iaik.security.ssl
Class TLS13PostHandshakeConfig.TLS13PostHandshakeAuthConfig

java.lang.Object
  extended by iaik.security.ssl.TLS13PostHandshakeConfig
      extended by iaik.security.ssl.TLS13PostHandshakeConfig.TLS13PostHandshakeAuthConfig
All Implemented Interfaces:
java.lang.Cloneable
Enclosing class:
TLS13PostHandshakeConfig

public static final class TLS13PostHandshakeConfig.TLS13PostHandshakeAuthConfig
extends TLS13PostHandshakeConfig
implements java.lang.Cloneable

Configuration for post handshake type POST_HANDSHAKE_AUTH.

At any time after the regular handshake has been finished, a server may request post handshake client authentication by sending a certificate_request message to the client (provided the client has sent a PostHandshakeAuth extension in its ClientHello message to indicate that it is willing to fulfill a post handshake authentication request). The client then has to respond with the required authentication messages (certificate, certificate_verify, finished). However, the client is not required to respond to a post handshake authentication request immediately: it may send an arbitrary amount of application data before responding to the authentication request.

To trigger a post handshake client authentication request, a server specifies a TLS13PostHandshakeAuthConfig object when calling method postHandshake on the SSLSocket communicating with the client:

 SSLSocket sslSocket = ...;
 ...
 TLS13PostHandshakeAuthConfig postHandshakeConfig = new TLS13PostHandshakeAuthConfig();
 sslSocket.postHandshake(postHandshakeConfig);
 ...
 
It may be advantageous to trigger the post handshake authentication request while writing data to the client and to call read() immediately after having submitted the request. However, since the client is not required to respond to a post handshake authentication request immediately (see above), a data limit may be provided when creating the post handshake auth configuration:
 SSLSocket sslSocket = ...;
 long dataLimit = ...;
 ...
 TLS13PostHandshakeAuthConfig postHandshakeConfig = new TLS13PostHandshakeAuthConfig(dataLimit);
 sslSocket.postHandshake(postHandshakeConfig);
 ...
 
The iSaSiLk server then tracks the amount of application data processed after a client authentication request has been sent and shuts down the connection when this limit is exceeded without the client having sent the requested authentication messages.

In any case, after having received the client post handshake authentication messages, an iSaSiLk server sends a NewSessionTicket message to accommodate the new client certificate, unless the iSaSiLk server has been configured (see setSendNewSessionTicket) not to send a NewSessionTicket message after having received the client authentication messages.


Nested Class Summary
 
Nested classes/interfaces inherited from class iaik.security.ssl.TLS13PostHandshakeConfig
TLS13PostHandshakeConfig.TLS13KeyUpdateConfig, TLS13PostHandshakeConfig.TLS13NewSessionTicketConfig, TLS13PostHandshakeConfig.TLS13PostHandshakeAuthConfig
 
Field Summary
 
Fields inherited from class iaik.security.ssl.TLS13PostHandshakeConfig
KEY_UPDATE, NEW_SESSION_TICKET, POST_HANDSHAKE_AUTH
 
Constructor Summary
TLS13PostHandshakeConfig.TLS13PostHandshakeAuthConfig()
          Default constructor.
TLS13PostHandshakeConfig.TLS13PostHandshakeAuthConfig(long dataLimit)
          Creates a TLS13PostHandshakeAuthConfig with the given data limit.
 
Method Summary
 java.lang.Object clone()
          Returns a clone of this TLS13PostHandshakeAuthConfig.
 void setReadClientResponse(boolean read)
          Sets whether to try to read the client authentication messages immediately after having sent the post handshake certificate_request message.
static void setSendNewSessionTicket(boolean sendNewSessionTicket)
          Sets whether the server shall send a NewSessionTicket message immediately after having received the client authentication messages.
 
Methods inherited from class iaik.security.ssl.TLS13PostHandshakeConfig
setMaxNumberOfPostHandshakeMessages, setMaxNumberOfSubsequentPostHandshakeMessages
 
Methods inherited from class java.lang.Object
equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

TLS13PostHandshakeConfig.TLS13PostHandshakeAuthConfig

public TLS13PostHandshakeConfig.TLS13PostHandshakeAuthConfig()
Default constructor. Creates a TLS13PostHandshakeAuthConfig without any data limit.


TLS13PostHandshakeConfig.TLS13PostHandshakeAuthConfig

public TLS13PostHandshakeConfig.TLS13PostHandshakeAuthConfig(long dataLimit)
Creates a TLS13PostHandshakeAuthConfig with the given data limit.

Parameters:
dataLimit - specifies how much application data may be processed before the client has to send the requested authentication messages after having received a post handshake authentication request.
Method Detail

setSendNewSessionTicket

public static void setSendNewSessionTicket(boolean sendNewSessionTicket)
Sets whether the server shall send a NewSessionTicket message immediately after having received the client authentication messages.

Parameters:
sendNewSessionTicket - whether to send a NewSessionTicket message immediately after having received the client authentication messages (default: true; a NewSessionTicket message is sent if session caching is enabled)

setReadClientResponse

public void setReadClientResponse(boolean read)
Sets whether to try to read the client authentication messages immediately after having sent the post handshake certificate_request message.

When set to true, the iSaSiLk server tries to read the client authentication messages immediately after having sent the post handshake certificate_request message. Any application data that the client sends in front of the client authentication messages is buffered internally and pushed back after the client authentication messages have arrived. However, this may cause an exception if the client sends more application data than can be buffered internally. For that reason you should call setReadClientResponse(true) only if you are sure that the client will send the authentication messages immediately (or at least reasonably soon) after having received the post handshake authentication request. Alternatively you may make an explicit read() call after having triggered the post handshake authentication request, so that any blocking condition, or application data received before the authentication messages, is handled by your own code.

Parameters:
read - true to try to read the client authentication response immediately after having sent the authentication request, false to not try to read the response (default)
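The server-side procedure described in the class description above and in this method (request with a data limit, keep writing, then drive the record layer with an explicit read() instead of setReadClientResponse(true)), as an added example that is not part of the iSaSiLk Javadoc or code base. It assumes sslSocket is an iaik.security.ssl.SSLSocket in server mode whose regular TLS 1.3 handshake has completed, that postHandshake() and the stream accessors throw IOException, and the message bytes are constructed here.

```java
// Added example, not part of the iSaSiLk Javadoc or its code base.
// Assumed: sslSocket is an iaik.security.ssl.SSLSocket in server mode whose
// regular TLS 1.3 handshake has completed, postHandshake() and the stream
// accessors throw IOException, and the message bytes are constructed here.
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import iaik.security.ssl.SSLSocket;
import iaik.security.ssl.TLS13PostHandshakeConfig.TLS13PostHandshakeAuthConfig;

public class PostHandshakeAuthServer {

  // Application data (in bytes) the client may still send after the
  // certificate_request before iSaSiLk shuts the connection down.
  static final long DATA_LIMIT = 64 * 1024L;

  // Requests post-handshake client authentication and returns the first
  // chunk of application data read afterwards (it may legitimately arrive
  // before the client's certificate/certificate_verify/finished messages).
  static byte[] requestClientAuth(SSLSocket sslSocket) throws IOException {
    OutputStream out = sslSocket.getOutputStream();
    InputStream in = sslSocket.getInputStream();

    // Bounded limit rather than setReadClientResponse(true): the client is
    // allowed to send data first, and an immediate internal read would have
    // to buffer all of it and can fail when there is too much.
    TLS13PostHandshakeAuthConfig cfg = new TLS13PostHandshakeAuthConfig(DATA_LIMIT);
    cfg.setReadClientResponse(false);                            // the default
    TLS13PostHandshakeAuthConfig.setSendNewSessionTicket(true);  // the default

    sslSocket.postHandshake(cfg);                 // sends certificate_request
    out.write("PLEASE-AUTHENTICATE\n".getBytes(StandardCharsets.US_ASCII));
    out.flush();

    // The explicit read() drives the record layer: the authentication
    // messages are consumed by iSaSiLk, application data in front of them is
    // returned normally, and a client exceeding DATA_LIMIT without
    // authenticating gets its connection shut down, which this read observes
    // as end of stream or an IOException (assumed failure behaviour).
    byte[] buf = new byte[4096];
    int n = in.read(buf);
    if (n < 0) {
      throw new IOException("client closed the connection before authenticating");
    }
    byte[] data = new byte[n];
    System.arraycopy(buf, 0, data, 0, n);
    return data;
  }
}
```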

clone

public java.lang.Object clone()
Returns a clone of this TLS13PostHandshakeAuthConfig.

Overrides:
clone in class TLS13PostHandshakeConfig
Returns:
a clone of this TLS13PostHandshakeAuthConfig

This Javadoc may contain text parts from IETF Internet Standard specifications (see copyright note).

iSaSiLk 6.0, (c) 2002 IAIK, (c) 2003 - 2015 SIC