A fully fledged TLS Extensions API?
Florian Weimer
fweimer at redhat.com
Mon Nov 10 13:07:41 UTC 2014
On 11/07/2014 02:06 PM, Simone Bordet wrote:
> This email is about the idea to introduce in JDK 9 a fully fledged TLS
> Extensions API.
>
> Adding ALPN [0] support to JDK 9 requires, unlike other TLS
> extensions, providing application code that will be run in the
> context of the TLS implementation, rather than just values such as
> booleans or strings.

That's going to be interesting if you need to support non-blocking
operation for use with SSLEngine.

> IMHO this chance can be lifted to provide a full TLS Extensions API.

I don't think this is possible because TLS extensions can alter the TLS
handshake, result in additional messages being exchanged, and generally
alter the protocol in unforeseeable ways. On top of that, the concrete
TLS implementation is not fixed; it can be swapped out, so tying the
extension API to the existing OpenJDK internals will not work for everyone.

--
Florian Weimer / Red Hat Product Security