On 11/07/2014 02:06 PM, Simone Bordet wrote:

This email is about the idea to introduce in JDK 9 a fully fledged TLS
Extensions API.

Adding ALPN [0] support to JDK 9 requires, unlike other TLS
extensions, providing application code that will be run in the
context of the TLS implementation, rather than just values such as
booleans or strings.

That's going to be interesting if you need to support non-blocking operation for use with SSLEngine.

IMHO this chance can be lifted to provide a full TLS Extensions API.

I don't think this is possible because TLS extensions can alter the TLS handshake, result in additional messages being exchanged, and generally alter the protocol in unforeseeable ways. On top of that, the concrete TLS implementation is not fixed, it can be swapped out, so tying the extension API to the existing OpenJDK internals will not work for everyone.

--
Florian Weimer / Red Hat Product Security
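An added illustration of the ALPN point above (not part of this thread, and not OpenJDK code): the selector hook Simone describes is application code that the TLS stack must call between parsing the ClientHello and building the ServerHello. JDK 9 eventually exposed it as SSLEngine.setHandshakeApplicationProtocolSelector, but a self-contained Java demo needs an external keystore, so the example below uses Go's crypto/tls, whose GetConfigForClient callback has the same shape. The function name Negotiate, the host name alpn-demo and the protocol lists are this example's own assumptions; the handshake runs over an in-memory net.Pipe, so nothing touches the network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert makes a throwaway ECDSA certificate for the in-memory server.
// The host name "alpn-demo" is this example's own assumption.
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"alpn-demo"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, nil
}

// Negotiate runs one TLS 1.3 handshake over an in-memory net.Pipe. The server
// picks the ALPN protocol inside GetConfigForClient, which crypto/tls calls after
// parsing the ClientHello and before building the ServerHello: application code
// running in the middle of the handshake, the kind of hook the thread says ALPN
// needs. It returns the protocol each side ended up with.
func Negotiate(clientOffers, serverPrefers []string) (clientProto, serverProto string, err error) {
	cert, leaf, err := selfSignedCert()
	if err != nil {
		return "", "", err
	}
	// Session tickets would add a record after Finished in the server's first
	// flight; the synchronous pipe could then stall, so keep them off here.
	base := &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS13,
		SessionTicketsDisabled: true,
	}
	serverCfg := base.Clone()
	serverCfg.GetConfigForClient = func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
		cfg := base.Clone()
		if len(hello.SupportedProtos) == 0 {
			return cfg, nil // client sent no ALPN extension: continue without ALPN
		}
		for _, want := range serverPrefers { // server preference order decides
			for _, offered := range hello.SupportedProtos {
				if want == offered {
					cfg.NextProtos = []string{want}
					return cfg, nil
				}
			}
		}
		// Client used ALPN but offered nothing we speak: refuse the connection
		// rather than silently continuing without a protocol.
		return nil, errors.New("no mutually supported ALPN protocol")
	}

	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	c1, c2 := net.Pipe()
	defer c1.Close()
	defer c2.Close()
	client := tls.Client(c1, &tls.Config{
		ServerName: "alpn-demo",
		RootCAs:    pool,
		NextProtos: clientOffers,
		MinVersion: tls.VersionTLS13,
	})
	server := tls.Server(c2, serverCfg)

	srvErr := make(chan error, 1)
	go func() { srvErr <- server.Handshake() }()
	cliErr := client.Handshake()
	if cliErr != nil {
		c1.Close() // release a server side that may still be blocked on the pipe
	}
	if sErr := <-srvErr; sErr != nil || cliErr != nil {
		return "", "", fmt.Errorf("handshake failed: client=%v server=%v", cliErr, sErr)
	}
	return client.ConnectionState().NegotiatedProtocol, server.ConnectionState().NegotiatedProtocol, nil
}

func main() {
	for _, tc := range []struct{ offers, prefers []string }{
		{[]string{"http/1.1", "h2"}, []string{"h2", "http/1.1"}}, // overlap: server prefers h2
		{nil, []string{"h2"}},                                     // client without ALPN
		{[]string{"spdy/3"}, []string{"h2"}},                      // ALPN offered, no overlap
	} {
		c, s, err := Negotiate(tc.offers, tc.prefers)
		fmt.Printf("offers=%v prefers=%v -> client=%q server=%q err=%v\n", tc.offers, tc.prefers, c, s, err)
	}
}
```

The three cases in main are the ones a selector has to get right: an overlap where the server's preference order wins, a client that never sent the extension (which must not be treated as an error), and a client that offered only protocols the server does not speak, which here aborts the handshake instead of quietly proceeding without ALPN. Note that the callback cannot be expressed as a static value: it needs the ClientHello contents and has to answer before the ServerHello is built, which is exactly why a plain "booleans or strings" extension API is not enough for ALPN.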
