RFR 8226338: Updates to Stateless Resumption

Anthony Scarpino anthony.scarpino at oracle.com
Mon Jul 8 04:14:03 UTC 2019


On 7/4/19 10:14 PM, Xuelei Fan wrote:
> SSLSessionImpl.java
> -------------------
>   526     boolean checkSessionTicket(HandshakeContext hc) {
> As the return value is a boolean type, the method is better to use 
> "isSomething".  Otherwise, the meaning of the code 
> "!checkSessionTicket()" is clear and need to read the implementation code.

I'll see if I can come up with a "is*" name

> 
> NewSessionTicket.java
> ---------------------
>   104     //     opaque ticket<1..2^16-1>;
>   108     if (m.remaining() < 6) {
> 
> Per section 3.3, RFC 5077, line 104 should be:
>           opaque ticket<0..2^16-1>;

I'm glad you saw that because it was confusing me why a zero buffer was 
allowed in 5077

> 
> To be better understand the number 6, as you are already there, would 
> you please update line 104 as well?
> 
> I did not get the idea of the update of 
> T13NewSessionTicketMessage.T13NewSessionTicketMessage().  It looks like 
> that the updated code does not comply to TLS 1.3 specification of 
> NewSessionTicket.
> 

So I assume you are talking about the zero length ticket.  I never 
noticed that 1.3 changed behavior away from zero length tickets.  It 
would appear the spec writings made every attempt to make NST usage 
confusing between versions.

> 
>   453             NewSessionTicketMessage nstm;
>   454             nstm = new T12NewSessionTicketMessage(shc, 
> sessionTimeoutSeconds,
> 
> Maybe better to use one statement.
>   453             NewSessionTicketMessage nstm =
>   454                      new T12NewSessionTicketMessage(shc, 
> sessionTimeoutSeconds,
> 
>   499             if (nstm.ticket.length == 0) {
> Empty ticket should be not allowed in TLS 1.3 >
> ServerHelloDone.java
> --------------------
>   110             if (shc.statelessResumption) {
>   111 shc.handshakeConsumers.put(SSLHandshake.NEW_SESSION_TICKET.id,
>   112                         SSLHandshake.NEW_SESSION_TICKET);
>   113             }
> 
> I think the NewSessionTicket is produced by server and consumed in 
> client side.  I did not get the idea to have NST consumer in server 
> side.  Am I missing something?
> 

Hmm.. I remember making this change, and I thought it was a good idea, 
but clearly it does nothing.

> SessionTicketExtension.java
> ---------------------------
>   260             if (!hc.handshakeSession.checkSessionTicket(hc)) {
>   261                 return new byte[0];
>   262             }
> 
>  From the above line, I guess why you use empty ticket for TLS 1.3, 
> although empty ticket is not allowed in TLS 1.3.
> 
> I may suggest never use empty ticket.  Always use a proper ticket in a 
> proper NewSessionTicket message, at least in format.  When there is a 
> problem to retrieve the values, cache the session and prefer to use the 
> case rather than the ticket for session resumption.   As may be a little 
> bit more interop friendly.

Yes, the 1.3 non-zero length sure complicates the code.. Very unfortunate.

> 
>   295                 if (SSLLogger.isOn && 
> SSLLogger.isOn("ssl,handshake")) {
>   296                     SSLLogger.fine("Encryption failed." + 
> e.getMessage());
>   297                     e.printStackTrace(); // Helps with 
> session.write()
>   298                 }
> 
> Line 297 does not use SSLLogger.  It could be:
>           SSLLogger.fine("Encryption failed", e);

I didn't noticed logger accepted exceptions.

> 
> On 7/2/2019 10:35 AM, Anthony Scarpino wrote:
>>
>> Hi,
>>
>> I need a code review on some updates to the stateless resumption.
>> 1) Changing peerSupportedSignAlgs from a String[] to Collection[]
>> 2) Additional items added to the stateless ticket
>> 3) Not provide a stateless ticket when the masterkey is not accessible 
>> (FIPS) or when boundValues are used
> I did not whether the update works if bound values are set after the 
> handshake completed (i.e., after the NewSessionTicket has been produced 
> and used).  Did you have a test for the case?

It was my understanding from previous discussions that we were going to 
take a wait and see approach with boundValues and NST.

When I took a glance at how boundValues were added, they appear to be 
outside of the normal flow of the ConnectionContext.

> 
> Thanks,
> Xuelei
> 
>> 4) Be more graceful in case of stateless ticket generation failure
>>
>> http://cr.openjdk.java.net/~ascarpino/8226338/webrev.00/
>>
>> Tony



More information about the security-dev mailing list