On Mon, 15 Dec 2025 10:57:13 GMT, Daniel Jeliński <[email protected]> wrote:
>> TLS 1.3 changed the way it generates the FFDHE shared secret. In TLS 1.2,
>> the leading zeroes in the shared secret were stripped, and in TLS 1.3 the
>> leading zeroes are preserved.
>>
>> Thanks to the recent work in
>> [JDK-8189441](https://bugs.openjdk.org/browse/JDK-8189441), we now have a
>> new algorithm name `Generic` that can be used to generate a shared secret
>> with the leading zeroes preserved.
>>
>> This PR changes the TLS 1.3 handshake to use the new algorithm name.
>>
>> I didn't add any tests to verify the correctness of the handshake. This can
>> be verified using tlsfuzzer, see JBS for details.
>>
>> Tier1-3 tests continue to pass.
>
> Daniel Jeliński has updated the pull request with a new target base due to a
> merge or a rebase. The pull request now contains five commits:
>
>  - Merge branch 'master' into tls13-ffdhe
>  - Revert PKCS11 changes
>  - Update copyright, add bug IDs
>  - Fix PKCS11 DH key derivation
>  - Keep leading zeroes in tls13

Things to consider:

- Without this change, roughly 1 in 256 handshakes using FFDHE where the peer is not JSSE-based will fail
- With this change, roughly 1 in 256 handshakes using FFDHE where the peer is an older JSSE version will fail
- JSSE only uses FFDHE as a last resort when ECDHE is not available
- This change will need to be backported together with [JDK-8189441](https://bugs.openjdk.org/browse/JDK-8189441), or not at all

-------------

PR Comment: https://git.openjdk.org/jdk/pull/27343#issuecomment-3655025202
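The encoding difference behind the "1 in 256" figure, as an added example that is not code from the PR or from JSSE: it reproduces the TLS 1.2 (strip leading zeroes) and TLS 1.3 (pad to the prime length, RFC 8446 section 7.4.1) encodings of an FFDHE shared secret over a constructed toy group, feeds both into HKDF-Extract, and computes the exact share of secrets on which a stripping peer and a padding peer disagree. The prime, generator and private values are constructed for illustration and are not an RFC 7919 group.

```python
"""Added example: why stripping vs padding the FFDHE shared secret Z makes
an old-style peer and an RFC 8446 peer derive different TLS 1.3 keys."""
import hashlib
import hmac

# Constructed toy group, NOT an RFC 7919 FFDHE group. The largest prime below
# 2**64 keeps Z close to uniform over 64 bits, as with the real ffdhe* primes.
P = (1 << 64) - 59
G = 2
P_LEN = (P.bit_length() + 7) // 8   # 8 octets


def dh_shared(private: int, peer_public: int) -> int:
    """Raw Diffie-Hellman: Z = peer_public ** private mod P."""
    return pow(peer_public, private, P)


def secret_tls12(z: int) -> bytes:
    """TLS 1.2 style: big-endian Z with leading zero octets stripped."""
    return z.to_bytes((z.bit_length() + 7) // 8, "big")


def secret_tls13(z: int) -> bytes:
    """TLS 1.3 style: big-endian Z left-padded to the octet length of P."""
    return z.to_bytes(P_LEN, "big")


def handshake_secret(shared: bytes) -> bytes:
    """HKDF-Extract(salt, IKM=shared), where Z enters the TLS 1.3 key schedule.
    The salt is fixed here; only the encoding of the IKM matters for the point."""
    return hmac.new(b"\x00" * 32, shared, hashlib.sha256).digest()


def handshake_agrees(z: int) -> bool:
    """Do a stripping peer and a padding peer derive the same secret from Z?"""
    return handshake_secret(secret_tls12(z)) == handshake_secret(secret_tls13(z))


def failure_fraction() -> float:
    """Exact share of Z in [1, P-1] whose top octet is zero, i.e. the share of
    handshakes on which the two encodings, and hence the keys, differ."""
    zero_top_octet = (1 << (8 * (P_LEN - 1))) - 1   # Z in [1, 2**56 - 1]
    return zero_top_octet / (P - 1)


if __name__ == "__main__":
    x, y = 0x123456789ABCDEF1, 0x0FEDCBA987654321   # constructed private values
    z = dh_shared(x, pow(G, y, P))
    assert z == dh_shared(y, pow(G, x, P))
    print(secret_tls12(z).hex(), secret_tls13(z).hex(), handshake_agrees(z))
    print(f"expected mismatch rate: 1 in {1 / failure_fraction():.0f}")
```

With a real 2048-bit group the arithmetic is the same: the top octet of Z is zero with probability about 1/256, and only then do the stripped and padded encodings, and the resulting handshake keys, diverge.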
