RFC7525 mapped to JSSE

Xuelei Fan xuelei.fan at oracle.com
Mon Aug 8 00:57:29 UTC 2016


Hi Bernd,

Thanks for the summary of the compliance.  The following comments are
mainly about the items marked with "TODO" or "???".

JDK 9 will support DTLS 1.0/1.2 and OCSP stapling (both RFC 6066 and RFC
6961).

The server preference of cipher suites can be configurable.

JDK uses uncompressed EC point format only.

JDK does not use EC curves < 224 bits for EC key exchange, default 256+
bits.

For TLS 1.2, SHA2 is requested in the signature algorithm extension.

JDK does not implement the truncated HMAC extension.

JDK supports hostname verification APIs for HTTPS, and supports hostname
verification during handshaking for HTTPS and LDAP.

JDK tests the DH public keys.

Thanks & Regards,
Xuelei

On 8/2/2016 6:13 AM, Bernd Eckenfels wrote:
> Hello,
> 
> because I was asked by a customer I started to map the RFC7525
> 
> https://tools.ietf.org/html/rfc7525
> 
> recommendations for TLS to JSSE implementation.
> 
> 
> It is not complete yet but I think I at least have extracted all
> "normative" requirements from the RFC into this table:
> 
> https://docs.google.com/spreadsheets/d/135Eqf3RCpYLcmVHOIPb_Q7pzFde9yqJI_oD2jvpnKPE
> 
> would like to get your feedback.
> 
> Gruss
> Bernd
> 
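
Two of the items in the reply above (configurable server cipher-suite preference and hostname verification during the handshake) are set through SSLParameters. The following is an added example, not code from this thread or from the JDK project; the class name Rfc7525Params and the host example.com are assumptions, and the TLS 1.2 / forward-secret GCM restriction follows the RFC 7525 recommendations rather than anything stated in the mails.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class Rfc7525Params {
    // Keep only forward-secret AEAD suites (ECDHE/DHE with GCM). This also
    // drops NULL, RC4, anonymous and export suites, which RFC 7525 rules out.
    static String[] filterSuites(String[] supported) {
        List<String> kept = new ArrayList<>();
        for (String s : supported) {
            boolean forwardSecret = s.contains("_ECDHE_") || s.contains("_DHE_");
            if (forwardSecret && s.contains("_GCM_")) {
                kept.add(s);   // JDK ordering of the supported list is preserved
            }
        }
        return kept.toArray(new String[0]);
    }

    // Client side: the endpoint identification algorithm makes JSSE check the
    // certificate against the peer host during the handshake.
    static SSLParameters client(SSLEngine engine) {
        SSLParameters p = engine.getSSLParameters();
        p.setProtocols(new String[] {"TLSv1.2"});
        p.setCipherSuites(filterSuites(engine.getSupportedCipherSuites()));
        p.setEndpointIdentificationAlgorithm("HTTPS");   // "LDAPS" for LDAP over TLS
        return p;
    }

    // Server side: honour the server's own suite order, not the client's.
    static SSLParameters server(SSLEngine engine) {
        SSLParameters p = engine.getSSLParameters();
        p.setProtocols(new String[] {"TLSv1.2"});
        p.setCipherSuites(filterSuites(engine.getSupportedCipherSuites()));
        p.setUseCipherSuitesOrder(true);
        return p;
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine("example.com", 443);
        engine.setUseClientMode(true);
        engine.setSSLParameters(client(engine));
        System.out.println(Arrays.toString(engine.getEnabledProtocols()));
        System.out.println(Arrays.toString(engine.getEnabledCipherSuites()));
    }
}
```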
