[External] : Re: TLS 1.3 Post-handshake authentication
arjan tijms
arjan.tijms at gmail.com
Fri Mar 5 13:43:08 UTC 2021
Hi,
On Fri, Mar 5, 2021 at 2:05 AM Xue-Lei Fan <xuelei.fan at oracle.com> wrote:
> Does it mean that when switch to HTTP/2, the concern is not valid any
> longer? Or there is an alternative solution? Sorry for the questions, I
> know little about servlet. I'm trying to understand the requirement of
> this feature.
>
Mark Thomas (Tomcat maintainer) recently explained this on the Servlet
mailing list. I think it explains the requirement quite well, so I'll
copy/paste it:
"The sequence of events in the test is as follows:
- Client connects.
- TLS handshake, no client authentication.
- Client sends request
- Server parses it and maps it to a web application
- Server compares request to security constraints
- Security constraints require CLIENT-CERT
- Request fails because server cannot trigger post-handshake
authentication
(Even if the server did support PHA, the client doesn't so it will fail
there instead).
My reading of the spec is that the ability to create per URL security
constraints strongly implies that renegotiation / PHA needs to be
supported. The existence of this test supports that view."
The above is for HTTP/1.1, which is an important supported target of
Servlet. Hope the above helps.
Kind regards,
Arjan Tijms
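To make the sequence Mark Thomas describes concrete, here is a small added model (illustration written for this page, not Tomcat's or Jakarta Servlet's code) of how a container resolves a per-URL security constraint only after the request line has been parsed, and what it can do when that constraint demands CLIENT-CERT on a connection that completed its handshake without client authentication. The constraint/connection types, the `evaluate` function and the `Outcome` values are assumptions made for the example; the url-pattern precedence (exact, longest prefix, extension, default) follows the Servlet spec's matching rules.

```python
"""Model: per-URL CLIENT-CERT constraints vs. TLS connection state.

Added example, not container code. It shows why a container that maps
security constraints to URLs needs a way to ask for a client certificate
*after* the TLS handshake (renegotiation on TLS 1.2, post-handshake
authentication (PHA) on TLS 1.3): the URL, and hence the constraint, is
unknown until the request has been read over the already-established
connection.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Outcome(Enum):
    ALLOW = "allow"                          # constraint satisfied, serve the request
    NEEDS_CLIENT_CERT = "needs-client-cert"  # container must trigger renegotiation / PHA now
    FAIL = "fail"                            # no way to obtain a cert mid-connection


@dataclass
class Constraint:
    url_pattern: str              # Servlet url-pattern: "/a/b", "/a/*", "*.jsp" or "/"
    auth_method: Optional[str]    # e.g. "CLIENT-CERT"; None means unprotected


@dataclass
class ConnectionState:
    tls_version: str              # "TLSv1.2" or "TLSv1.3" (constructed values)
    client_cert_presented: bool   # did the handshake already include a client cert?
    server_can_request_cert: bool # renegotiation (1.2) or PHA (1.3) available on the server
    client_can_request_cert: bool # ... and on the client


def _prefix_match(pattern: str, path: str) -> bool:
    prefix = pattern[:-2]  # strip the trailing "/*"
    return path == prefix or path.startswith(prefix + "/")


def select_constraint(constraints: List[Constraint], path: str) -> Optional[Constraint]:
    """Servlet matching order: exact, then longest path-prefix, then extension, then default."""
    exact = [c for c in constraints if c.url_pattern == path]
    if exact:
        return exact[0]
    prefixes = [c for c in constraints
                if c.url_pattern.endswith("/*") and _prefix_match(c.url_pattern, path)]
    if prefixes:
        return max(prefixes, key=lambda c: len(c.url_pattern))
    ext = [c for c in constraints
           if c.url_pattern.startswith("*.") and path.endswith(c.url_pattern[1:])]
    if ext:
        return ext[0]
    default = [c for c in constraints if c.url_pattern == "/"]
    return default[0] if default else None


def evaluate(constraints: List[Constraint], path: str, conn: ConnectionState) -> Outcome:
    """Steps 4-7 of the sequence in the mail: map request, compare to constraints, decide."""
    constraint = select_constraint(constraints, path)
    if constraint is None or constraint.auth_method != "CLIENT-CERT":
        return Outcome.ALLOW
    if conn.client_cert_presented:
        return Outcome.ALLOW  # cert already obtained during the handshake
    # CLIENT-CERT required but the handshake had no client auth: the only way
    # forward is a mid-connection certificate request, which both sides must support.
    if conn.server_can_request_cert and conn.client_can_request_cert:
        return Outcome.NEEDS_CLIENT_CERT
    return Outcome.FAIL


def mechanism_name(conn: ConnectionState) -> str:
    """Which mid-connection mechanism applies for this protocol version."""
    return "post-handshake authentication" if conn.tls_version == "TLSv1.3" else "renegotiation"


if __name__ == "__main__":
    # Constructed deployment: one protected subtree, everything else open.
    rules = [Constraint("/secure/*", "CLIENT-CERT"), Constraint("/", None)]
    no_pha = ConnectionState("TLSv1.3", False, False, False)
    print(evaluate(rules, "/secure/report", no_pha), mechanism_name(no_pha))
```

Replaying the mail's scenario with this model: an HTTP/1.1 request for `/secure/report` over a TLS 1.3 connection with no client certificate fails when the server cannot trigger PHA, still fails when only the server supports it, and becomes a mid-connection certificate request only when both ends support it; requests outside the protected subtree are unaffected. Note that this reasoning is specific to HTTP/1.1 as the post says: HTTP/2 forbids TLS renegotiation (RFC 7540 section 9.2.1) and RFC 8740 likewise forbids TLS 1.3 post-handshake authentication for HTTP/2, so a deployment that needs per-URL CLIENT-CERT over HTTP/2 has to obtain the certificate during the initial handshake instead.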