On 12.10.2018 at 19:39, Mark Thomas wrote:
On 12/10/18 15:55, George Stanchev wrote:
Mark,
Can you elaborate around the following:
<quote>
All combinations support server initiated requests for client certificates
apart from NIO[2]+JSSE on Java 11 as the Java 11 TLSv1.3 implementation does
not include post handshake authentication.
</quote>
What are the use cases affected? Is it for a TLS upgrade when a certain resource
is being requested?
Security constraints can require CLIENT-CERT authentication for some
URLs within a web application.
If the TLS connection is established before one of these URLs is
requested then either renegotiation (TLSv1.2 and earlier) or post
handshake authentication (TLSv1.3) is required to obtain the
certificates from the client.
Tomcat supports this for all combinations of TLSv1.2. It supports it for
TLSv1.3 only when OpenSSL is providing the encryption. With pure Java
(JSSE, Java 11+) it is not supported because Java has not (yet?)
implemented post handshake authentication.
And for those who are not aware: post_handshake_auth is a new TLS
extension in TLS 1.3 that's supposed to get used for that. The Java JEP
(Java Enhancement Proposal) that defines the TLS 1.3 support in Java 11
can, e.g., be found under
http://openjdk.java.net/jeps/332
It contains:
"The following significant features will not be implemented as part of
this JEP:
...
- Post-handshake authentication
..."
There's a three-month-old open bug for implementing it with no
noticeable activity:
https://bugs.openjdk.java.net/browse/JDK-8206923
Regards,
Rainer
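As an added illustration of the configuration this thread is about (it is not part of the thread and not code from the Tomcat project): a web.xml security constraint that requires CLIENT-CERT only for part of an application, followed by the two connector set-ups the replies above describe. The connectors use the Tomcat 9 style SSLHostConfig syntax; the keystore paths, passwords, the `/admin/*` URL pattern and the `admin` role are assumed placeholders, and the OpenSSL-backed connector also assumes the Tomcat Native library is installed so that `OpenSSLImplementation` can be loaded.

```xml
<!-- WEB-INF/web.xml (assumed application): CLIENT-CERT is only enforced
     under /admin/*, so the TLS session is normally set up without a client
     certificate and the container must request one later (renegotiation on
     TLSv1.2, post-handshake authentication on TLSv1.3). -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin area</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role>
  <role-name>admin</role-name>
</security-role>

<!-- conf/server.xml, connector 1: NIO + OpenSSL (Tomcat Native required).
     Per the thread this combination supports the later certificate request
     on both TLSv1.2 and TLSv1.3. certificateVerification="none" means no
     certificate is asked for until a CLIENT-CERT constrained URL is hit. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
           SSLEnabled="true" maxThreads="150">
  <SSLHostConfig protocols="TLSv1.2+TLSv1.3"
                 certificateVerification="none"
                 truststoreFile="conf/client-ca.jks"
                 truststorePassword="changeit">
    <Certificate certificateKeystoreFile="conf/server.jks"
                 certificateKeystorePassword="changeit"
                 type="RSA"/>
  </SSLHostConfig>
</Connector>

<!-- conf/server.xml, connector 2: NIO + pure Java JSSE on Java 11.
     The thread states JSSE has no post-handshake authentication on TLSv1.3,
     so this connector is pinned to TLSv1.2, where renegotiation still
     satisfies the CLIENT-CERT constraint. Enabling TLSv1.3 here would leave
     /admin/* unreachable for clients that negotiate it. -->
<Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="150">
  <SSLHostConfig protocols="TLSv1.2"
                 certificateVerification="none"
                 truststoreFile="conf/client-ca.jks"
                 truststorePassword="changeit">
    <Certificate certificateKeystoreFile="conf/server.jks"
                 certificateKeystorePassword="changeit"
                 type="RSA"/>
  </SSLHostConfig>
</Connector>
```

A quick way to see which path a deployment takes is to open a TLSv1.3 session to the connector with a client that has a certificate available, then request a URL under the constrained pattern: with the OpenSSL-backed connector the server sends a CertificateRequest after the handshake, while with the JSSE connector on Java 11 that request never comes unless the session was negotiated as TLSv1.2.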