Proposal for potential new feature: TLS Certificate Compression

2022-03-07 Thread xueleifan(XueleiFan)
Hi, The TLS Certificate Compression standard was described in RFC 8879, and has been enabled in the Chrome and Safari browsers. What’s TLS Certificate Compression and what are the benefits of this feature? For TLS connections, a client must authenticate the identity of the server. This typically

Re: [Internet]Re: Re: JEP Review Request: TLS Certificate Compression

2022-03-07 Thread xueleifan(XueleiFan)
for members of the > Security Group and other interested participants to find time to review new > proposals for significant features. > > Thanks, > Sean > > On 2/28/22 3:33 PM, xueleifan(XueleiFan) wrote: >> Hi, >> It may be better to have more detail here, rather

Re: [Internet]Re: [External] : Re: Recent SSLSocket close() @apiNote Changes.

2022-03-05 Thread xueleifan(XueleiFan)
ure. Thanks, Xuelei On Mar 4, 2022, at 4:46 PM, Bradford Wetmore <bradford.wetm...@oracle.com> wrote: On 3/2/2022 11:46 PM, xueleifan(XueleiFan) wrote: I think you are right that this design is actually for TLSv1.3 half-close mode. For TLS 1.3, there is no duplex closu

Re: [Internet]Need a reviewer for CSR: JDK-8282768

2022-03-08 Thread xueleifan(XueleiFan)
The CSR looks good to me, and I added my name as reviewer. Xuelei > On Mar 7, 2022, at 1:38 PM, Bradford Wetmore > wrote: > > > Hi, > > We (zzambers/I) need a reviewer for this CSR involving the close @apiNote of > SSLSocket.java: > >https://bugs.openjdk.java.net/browse/JDK-8282768 >

Re: [Internet]Re: Proposal for potential new feature: TLS Certificate Compression

2022-03-14 Thread xueleifan(XueleiFan)
first steps for the JEP have been cleared. But you've got my support on this one! --Jamil On 3/7/2022 11:46 AM, xueleifan(XueleiFan) wrote: Hi, The TLS Certificate Compression standard was described in RFC 8879, and has been enabled in the Chrome and Safari browsers. What’s TLS Certificate Compr

JEP Review Request: TLS Certificate Compression

2022-02-16 Thread xueleifan(XueleiFan)
Hi all, The JDK Enhancement Proposal, TLS Certificate Compression, has been opened for community review. For details, please refer to the draft: https://bugs.openjdk.java.net/browse/JDK-8281710 Feel free to comment and send your feedback to the alias. I may submit this JEP in the

Re: JEP Review Request: TLS Certificate Compression

2022-02-28 Thread xueleifan(XueleiFan)
Hi, Could I have this JEP reviewed? One or more qualified Committers review is required to move it forward. Here is the PR if you want to have a further look at the implementation and test: https://github.com/openjdk/jdk/pull/7599 Thanks, Xuelei On Feb 15, 2022, at 9:30 PM, xueleifan

Re: [Internet]Re: JEP Review Request: TLS Certificate Compression

2022-02-28 Thread xueleifan(XueleiFan)
handshakes with compressed certificates. Please feel free to share your comments, if it is something we want in OpenJDK? Thanks, Xuelei On Feb 28, 2022, at 10:57 AM, xueleifan(XueleiFan) <xuelei...@tencent.com> wrote: Hi, Could I have this JEP reviewed? One or more qualified Committers

Re: [Internet]Recent SSLSocket close() @apiNote Changes.

