RFR 8206929: Check session context for TLS session resumption
Adam Petcher
adam.petcher at oracle.com
Mon Jul 16 17:38:54 UTC 2018
New webrev:
http://cr.openjdk.java.net/~apetcher/8206929/webrev.02/
On 7/13/2018 4:55 PM, Xuelei Fan wrote:
> On 7/13/2018 12:13 PM, Adam Petcher wrote:
>
>> This includes checking the peer supported signature algorithms. Maybe
>> this is a good idea, but I think it is not in scope of this ticket,
>> and it should be discussed separately. If you want to pursue this,
>> feel free to open another ticket for it.
>>
> I would treat it as a part of the bug. I'm fine if you just want to
> fix half of it. I need a confirmation. Please let me know if you
> want another half be addressed in a new bug.
Confirmed. I'm only adding checks to ensure that sessions are acceptable
according to local constraints, which may be influenced by information
in messages. If you think additional validation is needed, please create
another ticket. I believe I have addressed the issues with protocol
version and cipher suite (because they are related to local
constraints), and the only remaining issue is the check for
peer-supported signature schemes.
> I meant to ask whether server side validate the client input. See
> what we did for TLS v1.2 in line 973 of ClientHello.java.
Sorry. I misunderstood what you asked. I think we should do the same
thing, and this is a minor bug in the Webrev. At the point where the
client's PSK extension is processed, the protocol version has already
been negotiated. So the server can check the session version against the
negotiated version. The latest Webrev has this change.
> I meant to ask whether server side validate the client input. See
> what we did for TLS v1.2 in line 1003.
I misunderstood this question, too. I agree that we should add this
check to make sure the cipher suite in the session can be negotiated.
This change is in the updated Webrev.
Note that the relationship between sessions/PSKs and cipher suites is
different in TLS 1.2 vs 1.3. In TLS 1.3, the cipher suite doesn't need
to match---only the hash algorithm needs to match. We can make our
implementation more permissive in the future, but for now, checking
cipher suites is simpler.
More information about the security-dev
mailing list