Hi,

On Thu, Mar 4, 2021 at 10:48 PM Xue-Lei Fan <xuelei....@oracle.com> wrote:

> <BCC jdk-dev, forward to security-dev>
>
> Hi Arjan,
>
> Did you have a chance to read RFC 8740? Post-Handshake authentication in
> HTTP/2 is not allowed for TLS 1.3. Is there a concern for the use case you
> mentioned?

Servlet supports both HTTP/1.1 and HTTP/2. The concern here is for HTTP/1.1.
We'll likely exclude client-cert for HTTP/2.

Kind regards,
Arjan Tijms

>
> Xuelei
> ------------------------------
> *From:* jdk-dev <jdk-dev-r...@openjdk.java.net> on behalf of arjan tijms <arjan.ti...@gmail.com>
> *Sent:* Thursday, March 4, 2021 12:57 PM
> *To:* jdk-...@openjdk.java.net <jdk-...@openjdk.java.net>
> *Subject:* TLS 1.3 Post-handshake authentication
>
> Hi,
>
> I noticed the following issue was recently closed:
>
> https://bugs.openjdk.java.net/browse/JDK-8206923
>
> For the Servlet spec this is however a very important feature, to the point
> that for the Servlet TCK we would need to explicitly allow vendors to use
> TLS 1.2 for the client-cert authentication mechanism test.
>
> Servlet needs this post-handshake authentication, since it allows the
> server to have protected/secured resources on a URL basis. During the
> handshake the URL that the client wishes to request is not yet available,
> so the server is unable to determine at that point whether it requires the
> client to present a certificate.
>
> Only when the request is being serviced can the server determine this, and
> respond with a certificate request. This however fails when using TLS 1.3,
> since it's not implemented in Java.
>
> The issue mentions that it might be implemented on request, so hereby I
> would like to request this.
>
> Kind regards,
> Arjan Tijms (Servlet spec committer)
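As an added example (not code from this thread, the Servlet spec or the JDK), here is the per-URL decision Arjan describes, written against Python's ssl module because it implements TLS 1.3 post-handshake authentication; the protected prefix and the fake socket are constructed for illustration.

```python
import ssl

# Constructed example, not code from the thread or the JDK: the per-URL
# client-certificate decision a server can make only once the request line is
# known, i.e. after the TLS handshake. A real server context needs
# ctx.post_handshake_auth = True and ctx.verify_mode = ssl.CERT_OPTIONAL.

PROTECTED_PREFIXES = ("/secure/",)  # hypothetical protected URL space


def needs_client_cert(path):
    """Per-URL policy: only these paths require a client certificate."""
    return path.startswith(PROTECTED_PREFIXES)


def authorize(tls_sock, path):
    """Decide, on an already-handshaken TLS socket, how to handle `path`."""
    if not needs_client_cert(path):
        return "serve"
    if tls_sock.getpeercert():
        return "already-authenticated"  # presented during the handshake
    if tls_sock.selected_alpn_protocol() == "h2":
        # RFC 8740: no post-handshake authentication over HTTP/2, so the
        # certificate has to be required at handshake time for h2 listeners.
        return "deny-h2"
    if tls_sock.version() == "TLSv1.3":
        # RFC 8446 section 4.6.2: send CertificateRequest now; SSLError means a
        # precondition failed, typically the client did not offer PHA.
        try:
            tls_sock.verify_client_post_handshake()
        except ssl.SSLError:
            return "deny-no-pha"
        return "cert-requested"  # the certificate arrives on the next read
    # TLS 1.2 would need a renegotiation, which the ssl module does not expose.
    return "deny-renegotiation"


class FakeTLSSocket:
    """Constructed stand-in for ssl.SSLSocket; `pha` models client PHA support."""
    def __init__(self, version, alpn=None, peercert=None, pha=True):
        self._v, self._alpn, self._cert, self._pha = version, alpn, peercert, pha
        self.cert_requests = 0
    def version(self): return self._v
    def selected_alpn_protocol(self): return self._alpn
    def getpeercert(self): return self._cert

    def verify_client_post_handshake(self):
        if self._v != "TLSv1.3" or not self._pha:
            raise ssl.SSLError("post-handshake auth not available")
        self.cert_requests += 1
```

On a real ssl.SSLSocket the same `authorize()` call works unchanged; only the fake socket is a test stand-in.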