Code Review Request JDK-8209965 : The "supported_groups" extension in ServerHellos
Xuelei Fan
xuelei.fan at oracle.com
Mon Aug 27 14:12:56 UTC 2018
Hi Tony,
I thought about to limit the workaround to TLS 1.2 and prior version.
However, just as you noticed that the implementation is not effective as
it is needed to wait and check for the supported_versions extension if
it presents. As may make the workaround a lot complicated. I would
prefer to a simple change for now.
Thanks,
Xuelei
On 8/26/2018 2:35 PM, Anthony Scarpino wrote:
> The change looks fine but I have a question about restricting it.
>
> This sounds like a problem with servers using 1.2 or before, does it make sense to throw an error for 1.3? I don’t like allowing buggy implementation to continue because we will never be able to undo this workaround. It would be nice if when someday 1.2 is removed, this change won’t persist in our code base. I realize this maybe a lot to ask given the decision of the protocol version hasn’t been made yet I believe. If it’s unreasonable, that is ok. I’m fine with the change as is.
>
> Tony
>
>> On Aug 26, 2018, at 7:39 AM, Xuelei Fan <xuelei.fan at oracle.com> wrote:
>>
>> Hi,
>>
>> Please review a compatibility fix for SunJSSE provider:
>> http://cr.openjdk.java.net/~xuelei/8209965/webrev.00
>>
>> There are servers that send the supported_groups extension in the ServerHello handshake message. It does not comply to the specification. However, as there are a few deployments already with the buggy implementation, we may want to tolerate this behavior in JDK.
>>
>> Note that although this extension is allowed in the ServerHello, it should be ignored and have no impact on the client behavior.
>>
>> The problem was reported and the fix was tested in OopenJDK:
>> http://mail.openjdk.java.net/pipermail/security-dev/2018-August/018005.html
>>
>>
>> Thanks,
>> Xuelei
>
More information about the security-dev
mailing list