Code Review Request: JDK-8148421 (Extended Master Secret TLS extension)
Xuelei Fan
xuelei.fan at oracle.com
Sat Aug 26 22:49:01 UTC 2017
Hi Martin,
Sorry for the delay.
I like this no-API-change design.
There may be some interoperability/compatibility issues because of
implementation issues of the Extended Master Secret Extension. Maybe,
we want an approach to turn off the extension if there is a concern. It
could be a system property (for example,
jsse.useExtendedMasterSecret="false").
Would you mind filing a Compatibility & Specification Review (CSR) request
for this feature proposal? For more information, see the CSR wiki at
OpenJDK:
https://wiki.openjdk.java.net/display/csr/Main
I may have some comments about the implementation if the CSR request gets
approved.
Thanks & Regards,
Xuelei
On 8/4/2017 6:18 AM, Martin Balao wrote:
> Hi,
>
> This is my proposal for JDK-8148421 (Support Transport Layer Security
> (TLS) Session Hash and Extended Master Secret Extension) [1]:
>
> * http://cr.openjdk.java.net/~sgehwolf/webrevs/mbalaoal/JDK-8148421/webrev.01/
>   (browse online)
> * http://cr.openjdk.java.net/~sgehwolf/webrevs/mbalaoal/JDK-8148421/webrev.01/8148421.webrev.01.zip
>   (download)
>
> Notes:
>
> * There is no PKCS#11 support for Extended Master Secret key
> derivation at this moment. NSS supports it through a vendor-specific
> type definition (CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE and
> CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH in pkcs11n.h file). Thus,
> P11TlsMasterSecretGenerator uses the legacy Master Key Derivation method
> only.
>
> Thanks in advance,
> Martin.-
>
> --
> [1] - https://bugs.openjdk.java.net/browse/JDK-8148421
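
For readers of this thread, an added example (not part of the original messages or the webrev) contrasting the legacy TLS 1.2 master secret derivation with the Extended Master Secret derivation of RFC 7627. The class and method names, the HMAC-SHA256 PRF choice and all byte values are assumptions constructed for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

public class EmsDerivationDemo {
    // TLS 1.2 PRF (RFC 5246, section 5) with HMAC-SHA256: P_hash(secret, label || seed).
    static byte[] prf(byte[] secret, String label, byte[] seed, int len) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        byte[] labelSeed = concat(label.getBytes(StandardCharsets.US_ASCII), seed);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] a = labelSeed;                              // A(0) = label || seed
        while (out.size() < len) {
            a = mac.doFinal(a);                            // A(i) = HMAC(secret, A(i-1))
            out.write(mac.doFinal(concat(a, labelSeed)));  // HMAC(secret, A(i) || label || seed)
        }
        return Arrays.copyOf(out.toByteArray(), len);
    }

    static byte[] concat(byte[] x, byte[] y) {
        byte[] r = Arrays.copyOf(x, x.length + y.length);
        System.arraycopy(y, 0, r, x.length, y.length);
        return r;
    }

    // Legacy derivation: the seed is ClientHello.random || ServerHello.random only.
    static byte[] legacyMasterSecret(byte[] pms, byte[] cr, byte[] sr) throws Exception {
        return prf(pms, "master secret", concat(cr, sr), 48);
    }

    // RFC 7627 derivation: the seed is the session hash, a hash of the handshake messages.
    static byte[] extendedMasterSecret(byte[] pms, byte[] handshakeMessages) throws Exception {
        byte[] sessionHash = MessageDigest.getInstance("SHA-256").digest(handshakeMessages);
        return prf(pms, "extended master secret", sessionHash, 48);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; the transcripts stand in for real handshake messages.
        byte[] pms = new byte[48], cr = new byte[32], sr = new byte[32];
        Arrays.fill(pms, (byte) 0x0b); Arrays.fill(cr, (byte) 0x01); Arrays.fill(sr, (byte) 0x02);
        byte[] t1 = "constructed transcript, certificate A".getBytes(StandardCharsets.US_ASCII);
        byte[] t2 = "constructed transcript, certificate B".getBytes(StandardCharsets.US_ASCII);
        System.out.println("legacy length: " + legacyMasterSecret(pms, cr, sr).length);
        System.out.println("EMS differs across transcripts: "
                + !Arrays.equals(extendedMasterSecret(pms, t1), extendedMasterSecret(pms, t2)));
    }
}
```

The legacy secret depends only on the premaster secret and the two randoms, while the extended one changes whenever any hashed handshake message changes.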