TLS 1.3 Post-handshake authentication

arjan tijms arjan.tijms at
Thu Mar 4 20:57:09 UTC 2021


I noticed the following issue was recently closed:

For the Servlet spec this is however a very important feature, to the point
that for the Servlet TCK we would need to explicitly allow vendors to use
TLS 1.2 for the client-cert authentication mechanism test.

Servlet needs this post-handshake authentication, since it allows the
server to have protected/secured resources on a URL basis. During the
handshake the URL that the client wishes to request is not yet available,
so the server is unable to determine at that point whether it requires the
client to present a certificate.

Only when the request is being serviced can the server determine this, and
respond with a certificate request. This however fails when using TLS 1.3,
since it's not implemented in Java.

The issue mentions that it might be implemented on request, so hereby I
would like to request this.

Kind regards,
Arjan Tijms (Servlet spec committer)

More information about the jdk-dev mailing list