TLS extensions API, ALPN and HTTP 2.0
Xuelei Fan
xuelei.fan at oracle.com
Sat Sep 27 02:23:56 UTC 2014
On 9/27/2014 3:53 AM, Simone Bordet wrote:
> Hi,
>
> On Fri, Sep 26, 2014 at 8:03 PM, Sean Mullan <sean.mullan at oracle.com> wrote:
>> On 09/17/2014 01:18 PM, Simone Bordet wrote:
>>>
>>> For the server to differentiate between those 2 connections he would
>>> need the SNI information, which I don't think is currently available
>>> in JDK 8, right?
>>
>>
>> No. It is. We added support for SNI in JDK 8. See:
>>
>> http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#SNIExtension
>
> I understand one cannot extract the string with the SNI name into the
> application, you can only match for certificates via SNIMatcher; and
> that is the reason for SSLExplorer - to extract the SNI names.
> Am I missing something ?
>
I used to think it is better to have SSLExplorer as a public utility but
not a part of JSSE, because the extract is not involved in TLS
transactions. Please let me know if the SSLExplorer cannot meet your
requirements.
Xuelei
> For example, how can I negotiate h2 via ALPN only for certain domains ?
>
> List<String> allowedDomains = ... // provided by some server configuration
> SNIServerName sniName = ... // what here ?
> if (allowedDomains.contains(sniName))
>     doALPN();
>
> Thanks !
>
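
An added example, not part of the original thread and not JSSE or SSLExplorer code: in JDK 8 the server-side handshake passes the client's host_name entry to any SNIMatcher registered for StandardConstants.SNI_HOST_NAME, so a matcher that always accepts can record the name for a per-domain protocol decision. CapturingSniMatcher, mayOfferH2 and the domain names are hypothetical; the main method calls matches() directly to stand in for the handshake callback.

```java
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIMatcher;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.StandardConstants;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Hypothetical helper: accepts every host_name entry and remembers it for the application.
public class CapturingSniMatcher extends SNIMatcher {
    private volatile String requestedHost;   // stays null when the client sent no SNI

    public CapturingSniMatcher() {
        super(StandardConstants.SNI_HOST_NAME);
    }

    @Override
    public boolean matches(SNIServerName serverName) {
        // Use the SNIHostName if that is what we were given; otherwise rebuild it
        // from the encoded bytes (the constructor throws on a malformed name).
        SNIHostName host = serverName instanceof SNIHostName
                ? (SNIHostName) serverName
                : new SNIHostName(serverName.getEncoded());
        requestedHost = host.getAsciiName().toLowerCase(Locale.ROOT);
        return true;   // never reject here; only record
    }

    // Policy check: offer h2 only when a name was sent and it is on the allow-list.
    public boolean mayOfferH2(Set<String> allowedDomains) {
        String host = requestedHost;
        return host != null && allowedDomains.contains(host);
    }

    public static void main(String[] args) {
        Set<String> allowed = new HashSet<>(Arrays.asList("h2.example.com")); // constructed
        CapturingSniMatcher matcher = new CapturingSniMatcher();
        SSLParameters params = new SSLParameters();
        params.setSNIMatchers(Collections.<SNIMatcher>singletonList(matcher));
        // engine.setSSLParameters(params) would go here, one matcher per connection.
        System.out.println(matcher.mayOfferH2(allowed));        // no SNI seen yet
        matcher.matches(new SNIHostName("H2.Example.com"));     // simulates the handshake callback
        System.out.println(matcher.mayOfferH2(allowed));
        matcher.matches(new SNIHostName("other.example.com"));
        System.out.println(matcher.mayOfferH2(allowed));
    }
}
```

Host names are compared in lower case because DNS names are case-insensitive, and a connection without SNI leaves the captured name null so the allow-list check fails closed.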