JEP 244: TLS Application-Layer Protocol Negotiation Extension

Thomas Lußnig openjdk at suche.org
Wed May 20 19:15:30 UTC 2015


Hi,

1) There are two types of extensions:
a) That modify the directly how the engine works like
[max_fragment_length,heartbeat,encrypt_then_mac,extended_master_secret,SessionTicket,...]
b) That provide information (modify the network protocol) like
[npn,alpn,status_request,...]
2) Some of the extionsions could be called deprecated like heartbeat,
npn and compression

signed_certificate_timestamp -> could be done without ocsp interference
via extra handshake message like you can see it on https://suche.org
there are 3 ways
how this can be archived Included in Certificate, OCSP-Response, Extra
handshake Message.

extended_master_secret -> would be hard to implement.

There are two ways to enable better plugin/develop:
+ Expose the client handshake to KeyManager/TrustManager/Client/Server
+ Generic way to add extra messages [status_request, user_mapping,
client_authz, server_authz, application_layer_protocol_negotiation,
status_request_v2, signed_certificate_timestamp,
                                                               npn,
TLS_FALLBACK_SCSV

Specially the information what the client can could be interesting for
site owner to decide what he should take care and what is so unusual
that it can be ignored.

Gruß Thomas



More information about the security-dev mailing list