Re: [kitten] Channel Binding to TLS in a Java only environment
Tobias Markmann <tmarkmann@googlemail.com> Thu, 13 October 2011 18:21 UTC
Return-Path: <tmarkmann@googlemail.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E662D21F8A95 for <kitten@ietfa.amsl.com>; Thu, 13 Oct 2011 11:21:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.233
X-Spam-Level:
X-Spam-Status: No, score=-2.233 tagged_above=-999 required=5 tests=[AWL=0.744, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Li3u6-O9cGmo for <kitten@ietfa.amsl.com>; Thu, 13 Oct 2011 11:21:51 -0700 (PDT)
Received: from mail-pz0-f50.google.com (mail-pz0-f50.google.com [209.85.210.50]) by ietfa.amsl.com (Postfix) with ESMTP id 4933721F8678 for <kitten@ietf.org>; Thu, 13 Oct 2011 11:21:51 -0700 (PDT)
Received: by pzk37 with SMTP id 37so3454243pzk.9 for <kitten@ietf.org>; Thu, 13 Oct 2011 11:21:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=gamma; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding; bh=zX/hGTy2QZCYpkRost190WE+3CwCDeiO7o1813n4iqE=; b=Ri7IS69ISLTaCyRdBnRlLUefCXZr1WzwcRrYnO04cZDSYBe3EsK1x9E+sUPI2MlkkD pP2O2vyOttIAQvsV2fEBZmHaxGkaHaM5+Y+zRGL1MbBIwWlaOndfQFYQR0NjeZh07QPg Jbaq8y9Kwz1WSTwsY5vzMKDasM2s2DnDXN5RY=
Received: by 10.68.36.6 with SMTP id m6mr10455668pbj.111.1318530111044; Thu, 13 Oct 2011 11:21:51 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.68.56.72 with HTTP; Thu, 13 Oct 2011 11:21:31 -0700 (PDT)
In-Reply-To: <201110131411.p9DEBa9v025756@fs4113.wdf.sap.corp>
References: <CAJ9A0VuGBGtQPGoBLsPz95zXYWcDU7omRAFZQ86CRQQXNfsr2w@mail.gmail.com> <201110131411.p9DEBa9v025756@fs4113.wdf.sap.corp>
From: Tobias Markmann <tmarkmann@googlemail.com>
Date: Thu, 13 Oct 2011 20:21:31 +0200
Message-ID: <CAJ9A0VuEV178qVqRnv4X0JarzmAVj_wS7dyv7eyPiuWOAT5AOQ@mail.gmail.com>
To: mrex@sap.com
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: kitten@ietf.org
Subject: Re: [kitten] Channel Binding to TLS in a Java only environment
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Oct 2011 18:21:52 -0000
On Thu, Oct 13, 2011 at 16:11, Martin Rex <mrex@sap.com> wrote: > Are you actually asking for an official API in JDK to access > the tls-unique channel bindings (which consists of the **decrypted** > *first* finished message (of the two finished messages at the end > of a TLS handshake, one in each direction. (for a full TLS handshake > the client sends the first finished message, for an abbreviated > TLS handshake, aka TLS session resume, the server sends the first > finished message). Yes. Initially I was intending to write a XMPP client for Android and on the first look I did not find an API which provides that data for me. I wondered whether standard JDK, SE or EE, just any JDK had an API which provides the data OpenSSL's SSL_get_finished() function provides. > > But with the addition of TLS extension renegotiation_info (rfc5746) > that information needs to be persisted anyway, so this would have > been the perfect time to add the necessary APIs for it as well > (that's how I did it four our implementation). Since it is a > new API, it can not adversely affect any of the existing callers, > so it was safe to ship as a feature enhancement. > > But I can't speak about Java/JDK, it is nothing that I use. > Right. The Java SE documentation [1] does not seem to list any method related to that. If it had an API that would provide the data of the finished message one could probably find it in SSLSession [2]. So if one wants to have channel binding in a Java application one probably has to run his own TLS stack (either implemented in Java or as a JNI binding to a C lib) which then gives you access to the finished message. [1] http://download.oracle.com/javase/7/docs/api/javax/net/ssl/package-summary.html [2] http://download.oracle.com/javase/7/docs/api/javax/net/ssl/SSLSession.html Tobi
- [kitten] Channel Binding to TLS in a Java only en… Tobias Markmann
- Re: [kitten] Channel Binding to TLS in a Java onl… Martin Rex
- Re: [kitten] Channel Binding to TLS in a Java onl… Tobias Markmann
- Re: [kitten] Channel Binding to TLS in a Java onl… Cantor, Scott