Code Review Request: TLS 1.3 Implementation

Xuelei Fan xuelei.fan at oracle.com
Tue Jun 12 03:47:03 UTC 2018


Update: http://hg.openjdk.java.net/jdk/sandbox/rev/ae0cd8b2e2c2

Xuelei

On 6/11/2018 6:36 PM, Xuelei Fan wrote:
> 
> 
> On 6/11/2018 5:56 PM, Bradford Wetmore wrote:
> <...skipped...>
>>>>> 262:  What is the point of the aliases argument in the constructor? 
>>>>> Was the idea to provide a mapping between suites we originally 
>>>>> created with the SSL_ prefix vs the more current TLS_ prefix we 
>>>>> used in the later TLS protocols?  There is only an empty string in 
>>>>> every constructor, so this code doesn't do anything.
>>>>>
>>> Added the aliases.
>>
>> Great, thanks.  Once minor formatting comment which would help 
>> comparability/readability.  Take or leave it.
>>
>>      SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA(
>>              0x0016, true, "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
>>              "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
>>              ProtocolVersion.PROTOCOLS_TO_12,
>>              K_DHE_RSA, B_3DES, M_SHA, H_SHA256),
>> ->
>>      SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA(
>>              0x0016, true, "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
>>                            "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
>>              ProtocolVersion.PROTOCOLS_TO_12,
>>              K_DHE_RSA, B_3DES, M_SHA, H_SHA256),
>>
> It looks really nice, and I will take it.  Updated in my local 
> workspace, will push later in my next changeset.
> 
> <...skipped...>
>>>>> 840:  Is this else/break needed?
>>>>>
>>> Yes.  It is mostly for performance by ignoring unsupported cipher 
>>> suites look up.
>>
>> Ah, because they are coming out of .values() ordered, and the 
>> unsupported are at the end.  Can you change the comment:
>>
>> the following cipher suites are not supported.
>> ->
>> values() is ordered, remaining cipher suites are not supported.
>>
> Updated.
> 
>>
>>>>> SSLServerSocketImpl.java
>>>>> ------------------------
>>>>> 160:  You should allow multiple changes between server to client, 
>>>>> and switch enabled protocols/ciphersuites accordingly.
>>>>>
>>> Yes, multiple changes are allowed.
>>
>> I didn't see a change here.  If you go from server (default) to 
>> client, and then back again, shouldn't you reset to the original 
>> server values? And set sslConfig.useClientMode()
>>
>> e.g.
>>      sslServerSocket.setUseClientMode(true);
>>      sslServerSocket.setUseClientMode(false);
>>
>> The current code won't change back to server.
>>
> I may miss something.  I think, it is able to change back.
> 
> sslServerSocket.setUseClientMode(true) ->
>    if it is server mode, set to use client mode; and if using default 
> protocols, set to use client default protocols; if using default cipher 
> suites, set to use client default cipher suites.  sslConfig is set to 
> use client mode.
> 
> sslServerSocket.setUseClientMode(false);
>    if it is client mode, set to use server mode; and id using default 
> protocols, set to use server default protocols; if using default cipher 
> suites, set to use server default cipher suites.  sslConfig is set to 
> use server mode.
> 
> Thanks,
> Xuelei


More information about the security-dev mailing list