JEP 244: TLS Application-Layer Protocol Negotiation Extension

Thomas Lußnig openjdk at
Wed May 20 19:15:30 UTC 2015


1) There are two types of extensions:
a) That modify the directly how the engine works like
b) That provide information (modify the network protocol) like
2) Some of the extionsions could be called deprecated like heartbeat,
npn and compression

signed_certificate_timestamp -> could be done without ocsp interference
via extra handshake message like you can see it on
there are 3 ways
how this can be archived Included in Certificate, OCSP-Response, Extra
handshake Message.

extended_master_secret -> would be hard to implement.

There are two ways to enable better plugin/develop:
+ Expose the client handshake to KeyManager/TrustManager/Client/Server
+ Generic way to add extra messages [status_request, user_mapping,
client_authz, server_authz, application_layer_protocol_negotiation,
status_request_v2, signed_certificate_timestamp,

Specially the information what the client can could be interesting for
site owner to decide what he should take care and what is so unusual
that it can be ignored.

Gruß Thomas

More information about the security-dev mailing list