Hi,

On Mon, Nov 30, 2015 at 1:08 AM, Vincent Ryan <vincent.x.r...@oracle.com> wrote:
> Hello,
>
> Following on from Brad's recent email, here is the full webrev of the API
> and the implementation classes for ALPN:
> http://cr.openjdk.java.net/~vinnie/8144093/webrev.00/
>
> It adds the implementation classes (sun/security/ssl) to the public API
> classes (javax/net/ssl) which have already been agreed.
> Some basic tests (test/javax/net/ssl) are also included.
I just would like to remind that session resumption is a very important use case to support for ALPN.
I have not seen anything related to this review for session resumption.
Has it been tested?

It is still not clear to me what a client and a server have to do to support ALPN.

From my understanding a server has to:
* read encrypted bytes into a ByteBuffer
* parse the TLS ClientHello frame on its own
* extract from the ClientHello the TLS Protocol version, the ALPN extension, and the ciphers
* run some logic to determine the AP
** if no AP can be chosen, generate a TLS Alert frame on its own to close the connection and bail out
* otherwise, an AP/cipher combo has been chosen
* sslParameters.setApplicationProtocols(AP) // just one protocol
* sslParameters.setCipherSuites(cipher) // just one cipher
* sslEngine.setSSLParameters(sslParameters)
* reset the ByteBuffer position to the beginning
* pass the ByteBuffer to sslEngine.unwrap()
* JDK implementation will re-parse the ClientHello, and use the sslParameters data during handshake and when generating the ServerHello

A client has to:
* read encrypted bytes into a ByteBuffer
* parse a ServerHello frame on its own
* extract the ALPN extension and the cipher
* run some logic to verify that the AP and the cipher can be used together
** if AP and cipher don't match, generate a TLS Alert frame on its own to close the connection and bail out
* otherwise the AP/cipher combo is ok
* reset the ByteBuffer position to the beginning
* pass the ByteBuffer to sslEngine.unwrap()
* JDK implementation will re-parse the ServerHello and complete the TLS handshake

Is that right?

In that scenario, what is the use of SSLEngine.getHandshakeApplicationProtocol()?

Also, I don't understand how the above could work for SSLSocket?
Can someone write down the steps a client and a server should do to actually use ALPN with SSLSocket?

Thanks!
--
Simone Bordet
http://bordet.blogspot.com
---
Finally, no matter how good the architecture and design are,
to deliver bug-free software with optimal performance and reliability,
the implementation technique must be flawless. Victoria Livschitz
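The server-side pre-parsing step the post describes (read the raw ClientHello, pull out the ALPN protocol names and the offered cipher suites, then either pick an application protocol or bail out) as an added stand-alone Python example; it is not code from the post or from the JDK webrev, it uses no SSLEngine API, and the ClientHello bytes it parses are constructed here rather than captured. Parsing stops before any JDK involvement, so the buffer can afterwards be rewound and handed to unwrap() unchanged, as the post's steps require.

```python
import struct

def build_client_hello(alpn, ciphers):
    """Build a minimal TLS 1.2 ClientHello record (constructed test data, not a capture).
    alpn=None omits the extensions block entirely; alpn=[] sends an empty ALPN list."""
    exts = b""
    if alpn is not None:
        names = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
        pnl = struct.pack("!H", len(names)) + names          # ProtocolNameList
        ext = struct.pack("!HH", 16, len(pnl)) + pnl          # ExtensionType 16 = ALPN
        exts = struct.pack("!H", len(ext)) + ext              # extensions vector
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    body = (b"\x03\x03" + bytes(32)                           # client_version, random
            + b"\x00"                                         # empty session_id
            + struct.pack("!H", len(suites)) + suites         # cipher_suites
            + b"\x01\x00"                                     # compression: null only
            + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # ContentType handshake

def parse_client_hello(rec):
    """Return (alpn_names, cipher_suites) from a raw ClientHello record, without consuming it."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    p = 5 + 4 + 2 + 32                       # record hdr, handshake hdr, version, random
    p += 1 + rec[p]                          # session_id
    n = struct.unpack("!H", rec[p:p + 2])[0]; p += 2
    ciphers = [struct.unpack("!H", rec[p + i:p + i + 2])[0] for i in range(0, n, 2)]; p += n
    p += 1 + rec[p]                          # compression_methods
    alpn = []
    if p < len(rec):                         # extensions block is optional
        ext_end = p + 2 + struct.unpack("!H", rec[p:p + 2])[0]; p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", rec[p:p + 4]); p += 4
            if etype == 16:                  # ALPN: skip the 2-byte list length, walk names
                q = p + 2
                while q < p + elen:
                    l = rec[q]; alpn.append(rec[q + 1:q + 1 + l].decode()); q += 1 + l
            p += elen
    return alpn, ciphers

def select_protocol(offered, supported):
    """Server-preference choice; None means no AP can be chosen (alert and bail out)."""
    for proto in supported:
        if proto in offered:
            return proto
    return None
```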