[Update]: JEP 249 (OCSP Stapling for TLS)
Xuelei Fan
xuelei.fan at oracle.com
Sat Jul 18 23:56:21 UTC 2015
In the new webrev, you try the approach to throw exceptions
CertificateStatus constructor and catch it in ServerHandshaker. It is a
kind a abuse of SSLHandshakeException. I would like to make the
checking before construct CertificateStatus in ServerHandshaker. It's
really hard to understand the code. When I find a
SSLHandshakeException, firstly, I think the connection would be
terminated. But actually the handshaking can continue. It's not easy
to understand the code.
You can file a new bug and make the update later.
Xuelei
On 7/1/2015 10:42 AM, Xuelei Fan wrote:
> On 7/1/2015 10:02 AM, Jamil Nimeh wrote:
>>
>>
>> On 06/30/2015 06:04 PM, Xuelei Fan wrote:
>>> On 7/1/2015 6:39 AM, Jamil Nimeh wrote:
>>>>> src/java.base/share/classes/sun/security/ssl/HandshakeMessage.java
>>>>> ==================================================================
>>>>> line 713/714, 730/731 throws SSLHandshakeException for extension
>>>>> constructor in server side. That's unlikely to happen, I think. I was
>>>>> wondering, if CertificateStatus cannot be constructed, the server may
>>>>> not want to send the message, rather than terminate the connection
>>>>> immediately.
>>>> I think you're right. While the exception is unlikely, I'd like to have
>>>> the HandshakeMessage throw the exception if something bad happens. I do
>>>> however, agree that we shouldn't make it a fatal error. I'll catch the
>>>> exception in ServerHandshaker, log it, and just not send the message as
>>>> you suggested since that is legal. OK?
>>> I have not read the server side implementation. I would like firstly
>>> check whether the message should be delivered, and than new the
>>> instance. Exception catching is not performance friendly, and looks a
>>> little bit not-straightforward. I think you may want a static method
>>> for the validity checking in CertificateStatus class, instead.
>> As it is written today, the ServerHandshaker will only create a new
>> CertificateStatus instance if the following is true:
>>
>> * Stapling has already been activated in the server (meaning that the
>> client requested it and the server has the feature enabled)
>> * A "get" operation was done from the StatusResponseManager and at
>> least one OCSP response was returned. In other words, if no
>> responses can be brought back from the SRM, then there's no point in
>> even asserting status_request[_v2] in the ServerHello.
>>
>> I don't see the advantage of making a static method that does what is
>> already accomplished in two lines of code in ServerHandshaker (873-4).
>>
> Good you can accomplish it in ServerHandshaker.
>
>>>
>>> It's OK to throw exception if something bad happens. For easy reading,
>>> please have a comment that it is unlikely to happen if you keep the
>>> throw exception blocks.
>> Okay, I can definitely do that. There are some cases where I think we
>> need to throw an exception, particularly on the constructor from a
>> HandshakeInStream.
> It's the expected behavior to throw exception for reading issues. What
> we are talking about previously is for write side constructor.
>
> Thanks,
> Xuelei
>
>> That's a case where we want the client to Alert if
>> the server asserts some weird/unsupported/illegal type or does something
>> like type = ocsp and a zero length response (also illegal according to
>> the spec). Zero length responses are OK for ocsp_multi, though.
>>
>
More information about the security-dev
mailing list