2022-03-02 Thread xueleifan(XueleiFan)
Hi Brad, I think you are right that this design is actually for TLSv1.3 half-close mode. For TLS 1.3, there is no duplex closure design. The close() implementation in JDK is actually a workaround for compatibility. Applications can use either the half-close mode socket.shutdownOutput();

JEP Review Request: TLS Certificate Compression

2022-03-21 Thread xueleifan(XueleiFan)
Hi, The JDK Enhancement Proposal, TLS Certificate Compression, has been opened for community review. For details, please refer to the draft: https://bugs.openjdk.java.net/browse/JDK-8281710 and the discussion of this potential feature at security-dev:

Re: [Internet]"Pluggable" key serialization in JCE/JCA

2022-03-24 Thread xueleifan(XueleiFan)
> On Mar 23, 2022, at 11:46 PM, Anders Rundgren > wrote: > > Hi List, > > I find it a bit strange that every user of crypto either have to write or > install specific software for converting JOSE/COSE/PEM keys back-and-forth to > Java's internal representation. This reduces the value of the

Re: [Internet]Re: "Pluggable" key serialization in JCE/JCA

2022-03-26 Thread xueleifan(XueleiFan)
Hi Anders, I would like to have a look at the COSE/JOSE specs. If it is convenient to you, any suggestions about where I could start from? RFC 8812? Do you know where (areas and products) the COSE/JOSE specs are used in practice? Thanks, Xuelei > On Mar 25, 2022, at 11:56 AM, Anders Rundgren

Re: [Internet]Re: Re: "Pluggable" key serialization in JCE/JCA

2022-03-28 Thread xueleifan(XueleiFan)
Thank you for the information and discussion, Anders, Bernd and Mike. I had a better understanding of JOSE/COSE and the problems. For the crypto implementation, for example Ed25519 in the SunEC provider, I would prefer to keep the footprint in OpenJDK as minimal as possible. For example, the

Re: [Internet]Re: "Pluggable" key serialization in JCE/JCA

2022-03-29 Thread xueleifan(XueleiFan)
> On Mar 29, 2022, at 10:18 AM, Anders Rundgren > wrote: > > On 2022-03-28 21:57, xueleifan(XueleiFan) wrote: >> Thank you for the information and discussion, Anders, Bernd and Mike. I had >> a better understanding of JOSE/COSE and the problems. > > Thanx Xuelei

Re: [Internet]Re: RFR: 8284415: Collapse identical catch branches in security libs

2022-04-06 Thread xueleifan(XueleiFan)
I think it is a good point, Mike. Some of the exception constructors do not accept cause parameters, for example UnrecoverableKeyException. And some others do, for example InvalidKeyException. I would like to keep the original cause. I read this patch as a format clean-up. It is fine to me to

Re: [Internet]Re: JEP Review Request: TLS Certificate Compression

2022-04-13 Thread xueleifan(XueleiFan)
Ping … Xuelei > On Mar 24, 2022, at 1:05 PM, Sean Mullan wrote: > > > > On 3/21/22 11:49 AM, xueleifan(XueleiFan) wrote: >> Hi, >> >> >> The JDK Enhancement Proposal, TLS Certificate Compression, has been opened >> for community review. Deta

Re: [Internet]JDK-8221218 - Insufficient buffer remaining for AEAD cipher fragment (2). Needs to be more than tag size (16)

2022-04-24 Thread xueleifan(XueleiFan)
Hi Thomas, Did you have reproducing code that I could play with? Thanks, Xuelei On Apr 24, 2022, at 2:01 PM, Thomas Lußnig <open...@suche.org> wrote: Hi, I like to inform you that this problem is not yet fixed. I use Java 18.0.1 and the problem still pops up. OS: Win 11 openjdk 18

JDK-8221218 is not yet fixed

2022-04-24 Thread xueleifan(XueleiFan)
Hi Thomas, Did you have reproducing code that I could play with? Thanks, Xuelei

Re: [Internet]Re: RFR: 8285404: RSA signature verification should follow RFC 8017 8.2.2 Step 4 [v2]

2022-04-26 Thread xueleifan(XueleiFan)
With this update, is the purpose of this PR changed? The bug subject and description may need an update. Xuelei > On Apr 26, 2022, at 9:02 AM, Weijun Wang wrote: > >> Compare encoded instead of decoded digest in RSA signature verification. > > Weijun Wang has updated the pull request

