TLS extensions API, ALPN and HTTP 2.0

Michael McMahon michael.x.mcmahon at oracle.com
Wed Sep 17 10:57:21 UTC 2014


Hi Simone,

I'm interested to understand why you think this Http 2 requirement
is difficult or impossible to implement in the JDK currently.

I thought, cipher suite selection would be independent of the ALPN 
mechanism.
So, a Http 2 client implementation would ensure that allowed ciphers
are in its list of proposed ciphers, and it's up to the server then to 
choose
an allowed one. And presumably, a server implementation can do the same?

- Michael.

On 17/09/14 11:02, Simone Bordet wrote:
> Hi,
>
> On Tue, Sep 2, 2014 at 11:11 AM, Vincent Ryan <vincent.x.ryan at oracle.com> wrote:
>> Your OCA is still being processed. When that has completed your name will be listed at:
>>    http://www.oracle.com/technetwork/community/oca-486395.html#b
>>
>> Until then, we can discuss these TLS/HTTP issues but we cannot include your APIs or source code.
> Just an update on this...
>
> While ALPN should offer mechanism independent from the protocol
> advertised or the cipher used in the TLS connection, it seems that the
> HTTP/2.0 spec has put some constraint that link the protocol
> advertised to the ciphers negotiated
> (http://tools.ietf.org/html/draft-ietf-httpbis-http2-14#section-9.2.2).
> Currently it seems that this HTTP/2 requirement is difficult, if not
> impossible, to implement in the JDK.
> I am following the HTTP/2 expert group to see if this issue is
> resolved, and working on the Jetty code to implement this feature.
>
> The idea being to wait a bit to define the ALPN APIs until this issue
> is resolved, to see if the resolution requires changes in the ALPN
> APIs.
>
> Thanks !
>



More information about the security-dev mailing list