RFR 8133632: javax.net.ssl.SSLEngine does not properly handle received SSL fatal alerts
Xuelei Fan
xuelei.fan at oracle.com
Wed Nov 2 08:56:15 UTC 2016
Looks fine to me exception that you may also want to consider the case:
1850 if (description == -1) { // check for short message
1851 fatal(Alerts.alert_illegal_parameter, "Short alert message");
1852 }
If the level is not warning, please don't sent the alert any more at
line 1851 (via fatal()).
Xuelei
On 11/2/2016 3:30 PM, Jamil Nimeh wrote:
> Hello folks,
>
> This fixes an issue in SSLEngine that happens when an engine unwraps a
> TLS fatal alert record. The resulting engine state still leaves both
> input and output queues in an open state, and in NEED_UNWRAP. Unwrapping
> just causes the exception thrown as a result of processing the exception
> to be thrown again.
>
> This fix updates the resulting state of the engine in this particular
> case to have both I/O queues closed and updates the state of the engine
> to NOT_HANDSHAKING.
>
> Bug: https://bugs.openjdk.java.net/browse/JDK-8133632
> Webrev: http://cr.openjdk.java.net/~jnimeh/reviews/8133632/webrev.01/
>
> Thanks,
> --Jamil
More information about the security-dev
mailing list