RFR JDK-8233619: SSLEngine handshake status immediately after the handshake can be NOT_HANDSHAKING rather than FINISHED with TLSv1.3

Xuelei Fan xuelei.fan at oracle.com
Sat Feb 22 19:20:14 UTC 2020


Could I have the following update reviewed?

For TLS 1.2 and previous versions, the ChangeCipherSpec message is 
always delivered before the Finished handshake message. 
ChangeCipherSpec is not a handshake message,and cannot be wrapped in one 
TLS record.  The processing of Finished handshake message is unlikely to 
be delegated.

However, for TLS 1.3 there it no non-handshake messages delivered 
immediately before Finished message.  Then, the delegated task could 
happen before consuming the Finished message, and then the Finished 
message is handled in the delegated action, together with other 
handshake message in the flight. The FINISHED does not present in such 

It would be complicated to consume the Finished message separately after 
the delegated tasks.  Luckily, currently the post-handshake 
NewSessionTicket message is always used, immediately after the handshake 
message.  The FINISHED status could present for producing and consuming 
the NewSessionTicket post-handshake message.


More information about the security-dev mailing list