RFR 8133632: javax.net.ssl.SSLEngine does not properly handle received SSL fatal alerts
Xuelei Fan
xuelei.fan at oracle.com
Thu Nov 3 00:35:07 UTC 2016
Looks fine to me.
Thanks,
Xuelei
On 11/3/2016 8:13 AM, Jamil Nimeh wrote:
> Good suggestion. Updated webrev below:
>
> http://cr.openjdk.java.net/~jnimeh/reviews/8133632/webrev.02/
>
> On 11/2/2016 1:56 AM, Xuelei Fan wrote:
>> Looks fine to me exception that you may also want to consider the case:
>>
>> 1850 if (description == -1) { // check for short message
>> 1851 fatal(Alerts.alert_illegal_parameter, "Short alert message");
>> 1852 }
>>
>> If the level is not warning, please don't sent the alert any more at
>> line 1851 (via fatal()).
>>
>> Xuelei
>>
>> On 11/2/2016 3:30 PM, Jamil Nimeh wrote:
>>> Hello folks,
>>>
>>> This fixes an issue in SSLEngine that happens when an engine unwraps a
>>> TLS fatal alert record. The resulting engine state still leaves both
>>> input and output queues in an open state, and in NEED_UNWRAP. Unwrapping
>>> just causes the exception thrown as a result of processing the exception
>>> to be thrown again.
>>>
>>> This fix updates the resulting state of the engine in this particular
>>> case to have both I/O queues closed and updates the state of the engine
>>> to NOT_HANDSHAKING.
>>>
>>> Bug: https://bugs.openjdk.java.net/browse/JDK-8133632
>>> Webrev: http://cr.openjdk.java.net/~jnimeh/reviews/8133632/webrev.01/
>>>
>>> Thanks,
>>> --Jamil
>
More information about the security-dev
mailing list