Hi,
we're looking at a requirement to secure certain TLS 1.2 CBC ciphers by using the TLS extension encrypt-then-MAC (RFC 7366) for an installation of Oracle Unified Directory using a supported Oracle Java 8 JDK.
I cannot seem to find anything about that TLS extension with regards to the JDK or JSSE, in any kind of documentation. (The only TLS extensions I find mentioned is SNI and MFLM.) However, there does seem to be code present for it, as per this since 2018:
Blaming shenandoah/src/java.base/share/classes/sun/security/ssl/SSLExtension.java at master · openjdk/shenandoah · GitHub
Does anybody have any insight into whether this is EXCLUSIVELY for 1.3, or whether it can be enabled for TLS 1.2, or maybe it is even a new default?
I have been told that EtM could be present since Java 8u51 and should work automatically without additional configuration if the client requests the extension in the ClientHello, but I have neither found an official statement nor am I able to get my Java-based test client to announce the extension (mainly because I cannot find any documentation on how one would do that.)
Can anybody comment on the support for the extension (maybe there is some kind of official statement, somewhere) or shed some light on how to get the client above to mention the extension in the ClientHello so I can maybe verify EtM myself?
TIA,
K.