Trusted service?

Wang Weijun weijun.wang at oracle.com
Thu Aug 14 07:47:25 UTC 2014


On Aug 13, 2014, at 22:11, Bernd Eckenfels <ecki at zusammenkunft.net> wrote:

> Just a BTW: It would be really cool to have a SPI interface for that, so people who need SRP, CCM or shared secret handshakes (or stuff like NPN?) don't need to use a third party SSL engine.

Are they all ciphersuites not based on certificates? My main area is Kerberos, so I have never heard of them, but I'll be very glad if we can support them in some way.

My current webrev is at http://cr.openjdk.java.net/~weijun/8038089/webrev.02/. There is an ExternalCipherSuiteProvider interface, but you can see it is not really general and uses Kerberos concepts like tickets. Also, inside the SSL code I create a Krb5Helper which will be called when TLS_KRB5_* ciphersuites are used, like this:

   case K_KRB5: case K_KRB5_EXPORT:
     Krb5Helper.doXXX(...);

Ideally, in order to deal with other ExternalCipherSuiteProvider impls, it should be something like

   default:
     getExternalHelper(keyExchange).doXXX(...);

Anyway, please tell me if this step is something you believe is useful and what kind of change is needed to be able to support more ciphersuites. The interface is now internal so we can evolve it later. Any contribution is welcome.

Thanks
Max



