What New Security Features Does JDK 20 Offer? Encryption, TLS, and JFR Highlights
JDK 20, released in March 2023, introduces a suite of security enhancements—including new exception constructors, expanded algorithm service attributes, stricter defaults for DTLS 1.0 and ECDH suites, performance‑boosting intrinsics for ChaCha20, Poly1305, MD5 and ECC, as well as new Java Flight Recorder events for tracking security properties—providing developers with stronger defaults and better observability.
JDK 20 Security Enhancements Overview
JDK 20 was released on March 21, 2023. This article lists the most interesting and useful security‑related improvements, grouped by encryption, TLS and other categories.
General Security Improvements
Added InvalidParameterException constructor with cause (JDK‑8296226). The new constructor allows throwing an exception with a cause directly, e.g.:
throw new InvalidParameterException(new NullPointerException());
or
throw new InvalidParameterException("parameter is null", new NullPointerException());
Standard algorithm name service attributes added (JDK‑8297161). Four new attributes – SupportedKeyClasses, SupportedKeyFormats, SupportedModes and SupportedPaddings – are now defined as standard service properties.
Loading java.security file now throws InternalError (JDK‑8155246). If the security configuration cannot be loaded, the JVM aborts with an InternalError instead of silently using defaults.
Encryption Performance Improvements
ChaCha20 intrinsic functions for x86_64 and aarch64 (JDK‑8247645). Enabled by default; can be disabled with -XX:-UseChaCha20Intrinsics.
Poly1305 intrinsic for ByteBuffer (JDK‑8297379). Now works with CipherSpi.engineUpdate methods.
MD5 intrinsic for x86_64 (JDK‑8296548). Significant speedup on supported CPUs.
Secp256r1 EC point‑multiplication improvement (JDK‑8295011). Uses pre‑computed tables for faster operations.
General ECC math improvements (JDK‑8294997). Faster BigInteger and curve point calculations in SunEC.
TLS‑Related Improvements
DTLS 1.0 is disabled by default (RFC 8996).
ECDH cipher suites are disabled by default (JDK‑8279164) because they lack forward secrecy.
New API to set and get named groups for TLS/DTLS: SSLParameters.setNamedGroups and SSLParameters.getNamedGroups (JDK‑8281236).
Example:
SSLParameters params = new SSLParameters();
params.setNamedGroups(new String[] { "x25519", "secp256r1" });
Tooling Improvements
Java Flight Recorder now records an initial‑security‑property event (jdk.InitialSecurityProperty) and a security‑provider‑service event (jdk.SecurityProviderService) to capture the security configuration and provider usage.
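The two JFR events can also be used to audit the TLS defaults listed above. The following is an added example, not code from the original article or from the JDK project: it records both events in-process and checks that DTLSv1.0 and ECDH appear in the initial jdk.tls.disabledAlgorithms value. The class name, temp file prefix and SHA-256 workload are constructed for illustration; the event field names (key, value, type, algorithm, provider) are assumed to match the JDK 20 event definitions.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.Security;
import jdk.jfr.Recording;
import jdk.jfr.consumer.RecordedEvent;
import jdk.jfr.consumer.RecordingFile;

// Added example (hypothetical class name): audit JDK security defaults through JFR.
public class SecurityJfrAudit {
    public static void main(String[] args) throws Exception {
        // Force java.security to load before recording starts; on JDK 20 a
        // load failure surfaces here as an InternalError.
        Security.getProperty("jdk.tls.disabledAlgorithms");

        Path dump = Files.createTempFile("security-audit", ".jfr"); // constructed name
        try (Recording rec = new Recording()) {
            rec.enable("jdk.InitialSecurityProperty");
            rec.enable("jdk.SecurityProviderService");
            rec.start();
            // Constructed workload: one provider lookup so a service event is emitted.
            MessageDigest.getInstance("SHA-256").digest(new byte[0]);
            rec.stop();
            rec.dump(dump);
        }

        boolean dtls10Disabled = false;
        boolean ecdhDisabled = false;
        for (RecordedEvent e : RecordingFile.readAllEvents(dump)) {
            String name = e.getEventType().getName();
            if (name.equals("jdk.InitialSecurityProperty")
                    && "jdk.tls.disabledAlgorithms".equals(e.getString("key"))) {
                // The value is the comma-separated list from the java.security file.
                for (String item : e.getString("value").split(",")) {
                    dtls10Disabled |= item.trim().equals("DTLSv1.0");
                    ecdhDisabled |= item.trim().equals("ECDH");
                }
            } else if (name.equals("jdk.SecurityProviderService")) {
                System.out.printf("service: %s/%s from %s%n", e.getString("type"),
                        e.getString("algorithm"), e.getString("provider"));
            }
        }
        System.out.println("DTLSv1.0 disabled by default: " + dtls10Disabled);
        System.out.println("ECDH suites disabled by default: " + ecdhDisabled);
        Files.deleteIfExists(dump);
    }
}
```

A false result on JDK 20 or later means the java.security file in use has been edited to re-enable these algorithms.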
Source: Sean Mullan, https://seanjmullan.org/blog/2023/03/22/jdk20
