SslBundles provides a way to configure SslOptions that should be applied when establishing an SSL connection. Starting with Java 20, SSLParameters can now be configured with key exchange named groups names. It would be nice if these could be set on SslBundles to be applied to the different HTTP client and Servers.
In the context of PQC this would give the ability to configure Post-Quantum Hybrid Key Exchange groups for TLS 1.3.
This is described in draft JEP
Bouncy Castle has already added support for Post-Quantum Hybrid Key Exchange in their JSSE provider. This can be seen in this sample repo
This enhancement would rely on the underlying clients and servers supporting setting SSLParameters, which I am currently evaluating to understand which already support this and which do not.
Here is an example of what setting this on the JDK client would look like:
private SSLParameters asSslParameters(SslBundle sslBundle) {
SslOptions options = sslBundle.getOptions();
SSLParameters parameters = new SSLParameters();
parameters.setCipherSuites(options.getCiphers());
parameters.setNamedGroups(options.getNamedGroups());
parameters.setProtocols(options.getEnabledProtocols());
return parameters;
}
Comment From: matthew-js-porter
HTTP Client
| Client | Supported? | Example / Issue |
|---|---|---|
| JDK | No. supports setting SSLParameters but namedGroups is not honored | Issue & Example |
| Netty | No. | Example |
| Jetty | Yes. | Example |
| ~~Simple~~ | No. No SSLOptions supported | . |
| HttpComponents | Yes. But I will open an issue for a better way to configure it. | Example |
Cassandra
| Supported? | Example / Issue |
|---|---|
| No. | TBD. |
Redis
| Connection Factory | Supported? | Example / Issue |
|---|---|---|
| Lettuce. | TBD. | TBD. |
| Jedis. | TBD. | TBD. |
~~### Couchbase~~ | Supported? | Example / Issue | | ------ | -----------------------| | No. | No. No SSLOptions supported. |
Elasticsearch Client
| Supported? | Example / Issue |
|---|---|
| TBD. | TBD. |
~~### Mongo~~ | Supported? | Example / Issue | | ------ | -----------------------| | No. | No. No SSLOptions supported. |
Kafka
| Supported? | Example / Issue |
|---|---|
| TBD. | TBD. |
Server
| Client | Supported? | Example / Issue |
|---|---|---|
| Tomcat | No. | Issue & Example |
| Netty | No. | Example |
| Jetty | Yes. | Example |
| Undertow | TBD. | TBD |