public static final class TLS13PostHandshakeConfig.TLS13PostHandshakeAuthConfig extends TLS13PostHandshakeConfig implements java.lang.Cloneable

Post handshake configuration of type POST_HANDSHAKE_AUTH.
At any time after the regular handshake has finished, a server may request post-handshake client authentication by sending a certificate_request message to the client (provided the client has sent a PostHandshakeAuth extension in its ClientHello message to indicate that it is willing to fulfill a post-handshake authentication request). The client then has to respond with the required authentication messages (certificate, certificate_verify, finished). However, the client is not required to respond immediately to a post-handshake authentication request; it may send an arbitrary amount of application data before responding to it.
To trigger a post-handshake client authentication request, a server may specify a TLS13PostHandshakeAuthConfig object when calling method postHandshake on the SSLSocket communicating with the client:

```java
SSLSocket sslSocket = ...;
...
TLS13PostHandshakeAuthConfig postHandshakeConfig = new TLS13PostHandshakeAuthConfig();
sslSocket.postHandshake(postHandshakeConfig);
...
```

It may be advantageous to trigger the post-handshake client authentication request while writing data to the client and to make a read() call immediately after having submitted the request. However, since the client is not required to respond immediately to a post-handshake authentication request (see above), a data limit may be provided when creating the post-handshake auth configuration:

```java
SSLSocket sslSocket = ...;
long dataLimit = ...;
...
TLS13PostHandshakeAuthConfig postHandshakeConfig = new TLS13PostHandshakeAuthConfig(dataLimit);
sslSocket.postHandshake(postHandshakeConfig);
...
```

The iSaSiLk server then checks the amount of data processed after a client authentication request has been sent and shuts down the connection when too much data has been processed without the client having sent the requested authentication messages.
In any case, when having received the client's post-handshake authentication messages, an iSaSiLk server will send a NewSessionTicket message to accommodate the new client certificate, unless the iSaSiLk server is configured (via setSendNewSessionTicket) to not send a NewSessionTicket message after having received the client authentication messages.
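The following server-side helper is an added example, not code from the iSaSiLk documentation. It combines the two patterns described above: a data limit passed to the constructor, so that iSaSiLk itself shuts the connection down if the client keeps sending application data without authenticating, and an explicit read() right after postHandshake, so that blocking, buffered application data, or the connection being shut down surface in one well-defined place. It also shows where setReadClientResponse would be enabled for clients known to answer promptly. Assumptions: the package name iaik.security.ssl for SSLSocket and TLS13PostHandshakeConfig, that the socket passed in has already completed its TLS 1.3 handshake and that the client offered the PostHandshakeAuth extension, and that postHandshake and the stream calls report failures as IOException; the data limit and payload are constructed values.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.Arrays;

// Assumed package of iSaSiLk's SSLSocket and post-handshake configuration classes.
import iaik.security.ssl.SSLSocket;
import iaik.security.ssl.TLS13PostHandshakeConfig.TLS13PostHandshakeAuthConfig;

/**
 * Server-side helper that requests TLS 1.3 post-handshake client authentication
 * on an already-handshaked connection and then reads from the socket so that the
 * client's response, or any application data it sends first, is processed.
 */
public final class PostHandshakeAuthExample {

    /** Constructed value: bytes the client may send before it must have authenticated. */
    static final long DATA_LIMIT = 64L * 1024L;

    private PostHandshakeAuthExample() {}

    /**
     * Writes {@code payload}, sends the certificate_request, then performs one read().
     *
     * @param sslSocket               connected socket whose TLS 1.3 handshake is finished
     * @param readResponseImmediately pass true only for clients known to answer promptly;
     *                                otherwise iSaSiLk buffers their application data and
     *                                may throw when the internal buffer is exhausted
     * @param payload                 application data to send before the request
     * @return the application data obtained by the first read() after the request
     *         (empty if the peer closed the connection)
     * @throws IOException if the request or the read fails, including the case where the
     *                     data limit was exceeded and iSaSiLk shut the connection down
     */
    static byte[] requestClientAuth(SSLSocket sslSocket,
                                    boolean readResponseImmediately,
                                    byte[] payload) throws IOException {
        // Bound how much client data is accepted before the authentication messages
        // must have arrived; iSaSiLk enforces this and closes the connection otherwise.
        TLS13PostHandshakeAuthConfig config = new TLS13PostHandshakeAuthConfig(DATA_LIMIT);
        config.setReadClientResponse(readResponseImmediately);

        // Send pending application data first, then trigger the certificate_request.
        OutputStream out = sslSocket.getOutputStream();
        out.write(payload);
        out.flush();
        sslSocket.postHandshake(config);

        // Explicit read: handles a blocking peer, application data sent ahead of the
        // authentication messages, and the shutdown caused by an exceeded data limit
        // (which shows up here as an IOException or end of stream).
        InputStream in = sslSocket.getInputStream();
        byte[] buf = new byte[8192];
        int n = in.read(buf);
        return n < 0 ? new byte[0] : Arrays.copyOf(buf, n);
    }

    /** Sample call using constructed payload data on a socket set up elsewhere. */
    static byte[] demo(SSLSocket alreadyHandshakedSocket) throws IOException {
        byte[] constructedPayload = "please authenticate\n".getBytes("UTF-8");
        return requestClientAuth(alreadyHandshakedSocket, false, constructedPayload);
    }
}
```

Leaving readResponseImmediately at false and doing the read() yourself keeps the buffering risk described under setReadClientResponse out of the picture; the data limit then is the only bound you rely on, and a client that never authenticates is cut off by iSaSiLk rather than by application logic.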
Nested classes inherited from class TLS13PostHandshakeConfig:
TLS13PostHandshakeConfig.TLS13KeyUpdateConfig, TLS13PostHandshakeConfig.TLS13NewSessionTicketConfig, TLS13PostHandshakeConfig.TLS13PostHandshakeAuthConfig

Fields inherited from class TLS13PostHandshakeConfig:
KEY_UPDATE, NEW_SESSION_TICKET, POST_HANDSHAKE_AUTH
Constructor | Description
---|---
TLS13PostHandshakeAuthConfig() | Default constructor.
TLS13PostHandshakeAuthConfig(long dataLimit) | Creates a TLS13PostHandshakeAuthConfig with the given data limit.
Modifier and Type | Method and Description
---|---
java.lang.Object | clone() Returns a clone of this TLS13PostHandshakeAuthConfig.
void | setReadClientResponse(boolean read) Sets whether to try to read the client authentication messages immediately after having sent the post handshake certificate_request message.
static void | setSendNewSessionTicket(boolean sendNewSessionTicket) Sets whether the server shall send a NewSessionTicket message immediately after having received the client authentication messages.

Methods inherited from class TLS13PostHandshakeConfig:
setMaxNumberOfPostHandshakeMessages, setMaxNumberOfSubsequentPostHandshakeMessages
public TLS13PostHandshakeAuthConfig()
Default constructor.

public TLS13PostHandshakeAuthConfig(long dataLimit)
Creates a TLS13PostHandshakeAuthConfig with the given data limit.
Parameters:
dataLimit - specifies how much data may be processed until the client has to send the requested authentication messages after having received a post-handshake authentication request.

public static void setSendNewSessionTicket(boolean sendNewSessionTicket)
Sets whether the server shall send a NewSessionTicket message immediately after having received the client authentication messages.
Parameters:
sendNewSessionTicket - whether to send a NewSessionTicket message immediately after having received the client authentication messages (default: true; a NewSessionTicket message is sent if session caching is enabled)

public void setReadClientResponse(boolean read)
When set to true, the iSaSiLk server tries to read the client authentication messages immediately after having sent the post-handshake certificate_request message. Any application data that the client sends before the client authentication messages is buffered internally and pushed back after the client authentication messages have arrived. However, this may cause an exception if more application data is sent than can be buffered internally. For that reason you should call setReadClientResponse(true) only if you are sure that the client will send the authentication messages immediately (or at least reasonably soon) after having received the post-handshake authentication request. Alternatively, you may make an explicit read() call after having triggered the post-handshake authentication request, to handle any blocking condition or any application data that arrives before the authentication messages.
Parameters:
read - true if trying to read the client authentication response immediately after having sent the authentication request, false if not trying to read the response (default)

public java.lang.Object clone()
Returns a clone of this TLS13PostHandshakeAuthConfig.
Overrides:
clone in class TLS13PostHandshakeConfig