Code Review Request JDK-8209965 : The "supported_groups" extension in ServerHellos

Anthony Scarpino anthony.scarpino at oracle.com
Sun Aug 26 21:35:07 UTC 2018


The change looks fine but I have a question about restricting it. 

This sounds like a problem with servers using 1.2 or before, does it make sense to throw an error for 1.3? I don’t like allowing buggy implementation to continue because we will never be able to undo this workaround.  It would be nice if when someday 1.2 is removed, this change won’t persist in our code base. I realize this maybe a lot to ask given the decision of the protocol version hasn’t been made yet I believe.  If it’s unreasonable, that is ok. I’m fine with the change as is. 

Tony

> On Aug 26, 2018, at 7:39 AM, Xuelei Fan <xuelei.fan at oracle.com> wrote:
> 
> Hi,
> 
> Please review a compatibility fix for SunJSSE provider:
>    http://cr.openjdk.java.net/~xuelei/8209965/webrev.00
> 
> There are servers that send the supported_groups extension in the ServerHello handshake message.  It does not comply to the specification.  However, as there are a few deployments already with the buggy implementation, we may want to tolerate this behavior in JDK.
> 
> Note that although this extension is allowed in the ServerHello, it should be ignored and have no impact on the client behavior.
> 
> The problem was reported and the fix was tested in OopenJDK:
> http://mail.openjdk.java.net/pipermail/security-dev/2018-August/018005.html
> 
> 
> Thanks,
> Xuelei




More information about the security-dev mailing list