<div dir="ltr"><div dir="ltr"><div dir="ltr">Hi,<div><br></div></div><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Mar 5, 2021 at 2:05 AM Xue-Lei Fan <<a href="mailto:xuelei.fan@oracle.com">xuelei.fan@oracle.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
Does it mean that when switch to HTTP/2, the concern is not valid any longer? Or there is an alternative solution? Sorry for the questions, I know little about servlet. I'm trying to understand the requirement of this feature.</div></div></blockquote><div><br></div><div>Mark Thomas (Tomcat maintainer) recently explained this on the Servlet mailing list. I think it explains the requirement quite well, so I'll copy/paste it:</div><div><br></div><div><div>"The sequence of events in the test is as follows:</div><div><br></div><div>- Client connects.</div><div>- TLS handshake, no client authentication.</div><div>- Client sends request</div><div>- Server parses it and maps it to a web application</div><div>- Server compares request to security constraints</div><div>- Security constraints require CLIENT-CERT</div><div>- Request fails because server cannot trigger post-handshake</div><div> authentication</div><div><br></div><div>(Even if the server did support PHA, the client doesn't so it will fail </div><div>there instead).</div><div><br></div><div>My reading of the spec is that the ability to create per URL security </div><div>constraints strongly implies that renegotiation / PHA needs to be </div><div>supported. The existence of this test supports that view."</div></div><div><br></div><div>The above is for HTTP/1.1, which is an important supported target of Servlet. Hope the above helps.</div><div><br></div><div>Kind regards,</div><div>Arjan Tijms </div><div><br></div><div><br></div></div></div></div>