SSLSession#getPeerCertificates and resumed TLSv1.3 sessions
Oleg Kalnichevski
olegk at apache.org
Sun Oct 21 20:31:39 UTC 2018
Good time of the day
OpenJDK 11 TLS v1.3 implementation at present breaks hostname
verification code in all versions of Apache HttpClient and I am trying
to figure the best way to remedy the situation.
Resumed TLS v1.3 sessions do not appear to carry a server certificate
chain, which, is as far as I understand, is to be expected. In case
of resumed TLSv1.3 sessions an attempt to get the servers certificates
with SSLSession#getPeerCertificates causes "peer not authenticated"
SSLPeerUnverifiedException. The trouble is that I fail to see any way
to find out whether or not an TLS v1.3 session has been negotiated
using the complete TLS handshake or resumed.
The only solution I was able to have found so far is to catch
SSLPeerUnverifiedException, see if the TLS protocol is v1.3 and presume
this is because the session has been resumed [1]. This naturally looks
and feels very dodgy.
Please advise how one should tell if TLS v1.3 session has been resumed
using SSLSession interface or what would be the right way to perform
hostname verification or any custom certificate validity checks with
TLS v1.3.
Thank you in advance
Oleg Kalnichevski
[1] https://github.com/ok2c/httpclient/commit/6ca28be047a7a461c7814ee7e0f3e083158ee349
More information about the security-dev
mailing list