<BCC jdk-dev, forward to security-dev>

Hi Arjan,

Did you have a chance to read RFC 8740? Post-Handshake authentication in HTTP/2 is not allowed for TLS 1.3. Is there a concern for the use case you mentioned?

Xuelei

________________________________
From: jdk-dev <jdk-dev-r...@openjdk.java.net> on behalf of arjan tijms <arjan.ti...@gmail.com>
Sent: Thursday, March 4, 2021 12:57 PM
To: jdk-...@openjdk.java.net <jdk-...@openjdk.java.net>
Subject: TLS 1.3 Post-handshake authentication

Hi,

I noticed the following issue was recently closed: https://bugs.openjdk.java.net/browse/JDK-8206923

For the Servlet spec this is however a very important feature, to the point that for the Servlet TCK we would need to explicitly allow vendors to use TLS 1.2 for the client-cert authentication mechanism test.

Servlet needs this post-handshake authentication, since it allows the server to have protected/secured resources on a URL basis. During the handshake the URL that the client wishes to request is not yet available, so the server is unable to determine at that point whether it requires the client to present a certificate. Only when the request is being serviced can the server determine this, and respond with a certificate request.

This however fails when using TLS 1.3, since it's not implemented in Java.

The issue mentions that it might be implemented on request, so hereby I would like to request this.

Kind regards,
Arjan Tijms
(Servlet spec committer)
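
The URL-based client-certificate protection described in the quoted message, as an added example that is not part of the original e-mails: a Servlet deployment descriptor (`web.xml`) in which only one URL pattern requires a certificate. The URL pattern `/admin/*`, the resource name and the role name `operator` are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee
                             https://jakarta.ee/xml/ns/jakartaee/web-app_5_0.xsd"
         version="5.0">

  <!-- Only requests matching this pattern are protected. Every other URL in
       the application is served without the client presenting a certificate. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Administration (assumed name)</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>operator</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Require TLS for the protected resources. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- The caller is authenticated by its X.509 client certificate. The
       container can match the request against /admin/* only after the TLS
       handshake has completed and the HTTP request line has been read, so
       that is the earliest point at which it knows a certificate is needed. -->
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>

  <security-role>
    <role-name>operator</role-name>
  </security-role>
</web-app>
```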