Issues with ALPN implementation in JDK 9

Simone Bordet simone.bordet at gmail.com
Tue Jun 14 15:02:16 UTC 2016


Hi,

On Tue, Jun 14, 2016 at 4:53 PM, David M. Lloyd <david.lloyd at redhat.com> wrote:
> Yes.  Basically the server logic always has to be up to date with the latest
> cipher suites and that sort of thing.  Our solution to this is to have a
> security framework that is responsible for this (among other things).  It's
> not ideal but it seems to work OK so far.

Right, but this is not always possible.

To cite our experience, we have people running Jetty 5 in JDK 1.4.
That's some few hundred releases back for both Jetty and the JDK.
Point being, we never know what version of Jetty people run with what JDK.

We already painfully maintain Jetty's alpn-boot implementation for JDK
8 changing it for every JDK change.
We hoped to get rid of that with JDK 9, but currently that does not
seem possible.

I really hope that handshaker.started=true could be delayed (or a
similar solution) to give room to a forward compatible ALPN
implementation that can be run with any JDK 9+.

Thanks !

-- 
Simone Bordet
http://bordet.blogspot.com
---
Finally, no matter how good the architecture and design are,
to deliver bug-free software with optimal performance and reliability,
the implementation technique must be flawless.   Victoria Livschitz


