RFR 8206929: Check session context for TLS session resumption

Adam Petcher adam.petcher at oracle.com
Mon Jul 16 17:38:54 UTC 2018


New webrev:
http://cr.openjdk.java.net/~apetcher/8206929/webrev.02/

On 7/13/2018 4:55 PM, Xuelei Fan wrote:

> On 7/13/2018 12:13 PM, Adam Petcher wrote:
>
>> This includes checking the peer supported signature algorithms. Maybe 
>> this is a good idea, but I think it is not in scope of this ticket, 
>> and it should be discussed separately. If you want to pursue this, 
>> feel free to open another ticket for it.
>>
> I would treat it as a part of the bug.  I'm fine if you just want to 
> fix half of it.  I need a confirmation.  Please let me know if you 
> want another half be addressed in a new bug.

Confirmed. I'm only adding checks to ensure that sessions are acceptable 
according to local constraints, which may be influenced by information 
in messages. If you think additional validation is needed, please create 
another ticket. I believe I have addressed the issues with protocol 
version and cipher suite (because they are related to local 
constraints), and the only remaining issue is the check for 
peer-supported signature schemes.

> I meant to ask whether server side validate the client input.  See 
> what we did for TLS v1.2 in line 973 of ClientHello.java.

Sorry. I misunderstood what you asked. I think we should do the same 
thing, and this is a minor bug in the Webrev. At the point where the 
client's PSK extension is processed, the protocol version has already 
been negotiated. So the server can check the session version against the 
negotiated version. The latest Webrev has this change.

> I meant to ask whether server side validate the client input.  See 
> what we did for TLS v1.2 in line 1003.

I misunderstood this question, too. I agree that we should add this 
check to make sure the cipher suite in the session can be negotiated. 
This change is in the updated Webrev.

Note that the relationship between sessions/PSKs and cipher suites is 
different in TLS 1.2 vs 1.3. In TLS 1.3, the cipher suite doesn't need 
to match---only the hash algorithm needs to match. We can make our 
implementation more permissive in the future, but for now, checking 
cipher suites is simpler.


More information about the security-dev mailing list