RFR 8133632: javax.net.ssl.SSLEngine does not properly handle received SSL fatal alerts

Jamil Nimeh jamil.j.nimeh at oracle.com
Thu Nov 3 00:13:35 UTC 2016


Good suggestion.  Updated webrev below:

http://cr.openjdk.java.net/~jnimeh/reviews/8133632/webrev.02/

On 11/2/2016 1:56 AM, Xuelei Fan wrote:
> Looks fine to me except that you may also want to consider the case:
>
> 1850   if (description == -1) { // check for short message
> 1851       fatal(Alerts.alert_illegal_parameter, "Short alert message");
> 1852   }
>
> If the level is not warning, please don't send the alert any more at 
> line 1851 (via fatal()).
>
> Xuelei
>
> On 11/2/2016 3:30 PM, Jamil Nimeh wrote:
>> Hello folks,
>>
>> This fixes an issue in SSLEngine that happens when an engine unwraps a
>> TLS fatal alert record.  The resulting engine state still leaves both
>> input and output queues in an open state, and in NEED_UNWRAP. Unwrapping
>> just causes the exception thrown as a result of processing the exception
>> to be thrown again.
>>
>> This fix updates the resulting state of the engine in this particular
>> case to have both I/O queues closed and updates the state of the engine
>> to NOT_HANDSHAKING.
>>
>> Bug: https://bugs.openjdk.java.net/browse/JDK-8133632
>> Webrev: http://cr.openjdk.java.net/~jnimeh/reviews/8133632/webrev.01/
>>
>> Thanks,
>> --Jamil
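
The engine state discussed in this thread can be observed with a small harness. This is an added example, not code from the webrev or from the JDK: the class name `FatalAlertState` and the alert bytes are constructed for illustration, and it assumes the default `SSLContext` is usable in client mode.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSession;
import java.nio.ByteBuffer;

// Hypothetical harness: feed a fatal alert to a client-mode SSLEngine that is
// mid-handshake, then report the state the application sees afterwards.
public class FatalAlertState {
    public static void main(String[] args) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(true);

        SSLSession session = engine.getSession();
        ByteBuffer net = ByteBuffer.allocate(session.getPacketBufferSize());
        ByteBuffer app = ByteBuffer.allocate(session.getApplicationBufferSize());

        // Emit the ClientHello so the engine is waiting for the peer's reply.
        engine.beginHandshake();
        engine.wrap(ByteBuffer.allocate(0), net);
        System.out.println("before alert: " + engine.getHandshakeStatus());

        // Constructed sample record: content type 21 (alert), version 3.3,
        // length 2, level 2 (fatal), description 40 (handshake_failure).
        ByteBuffer alert = ByteBuffer.wrap(
                new byte[] {0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x28});

        try {
            engine.unwrap(alert, app);
        } catch (SSLException e) {
            System.out.println("unwrap threw: " + e);
        }

        // With the fix described in the thread, both queues are closed and the
        // engine is NOT_HANDSHAKING, so a caller can tear the connection down
        // instead of calling unwrap() again and getting the same exception.
        System.out.println("inbound done:  " + engine.isInboundDone());
        System.out.println("outbound done: " + engine.isOutboundDone());
        System.out.println("status:        " + engine.getHandshakeStatus());
    }
}
```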



