On Fri, 17 Jul 2026 09:56:52 GMT, Divang Sharma <[email protected]> wrote:
> Added two new public API methods to ExtendedSSLSession to support TLS unique > channel binding as defined in RFC 5929. > The updated API exposes two explicit Finished verify_data values: > - getTlsUniqueClientFirstFinishedVerifyData() returns the Client Finished > verify_data for the session. > - getTlsUniqueFirstFinishedVerifyData() returns the first Finished > verify_data sent for the session. > > Tier1 tests pass on Ubuntu > > --------- > - [x] I confirm that I make this contribution in accordance with the [OpenJDK > Interim AI Policy](https://openjdk.org/legal/ai). Can you provide more rationale as to why this has been proposed? There is very little incentive to add new TLS 1.2 features to the JDK since it will never support PQC and has been frozen by the IETF: https://www.rfc-editor.org/info/rfc9851 Customers should be migrating to TLS 1.3, if not already. In JDK 25 we added new methods to the ExtendedSSLSession API that allow you to generate and extract the Exported Keying Material from a TLS handshake [1, 2]. This API is based on RFC 5705 and can be used for security purposes in a higher layer or to implement the tls-exporter channel binding specified in RFC 9266. [1] https://docs.oracle.com/en/java/javase/25/docs/api/java.base/javax/net/ssl/ExtendedSSLSession.html#exportKeyingMaterialData(java.lang.String,byte[],int) [2] https://docs.oracle.com/en/java/javase/25/docs/api/java.base/javax/net/ssl/ExtendedSSLSession.html#exportKeyingMaterialKey(java.lang.String,java.lang.String,byte[],int) ------------- PR Comment: https://git.openjdk.org/jdk/pull/31946#issuecomment-5003008184
