Question about TLS heartbeat extension
gunnarlindroth opened this issue
Hello,
This is not really an issue, but a general question about which TLS extensions are supported by SNF4J (and Java), in particular the "heartbeat extension" (https://tools.ietf.org/html/rfc6520).
I assume that the heartbeat extension is not necessarily available in the Java SSLEngine I'm using. Is there any way I can see which extensions are supported in my environment? Can I somehow control which extensions should be enabled?
In the provided Wireshark trace the client includes the extension "heartbeat", but I don't really understand how I can enable this support also in the server (which is built on SNF4J).
dtls-heartbeat.zip
Any hint is much appreciated! :-)
Thanks, Gunnar
SNF4J uses the JSSE standard API, in particular the SSLEngine, to handle the SSL/TLS/DTLS protocols, so it is up to the JSSE provider in use (SunJSSE or BCJSSE) whether a particular extension is supported or not.
As far as the heartbeat extension is concerned, there is no exposed functionality in the JSSE standard API for this extension (like triggering the Heartbeat Request).
Summing up, considering the limitations of the JSSE standard API, it may not be possible to enable the heartbeat extension in any application using the JSSE.
After finding the heartbeat extension being defined in the class "sun.security.ssl.SSLExtension" I for a moment thought that it might actually be possible to enable it somehow, but I guess I need to accept that this is not the case. I appreciate your prompt response!
Thanks, Gunnar
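Independent of what the JSSE provider supports, a server can check which extensions a client offers, such as the heartbeat extension seen in the Wireshark trace, by reading the extension list from the received ClientHello bytes. The following is an added example, not code from SNF4J or from the participants in this thread; it assumes one unfragmented DTLS ClientHello per datagram, and the class name and the sample bytes are constructed for illustration.

```java
import java.nio.ByteBuffer;
import java.util.LinkedHashMap;
import java.util.Map;

public class DtlsClientHelloExtensions {           // hypothetical class name
    static final int EXT_HEARTBEAT = 15;           // extension type from RFC 6520

    /** Maps extension type to extension data for one unfragmented DTLS ClientHello.
     *  Truncated input fails with an exception instead of returning partial data. */
    static Map<Integer, byte[]> parse(byte[] datagram) {
        ByteBuffer b = ByteBuffer.wrap(datagram);  // big-endian by default
        if ((b.get() & 0xff) != 22) throw new IllegalArgumentException("not a handshake record");
        skip(b, 12);                               // version, epoch, sequence number, length
        if ((b.get() & 0xff) != 1) throw new IllegalArgumentException("not a ClientHello");
        skip(b, 11);                               // length, message_seq, fragment offset/length
        skip(b, 2 + 32);                           // client_version, random
        skip(b, b.get() & 0xff);                   // session_id
        skip(b, b.get() & 0xff);                   // cookie (DTLS only)
        skip(b, b.getShort() & 0xffff);            // cipher_suites
        skip(b, b.get() & 0xff);                   // compression_methods
        Map<Integer, byte[]> exts = new LinkedHashMap<>();
        if (!b.hasRemaining()) return exts;        // the extensions block is optional
        int end = b.getShort() & 0xffff;           // length of the extensions block
        end += b.position();                       // absolute offset where it ends
        while (b.position() < end) {
            int type = b.getShort() & 0xffff;
            byte[] data = new byte[b.getShort() & 0xffff];
            b.get(data);
            exts.put(type, data);
        }
        return exts;
    }

    static void skip(ByteBuffer b, int n) { b.position(b.position() + n); }

    public static void main(String[] args) {
        // Constructed sample: DTLS 1.2 ClientHello offering heartbeat (15) and type 23.
        ByteBuffer s = ByteBuffer.allocate(78);
        s.put((byte) 22).putShort((short) 0xfefd).putShort((short) 0).put(new byte[6]).putShort((short) 65);
        s.put((byte) 1).put(new byte[] {0, 0, 53}).putShort((short) 0).put(new byte[3]).put(new byte[] {0, 0, 53});
        s.putShort((short) 0xfefd).put(new byte[32]).put((byte) 0).put((byte) 0);
        s.putShort((short) 2).putShort((short) 0xc02b).put((byte) 1).put((byte) 0);
        s.putShort((short) 9).putShort((short) 15).putShort((short) 1).put((byte) 1);
        s.putShort((short) 23).putShort((short) 0);
        parse(s.array()).forEach((type, data) -> System.out.println(type == EXT_HEARTBEAT
            ? "heartbeat offered, mode=" + data[0] + " (1=peer_allowed_to_send, 2=peer_not_allowed_to_send)"
            : "extension type " + type + ", " + data.length + " bytes"));
    }
}
```

The same extension layout appears in the ServerHello, so comparing the two lists shows which of the offered extensions the server side actually accepted.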