JDK 13 has been released! As with my JDK 12 blog, I have gathered up a list of the most interesting and useful security enhancements in this release. And as before, I have grouped them into appropriate categories (crypto, TLS, etc.), which should make it easier to find out what has changed in each specific area. The JDK 13 Release Notes also contain details on these and other enhancements.

The SunPKCS11 provider has been updated to PKCS#11 v2.40. This update adds support for additional PKCS#11 mechanisms, attributes, key types and adds support for several new algorithms:

On Windows, the SunMSCAPI JCE provider has been enhanced to support CNG. The provider can now load RSA and EC keys in CNG format from Windows keystores. The provider also now supports elliptic curve Signature algorithms (SHA1withECDSA, SHA256withECDSA, etc.).

javax.security.cert APIs marked for removal

The deprecated javax.security.cert APIs have been marked for removal and are subject to removal in a future release. These APIs exist only to support applications written against early versions of the Java Secure Socket Extension (JSSE), prior to its inclusion in JDK 1.4. Applications should use the java.security.cert package instead.

Issue: https://bugs.openjdk.java.net/browse/JDK-8160247

X25519 and X448 Diffie-Hellman elliptic curve support

The SunJSSE provider has been enhanced to support the x25519 and x448 elliptic curve named groups, with x25519 being the highest preferred group. These curves are supported for TLS versions 1.0, 1.1, 1.2, and 1.3. The default list of named groups is now:

x25519, secp256r1, secp384r1, secp521r1, x448, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192

This order can be overridden using the jdk.tls.namedGroups system property.

Issue: https://bugs.openjdk.java.net/browse/JDK-8171279
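To confirm which named groups a JVM actually offers after a jdk.tls.namedGroups override, you can build a ClientHello in memory and read its supported_groups extension. The following is an added example, not code from this post or from the JDK; the class name, the host name example.test and the property value are assumptions chosen for illustration.

```java
import java.nio.ByteBuffer;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class NamedGroupsCheck {
    // IANA "TLS Supported Groups" code points for a few of the groups listed above.
    static final Map<Integer, String> NAMES = Map.of(
            0x001d, "x25519", 0x001e, "x448", 0x0017, "secp256r1",
            0x0018, "secp384r1", 0x0019, "secp521r1", 0x0100, "ffdhe2048");

    // Builds a ClientHello with the default SSLContext (nothing is sent on the
    // network) and returns the groups it offers, in order of preference.
    static List<String> offeredGroups() throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine("example.test", 443);
        engine.setUseClientMode(true);
        ByteBuffer rec = ByteBuffer.allocate(engine.getSession().getPacketBufferSize());
        engine.wrap(ByteBuffer.allocate(0), rec);       // first wrap() emits the ClientHello
        rec.flip();
        rec.position(5 + 4 + 2 + 32);                   // record hdr, handshake hdr, version, random
        rec.position(rec.position() + 1 + (rec.get(rec.position()) & 0xff));  // session_id
        int suitesLen = rec.getShort() & 0xffff;
        rec.position(rec.position() + suitesLen);       // cipher_suites
        int compLen = rec.get() & 0xff;
        rec.position(rec.position() + compLen);         // compression_methods
        int extLen = rec.getShort() & 0xffff;
        int end = rec.position() + extLen;
        List<String> groups = new ArrayList<>();
        while (rec.position() < end) {
            int type = rec.getShort() & 0xffff;
            int len = rec.getShort() & 0xffff;
            if (type != 10) {                           // 10 = supported_groups
                rec.position(rec.position() + len);
                continue;
            }
            for (int n = (rec.getShort() & 0xffff) / 2; n > 0; n--) {
                int id = rec.getShort() & 0xffff;
                groups.add(NAMES.getOrDefault(id, String.format("0x%04x", id)));
            }
        }
        return groups;
    }

    public static void main(String[] args) throws Exception {
        // Must be set before JSSE initialises; in production pass it as -Djdk.tls.namedGroups=...
        System.setProperty("jdk.tls.namedGroups", "x25519,secp256r1");   // example value
        System.out.println("offered groups: " + offeredGroups());
    }
}
```

Groups missing from the small lookup table are printed as their hexadecimal code point, so an unexpected entry in the offered list is still visible.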

Stateless Server

The SunJSSE provider now supports stateless sessions, which can significantly improve the performance and scalability of a TLS server under large workloads. For this release, the feature is not yet enabled by default. On the client side, it can be enabled by setting the jdk.tls.client.enableSessionTicketExtension system property to “true” and on the server side, by setting the jdk.tls.server.enableSessionTicketExtension system property to “true”.

Issue: https://bugs.openjdk.java.net/browse/JDK-8211018

Enabled cipher suites order changed to improve security

The order of the default list of enabled TLS cipher suites has been modified with several changes to improve security. See the CSR for full details.

Issue: https://bugs.openjdk.java.net/browse/JDK-8163326