[PATCH] JDK-8190917 : SSL session resumption, through handshake, in SSLEngine is broken for any protocols lesser than TLSv1.2

Jaikiran Pai jai.forums2013 at gmail.com
Sat Feb 24 05:17:03 UTC 2018

Sounds fine, thank you Xuelei. Would this later be backported to Java 9 too?


On 24/02/18 12:21 AM, Xuelei Fan wrote:
> Hi Jaikiran,
> Thanks a lot for the update.  Your code looks fine to me.
> As we are working on the re-org of the implementation[1] now, I may 
> integrate your contribution shortly after the re-org changes.
> Thanks,
> Xuelei
> [1]: 
> http://mail.openjdk.java.net/pipermail/security-dev/2018-February/016815.html
> On 2/22/2018 9:58 PM, Jaikiran Pai wrote:
>> Given some recent changes to the class involved in this patch, in the 
>> jdk repo (http://hg.openjdk.java.net/jdk/jdk), I noticed some merge 
>> conflicts to this patch today. So I've now attached an updated patch 
>> which resolves those merge issues. This has been tested with latest 
>> jtreg (tip).
>> -Jaikiran
>> On 06/12/17 9:35 PM, Jaikiran Pai wrote:
>>> Thank you Xuelei. Please take your time.
>>> -Jaikiran
>>> On Wednesday, December 6, 2017, Xuelei Fan <xuelei.fan at oracle.com 
>>> <mailto:xuelei.fan at oracle.com>> wrote:
>>>     Hi Jaikiran,
>>>     I will sponsor this contribution.  I need more time for the review
>>>     and testing.
>>>     Thanks,
>>>     Xuelei
>>>     On 11/23/2017 9:22 PM, Jaikiran Pai wrote:
>>>         As noted in [1], there's a regression in Java 9, where SSL
>>>         session resumption no longer works for SSL protocols other
>>>         than TLSv1.2. The code which is responsible for session
>>>         resumption resides in the ServerHandshaker[2], in the
>>>         clientHello method. This method, in its logic to decide
>>>         whether or not to resume a (previously) cached session, checks
>>>         if the client hello message has a session id associated. If it
>>>         does, it then fetches a session from the cache. If it does
>>>         find a previously cached session for that id, it then goes
>>>         ahead to check if the SSL protocol associated with the cached
>>>         session matches with the protocol version that's
>>>         "applicable/selected" of the incoming client hello message.
>>>         However, a relatively recent change[3] has, IMO,
>>>         unintentionally caused the protocol version check logic to
>>>         fail for protocols other than TLSv1.2. The protocol version
>>>         check looks like:
>>>         // cannot resume session with different
>>>         if (oldVersion != protocolVersion) {
>>>         resumingSession = false;
>>>         }
>>>         The `protocolVersion` variable in this case happens to be a
>>>         _default initialized value_ (TLSv1.2) instead of the one
>>>         that's "selected" based on the incoming client hello message.
>>>         As a result the `protocolVersion` value is always TLSv1.2 and
>>>         thus for any other protocols, this comparison fails, even when
>>>         the client hello message uses the right session id and the
>>>         right protocol that matches the previous session.
>>>         The attached patch, includes a potential fix to this issue.
>>>         The change makes sure that the protocol selection, based on
>>>         the client hello message, is done before this session
>>>         resumption check and also makes sure it uses that "selected"
>>>         protocol in the version comparison check instead of the class
>>>         member `protocolVersion` (which gets set when the server hello
>>>         message is finally being sent).
>>>         The attached patch also contains a (jtreg) test case which
>>>         reproduces this bug and verifies this fix. The test case tests
>>>         the session resumption against TLSv1, TLSv1.1 and TLSv1.2. The
>>>         test code itself is a minor modification of the SSL demo
>>>         that's available here [4].
>>>         This is my first OpenJDK patch and my OCA got approved a few
>>>         days back. Could someone please help with the review of this
>>>         patch?
>>>         P.S: I noticed that the JIRA got assigned a few days back. I
>>>         am not sure if that means the fix is already being worked upon
>>>         by someone else from the team. If that's the case, then let me
>>>         know and I'll let it be handled by them.
>>>         [1] https://bugs.openjdk.java.net/browse/JDK-8190917
>>> <https://bugs.openjdk.java.net/browse/JDK-8190917>
>>>         [2]
>>> http://hg.openjdk.java.net/jdk/jdk/file/b7ae1437111b/src/java.base/share/classes/sun/security/ssl/ServerHandshaker.java
>>> <http://hg.openjdk.java.net/jdk/jdk/file/b7ae1437111b/src/java.base/share/classes/sun/security/ssl/ServerHandshaker.java>
>>>         [3] http://hg.openjdk.java.net/jdk9/jdk9/jdk/rev/42268eb6e04e
>>> <http://hg.openjdk.java.net/jdk9/jdk9/jdk/rev/42268eb6e04e>
>>>         [4]
>>> https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/samples/sslengine/SSLEngineSimpleDemo.java
>>> <https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/samples/sslengine/SSLEngineSimpleDemo.java>
>>>         -Jaikiran

More information about the security-dev mailing list