On 12/10/18 15:55, George Stanchev wrote:
> Mark,
> 
> Can you elaborate around the following:
> 
> <quote>
> All combinations support server initiated requests for client certificates 
> apart from NIO[2]+JSSE on Java 11 as the Java 11 TLSv1.3 implementation does 
> not include post handshake authentication.
> </quote>
> 
> What are the use cases affected? Is it for TLS upgrade when a certain 
> resource is being requested?

Security constraints can require CLIENT-CERT authentication for some
URLs within a web application.

If the TLS connection is established before one of these URLs is
requested then either renegotiation (TLSv1.2 and earlier) or post
handshake authentication (TLSv1.3) is required to obtain the
certificates from the client.

Tomcat supports this for all combinations of TLSv1.2. It supports it for
TLSv1.3 only when OpenSSL is providing the encryption. With pure Java
(JSSE, Java 11+) it is not supported because Java has not (yet?)
implemented post handshake authentication.

HTH,

Mark

> 
> Thanks in advance,
> George
> 
> -----Original Message-----
> From: Mark Thomas <ma...@apache.org> 
> Sent: Thursday, October 11, 2018 2:39 PM
> To: Tomcat Developers List <dev@tomcat.apache.org>
> Subject: TLSv1.3 and 9.0.next
> 
> Hi,
> 
> As you probably noticed I've been working on TLS 1.3 support, building on 
> Chris's work in BZ 62748.
> 
> The current status is the Tomcat Native 1.2.x and Tomcat 9.0.x support
> TLSv1.3 in any of the following combinations:
> - NIO[2]+JSSE on Java 11
> - NIO[2]+OpenSSL on Java 8 onwards
> - APR/Native on Java 8 onwards
> 
> All combinations support server initiated requests for client certificates 
> apart from NIO[2]+JSSE on Java 11 as the Java 11 TLSv1.3 implementation does 
> not include post handshake authentication.
> 
> I have made quite a few changes to the Native code to support this.
> 
> My plan going forwards is as follows:
> 
> - give folks until early next week to review the native changes
> - tag 1.2.18 early next week
> - hopefully release 1.2.18 late next week
> - update 9.0.x to require 1.2.18 or later
> - tag / release 9.0.x
> 
> Alongside the above, I'll be backporting the TLSv1.3 support to 8.5.x and 
> 9.0.x.
> 
> Thoughts, comments and especially code reviews welcome.
> 
> Mark
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
> 
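As an added illustration of the scenario Mark describes (this is not part of the thread and not Tomcat's own sample configuration), the fragments below show a web.xml that requires CLIENT-CERT only for a sub-tree of URLs, the Tomcat 9 connector combination that cannot satisfy it under TLSv1.3, and two connector settings that can. Ports, keystore paths, passwords and the /admin/* pattern are placeholders; the TLSv1.3 protocol token and the certificateVerification / sslImplementationName attributes are assumed to be the ones in a Tomcat 9.0.x release that includes the TLSv1.3 support discussed here.

```xml
<!-- WEB-INF/web.xml (constructed example). CLIENT-CERT is required only
     for /admin/*, so a client may open its TLS connection for a public URL
     and only later request a URL that needs its certificate. Obtaining the
     certificate at that point needs renegotiation (TLSv1.2 and earlier) or
     post handshake authentication (TLSv1.3). -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin area</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>

<!-- conf/server.xml, combination that cannot serve the constraint above:
     NIO + JSSE on Java 11, TLSv1.3 only, no certificate requested at the
     initial handshake. The later CLIENT-CERT request would need post
     handshake authentication, which the Java 11 JSSE does not implement. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true">
  <SSLHostConfig protocols="TLSv1.3" certificateVerification="none">
    <Certificate certificateKeystoreFile="conf/keystore.jks"
                 certificateKeystorePassword="changeit" type="RSA"/>
  </SSLHostConfig>
</Connector>

<!-- Option 1: request the client certificate during the initial handshake.
     "optional" asks for a certificate but does not reject clients that
     present none, so the CLIENT-CERT constraint can be evaluated later
     without renegotiation or post handshake authentication. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true">
  <SSLHostConfig protocols="TLSv1.3" certificateVerification="optional"
                 truststoreFile="conf/truststore.jks"
                 truststorePassword="changeit">
    <Certificate certificateKeystoreFile="conf/keystore.jks"
                 certificateKeystorePassword="changeit" type="RSA"/>
  </SSLHostConfig>
</Connector>

<!-- Option 2: keep "none" but let OpenSSL (via Tomcat Native, 1.2.18 or
     later per the thread) provide the TLS implementation, which supports
     post handshake authentication; this works on Java 8 onwards. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
           SSLEnabled="true">
  <SSLHostConfig protocols="TLSv1.3" certificateVerification="none"
                 truststoreFile="conf/truststore.jks"
                 truststorePassword="changeit">
    <Certificate certificateKeystoreFile="conf/keystore.jks"
                 certificateKeystorePassword="changeit" type="RSA"/>
  </SSLHostConfig>
</Connector>
```

In all three cases the CLIENT-CERT authenticator still needs a Realm that maps the certificate's subject DN to the admin role (for example a matching user entry in conf/tomcat-users.xml); a third way to sidestep the problem entirely is to leave TLSv1.3 out of the protocols list on a JSSE connector so that ordinary TLSv1.2 renegotiation is used.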

