Hi Martin,
Yes, we re-orged the code a lot for TLS 1.3. As you were already there,
did you want to resume the work? I can sponsor for the code review.
Thanks,
Xuelei
On 1/15/2019 6:16 AM, Martin Balao wrote:
Hi,
I was working on an implementation of the Certificate Authorities TLS
extension (former Trusted CAs) a few months ago. I stopped this work
because of the integration of TLS 1.3.
Here is my latest patch:
http://cr.openjdk.java.net/~sgehwolf/webrevs/mbalaoal/JDK-8046295/webrev.03/
May be useful to resume the work. Note that this patch won't apply
because code changed after TLS 1.3.
Kind regards,
Martin.-
On 1/15/19 11:08 AM, Andrew Leonard wrote:
Thanks for the feedback Sean,
Do we have a view on the "priority" for such an enhancement? While we
don't support it, what won't work or is limited? Ajay?
Cheers
Andrew
Andrew Leonard
Java Runtimes Development
IBM Hursley
IBM United Kingdom Ltd
Phone internal: 245913, external: 01962 815913
internet email: [email protected]
From: Sean Mullan <[email protected]>
To: Andrew Leonard <[email protected]>,
[email protected]
Cc: Ajay Reddy <[email protected]>, Alaine DeMyers
<[email protected]>
Date: 15/01/2019 13:39
Subject: Re: Is TLS1.3 support missing the
"certificate_authorities" extension?
------------------------------------------------------------------------
Hello,
On 1/15/19 4:03 AM, Andrew Leonard wrote:
Re-posting this question..
Isn't the "certificate_authorities" extension mandatory for TLS1.3?
The text in question says "SHOULD" and not "MUST" [1]. So while it is
very desirable, I would not categorize this as a mandatory requirement.
https://bugs.openjdk.java.net/browse/JDK-8206925
See
https://tools.ietf.org/html/draft-ietf-tls-tls13-20#section-4.2.4
There's a known typo in
https://tools.ietf.org/html/draft-ietf-tls-tls13-20#section-4.4.2.2
which from this comment:
https://www.ietf.org/mail-archive/web/tls/current/msg23612.html
indicates section 4.4.2.2 was a typo and "certificate_authorities" should
be used instead of "trusted_ca_keys"
Note that your links above are referencing the Internet Draft. This has
been corrected in the RFC:
https://tools.ietf.org/html/rfc8446#section-4.4.2.2
Should JDK-8206925 be a "bug"? Thoughts?
It seems correct as an Enhancement.
--Sean
[1] https://tools.ietf.org/html/rfc2119
Many thanks
Andrew
Unless stated otherwise above:
IBM United Kingdom Limited - Registered in England and Wales with number
741598.
Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU