RFR 8206929: Check session context for TLS session resumption

Adam Petcher adam.petcher at oracle.com
Fri Jul 13 15:08:18 UTC 2018


Here's a new Webrev that includes this change: 
http://cr.openjdk.java.net/~apetcher/8206929/webrev.01/


On 7/12/2018 1:02 PM, Xuelei Fan wrote:
> Setting it in PostHandshakeContext should be fine, as the session should 
> have been negotiated.
>
> Thanks,
> Xuelei
>
> On 7/12/2018 9:57 AM, Adam Petcher wrote:
>> This value needs to be set when we create a PostHandshakeContext from 
>> a TransportContext. This only happens after the handshake is 
>> complete, so we should always have a session (right?).
>>
>> It may be better to set localSupportedSignAlgs in the constructor of 
>> PostHandshakeContext instead of where it is now. Would that address 
>> your concern?
>>
>>
>> On 7/12/2018 12:45 PM, Xuelei Fan wrote:
>>> A quick question about the update in HandshakeContext.java.
>>>
>>> +   this.localSupportedSignAlgs = new ArrayList<SignatureScheme>(
>>> + conContext.conSession.getLocalSupportedSignatureSchemes());
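Review bot: In the assignment to this.localSupportedSignAlgs, conContext.conSession is dereferenced and the result of getLocalSupportedSignatureSchemes() is passed straight to the ArrayList copy constructor, with no null check on either. A null at this point throws NullPointerException from the constructor. Suggest guarding the copy (or asserting that the session is present) and leaving the field null when there is nothing to copy, so that "not yet set" stays distinguishable from an empty list.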
>>>
>>> Why set the value here?  The 'null' value of localSupportedSignAlgs 
>>> has a special meaning that it has not been set.  A few places depend 
>>> on this special value.  The above update may set it to empty if the 
>>> session has not been established, and then prevent the proper 
>>> setting of the value of it later.
>>>
>>> Xuelei
>>>
>>> On 7/12/2018 8:50 AM, Adam Petcher wrote:
>>>> This change adds some checks for session resumption in TLS 1.3 to 
>>>> ensure that the resumed session is compatible with what is 
>>>> requested. Specifically, I'm adding checks for protocol version, 
>>>> cipher suite, client authentication, and signature schemes. There 
>>>> are also some minor whitespace formatting changes in 
>>>> PreSharedKeyExtension.java.
>>>>
>>>> This is a JDK 11 change, so please review soon.
>>>>
>>>> Webrev: http://cr.openjdk.java.net/~apetcher/8206929/webrev.00/
>>>> JBS: https://bugs.openjdk.java.net/browse/JDK-8206929
>>>>
>>
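The four resumption checks named in the original review request (protocol version, cipher suite, client authentication, signature schemes), as an added Java example that is not code from the webrev or the JDK. The types, fields and comparison rules are assumptions made for illustration, including treating a null scheme set as "not set yet" rather than empty.

```java
import java.util.List;
import java.util.Set;

// Added illustration: every type, field and sample value here is hypothetical.
public class ResumptionCheck {
    // State kept with the cached session.
    record CachedSession(String protocol, String cipherSuite,
                         boolean peerAuthenticated, Set<String> sigSchemes) {}

    // What the new handshake and the local configuration ask for.
    // sigSchemes == null means "not set yet", which differs from an empty set.
    record Request(String protocol, List<String> offeredSuites,
                   boolean clientAuthRequired, Set<String> sigSchemes) {}

    // Returns null if the session may be resumed, otherwise the reason for
    // falling back to a full handshake.
    static String rejectReason(CachedSession s, Request r) {
        if (!s.protocol().equals(r.protocol()))
            return "protocol version differs";
        if (!r.offeredSuites().contains(s.cipherSuite()))
            return "cipher suite not offered";
        if (r.clientAuthRequired() && !s.peerAuthenticated())
            return "client auth required but session has no authenticated peer";
        if (r.sigSchemes() == null)
            return "local signature schemes not set";
        if (!r.sigSchemes().containsAll(s.sigSchemes()))
            return "session used a signature scheme that is no longer enabled";
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample data.
        Set<String> schemes = Set.of("ecdsa_secp256r1_sha256", "rsa_pss_rsae_sha256");
        List<String> suites = List.of("TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384");
        CachedSession s = new CachedSession("TLSv1.3", "TLS_AES_128_GCM_SHA256", false, schemes);

        Request[] requests = {
            new Request("TLSv1.3", suites, false, schemes),
            new Request("TLSv1.3", suites, true, schemes),
            new Request("TLSv1.3", suites, false, Set.of("rsa_pss_rsae_sha256")),
            new Request("TLSv1.3", suites, false, null),
        };
        for (Request r : requests) {
            String why = rejectReason(s, r);
            System.out.println(why == null ? "resume" : "full handshake: " + why);
        }
    }
}
```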


