Certificate Transparency—basic support for the TLS extension?
Ivan Ristic
ivan.ristic at gmail.com
Fri Feb 28 08:35:38 UTC 2025
Hello group,
From what I can tell, it's currently not possible to consume CT information
from Java reliably because there is no way to indicate support for the CT
TLS extension [1] in the handshake as well as get the data sent back by a
compatible server.
The work involved would be small, for example just grab the raw data and
expose it via ExtendedSSLSession, in the same way stapled OCSP responses
are currently handled.
However, the improvements would be significant, as this change would enable
Java applications to use CT if they so wish.
Apologies as I am not familiar with how things are done; what's the process
to make this happen?
[1] https://datatracker.ietf.org/doc/html/rfc6962#section-3.3
--
Ivan
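
Added example, not part of the original message and not JDK code: if the raw `extension_data` of the extension in [1] were handed to the application as a byte array, as the message proposes, decoding the RFC 6962 `SignedCertificateTimestampList` would look roughly like this. The class and record names are hypothetical, the sample bytes are constructed, and Java 17 or later is assumed.

```java
import java.nio.BufferUnderflowException;
import java.nio.ByteBuffer;
import java.time.Instant;
import java.util.ArrayList;
import java.util.HexFormat;
import java.util.List;
public class SctListParser {   // hypothetical name, not a JDK class
    record Sct(int version, byte[] logId, Instant timestamp, byte[] extensions,
               int hashAlg, int sigAlg, byte[] signature) {}

    // Reads a TLS vector with a 2-byte length prefix; underflows on truncation.
    static byte[] vec16(ByteBuffer b) {
        byte[] out = new byte[Short.toUnsignedInt(b.getShort())];
        b.get(out);
        return out;
    }
    static List<Sct> parse(byte[] raw) {
        try {
            ByteBuffer outer = ByteBuffer.wrap(raw);
            ByteBuffer list = ByteBuffer.wrap(vec16(outer));       // sct_list<1..2^16-1>
            if (outer.hasRemaining()) throw new IllegalArgumentException("trailing bytes after list");
            List<Sct> scts = new ArrayList<>();
            while (list.hasRemaining()) {
                ByteBuffer s = ByteBuffer.wrap(vec16(list));       // one SerializedSCT
                int version = Byte.toUnsignedInt(s.get());
                if (version != 0) continue;  // RFC 6962 defines only v1 (0); skip others
                byte[] logId = new byte[32];                       // SHA-256 of the log's key
                s.get(logId);
                Instant ts = Instant.ofEpochMilli(s.getLong());    // uint64, ms since epoch
                byte[] ext = vec16(s);                             // CtExtensions
                int hash = Byte.toUnsignedInt(s.get());            // SignatureAndHashAlgorithm
                int sig = Byte.toUnsignedInt(s.get());
                byte[] signature = vec16(s);
                if (s.hasRemaining()) throw new IllegalArgumentException("trailing bytes in SCT");
                scts.add(new Sct(version, logId, ts, ext, hash, sig, signature));
            }
            return scts;
        } catch (BufferUnderflowException e) {
            throw new IllegalArgumentException("truncated SCT list", e);
        }
    }
    public static void main(String[] args) {
        // Constructed sample: one v1 SCT, all-zero log ID, no extensions, dummy signature.
        String hex = "0035" + "0033" + "00" + "00".repeat(32) + "00000194d0000000"
                   + "0000" + "0403" + "0004" + "deadbeef";
        for (Sct s : parse(HexFormat.of().parseHex(hex)))
            System.out.println(s.timestamp() + " hash=" + s.hashAlg() + " sig=" + s.sigAlg());
    }
}
```

Parsing only recovers the fields; an application would still have to verify each signature against the public key of the log identified by `logId` before trusting the SCT.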
More information about the security-dev
mailing list