nor the server has sent a Content-Length header.

IAIK-SSL 4.6 Release - 17. March 2014


CipherSuite

C

Removed exportable cipher suites from the default cipher suite set.

CipherSuite, KeyExchange...

NF

Added support for TLS 1.0, TLS 1.1 ECDHE_PSK cipher suites according to RFC 5489.

CipherSuite, CipherSuiteList

C, NF

CipherSuite now implements the Comparable interface; refactored sorting algorithm.

ClientHandshaker

C

Aborts the handshake if server has selected an exportable cipher suite for a protocol version of TLS 1.1 or later.

ServerHandshaker

C

Does not select an exportable cipher suite for a protocol version of TLS 1.1 or later.

SecurityProvider, IaikEccProvider

B

Method getSignature() uses the provided random for initializing the Signature engine for signing.

SSLContext

C

get/setAllowIdentityChangeDuringRenegotiation: default value set to false.

SSLContext

C

New method setDHModpID to use prime modulus and base generator from a Modular Exponential (MODP) group (RFC 3526) by default for domestic temporary DH parameters.

SupportedEllipticCurves

NF

Added support for Brainpool curves brainpoolP256r1, brainpoolP384r1, brainpoolP512r1 according to RFC 7027.

JSSE-Wrapper: IAIKSSLSocketFactory, IAIKSSLSocketFactory

C

getSupportedCipherSuites returns pluggable suites only when JDK 1.5 is used, otherwise all implemented suites are returned; key type fix.

JSSE-Wrapper: IAIKSSLSocketWrapper

C

changed getNeed/WantClientAuth to work with HttpsURLConnection of JDK 7

JSSE-Wrapper: IAIKSSLSocketWrapper

C

JSSE compliant autohandshake behaviour: getInputStream(), getOutputStream() now use special wrapper streams to start the auto handshake not before a write or read call, respectively

JSSE-Wrapper: JSSEClientContext/JSSEServerContext

C

Use KeyManager mainly to set client/server credentials; getClient/ServerCredentials first try to get credentials from the underlying iSaSiLk SSLClient/ServerContext (to support elliptic curve extensions, parameter and key usage checks...) and then -- if no credentials are available from the underlying context -- ask the key manager.

JSSE-Wrapper: IAIKSSLSocketWrapper, IAIKSSLServerSocketWrapper

C

if peer authentication is required deny missing peer certificate regardless of trust manager configuration

IAIK-SSL 4.5 Release - 28. March 2013


*

C

JDK 1.1.x is no longer supported. Supported Java(TM) versions are 1.2, 1.3, 1.4, 1.5 (5.0), 1.6 (6.0), 1.7 (7.0) and compatible.

ChainVerifier

C

If the server name check has been disabled by calling
chainVerifier.setCheckServerName(false);
the server certificate name(s) are checked anyway if a critical ServerNameList extension has been set for the SSLClientContext.

ClientHello, ClientHandshaker

C

According to the TLS spec, always suggest the maximum supported version in the ClientHello (also during a renegotiation when a lower version has already been negotiated in the first handshake) to avoid problems with implementations (e.g. IIS) which check the RSA premaster secret against the version suggested in the initial handshake.

demo.ecc.*

C

Adjusted to support the new IAIK ECCelerate(TM) library.

DefaultNoTrustChainVerifier

NF

Alternative ChainVerifier implementation that rejects any certificate if no trust anchor is set.

HandShaker

C

If the server has sent an "unrecognized_name" warning alert, the handshake will be continued if a non-critical ServerNameList extension has been set for the SSLClientContext.

InputRecord

NF, C

Constant-time unpadding and MAC calculation as countermeasure against the Lucky Thirteen timing attack on cipher suites using block ciphers in CBC mode.

KeyAndCert

C

No more serializable.

OutputRecord

C

Some performance improvements in TLS 1.1 explicit IV handling.

SecurityProvider

NF

Method generateMasterSecret() added.

SecurityProvider

NF

Method validateDHPublicKey() added.

SecurityProvider

C

Method getTLSServerName(X509Certificate) now does not return null, but tries to parse the server name from the commonName (cn) attribute -- if included -- of the subjectDN of the certificate; the SubjectAltName extension is not considered in the general (not provider specific) implementation.

SSLContext, SSLInputStream

NF

New method setInputStreamAvailableMode to allow configuring the behaviour of the SSLInputStream.available method for the case when the data has not already been decrypted by a preceding read() call.

SSLContext

NF

Now can be also configured via SSLContext.properties file.

SSLContext

NF

New method setUseRecordSplitting to en/disable 1/n-1 record splitting as countermeasure against the Duong/Rizzo BEAST (Browser Exploit Against SSL/TLS) CBC attack on SSL3.0, TLS1.0.
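
1/n-1 record splitting on the write path, as an added example not taken from iSaSiLk: the first byte of each write goes into a record of its own, so the chaining value for the (n-1)-byte record that follows is ciphertext that did not exist when the plaintext was chosen, which is the predictable IV the BEAST attack depends on. It is applied only for CBC suites on SSL 3.0/TLS 1.0, since TLS 1.1 and later carry an explicit per-record IV.

```python
SSL30, TLS10, TLS11 = (3, 0), (3, 1), (3, 2)
MAX_PLAINTEXT = 2 ** 14   # maximum TLSPlaintext fragment length


def fragment_application_data(data, version, cbc_mode, use_record_splitting=True):
    """Split one application-data write into record plaintext fragments.

    With splitting enabled, a CBC suite on SSL 3.0 or TLS 1.0 emits a 1-byte
    record first and the remaining n-1 bytes afterwards; everything else is
    simply chunked at the maximum fragment length. A single-byte write needs
    no split, and an empty write produces no record."""
    if not data:
        return []
    fragments = []
    if use_record_splitting and cbc_mode and version <= TLS10 and len(data) > 1:
        fragments.append(data[:1])
        data = data[1:]
    for offset in range(0, len(data), MAX_PLAINTEXT):
        fragments.append(data[offset:offset + MAX_PLAINTEXT])
    return fragments
```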

SSLContext

NF

New method addTrustedCertificates(KeyStore keyStore) to add trusted certificates from a KeyStore

SSLClientContext

NF

New method addClientCredentials(KeyStore keyStore, char[] password) to add client credentials from a KeyStore

SSLServerContext

NF

New method addServerCredentials(KeyStore keyStore, char[] password) to add server credentials from a KeyStore

SSLServerContext

NF

New method setIgnoreClientCipherSuitePreferenceOrder allowing to select the active cipher suite by server preference order.

w3c_http.jar

B,C,NF

check if client/server have sent "connection:close" for keep-alive behaviour; try to close the socket on stream closure for non keep-alive connections, too; reuse connections for POST requests, too; implementation of JDK 1.5 methods setFixedLengthStreamingMode,  setChunkedStreamingMode added; parsing of timeout parameter of http Keep-Alive response header added

IAIK-SSL 4.4 Release - 22. February 2010


*

C, NF

Implementation of the RenegotiationInfo extension according to RFC 5746 to provide secure renegotiation handling.

ClientHandshaker

C

When resuming a session check if session version is compliant to SSLClientContext.allowedVersions (if they have changed)

ClientHello, ServerHello

C

Extensions (if set) are also sent and parsed when SSLv3 is used (and not only for TLS as done so far).

Handshaker

C

Refresh SSLContext settings at the beginning of a renegotiation

SecurityProvider

NF

New method continueIfPeerDoesNotSupportSecureRenegotiation to decide whether to continue a handshake if the peer does not support secure renegotiation according to RFC 5746

SSLContext

NF

New methods setAllowLegacyRenegotiation, setUseNoRenegotiationWarnings, setAllowIdentityChangeDuringRenegotiation to configure the iSaSiLk renegotiation handling.

SSLContext

C

Method addPSKCredentials: if already set, do not replace default PSK credentials

SSLContext

C

setExtensions: if extensions are set, they are also sent when SSLv3 is used; extensions are also parsed now when SSLv3 is used (not only for TLS as done so far).

SSLTransport

C

Session is no longer closed when sending an alert with warning level (the peer may decide whether it wants to continue or close the session).

IAIK-SSL 4.31 Release - 06. November 2009


ClientHandshaker

C

Final handshake messages are not packed together with first application data also when resuming a session (to avoid possible problems when using another transport protocol than TCP)

SSLContext

NF

New method setDisableRenegoation allowing to disable renegotiation altogether to prevent renegotiation attacks (countermeasure until the RenegotiationInfo extension becomes approved). Before actually disabling renegotiation make sure that it is not required by your application!


IAIK-SSL 4.3 Release - 28. September 2009


*

NF

Support for Camellia cipher suites according to RFC 4132 added.

*

C

Where possible, Hashtables are replaced by HashMaps to increase access performance in multithreaded environments; for JDK 1.1.x a new jdk11x_update.jar version must be used.

ClientHandshaker

C

ClientHello debugging contains remote peer name and port.

ChainVerifier

NF

verifyChain: check that different consecutive certificates do not have the same signature value (countermeasure against preimage attacks on the signature hash algorithm)

IAIK-SSL 4.2 Release - 23. December 2008


*

NF

Support for elliptic curve cipher suites according to RFC 4492 (Named Curves) added.

*

NF

Handshake performance improvements by packaging handshake messages and sending them together, if possible; configurable via SSLContext.

*

C

Reorganized debugging to improve performance in non-debug mode. Client/ServerHello debugging contains the remote peer address. KeyExchange debugging contains information about the key, if included.

demo.ecc.*

NF

ECC cipher suite demos

ClientHandshaker

C

Fixed: DH client authentication is only allowed for DH_ cipher suites.

ClientHandshaker

B

Resume, renegotiate: set max version to the active version from the previous session.

IaikProvider

NF

If used with the unlimited version of IAIK-JCE 3.17 or later, iSaSiLk can be used with unlimited strength cryptography even if only the default jurisdiction policy files are installed.

IaikEccProvider

NF

iSaSiLk SecurityProvider for supporting ECC cipher suites according to RFC 4492:

SecurityProvider.setSecurityProvider(new IaikEccProvider());

SecurityProvider

NF, C

New methods for ECC cipher suite support; implemented by IaikEccProvider

ServerHandshaker

C

Fixed: DH client authentication is only allowed for DH_ cipher suites.

SSLContext

NF

New methods setDoNotPackHandshakeMessages, getDoNotPackHandshakeMessages allowing to switch packaging of handshake messages on/off (by default handshake messages are packaged together if possible).

SupportedEllipticCurves

NF

Implementation of the elliptic_curves TLS extension as specified by RFC 4492:

// create extension list
ExtensionList extensions = new ExtensionList();
// add SupportedEllipticCurves extension
SupportedEllipticCurves supportedEllipticCurves = new SupportedEllipticCurves();
extensions.addExtension(supportedEllipticCurves);
// enable extensions
sslContext.setExtensions(extensions);

SupportedPointFormats

NF

Implementation of the ec_point_formats TLS extension as specified by RFC 4492:

// create extension list
ExtensionList extensions = new ExtensionList();
// add SupportedPointFormats extension
SupportedPointFormats supportedPointFormats = new SupportedPointFormats();
extensions.addExtension(supportedPointFormats);
// enable extensions
sslContext.setExtensions(extensions);

IAIK-SSL 4.1 Release - 21. December 2007


*

NF, C

Support for TLS 1.1 added; by default SSL 3.0, TLS 1.0 and TLS 1.1 are enabled; TLS 1.1 can be selected via SSLContext.VERSION_TLS11.

CipherSuite

NF

Support for PSK cipher suites with NULL encryption according to RFC 4785

SessionTicket

C

Adapted to the RFC 4507 successor draft-salowey-tls-rfc4507bis-01.txt, which simply puts the ticket into the extension_data field since most applications do so; SHA-256 used for HMAC ticket protection.

SessionTicket

B

Server only sends the SessionTicket extension if the client has presented one; the server-sent SessionTicket is empty in any case.

SSLClientContext

NF, C

New method setUseMaxVersionForRSAPremasterSecret to decide whether to send the maximum client version (from the ClientHello) within the RSA premaster secret or to send the active negotiated version. The protocol requires sending the maximum client version, but many applications send the active version. iSaSiLk 4.1 by default sends the maximum client version (versions prior to 4.1 sent the active version).

SSLContext

C

TLS 1.1: set/getCacheTerminatedSessions has a different default for TLS 1.1 than for versions prior to TLS 1.1. Since TLS 1.1 no longer requires incorrectly terminated sessions to be invalidated, they are cached by default when TLS 1.1 is used.

SSLContext

NF

New method setSendRecordOverflowAlert to decide whether the handshake shall be aborted and a record_overflow alert shall be sent if a record is received which exceeds the maximum allowed fragment length, or whether the internal buffer shall be automatically enlarged and the handshake continued.

SSLContext

NF

TLS 1.1: Method updateCipherSuites disables exportable cipher suites if the SSLContext has been configured to support TLS 1.1 only (TLS 1.1 disallows the use of exportable cipher suites).

SSLServerContext

NF

New method setCheckVersionInRSAPremasterSecret to decide whether to check the version number sent within the RSA premaster secret. The protocol requires sending the maximum client version, but many applications send the active negotiated version, thus iSaSiLk by default does not check the version.

SSLServerContext

C

Method clone clones the server credential repository.

w3c_http.jar

C

Adapted to most recent Jigsaw version, 2.2.6.

IAIK-SSL 4.0 Release - 06. March 2007


ChainVerifier

NF

New method setCacheSize allowing to limit the size of the cert cache.

CipherSuite

NF

Method isAvailable now also includes policy key size limitation checks.

CipherSuite

NF

Added static TLS_ variables for AES cipher suites (synonymous with their SSL_ equivalents).

ClientHandShaker

C

Local session is invalidated if server has refused a resume request

ExtendedPrintWriter

NF

Extended PrintWriter implementation allowing the application to explicitly specify the line break to be used (CRLF or LF).

Extension,
 ExtensionList,
 CertificateStatusRequest,
 ClientCertificateURL,
 MaximumFragmentLength,
 ServerNameList,
 TruncatedHMAC,
 TrustedAuthorities

NF

Support for TLS extensions according to RFC 3546; implementations for all standard extensions: status_request, client_certificate_url, max_fragment_length, server_name, truncated_hmac, trusted_authorities.

KeyAndCertURL

NF

Client credentials to be used with the client_certificate_url extension.

OCSPCertStatusChainVerifier

NF

Client-side ChainVerifier to validate OCSP responses sent by the server in return to a status_request extension.

OutputRecord

C

Record fragmentation also supported during handshake

PreSharedKey, PSKCredential, PSKManager,...

NF

Support for all pre-shared key (PSK) cipher suites defined by RFC 4279.

SessionManager

NF

New method setCacheSizeLimit allowing to limit the size of the session cache.

SessionTicket

NF

Implementation of the session_ticket extension according to RFC 4507 (Session Resumption without Server-Side State).

SSLContext,
 SSLClientContext,
 SSLServerContext

NF

Additional constructors to allow supplying the cipher suites already when creating the SSLContext; may be used for applets to avoid reloading attempts of missing classes (e.g. IDEA) when checking if enabled cipher suite algorithms are supported.

SSLContext

NF

New method setDoNotSendServerCloseNotify allowing to tell
 the server not to send a close_notify alert message on shutdown.
 Some versions of MSIE may not be able to properly deal with close_notify
 alert messages; to avoid such problems a server application may decide to not
 send a close_notify at shutdown. However, please be aware that not sending a
 close_notify may make the client vulnerable for truncation attacks.

SSLException

NF

New methods getAlertCode and getAlertDescription
 allowing to query for alert codes and alert descriptions

SSLCertificateException,
 SSLCertificateRuntimeException

NF

New exceptions extending SSLException; ChainVerifier.verifyChain may throw an SSLRuntimeException which may wrap a certificate related problem that is propagated through a CertificateException.

Utils

B

Fixed getASCIIWriter to always write a CRLF instead of a platform dependent linefeed.

Utils

B

Method proxyConnect supports proxy authentication and does not use a proxy for hosts that have been classified as "https.nonProxyHosts".

JSSEWrapper

NF

Adapted to work with JDK versions >= 1.5 where it is allowed
 to plug-in JSSE providers again

w3c_http.jar

C

HTTPS library adapted to most recent Jigsaw version (2.2.5);
 several fixes and improvements
