Issues with ALPN implementation in JDK 9
Greg Wilkins
gregw at webtide.com
Wed Jun 15 00:04:14 UTC 2016
I think this discussion can be simplified to the following points:

- ALPN allows for a negotiated application protocol to be a function of the cipher negotiated (h2 vs h1 selection being the prime use-case).
- The cipher is negotiated by SslEngine during the unwrap of the Hello message.
- The negotiated application protocol is sent by SslEngine during the following wrap of the Hello response.
- SslEngine does not allow the negotiated protocol to be set after the unwrap of the Hello message.
So this last point means that SslEngine does not allow the negotiated
protocol to be a function of the negotiated cipher. Sure, there are
ways to work around this limitation (guessing, running duplicate sslEngine
instances etc.), but we should have to work around limitations in a newly
released feature!
If SslEngine is changed to allow the negotiated application protocol to be
set up until the time the hello response was wrapped, that would fix the
problem. Would it create any others?
cheers
--
Greg Wilkins <gregw at webtide.com> CTO http://webtide.com
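The pattern the post asks for, as an added example that is not part of the original message: an ALPN decision that depends on the cipher suite negotiated during the ClientHello unwrap. It uses SSLEngine.setHandshakeApplicationProtocolSelector, which was added later in the JDK 9 cycle and is invoked before the ServerHello is wrapped; the cipherAcceptableForH2 rule is a simplified stand-in of my own for the RFC 7540 section 9.2.2 requirements, not the full Appendix A list.

```java
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class CipherAwareAlpn {

    // Simplified approximation (assumption, not the full RFC 7540 Appendix A blacklist):
    // h2 only over an AEAD suite with ephemeral key exchange.
    static boolean cipherAcceptableForH2(String suite) {
        boolean aead = suite.contains("_GCM_") || suite.contains("_CHACHA20_");
        boolean ephemeral = suite.startsWith("TLS_ECDHE_") || suite.startsWith("TLS_DHE_");
        return aead && ephemeral;
    }

    // Choose the application protocol from the cipher suite the ClientHello unwrap
    // negotiated and the protocols the client advertised in its ALPN extension.
    static String selectProtocol(String negotiatedSuite, List<String> clientProtocols) {
        if (clientProtocols.contains("h2") && cipherAcceptableForH2(negotiatedSuite)) {
            return "h2";
        }
        if (clientProtocols.contains("http/1.1")) {
            return "http/1.1";
        }
        // Empty string tells the engine to proceed without ALPN instead of aborting.
        return "";
    }

    static SSLEngine serverEngine(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        // Advertise both protocols; the final choice is deferred to the selector below.
        SSLParameters params = engine.getSSLParameters();
        params.setApplicationProtocols(new String[] {"h2", "http/1.1"});
        engine.setSSLParameters(params);
        // The selector runs between the ClientHello unwrap and the ServerHello wrap,
        // so the handshake session already carries the negotiated cipher suite.
        engine.setHandshakeApplicationProtocolSelector((eng, protocols) ->
            selectProtocol(eng.getHandshakeSession().getCipherSuite(), protocols));
        return engine;
    }

    public static void main(String[] args) {
        // Constructed inputs: exercises the decision function without a real handshake.
        List<String> offered = List.of("h2", "http/1.1");
        System.out.println(selectProtocol("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", offered));
        System.out.println(selectProtocol("TLS_RSA_WITH_AES_128_CBC_SHA", offered));
    }
}
```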