Code Review Request: JDK-8148421 (Extended Master Secret TLS extension)

Xuelei Fan xuelei.fan at oracle.com
Wed Oct 18 12:54:09 UTC 2017 

On 10/17/2017 11:45 AM, Martin Balao wrote:
>
> http://cr.openjdk.java.net/~sgehwolf/webrevs/mbalaoal/JDK-8148421/webrev.03/ 

TlsMasterSecretParameterSpec.java
---------------------------------
This spec update impacts the PKCS11 implementation too.  Please update 
jdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11TlsMasterSecretGenerator.java 
as well.


ClientHandshaker.java:
----------------------
Per RFC 7627:
1. For full handshaking, a client MUST send the "extended_master_secret" 
extension.
2. A client SHOULD NOT offer an abbreviated handshake to resume a 
session that that does not use an extended master secret.  Instead, it 
SHOULD offer a full handshake.
3. When offering an abbreviated handshake, the client MUST send the 
"extended_master_secret" extension in its ClientHello.
4. For abbreviated handshake, if the original session did not use the 
"extended_master_secret" extension but the new ServerHello contains the 
extension, the client MUST abort the handshake.
5. For abbreviated handshake, if the original session used the extension 
but the new ServerHello does not contain the extension, the client MUST 
abort the handshake.

If I'm reading correct, the update in ClientHandshaker.java implements 
#1, but missing #2, #4 and #5, and a conditional support of #3.

For the missing of #4 and #5, it might be mainly caused by that the 
800-828 lines are put in a place where full handshaking happens. 
Abbreviated handshake return at line 756 and cannot reach line 800.

For #2, I may suggest combine the extension together with System 
property "jdk.tls.allowUnsafeServerCertChange".  If not using extended 
master secret, and not allowUnsafeServerCertChange, and 
useExtendedMasterSecretExtension, do not offer abbreviated handshake. 
Using full handshake instead for TLS 1.0+.  Besides, if using the 
extension, don't use the server certificate change checking any more. 
See allowUnsafeServerCertChange comments in ClientHandshaker.java.

For #3, I may always send the "extended_master_secret" extension, the 
server side can handle it property, no matter the original session use 
the extension or not.


SSLSessionImpl.java
-------------------
   94  private boolean useExtendedMasterSecret;
  200  void setUseExtendedMasterSecret() {
  211  boolean getUseExtendedMasterSecret() {

I may suggest use "final" useExtendedMasterSecret (set during 
construction), so that the set/get methods do not compete against each 
other.  Using "final" may need to adjust some source code.  Looks like 
it is doable.


ServerHandshaker.java
---------------------
For safer, as there is no compatibility impact as if the client request 
for the extension, I think we may want to always enable the extension in 
server side.  It means the system property 
"jsse.useExtendedMasterSecret" disables the extension in client side 
only.  And the property cannot be used to disable server acceptance of 
the extension.

Per RFC 7627:
A. For full handshaking, if a server implementing this document receives 
the "extended_master_secret" extension, it MUST include the extension in 
its ServerHello message.
B. For abbreviated handshake request, If the original session did not 
use the "extended_master_secret" extension but the new ClientHello 
contains the extension, then the server MUST NOT perform the abbreviated 
handshake.  Instead, it SHOULD continue with a full handshake.
C. For abbreviated handshake request, if the original session used the 
"extended_master_secret" extension but the new ClientHello does not 
contain it, the server MUST abort the abbreviated handshake.
D. For abbreviated handshake request, if neither the original session 
nor the new ClientHello uses the extension, the server SHOULD abort the 
handshake.
E. For abbreviated handshake request, if the new ClientHello contains 
the extension and the server chooses to continue the handshake, then the 
server MUST include the "extended_master_secret" extension in its 
ServerHello message.

If I'm reading correct, the update in ServerHandshaker.java implements 
#A, #C and #E, but missing #B and #C.

For #B, I think it should be fine to follow the spec: continue with a 
full handshake.

For #C, I was wondering we may need a new system property 
(jsse.allowLegacyResumption?) to turn on/off this behavior.  If 
application want a strict mode, the server abort the abbreviated 
handshake for case #C.  Otherwise, the server can continue with an 
abbreviated handshake in order to support legacy resumption.

Hope it helps!

Regards,
Xuelei

More information about the security-dev mailing list