Code review request, JEP 114, 7068321 Support TLS Server Name Indication (SNI) Extension in JSSE Server
Xuelei Fan
xuelei.fan at oracle.com
Tue Oct 9 16:02:30 UTC 2012
The new webrev with the updated spec and implementation:
http://cr.openjdk.java.net./~xuelei/7068321/webrev.12/
Xuelei
On 10/9/2012 11:56 PM, Xuelei Fan wrote:
> Thanks for the comments. The new comments for
> SSLEngine/SSLSocket/SSLServerSocket do make the spec much more simple
> and clear.
>
> BTW, I removed the restriction on SSLSocketFactory.createSocket(), the
> socket parameter can be an instance of SSLSocket.
>
> The spec review is closed. Please file new bugs if you have other concerns.
>
> Thanks,
> Xuelei
>
> On 10/9/2012 9:03 AM, Brad Wetmore wrote:
>>
>> On 9/26/2012 8:05 AM, Xuelei Fan wrote:
>>> Hi,
>>>
>>> Please review the implementation of JEP 114/CR 7068321, Support TLS
>>> Server Name Indication (SNI) Extension in JSSE Server.
>>>
>>> JEP 114: http://openjdk.java.net/jeps/114
>>> BuG : http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7068321
>>> webrev : http://cr.openjdk.java.net./~xuelei/7068321/webrev.10/
>>
>> Not a lot of comments since we've already done so much over the last few
>> months. :)
>>
>> If you modified anything else that we hadn't talked about previously,
>> please call it out. I didn't do a complete line/line review, just
>> looking at the main points and previous comments.
>>
>>
>> javax/net/ssl/SSLSocket.java
>> javax/net/ssl/SSLEngine.java
>> javax/net/ssl/SSLServerSocket.java
>> ==================================
>> (Xuelei and I have been having internal discussions about how to rework
>> some of the lengthy verbage currently in the SSLParameters class, so
>> this comment builds on that discussion.)
>>
>> I just noticed three classes missing from the webrev. We are updating
>> the SSLParameters class with two new data structures (Host
>> names/Matchers), but the actual discussion of what happens to the
>> underlying SSLSockets/SSLEngines/SSLServerSocket is missing. Note we
>> did that for the other values like protocols/cipherSuites.
>>
>> Rather than the current discussion in SSLParameters about "previously
>> configured/default", I would like to suggest we follow the simple
>> discussion already in the javadocs, and it can shorten the verbiage in
>> SSLParameters very significantly! Even though we don't have equivalent
>> methods (setEnabledHostNames()) in SSLSocket/SSLEngine/SSLServer, we
>> should still talk about what happens when called:
>>
>> Add:
>>
>> This means:
>>
>> o ...deleted...
>> o if params.getServerNames() is non-null, the socket will configure
>> its server names with that value.
>> o if params.getSNIMatchers() is non-null, the socket will configure
>> its SNI matchers with that value.
>>
>> This places the behavior explanation better where it should be, and not
>> in the configuration discussion.
>>
>> Now in the SSLParameters we simply talk about the effects these methods
>> have on the SSLParameters class and what the values represent. We
>> already have the link to
>> SSLSocket/SSLServerSocket/SSLEngine.setSSLParameters(). So...
>>
>> setServerNames() remains as is.
>> setSNIHostNames() remains as is.
>>
>> getServerNames():
>> =================
>> 316: Add to the constructor
>> ", or null if none has been set."
>>
>> 321-326: We can leave this discussion if desired, I think it sets up
>> the discussion for 327-341 well. I might suggest reordering the points
>> slightly:
>>
>> * It is recommended that providers initialize default Server Name
>> * Indications when creating
>> * <code>SSLSocket</code>/<code>SSLEngine</code>s. In the following
>> * examples, the server name could be represented by an instance of
>> * {@link SNIHostName} which has been initialized with the hostname
>> * "www.example.com" and type {@link StandardConstants#SNI_HOST_NAME}.
>> *
>> * <pre>
>> * Socket socket =
>> * sslSocketFactory.createSocket("www.example.com", 443);
>> * </pre>
>> * or
>> * <pre>
>> * SSLEngine engine =
>> * sslContext.createSSLEngine("www.example.com", 443);
>> * </pre>
>> * <P>
>>
>> 342-367: Remove these lines. All the necessary info is in the
>> setSSLParameters methods.
>>
>> getSNIHostNames():
>> ==================
>> 435: Add to the constructor
>> ", or null if none has been set."
>>
>> 440-471: Remove these lines.
>>
>> Nice and clean. All the discussion about default/current goes away.
>>
>> javax/net/ssl/SNIHostName.java
>> ==============================
>> 52: Do you want to remind folks here that this class is supposed to be
>> immutable?
>>
>> 64: Not sure if caching this hash value will actually add much to
>> performance vs. volatile adds overhead. There will only a few of these
>> (likely 1).
>>
>> 85-86: Should these fragments be separated "," instead of "." as you
>> did below in 143-149. You probably need an "or" before the last item.
>>
>> 147: You probably need an "or" before the last item.
>>
>> javax/net/ssl/SNIMatcher.java
>> =============================
>> 32: Do you want to spell out Server Name Indication before you use the
>> abbreviation? Or link to RFC 6066? Just a thought, not strictly
>> necessary.
>>
>> 105: Empty line at end of file.
>>
>> javax/net/ssl/SNIServerName.java
>> ================================
>> 56: Same comment about hashCode/volatile.
>>
>> 136: Might want to add a <p> between sentences.
>>
>> javax/net/ssl/StandardConstants.java
>> ====================================
>> OK
>>
>> javax/net/ssl/ExtendedSSLSession.java
>> =====================================
>> OK
>>
>> javax/net/ssl/SSLParameters.java
>> ================================
>> See above. No other comments.
>>
>> javax/net/ssl/SSLSocketFactory.java
>> ===================================
>> Ok.
>>
>>
>> So that you can update and submit to CCC, I'll stop here, but the
>> implementation review will be continued in next email.
>>
>> Hope this helps,
>>
>> Brad
>
More information about the security-dev
mailing list