Start of changes for service refresh 6 fix pack 25

Limiting the amount of data that algorithms can encrypt with a set of keys

You can specify a limit on the amount of data an algorithm can encrypt with a specific set of keys by using the jdk.tls.keyLimits security property.

When this limit is reached, a KeyUpdate post-handshake message is sent, which requests that the current set of keys be updated. This security property applies only to symmetric ciphers with TLS 1.3.

The syntax for this property is as follows:

jdk.tls.keyLimits=KeyLimit { , KeyLimit }

KeyLimit:
AlgorithmName KeyUpdate Length
  • AlgorithmName: A full algorithm transformation
  • Length: The amount of encrypted data in a session before a KeyUpdate message is sent. This value can be an integer number of bytes or a power of two, for example, 2^37.

For example, the following setting specifies that a KeyUpdate message is sent after the algorithm AES/GCM/NoPadding has encrypted 2^37 bytes:

jdk.tls.keyLimits=AES/GCM/NoPadding KeyUpdate 2^37
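The following Python checker is an added example, not part of IBM's documentation or the JDK: it parses the jdk.tls.keyLimits syntax described above out of java.security-style text, converting both the integer and the 2^N Length forms to a byte count, and reports entries above a policy ceiling. The SAMPLE excerpt, the ChaCha20-Poly1305 entry and the ceiling value are constructed assumptions used only to exercise the parser.

```python
import re
# Grammar from the page: jdk.tls.keyLimits=KeyLimit { , KeyLimit }, where
# KeyLimit is "AlgorithmName KeyUpdate Length" and Length is bytes or 2^N.
_KEYLIMIT_RE = re.compile(
    r"^\s*(?P<alg>[A-Za-z0-9_/\-]+)\s+KeyUpdate\s+(?P<len>2\^\d+|\d+)\s*$")

# Constructed java.security excerpt (not from the page); the second entry only
# exercises the comma-separated list and '\' line-continuation syntax.
SAMPLE = """\
jdk.tls.disabledAlgorithms=SSLv3, TLSv1
jdk.tls.keyLimits=AES/GCM/NoPadding KeyUpdate 2^37, \\
    ChaCha20-Poly1305 KeyUpdate 137438953472
"""

def parse_length(token: str) -> int:
    """Convert a Length token ('2^37' or '137438953472') to a byte count."""
    return 1 << int(token[2:]) if token.startswith("2^") else int(token)

def parse_key_limits(value: str) -> dict[str, int]:
    """Parse a jdk.tls.keyLimits value into {algorithm: byte_limit}."""
    limits = {}
    for entry in value.split(","):
        m = _KEYLIMIT_RE.match(entry)
        if not m:
            raise ValueError(f"malformed KeyLimit entry: {entry!r}")
        limits[m.group("alg")] = parse_length(m.group("len"))
    return limits

def _logical_lines(text: str):
    """Yield non-comment lines with backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        line, buf = buf + line, ""
        if line and not line.startswith("#"):
            yield line

def parse_java_security(text: str) -> dict[str, int]:
    """Return parsed jdk.tls.keyLimits from java.security text, {} if unset."""
    for line in _logical_lines(text):
        key, sep, val = line.partition("=")
        if sep and key.strip() == "jdk.tls.keyLimits":
            return parse_key_limits(val)
    return {}

def over_ceiling(limits: dict[str, int], ceiling: int) -> list[str]:
    """Algorithms whose limit exceeds a policy ceiling in bytes (operator's choice)."""
    return sorted(alg for alg, n in limits.items() if n > ceiling)
```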