Hi Bernd, For the status_request_v2 extension, both ocsp and ocsp_multi forms are supported, with preference on the latter type. The only feature we currently don't support right now is Responder ID selection, and that will hopefully come in a 9 update. --Jamil -------- Original message --------From: Bernd Eckenfels <e...@zusammenkunft.net> Date: 8/11/16 3:00 PM (GMT-08:00) To: security-dev@openjdk.java.net Subject: Re: RFC7525 mapped to JSSE Hello,
thank you Xuelei and Jamil. I updated the sheet and added an actual column for Java 9. There are still some todos left (mostly for digging up the detauls), but it starts to look complete now. There are only two real non-compliances (for Java 9), that is the support for HSTS in client code (not related to JSSE) and the fallback signalling cipher (with limited usefullness). For Java 8 the EC keySize < 224, can it be added? For OCSP, the status_request(_v2), does it also support the multi certificate variant? https://docs.google.com/spreadsheets/d/135Eqf3RCpYLcmVHOIPb_Q7pzFde9yqJI_oD2jvpnKPE Gruss Bernd Am Mon, 8 Aug 2016 08:57:29 +0800 schrieb Xuelei Fan <xuelei....@oracle.com>: > Hi Bernd, > > Thanks for the summary of the compliance. The following comments are > mainly about the items marked with "TODO" or "???". > > JDK 9 will support DTLS 1.0/1.2 and OCSP stapling (both RFC 6066 and > RFC 6961). > > The server preference of cipher suites can be configurable. > > JDK uses uncompressed EC point format only. > > JDK does not use EC curves < 224 bits for EC key exchange, default > 256+ bits. > > For TLS 1.2, SHA2 is requested in the signature algorithm extension. > > JDK does not implement the truncted HMAC extension. > > JDK supports hostname verification APIs for HTTPS, and support > hostname verification during handshaking for HTTPS and LDAP. > > JDK tests the DH public keys. > > Thanks & Regards, > Xuelei > > On 8/2/2016 6:13 AM, Bernd Eckenfels wrote: > > Hello, > > > > because I was asked by a customer I started to map the RFC7525 > > > > https://tools.ietf.org/html/rfc7525 > > > > recommendations for TLS to JSSE implementation. > > > > > > It is not complete yet but I think I at least have extraced all > > "normative" requirements from the RFC into this table: > > > > https://docs.google.com/spreadsheets/d/135Eqf3RCpYLcmVHOIPb_Q7pzFde9yqJI_oD2jvpnKPE > > > > would like to get your feedback. > > > > Gruss > > Bernd > > >
