A fully fledged TLS Extensions API ?

Florian Weimer fweimer at redhat.com
Mon Nov 10 13:07:41 UTC 2014

On 11/07/2014 02:06 PM, Simone Bordet wrote:

> This email is about the idea to introduce in JDK 9 a fully fledged TLS
> Extensions API.
> Adding ALPN [0] support to JDK 9 requires, differently from other TLS
> extensions, to provide application code that will be run in the
> context of the TLS implementation, rather than just values such as
> booleans or strings.

That's going to be interesting if you need to support non-blocking 
operation for use with SSLEngine.

> IMHO this chance can be lifted to provide a full TLS Extensions API.

I don't think this is possible because TLS extensions can alter the TLS 
handshake, result in additional messages being exchanged, and generally 
alter the protocol in unforeseeable ways.  On top of that, the concrete 
TLS implementation is not fixed, it can be swapped out, so tying the 
extension API to the existing OpenJDK internals will not work for everyone.

Florian Weimer / Red Hat Product Security

More information about the security-dev mailing list