Thank you Mark for the clarification.

Thanks,
Amit

________________________________
From: Mark Thomas <ma...@apache.org>
Sent: Friday, June 13, 2025 12:57 PM
To: users@tomcat.apache.org <users@tomcat.apache.org>
Subject: Re: TLS 1.3 and post handshake authentication (PHA)

On 13/06/2025 18:26, Amit Pande wrote:
> Hello,
>
> When using "protocols" TLSv1.3 in SSLHostConfig with HTTP 1.1 protocol
> (Http11NioProtocol or Http11Nio2Protocol) and
> certificateVerification=optional, we see below warning in logs:
>
> 13-Jun-2025 11:42:58.453 WARNING [catalina-exec-1]
> org.apache.tomcat.util.net.SSLUtilBase.<init> The JSSE TLS 1.3 implementation
> does not support post handshake authentication (PHA) and is therefore
> incompatible with optional certificate authentication
>
> Looking at: https://www.rfc-editor.org/rfc/rfc8740.html
> Seems like the TLS1.3 does not support PHA only in case of HTTP/2 and not
> for HTTP/1.1. Is this understanding correct?

Yes, but it misses the point.

> If yes, could we update the warning to be logged only when HTTP/2 is used or
> at least update the message "The JSSE TLS 1.3 implementation does not support
> post handshake authentication (PHA) for HTTP/2..." ?

No. Like the message says, the JSSE TLS 1.3 implementation does not support PHA. The message is correct.

Mark
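
A configuration check for the combination discussed in this thread, as an added example that is not part of the original messages and is not Tomcat code: it lists the SSLHostConfig elements in a server.xml that enable TLSv1.3 together with certificateVerification="optional". The sample XML and host names are constructed. The parsing assumes Tomcat's documented `protocols` syntax (comma-separated tokens, optional `+`/`-` prefixes, `all` as alias and as the default when the attribute is absent); the check does not determine whether the connector uses JSSE.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment (not taken from the thread).
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector port="8443" SSLEnabled="true"
               protocol="org.apache.coyote.http11.Http11NioProtocol">
      <SSLHostConfig hostName="a.example" protocols="TLSv1.3" certificateVerification="optional"/>
      <SSLHostConfig hostName="b.example" protocols="TLSv1.2" certificateVerification="optional"/>
      <SSLHostConfig hostName="c.example" protocols="all,-TLSv1.3" certificateVerification="optional"/>
      <SSLHostConfig hostName="d.example" protocols="TLSv1.2+TLSv1.3" certificateVerification="required"/>
      <SSLHostConfig hostName="e.example" certificateVerification="optional"/>
    </Connector>
  </Service>
</Server>
"""

# Assumption: what the "all" alias expands to, per the Tomcat configuration docs.
ALL = {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}


def enabled_protocols(value):
    """Resolve a protocols attribute value into the set of enabled protocol names."""
    enabled = set()
    # Each token is a protocol name with an optional +/- prefix; commas are skipped.
    for sign, name in re.findall(r"([+-]?)\s*([A-Za-z0-9.]+)", value or "all"):
        names = ALL if name.lower() == "all" else {name}
        enabled = enabled - names if sign == "-" else enabled | names
    return enabled


def find_pha_warning_configs(server_xml):
    """Return hostNames of SSLHostConfig elements matching the thread's combination."""
    flagged = []
    for cfg in ET.fromstring(server_xml).iter("SSLHostConfig"):
        # Assumption: Tomcat defaults are certificateVerification="none", hostName="_default_".
        verification = cfg.get("certificateVerification", "none")
        if verification.lower() == "optional" and "TLSv1.3" in enabled_protocols(cfg.get("protocols")):
            flagged.append(cfg.get("hostName", "_default_"))
    return flagged


if __name__ == "__main__":
    for host in find_pha_warning_configs(SAMPLE_SERVER_XML):
        print(f"{host}: TLSv1.3 enabled with certificateVerification=optional")
```
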