RFC7525 mapped to JSSE
Jamil Nimeh
jamil.j.nimeh at oracle.com
Thu Aug 11 23:10:11 UTC 2016
Hi Bernd,
For the status_request_v2 extension, both ocsp and ocsp_multi forms are supported, with preference on the latter type. The only feature we currently don't support right now is Responder ID selection, and that will hopefully come in a 9 update.
--Jamil
-------- Original message --------
From: Bernd Eckenfels <ecki at zusammenkunft.net>
Date: 8/11/16 3:00 PM (GMT-08:00)
To: security-dev at openjdk.java.net
Subject: Re: RFC7525 mapped to JSSE
Hello,
thank you Xuelei and Jamil. I updated the sheet and added an actual
column for Java 9. There are still some todos left (mostly for digging
up the details), but it starts to look complete now.
There are only two real non-compliances (for Java 9), that is the
support for HSTS in client code (not related to JSSE) and the fallback
signalling cipher (with limited usefulness).
For Java 8 the EC keySize < 224, can it be added?
For OCSP, the status_request(_v2), does it also support the multi
certificate variant?
https://docs.google.com/spreadsheets/d/135Eqf3RCpYLcmVHOIPb_Q7pzFde9yqJI_oD2jvpnKPE
Regards
Bernd
On Mon, 8 Aug 2016 08:57:29 +0800,
Xuelei Fan <xuelei.fan at oracle.com> wrote:
> Hi Bernd,
>
> Thanks for the summary of the compliance. The following comments are
> mainly about the items marked with "TODO" or "???".
>
> JDK 9 will support DTLS 1.0/1.2 and OCSP stapling (both RFC 6066 and
> RFC 6961).
>
> The server preference of cipher suites can be configurable.
>
> JDK uses uncompressed EC point format only.
>
> JDK does not use EC curves < 224 bits for EC key exchange, default
> 256+ bits.
>
> For TLS 1.2, SHA2 is requested in the signature algorithm extension.
>
> JDK does not implement the truncated HMAC extension.
>
> JDK supports hostname verification APIs for HTTPS, and supports
> hostname verification during handshaking for HTTPS and LDAP.
>
> JDK tests the DH public keys.
>
> Thanks & Regards,
> Xuelei
>
> On 8/2/2016 6:13 AM, Bernd Eckenfels wrote:
> > Hello,
> >
> > because I was asked by a customer I started to map the RFC7525
> >
> > https://tools.ietf.org/html/rfc7525
> >
> > recommendations for TLS to JSSE implementation.
> >
> >
> > It is not complete yet but I think I at least have extracted all
> > "normative" requirements from the RFC into this table:
> >
> > https://docs.google.com/spreadsheets/d/135Eqf3RCpYLcmVHOIPb_Q7pzFde9yqJI_oD2jvpnKPE
> >
> > would like to get your feedback.
> >
> > Regards
> > Bernd
> >
>
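The JSSE settings named in this thread (server cipher suite preference, hostname verification during the handshake, OCSP stapling) shown as an added example that is not part of the original messages. The class name and the host `server.example` are placeholders, and the two stapling system properties are the JDK 9 ones.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

// Added illustration; class name and host name are hypothetical.
public class Rfc7525JsseSettings {

    // Server side: make the server's cipher suite order win over the client's.
    static SSLEngine serverEngine(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        SSLParameters p = engine.getSSLParameters();
        p.setUseCipherSuitesOrder(true);               // available since Java 8
        engine.setSSLParameters(p);
        return engine;
    }

    // Client side: check the peer certificate against the host name while
    // handshaking. "HTTPS" and "LDAPS" are the standard algorithm names.
    static SSLEngine clientEngine(SSLContext ctx, String host, int port) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        SSLParameters p = engine.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(p);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // OCSP stapling switches (JDK 9): set them before the first JSSE use.
        // They cover status_request and status_request_v2.
        System.setProperty("jdk.tls.server.enableStatusRequestExtension", "true");
        System.setProperty("jdk.tls.client.enableStatusRequestExtension", "true");

        SSLContext ctx = SSLContext.getDefault();
        SSLEngine server = serverEngine(ctx);
        SSLEngine client = clientEngine(ctx, "server.example", 443);

        // Read the settings back from the engines to confirm they were applied.
        System.out.println("server cipher suite order honoured: "
                + server.getSSLParameters().getUseCipherSuitesOrder());
        System.out.println("client endpoint identification: "
                + client.getSSLParameters().getEndpointIdentificationAlgorithm());
    }
}
```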