Re: [jakartaee-tck-dev] [servlet-dev] Help please -- Servlet TCK test issue

Per https://bugs.openjdk.java.net/browse/JDK-8206923

Per RFC 8740, "Using TLS 1.3 with HTTP/2":
"HTTP/2 servers MUST NOT send post-handshake TLS 1.3 CertificateRequest messages. HTTP/2 clients MUST treat such messages as connection errors (see Section 5.4.1 of [RFC7540]) of type PROTOCOL_ERROR."

On Tue, Mar 2, 2021 at 3:17 AM arjan tijms <arjan.tijms@xxxxxxxxx> wrote:
Hi,

In general, TLS 1.3 is not fully compatible with Servlet since for some reason the JEP decided to exclude Post-Handshake Authentication in Java. See https://openjdk.java.net/jeps/332.

This is exactly what Servlet needs.

I'll take a look at the GlassFish code as I'm very much up to date with that. I'll try to figure out how the TCK test exactly sets the certificate for the client (at a glance this isn't immediately obvious), and will try with the Java EE 7 samples test for this as well (https://github.com/javaee-samples/javaee7-samples/tree/master/servlet/security-clientcert).

Kind regards,
Arjan Tijms






On Tue, Mar 2, 2021 at 3:01 AM Stuart Douglas <sdouglas@xxxxxxxxxx> wrote:
This is a client cert test, so I would suggest it is almost certainly due to TLS differences between JDK8 and JDK11 (it is probably now using TLS 1.3 instead of 1.2). I would check the TLS config to make sure everything is correct for client cert authentication, but I don't really know anything about Glassfish so I can't really help with that.

Stuart

On Tue, 2 Mar 2021 at 12:44, Ed Bratt <ed.bratt@xxxxxxxxxx> wrote:

Hi,

The TCK team needs help diagnosing a problem with the Servlet TCK tests, described in

If someone could have a look and help the TCK team move this forward, it would be appreciated.

Thank you,

-- Ed

_______________________________________________
servlet-dev mailing list
servlet-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/servlet-dev