Re: [Internet]Reproducer for JDK-8221218

2022-04-26 Thread xueleifan(XueleiFan)
I will have a look at it. I may need help for more information. On Apr 25, 2022, at 7:45 AM, Flavia Rainone <frain...@redhat.com> wrote: Hi everyone, I work with the XNIO ( https://github.com/xnio/xnio/ ) project, led by David Lloyd in CC. I'm not sure if this is the best way to get

Re: [Internet]Re: JDK-8221218 - Insufficient buffer remaining for AEAD cipher fragment (2). Needs to be more than tag size (16)

2022-04-26 Thread xueleifan(XueleiFan)
Is it the same problem as discussed in this thread: https://mail.openjdk.java.net/pipermail/security-dev/2022-April/030129.html Xuelei On Apr 26, 2022, at 7:36 AM, Thomas Lußnig <open...@suche.org> wrote: Hi, I changed the logging and now better get the Location of the error

Re: [Internet]Re: Re: JDK-8221218 - Insufficient buffer remaining for AEAD cipher fragment (2). Needs to be more than tag size (16)

2022-05-13 Thread xueleifan(XueleiFan)
Would you mind sending the debug log information, with System property javax.net.debug=all? Thanks, Xuelei > On May 13, 2022, at 8:27 AM, xueleifan(XueleiFan) > wrote: > > Hm, I get a hint about the issue now. Was the SunJSSE provider used in both > client and server? > > X

Re: [Internet]Re: Reproducer for JDK-8221218

2022-05-13 Thread xueleifan(XueleiFan)
Ping … Is there a link to the "How to reproduce" information? Thanks, Xuelei On Apr 26, 2022, at 7:16 AM, xueleifan(XueleiFan) <xuelei...@tencent.com> wrote: I will have a look at it. I may need help for more information. On Apr 25, 2022, at 7:45 AM, Flavia Rainone m

Re: [Internet]Re: JDK-8221218 - Insufficient buffer remaining for AEAD cipher fragment (2). Needs to be more than tag size (16)

2022-05-13 Thread xueleifan(XueleiFan)
Hm, I get a hint about the issue now. Was the SunJSSE provider used in both client and server? Xuelei > On Apr 26, 2022, at 7:36 AM, Thomas Lußnig wrote: > > Hi, > > I changed the logging and now better get the Location of the error > > javax.crypto.BadPaddingException: Insufficient buffer

Interesting in DTLS 1.3

2022-05-02 Thread xueleifan(XueleiFan)
Hi, The Datagram Transport Layer Security (DTLS) Protocol Version 1.3 (DTLS 1.3) was published in April 2022. The specification describes the most current version of the DTLS protocol as a delta from TLS 1.3 and obsoletes DTLS 1.2. In JDK, the

Interesting in TLS Ticket Requests

2022-05-02 Thread xueleifan(XueleiFan)
Hi, A new standard, RFC 9149 TLS Ticket Requests, was published in April 2022. Is anyone interested in having it implemented in JDK? As described in RFC 8446/TLS 1.3, TLS servers vend clients an arbitrary number of session tickets for session resumption. However, the number may not be what

Re: [Internet]Re: JEP Review Request: TLS Certificate Compression

2022-04-13 Thread xueleifan(XueleiFan)
; multiple handshakes? Decompression has to be performed every time, > obviously. > > Regards, > Daniel > > On Mon, 21 Mar 2022 at 16:49 xueleifan(XueleiFan) > wrote: >> >> Hi, >> >> >> The JDK Enhancement Proposal, TLS Certificate Compre

Re: [Internet]Re: JEP Review Request: TLS Certificate Compression

2022-04-13 Thread xueleifan(XueleiFan)
, 2022 10:01:29 PM To: xueleifan(XueleiFan) <xuelei...@tencent.com> Cc: OpenJDK Dev list <security-dev@openjdk.java.net> Subject: Re: JEP Review Request: TLS Certificate Compression I like the idea of implementing certificate compression. Only one concern: TLS handshakes