This Heads-Up is part of the regular communication sent to the projects involved; it covers that JDK 27 EA Builds now include post-quantum hybrid key exchange for TLS 1.3.

Inside Java is a resource for Java developers, offering insights, tutorials, and updates on the Java programming language, platform, and ecosystem. With contributions from Java experts and members of the Java community, Inside Java covers a wide range of topics, including language features, performance optimizations, and upcoming releases. Developers can stay informed about the latest developments in the Java ecosystem, learn about new APIs and frameworks, and explore best practices for building robust and scalable Java applications.

Inside Java

JDK 27 early-access builds now include JEP 527, adding post-quantum hybrid key exchange for TLS 1.3 via the SunJSSE provider. Three hybrid schemes are available: X25519MLKEM768, SecP256r1MLKEM768, and SecP384r1MLKEM1024, each combining classical elliptic-curve Diffie-Hellman with ML-KEM quantum-resistant algorithms. X25519MLKEM768 is enabled by default alongside classical algorithms, so most Java applications using standard javax.net.ssl APIs benefit without code changes. Developers can customize enabled groups via the jdk.tls.namedGroups system property or SSLParameters::setNamedGroups. The feature targets protection against harvest-now, decrypt-later attacks. Feedback is requested via the security-dev OpenJDK mailing list.

JDK 27: Post-Quantum Hybrid Key Exchange for TLS 1.3 – Inside.java