On Fri, Oct 12, 2018 at 9:59 PM Rainer Jung <rainer.j...@kippdata.de> wrote:
> On 12.10.2018 at 19:39, Mark Thomas wrote:
> > On 12/10/18 15:55, George Stanchev wrote:
> >> Mark,
> >>
> >> Can you elaborate around the following:
> >>
> >> <quote>
> >> All combinations support server initiated requests for client
> >> certificates apart from NIO[2]+JSSE on Java 11 as the Java 11 TLSv1.3
> >> implementation does not include post handshake authentication.
> >> </quote>
> >>
> >> What are the use cases affected? Is it for TLS upgrade when a certain
> >> resource is being requested?
> >
> > Security constraints can require CLIENT-CERT authentication for some
> > URLs within a web application.
> >
> > If the TLS connection is established before one of these URLs is
> > requested then either renegotiation (TLSv1.2 and earlier) or post
> > handshake authentication (TLSv1.3) is required to obtain the
> > certificates from the client.
> >
> > Tomcat supports this for all combinations of TLSv1.2. It supports it for
> > TLSv1.3 only when OpenSSL is providing the encryption. With pure Java
> > (JSSE, Java 11+) it is not supported because Java has not (yet?)
> > implemented post handshake authentication.
>
> And for those who are not aware: post_handshake_auth is a new TLS
> extension in TLS 1.3 that's supposed to get used for that. The Java JEP
> (Java Enhancement Proposal) that defines the TLS 1.3 support in Java 11
> can e.g. be found under
>
> http://openjdk.java.net/jeps/332
>
> It contains:
>
> "The following significant features will not be implemented as part of
> this JEP:
>
> ...
> - Post-handshake authentication
> ..."

There's also that 0RTT performance thing that is another useful item that
will not be in JSSE, so it seems the OpenSSL support that was added to get
supportable ALPN remains a must have.

Rémy

> There's a three month old open bug for implementing it with no
> noticeable activity:
>
> https://bugs.openjdk.java.net/browse/JDK-8206923
>
> Regards,
>
> Rainer
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
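The setup Mark describes, as an added configuration example that is not part of this thread or of the Tomcat distribution: a Tomcat 8.5/9-style NIO connector switched to the OpenSSL engine so that a CLIENT-CERT constraint on one URL space can still be satisfied mid-connection under TLSv1.3. Port, file paths, the `admin` role and the `/admin/*` pattern are placeholders, and the OpenSSL engine assumes the Tomcat Native library is installed.

```xml
<!-- server.xml (fragment): TLS connector on NIO using the OpenSSL engine,
     which has TLSv1.3 post-handshake authentication; requires the Tomcat
     Native library. Port and paths are placeholders. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
           SSLEnabled="true">
  <!-- certificateVerification="none" (the default) means no client
       certificate is requested in the initial handshake; Tomcat asks for
       one only when a CLIENT-CERT protected URL is requested, which is
       the renegotiation / post-handshake-auth case discussed above. -->
  <SSLHostConfig protocols="TLSv1.3"
                 certificateVerification="none"
                 caCertificateFile="conf/client-ca.pem">
    <Certificate certificateFile="conf/server-cert.pem"
                 certificateKeyFile="conf/server-key.pem"
                 type="RSA"/>
  </SSLHostConfig>
</Connector>

<!-- web.xml (fragment): only /admin/* demands a client certificate, so a
     connection first used for a public URL must obtain the certificate
     mid-connection when /admin/* is requested later. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin area</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role>
  <role-name>admin</role-name>
</security-role>
```

With the same web.xml but the default JSSE engine on Java 11 (no `sslImplementationName`), a TLSv1.3 connection that first touched a public URL cannot later present a certificate for `/admin/*`, which is the NIO[2]+JSSE gap the thread is about.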