Code Review Request: TLS 1.3 Implementation

Bradford Wetmore bradford.wetmore at oracle.com
Tue Jun 12 21:55:17 UTC 2018 

>> I see what you're doing, but I'm not understanding why we're not 
>> checking the other direction also?
>>
>> e.g.  if (p < SSLv3 && not SSLv2) || (p > TLSv1.3 ) {
>>
> Per TLS 1.2 version negotiation specification, the higher number is not 
> limited.  For example, if client request for TLS 1.9, the server can 
> response with TLS 1.2.   If the version if 1.9, this method does not 
> reject it here.  However, it may be not necessary in practice.

Ah, Appendix E.1 of RFC 5246.

    If a TLS server receives a ClientHello containing a version number
    greater than the highest version supported by the server, it MUST
    reply according to the highest version supported by the server.

Thanks.

Brad

> Thanks,
> Xuelei
> 
>> Thanks,
>>
>> Brad
>>
>>
>>>> 289:  You already checked this condition in 285-287 above.  And then 
>>>> 304 is no longer needed.
>>>>
>>> Good catch!
>>>
>>> Thanks,
>>> Xuelei
>>>
>>>> Brad
>>>>
>>>>
>>>>
>>>>
>>>> On 6/7/2018 10:28 AM, Bradford Wetmore wrote:
>>>>> Also reviewed SSLSocketFactoryImpl.java
>>>>>
>>>>>
>>>>> BaseSSLSocketImpl.java
>>>>> ----------------------
>>>>> I don't see where requireCloseNotify is actually being used in the 
>>>>> remaining code.  If you are removing this functionality, you should 
>>>>> probably be calling that out in your CSR.
>>>>>
>>>>> SSLSessionContextImpl.java
>>>>> --------------------------
>>>>> The only change here was to reorder the import of Vector (obsolete) 
>>>>> and update the copyright?  May I ask why?  If this was somehow a 
>>>>> netbeans suggestion, there were several other things that could be 
>>>>> updated that seem more important.  e.g.  37-39 could be made final. 
>>>>> 207: unnecessary unboxing.
>>>>>
>>>>> Brad
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 6/6/2018 5:45 PM, Bradford Wetmore wrote:
>>>>>> Today, I looked over SunJSSE.java, Utilities.java, and 
>>>>>> module-info.java.   Mostly nits below, some style things.
>>>>>>
>>>>>>
>>>>>> Utilities.java
>>>>>> --------------
>>>>>>
>>>>>> 39:  hexDigits can be private.
>>>>>>
>>>>>> 42:  Extra level of indent.  4 or 8.
>>>>>>
>>>>>> 39-41:  Nits: When variables are static finals, they are usually 
>>>>>> written uppercase.
>>>>>>
>>>>>> 115:  Extra " " and can we get SNI cap'd?
>>>>>>
>>>>>> HostName for  server name indication
>>>>>> ->
>>>>>> HostName for Server Name Indication
>>>>>>
>>>>>> 150:  Minor Nit:  You're concating ("+") and then using 
>>>>>> StringBuilder.append(), instead of simply append chaining which 
>>>>>> might be slightly more efficient.
>>>>>>
>>>>>> 167-217:  The code looks ok, but this might be reworked to take 
>>>>>> better advantage of StringBuilder.append() chaining, rather than 
>>>>>> the mix of concat and append here now.  e.g. what you did with 
>>>>>> toHexString(long). I see much of the same code repeated over and 
>>>>>> over here.  Can be done later.
>>>>>>
>>>>>> Brad
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 6/3/2018 9:43 PM, Xuelei Fan wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> Here it the 2nd full webrev:
>>>>>>>    http://cr.openjdk.java.net/~xuelei/8196584/webrev-full.01
>>>>>>>
>>>>>>> and the delta update to the 1st webrev:
>>>>>>>    http://cr.openjdk.java.net/~xuelei/8196584/webrev-delta.00/
>>>>>>>
>>>>>>> Xuelei
>>>>>>>
>>>>>>> On 5/25/2018 4:45 PM, Xuelei Fan wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I'd like to invite you to review the TLS 1.3 implementation.  I 
>>>>>>>> appreciate it if I could have compatibility and specification 
>>>>>>>> feedback before May 31, 2018, and implementation feedback before 
>>>>>>>> June 7, 2018.
>>>>>>>>
>>>>>>>> Here is the webrev:
>>>>>>>>      http://cr.openjdk.java.net/~xuelei/8196584/webrev-full.00
>>>>>>>>
>>>>>>>> The formal TLS 1.3 specification is not finalized yet, although 
>>>>>>>> it had been approved to be a standard.  The implementation is 
>>>>>>>> based on the draft version 28:
>>>>>>>>      https://tools.ietf.org/html/draft-ietf-tls-tls13-28
>>>>>>>>
>>>>>>>> For the overall description of this enhancement, please refer to 
>>>>>>>> JEP 332:
>>>>>>>>      http://openjdk.java.net/jeps/332
>>>>>>>>
>>>>>>>> For the compatibility and specification update, please refer to 
>>>>>>>> CSR 8202625:
>>>>>>>>      https://bugs.openjdk.java.net/browse/JDK-8202625
>>>>>>>>
>>>>>>>> Note that we are using the sandbox for the development right 
>>>>>>>> now. For more information, please refer to Bradford's previous 
>>>>>>>> email:
>>>>>>>>
>>>>>>>> http://mail.openjdk.java.net/pipermail/security-dev/2018-May/017139.html 
>>>>>>>>
>>>>>>>>
>>>>>>>> Thanks & Regards,
>>>>>>>> Xuelei

More information about the security-dev mailing list