I have some questions about this ticket https://bugs.openjdk.org/browse/JDK-8206923 which was closed as "won't fix". I fully realize that TLS 1.3 forbids SSL renegotiation after the handshake in the traditional manner, but I'm curious if the process defined here can be used instead: https://www.openssl.org/docs/manmaster/man3/SSL_verify_client_post_handshake.html

I'm new to this, but it appears to be describing how to accomplish post-handshake client verification, which works on TLS 1.3. There's not a lot of information online, but this ticket appears to be Python adding support for this: https://bugs.python.org/issue34670

Can we discuss reopening the OpenJDK ticket if this is actually possible? The use case for this is a rather common requirement: to have an SSL site which doesn't prompt the user for a client cert until they visit a secured area, and then the client cert request is sent, prompting the user at that point. Currently, I have to disable both HTTP/2 and TLS 1.3 in order for this to work. I don't mind sticking to HTTP/1, but I have concerns about disabling TLSv1.3 and what that means for the future security of my apps.

Thanks!

~Brad
Developer Advocate
Ortus Solutions, Corp
E-mail: [email protected]
ColdBox Platform: http://www.coldbox.org
Blog: http://www.codersrevolution.com
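As an added illustration (not code from the OpenJDK ticket, the Python issue, or the poster), this is the server side of the "prompt only in the secured area" flow using the TLS 1.3 post-handshake authentication that the linked Python issue added to the ssl module. The certificate and CA file paths and the protected path prefixes are constructed placeholders; the important point is that the CertificateRequest is only queued by `verify_client_post_handshake()`, leaves with the server's next write, and the client's certificate is consumed by the server's next read, so the challenge response must make the client retry on the same connection.

```python
import ssl

PROTECTED_PREFIXES = ("/admin/", "/secure/")   # constructed example paths


def is_protected(path: str) -> bool:
    """Only these paths should trigger the client-certificate prompt."""
    return path.startswith(PROTECTED_PREFIXES)


def configure_pha(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Defer the client-cert request until after the handshake.

    With post_handshake_auth set, CPython adds OpenSSL's SSL_VERIFY_POST_HANDSHAKE
    flag to server sockets, so CERT_OPTIONAL no longer sends a CertificateRequest
    in the initial handshake; it waits for verify_client_post_handshake().
    """
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3   # PHA exists only in TLS 1.3
    ctx.verify_mode = ssl.CERT_OPTIONAL            # PHA is refused under CERT_NONE
    ctx.post_handshake_auth = True                 # set before wrap_socket()
    return ctx


def make_server_context(certfile, keyfile, client_cafile) -> ssl.SSLContext:
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    ctx.load_verify_locations(client_cafile)       # CA that issues client certs
    return configure_pha(ctx)


def authorize(tls_sock, path: str):
    """Decide how to treat one request on an already-established TLS socket.

    Returns (status, cert): "open" needs no cert, "granted" has a verified cert,
    "challenge" means a CertificateRequest is now queued. It goes out with the
    next sendall(); the client's Certificate/CertificateVerify/Finished arrive on
    the next recv(), i.e. along with the client's next request on this same
    keep-alive connection, after which getpeercert() is populated. A fresh
    connection would start over with a new handshake and no certificate.
    """
    if not is_protected(path):
        return "open", None
    cert = tls_sock.getpeercert()                  # None/{} until PHA completes
    if cert:
        return "granted", cert
    if tls_sock.version() != "TLSv1.3":
        raise ssl.SSLError("post-handshake auth requires a TLS 1.3 connection")
    tls_sock.verify_client_post_handshake()        # queues the CertificateRequest
    return "challenge", None
```

The challenge response should direct the client back to the same path (for example a redirect to itself) so that the retry, carrying the client certificate, arrives on the connection where the request was queued.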
