Hi Martin,
Sorry for the delay.
I like this no-API-change design.
There may be some interoperbility/compatibility issues because of
implementation issues of the Extended Master Secret Extension. Maybe,
we want an approach to turn off the extension if there is a concern. It
could be a system property (for example,
jsse.useExtendedMasterSecret="false").
Would you mind file a Compatibility & Specification Review (CSR) request
for this feature proposal? For more information, see the CSR wiki at
OpenJDK:
https://wiki.openjdk.java.net/display/csr/Main
I may have some comments about the implementation if the CSR request get
approved.
Thanks & Regards,
Xuelei
On 8/4/2017 6:18 AM, Martin Balao wrote:
Hi,
This is my proposal for JDK-8148421 (Support Transport Layer Security
(TLS) Session Hash and Extended Master Secret Extension) [1]:
*
http://cr.openjdk.java.net/~sgehwolf/webrevs/mbalaoal/JDK-8148421/webrev.01/
<http://cr.openjdk.java.net/~sgehwolf/webrevs/mbalaoal/JDK-8148421/webrev.01/>(browse
online)
*
http://cr.openjdk.java.net/~sgehwolf/webrevs/mbalaoal/JDK-8148421/webrev.01/8148421.webrev.01.zip
(download)
Notes:
* There is no PKCS#11 support for Extended Master Secret key
derivation at this moment. NSS supports it through a vendor-specific
type definition (CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE and
CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH in pkcs11n.h file). Thus,
P11TlsMasterSecretGenerator uses the legacy Master Key Derivation method
only.
Thanks in advanced,
Martin.-
--
[1] - https://bugs.openjdk.java.net/browse/JDK-8148421
