[jetty-users] Re: Does Jetty support the function of export keying material for TLS defined in RFC5705?
  • From: Xia Bing <bing_xia518@xxxxxxxxxxx>
  • Date: Tue, 12 Apr 2022 02:28:59 +0000

Hi,

I tried to use BouncyCastle as the provider with the following code:

Security.addProvider(new BouncyCastleJsseProvider(true));
sslContextFactory.setProvider("BCJSSE");

And the following exception is raised when creating an http2 session:
java.lang.IllegalStateException: No ALPNProcessor for org.bouncycastle.jsse.provider.ProvSSLEngine_8@989a394
at org.eclipse.jetty.alpn.client.ALPNClientConnectionFactory.newConnection(ALPNClientConnectionFactory.java:111)
at org.eclipse.jetty.io.ssl.SslClientConnectionFactory.newConnection(SslClientConnectionFactory.java:136)
at org.eclipse.jetty.http2.client.HTTP2Client.lambda$doStart$1(HTTP2Client.java:165)
at org.eclipse.jetty.http2.client.HTTP2Client$ClientSelectorManager.newConnection(HTTP2Client.java:500)
at org.eclipse.jetty.io.ManagedSelector.createEndPoint(ManagedSelector.java:386)
at org.eclipse.jetty.io.ManagedSelector.access$2100(ManagedSelector.java:65)
at org.eclipse.jetty.io.ManagedSelector$CreateEndPoint.run(ManagedSelector.java:1069)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
at java.base/java.lang.Thread.run(Thread.java:844)

I think that some enhancement should be made in Jetty to support BouncyCastle. Is this understanding right?
Best Regards
Bing


From: jetty-users <jetty-users-bounces@xxxxxxxxxxx> on behalf of Simone Bordet <simone.bordet@xxxxxxxxx>
Sent: April 1, 2022 18:05
To: JETTY user mailing list <jetty-users@xxxxxxxxxxx>
Subject: Re: [jetty-users] Does Jetty support the function of export keying material for TLS defined in RFC5705?
 
Hi,

On Fri, Apr 1, 2022 at 11:45 AM Xia Bing <bing_xia518@xxxxxxxxxxx> wrote:
>
> Hi,  Jetty team,
>
> Could anyone help to clarify this question:
> After setting up the HTTP2/TLS session with the Jetty HTTP2 client, can the upper application get the exported keying material for TLS defined in RFC5705 through some APIs provided by Jetty?
> Looking forward to the reply!

This functionality should be provided by the TLS implementation, and
Jetty can only forward what the TLS implementation provides.
Unfortunately, I don't think the OpenJDK implementation provides EKM,
see https://bugs.openjdk.java.net/browse/JDK-8201287.
If you find otherwise about OpenJDK, let us know.

If you find a way to use EKM with BouncyCastle, let us know how you did it.

--
Simone Bordet
---
Finally, no matter how good the architecture and design are,
to deliver bug-free software with optimal performance and reliability,
the implementation technique must be flawless.   Victoria Livschitz