On 13/06/2025 18:26, Amit Pande wrote:
> Hello,
>
> When using "protocols" TLSv1.3 in SSLHostConfig with HTTP 1.1 protocol
> (Http11NioProtocol or Http11Nio2Protocol) and certificateVerification=optional, we see
> the below warning in logs:
>
> 13-Jun-2025 11:42:58.453 WARNING [catalina-exec-1]
> org.apache.tomcat.util.net.SSLUtilBase.<init> The JSSE TLS 1.3 implementation
> does not support post handshake authentication (PHA) and is therefore incompatible
> with optional certificate authentication
>
> Looking at https://www.rfc-editor.org/rfc/rfc8740.html, it seems like TLS 1.3
> does not support PHA only in case of HTTP/2 and not for HTTP/1.1. Is this
> understanding correct?

Yes, but it misses the point.

> If yes, could we update the warning to be logged only when HTTP/2 is used or at least
> update the message "The JSSE TLS 1.3 implementation does not support post handshake
> authentication (PHA) for HTTP/2..." ?

No. Like the message says, the JSSE TLS 1.3 implementation does not
support PHA. The message is correct.

Mark