Post handshake client verification with TLSv1.3
Brad Wood
bdw429s at gmail.com
Tue Aug 9 19:29:03 UTC 2022
I have some questions about this ticket
https://bugs.openjdk.org/browse/JDK-8206923
which was closed as "won't fix". I fully realize that TLS 1.3 forbids SSL
renegotiation after the handshake in the traditional manner, but I'm
curious if the process defined here can be used instead:
https://www.openssl.org/docs/manmaster/man3/SSL_verify_client_post_handshake.html
I'm new to this, but it appears to be describing how to accomplish
post-handshake client verification which works on TLS 1.3.
There's not a lot of information online, but this ticket appears to be
Python adding support for this:
https://bugs.python.org/issue34670
Can we discuss reopening the openjdk ticket if this is actually possible?
The use case for this is a rather common requirement: to have an SSL site
which doesn't prompt the user for a client cert until they visit a secured
area, and then the client cert request is sent, prompting the user at that
point.
Currently, I have to disable both HTTP/2 and TLS 1.3 in order for this to
work. I don't mind sticking to HTTP/1, but I have concerns about disabling
TLSv1.3 and what that means for the future security of my apps.
Thanks!
~Brad
Developer Advocate
Ortus Solutions, Corp
E-mail: brad at coldbox.org
ColdBox Platform: http://www.coldbox.org
Blog: http://www.codersrevolution.com
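As an added illustration (not code from this message, the JDK ticket, or any of the linked projects) of the "prompt only when a secured area is requested" flow, here is the server-side shape of TLS 1.3 post-handshake client authentication using Python's ssl module, since the bpo-34670 issue linked above is where that API landed (CPython 3.8 on OpenSSL 1.1.1 or later). The protected path prefix, the certificate and CA file paths, and the one-line AUTH exchange used to drive the certificate request are assumptions made for this example.

```python
"""TLS 1.3 post-handshake client authentication (PHA) with Python's ssl
module, server side.  Example code; the paths and the tiny line protocol
below are constructed for illustration, not taken from any project."""
import ssl

PROTECTED_PREFIX = "/secure/"   # assumption: only paths under here need a cert


def pha_available():
    """True when this interpreter and its OpenSSL can do TLS 1.3 PHA at all."""
    return bool(ssl.HAS_TLSv1_3) and hasattr(ssl.SSLContext, "post_handshake_auth")


def make_server_context(certfile=None, keyfile=None, cafile=None):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    # CERT_OPTIONAL together with post_handshake_auth=True: CPython sets
    # SSL_VERIFY_PEER | SSL_VERIFY_POST_HANDSHAKE on each server socket, so the
    # initial handshake carries no CertificateRequest; one is sent only when
    # verify_client_post_handshake() is called.  CERT_OPTIONAL rather than
    # CERT_REQUIRED lets the public area be served with no certificate at all.
    ctx.verify_mode = ssl.CERT_OPTIONAL
    ctx.post_handshake_auth = True
    if certfile:                      # assumed paths to the server's own cert/key
        ctx.load_cert_chain(certfile, keyfile)
    if cafile:                        # assumed CA that issued acceptable client certs
        ctx.load_verify_locations(cafile)
    return ctx


def make_client_context(cafile=None, certfile=None, keyfile=None):
    """A client must advertise the post_handshake_auth extension, otherwise the
    server cannot ask for a certificate later (browsers do this on their own)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.post_handshake_auth = True
    if certfile:                      # assumed client certificate and key
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def needs_client_cert(path):
    """Authorization policy for the example: only the protected prefix needs a cert."""
    return path.startswith(PROTECTED_PREFIX)


def request_client_cert(conn):
    """Ask the already-handshaken server-side SSLSocket `conn` for a client
    certificate now.  Returns True if a certificate was presented and verified
    against the loaded CA, False if the client cannot or will not present one."""
    try:
        conn.verify_client_post_handshake()
    except ssl.SSLError:
        # Client did not offer the post_handshake_auth extension (or is not on
        # TLS 1.3): there is no way to ask now, so treat as unauthenticated.
        return False
    # The CertificateRequest goes out with the next write and the client's
    # Certificate / CertificateVerify / Finished are processed by the next read.
    # Constructed line protocol: the peer answers "AUTH" with one line.
    conn.sendall(b"AUTH\n")
    conn.recv(1024)
    return bool(conn.getpeercert())


def authorize(conn, path):
    """One request on one connection: 'public', 'authenticated' or 'denied'."""
    if not needs_client_cert(path):
        return "public"
    if conn.getpeercert():            # already authenticated earlier on this connection
        return "authenticated"
    return "authenticated" if request_client_cert(conn) else "denied"


if __name__ == "__main__":
    # Hypothetical entry point; real certificate files would be needed here.
    print("PHA available:", pha_available())
    print("needs cert for /secure/admin:", needs_client_cert("/secure/admin"))
```

Two caveats worth keeping in mind with this approach: the server's later request only works if the client advertised the post_handshake_auth extension in its ClientHello (RFC 8446 requires this, and CPython raises ssl.SSLError otherwise), and RFC 8740 forbids post-handshake CertificateRequest messages on HTTP/2 connections, which is why the HTTP/1 restriction mentioned in the message applies to this technique as well.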