RFR JDK-8233619: SSLEngine handshake status immediately after the handshake can be NOT_HANDSHAKING rather than FINISHED with TLSv1.3

Xuelei Fan xuelei.fan at oracle.com
Sat Feb 22 19:20:14 UTC 2020


Hi,

Could I have the following update reviewed?
     http://cr.openjdk.java.net/~xuelei/8233619/webrev.01/

For TLS 1.2 and previous versions, the ChangeCipherSpec message is 
always delivered before the Finished handshake message. 
ChangeCipherSpec is not a handshake message,and cannot be wrapped in one 
TLS record.  The processing of Finished handshake message is unlikely to 
be delegated.

However, for TLS 1.3 there it no non-handshake messages delivered 
immediately before Finished message.  Then, the delegated task could 
happen before consuming the Finished message, and then the Finished 
message is handled in the delegated action, together with other 
handshake message in the flight. The FINISHED does not present in such 
situation.

It would be complicated to consume the Finished message separately after 
the delegated tasks.  Luckily, currently the post-handshake 
NewSessionTicket message is always used, immediately after the handshake 
message.  The FINISHED status could present for producing and consuming 
the NewSessionTicket post-handshake message.

Thanks,
Xuelei


More information about the security-dev mailing list