If we look at it from the viewpoint of HTTP/2, how could applications meet the requirements of HTTP/2? Do you have a plan to have the application work with HTTP/2 in the future?
Xuelei

> On Aug 9, 2022, at 12:29 PM, Brad Wood <bdw4...@gmail.com> wrote:
>
> I have some questions about this ticket
> https://bugs.openjdk.org/browse/JDK-8206923
> which was closed as "won't fix". I fully realize that TLS 1.3 forbids SSL
> renegotiation after the handshake in the traditional manner, but I'm curious
> if the process defined here can be used instead:
> https://www.openssl.org/docs/manmaster/man3/SSL_verify_client_post_handshake.html
>
> I'm new to this, but it appears to be describing how to accomplish
> post-handshake client verification which works on TLS 1.3.
>
> There's not a lot of information online, but this ticket appears to be Python
> adding support for this:
> https://bugs.python.org/issue34670
>
> Can we discuss reopening the openjdk ticket if this is actually possible?
> The use case for this is a rather common requirement -- to have an SSL site
> which doesn't prompt the user for a client cert until they visit a secured
> area, and then the client cert request is sent, prompting the user at that
> point.
> Currently, I have to disable both HTTP/2 and TLS 1.3 in order for this to
> work. I don't mind sticking to HTTP/1, but I have concerns about disabling
> TLSv1.3 and what that means for the future security of my apps.
>
> Thanks!
>
> ~Brad
>
> Developer Advocate
> Ortus Solutions, Corp
>
> E-mail: b...@coldbox.org
> ColdBox Platform: http://www.coldbox.org
> Blog: http://www.codersrevolution.com
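As an added illustration, not code from this thread, the JDK, or Python's own test suite: the deferred client-certificate flow Brad describes, done with the TLS 1.3 post-handshake authentication support that bpo-34670 added to Python's ssl module. The server finishes the handshake without asking for a certificate, and only calls verify_client_post_handshake() when the client reaches the "secured area". It assumes Python 3.8+ built against OpenSSL 1.1.1 or later and the openssl command line tool (used only to mint throwaway self-signed certificates); the names server.example and client-user are constructed.

```python
import os, socket, ssl, subprocess, tempfile, threading

def make_self_signed(workdir, cn):
    """Throwaway self-signed cert + key via the openssl CLI (assumed installed)."""
    key, crt = os.path.join(workdir, cn + ".key"), os.path.join(workdir, cn + ".crt")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", "/CN=" + cn, "-keyout", key, "-out", crt],
                   check=True, capture_output=True)
    return key, crt

def run_pha_demo():
    """Return (peer cert the server sees before PHA, peer cert it sees after PHA)."""
    with tempfile.TemporaryDirectory() as d:
        skey, scrt = make_self_signed(d, "server.example")   # constructed names
        ckey, ccrt = make_self_signed(d, "client-user")
        srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        srv.minimum_version = ssl.TLSVersion.TLSv1_3          # PHA exists only in TLS 1.3
        srv.load_cert_chain(scrt, skey)
        srv.load_verify_locations(ccrt)                       # trust anchor for the client cert
        srv.verify_mode = ssl.CERT_REQUIRED   # with PHA enabled, not enforced at the initial handshake
        srv.post_handshake_auth = True        # defers the CertificateRequest (SSL_VERIFY_POST_HANDSHAKE)
        cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        cli.minimum_version = ssl.TLSVersion.TLSv1_3
        cli.check_hostname = False            # self-signed test cert, no name to check
        cli.load_verify_locations(scrt)
        cli.load_cert_chain(ccrt, ckey)       # the cert the "user" will present on demand
        cli.post_handshake_auth = True        # client must advertise the post_handshake_auth extension
        lsock = socket.socket(); lsock.bind(("127.0.0.1", 0)); lsock.listen(1)
        seen = {}
        def server():
            conn, _ = lsock.accept()
            with srv.wrap_socket(conn, server_side=True) as s:   # handshake: no cert requested
                s.recv(1024)                                      # request for the public area
                seen["before"] = s.getpeercert()                  # None: client is anonymous so far
                s.verify_client_post_handshake()                  # queue CertificateRequest
                s.sendall(b"secured-area")                        # the next write flushes it
                s.recv(1024)     # consumes Certificate/CertificateVerify/Finished, then the data
                seen["after"] = s.getpeercert()                   # now the client's identity
                s.sendall(b"ok")
        t = threading.Thread(target=server); t.start()
        with cli.wrap_socket(socket.create_connection(lsock.getsockname())) as c:
            c.sendall(b"GET /public")
            c.recv(1024)           # reading the CertificateRequest makes OpenSSL send the cert
            c.sendall(b"GET /secured")
            c.recv(1024)
        t.join(); lsock.close()
    return seen["before"], seen["after"]
```

The same deferral is what the JDK ticket asks for; with renegotiation gone in TLS 1.3, this extension is the only in-protocol way to get it.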