|
8 | 8 | generated by [japicmp](https://siom79.github.io/japicmp) are published at |
9 | 9 | [https://apache.github.io/mina-sshd](https://apache.github.io/mina-sshd). |
10 | 10 |
|
11 | | -Version 3 includes all the features and bug fixes of [version 2.16.0](./docs/changes/2.16.0.md) and up to |
12 | | -[commit f9887391](https://github.com/apache/mina-sshd/blob/f9887391/CHANGES.md#planned-for-next-version). |
| 11 | +Version 3 includes all the features and bug fixes of version 2, including the |
| 12 | +[latest ones](https://github.com/apache/mina-sshd/blob/master/CHANGES.md#planned-for-next-version). |
| 13 | + |
| 14 | +* For building Apache MINA SSHD 3.0, **Java >= 24** and Apache **Maven >= 3.9.11** are required. Generated artifacts |
| 15 | + still use Java 8 as minimum runtime requirement. |
13 | 16 |
|
14 | 17 | ## Milestone 1: Pre-Release 3.0.0-M1 |
15 | 18 |
|
16 | 19 | Complete refactoring of the SSH transport protocol. New feature: support for client-side proxies. |
17 | 20 |
|
18 | 21 | * [Change notes for 3.0.0-M1](./docs/changes/3.0.0-M1.md) |
19 | 22 |
|
20 | | -# Milestone 2: Pre-Release 3.0.0-M2 |
| 23 | +## Milestone 2: Pre-Release 3.0.0-M2 |
21 | 24 |
|
22 | 25 | Refactoring of cryptography. New feature: multi-release JARs for `sshd-common` and `sshd-osgi` and using on |
23 | 26 | newer Java versions the already built-in cryptographic algorithms for ChaCha20, ed25519, and ML-KEM. |
24 | 27 |
|
25 | | -* For building Apache MINA SSHD 3.0, Java >= 24 and Apache Maven >= 3.9.11 are required. Generated artifacts |
26 | | - still use Java 8 as minimum runtime requirement. |
| 28 | +* [Change notes for 3.0.0-M2](./docs/changes/3.0.0-M2.md) |
| 29 | + |
| 30 | +# Planned for the Next Milestone Release |
| 31 | + |
27 | 32 |
|
28 | 33 | ## Bug Fixes |
29 | 34 |
|
30 | | -* [GH-502](https://github.com/apache/mina-sshd/issues/502) Don't load security provider classes reflectively |
31 | | - for Bouncy Castle and `net.i2p.crypto:eddsa:0.3.0`. |
32 | 35 |
|
33 | 36 | ## Major Code Re-factoring |
34 | 37 |
|
35 | | -* The classes dealing with serializing or de-serializing public and private keys have been de-generified, |
36 | | - which simplifies them a lot. Previous code from version 2 tried to tie particular public key types and |
37 | | - private key types together via generics, such that it could be statically checked that only matching key |
38 | | - types were used. But that never worked well and in a few crucial places unchecked conversions or raw |
39 | | - types were used anyway, which makes the point moot. Code now just uses `PublicKey` and `PrivateKey` instead |
40 | | - of generic types, and checks at run-time that keys are of the expected kind. |
41 | | -* The way ed25519 keys are handled has been refactored. Duplicate code has been removed, and the handling |
42 | | - has been simplified to make it easier to include support for other eddsa implementations. This brings |
43 | | - additional API breaks, but in code areas that are unlikely to be used in customer code. |
44 | 38 |
|
45 | 39 | ## New Features |
46 | 40 |
|
47 | | -* [GH-585](https://github.com/apache/mina-sshd/issues/585) Support the JDK built-in ed25519 on Java15+ |
48 | | - |
49 | | - With this change `sshd-common` and `sshd-osgi` become MRJARs (multi-release JARs). When run on Java >= 15, |
50 | | - Apache MINA SSHD will use the built-in ed25519 from the SunEC security provider. On Java < 15, ed25519 is |
51 | | - supported if Bouncy Castle or `net.i2p.crypto:eddsa:0.3.0` is present. |
52 | | - |
53 | | - On Java >= 15, Apache MINA SSHD will use the JDK ed25519 even if Bouncy Castle or `net.i2p.crypto:eddsa:0.3.0` |
54 | | - are present. (Including `net.i2p.crypto:eddsa:0.3.0` makes no sense on Java >= 15.) There is a new |
55 | | - [registrar](./docs/security-providers.md) `SunECSecurityProviderRegistrar` with the name "SunECWrapper". It |
56 | | - is by default registered ahead of the Bouncy Castle or net.i2p registrars, and has by default ed25519, |
57 | | - X25519, and X448 enabled if SunEC is registered and has these algorithms. This new registrar can be |
58 | | - configured like any other registrar via system properties; in particular it can also be disabled via system |
59 | | - property `org.apache.sshd.security.provider.SunECWrapper.enabled=false`. |
60 | | - |
61 | | - The sole purpose of this new registrar is to prefer the SunEC implementations of ed25519, X25519, or X448 over |
62 | | - the Bouncy Castle or net.i2p implementations if Bouncy Castle or net.i2p are also available. |
63 | | - |
64 | | -* Use the JDK's built-in ChaCha20 cipher on Java11+ |
65 | | - |
66 | | - With `sshd-common` being a MRJAR, it is finally possible to use the JDK's built-in ChaCha20 cipher for the |
67 | | - chacha20-poly1305@<!-- -->openssh.com cipher on Java >= 11. This brings a substantial speed-up for this |
68 | | - encryption. On Java < 11, Apache MINA SSHD still uses its own implementation written in Java. |
69 | | - |
70 | | - (Note that one cannot use the JDK's "ChaCha20-Poly1305" cipher for SSH; Java implements |
71 | | - [RFC 8439](https://datatracker.ietf.org/doc/html/rfc8439), which has a different AEAD tag construction than |
72 | | - the version used in SSH. Since the Poly1305 MAC in Java is not accessible separately (see |
73 | | - [JDK-8253394](https://bugs.openjdk.org/browse/JDK-8253394)), Apache MINA SSHD still has to use its own |
74 | | - implementation for that part.) |
75 | | - |
76 | | -* [GH-803](https://github.com/apache/mina-sshd/issues/803) Support the JDK built-in ML-KEMs on Java24+ |
77 | | - |
78 | | - Use the ML-KEM implementations from SunJCE if run on Java >= 24. For Java < 24, the Bouncy Castle implementations |
79 | | - are used. The SunJCE ML-KEMs are advertised in the `SunJCESecurityProviderRegistrar`. |
80 | | - |
81 | | -* OSGi: the upper bound of the version range for package imports from `org.bouncycastle.*` has been raised from 2.0.0 |
82 | | - to 3.0.0. This enables using BC-FIPS in an OSGi environment. BC-FIPS provides OSGi manifests as of version 2.1.0. |
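Review bot: At new lines 11-12 the pinned reference to commit f9887391 (`blob/f9887391/CHANGES.md#planned-for-next-version`) is replaced by a link to `blob/master/CHANGES.md#planned-for-next-version`, so the statement that version 3 includes all version 2 features and bug fixes no longer names a merge point and will drift as master changes. Anyone checking whether a particular version 2 fix is present in a given 3.0 milestone can no longer tell from this file; suggest keeping a commit hash or release tag in the link and updating it on each merge from version 2. Separately, the entries removed from "Bug Fixes", "Major Code Re-factoring" and "New Features" (GH-502, GH-585, GH-803, the ChaCha20 note, the OSGi `org.bouncycastle.*` import range) are replaced only by the link to `./docs/changes/3.0.0-M2.md`, which is not part of the visible diff; please confirm that file carries them, in particular the note on the `org.apache.sshd.security.provider.SunECWrapper.enabled=false` system property and the default registrar ordering. As a style point, the added blank line at new line 31 leaves two consecutive blank lines before `## Bug Fixes`, and the three `##` sections under `# Planned for the Next Milestone Release` are now empty.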