RFR JDK-8233619: SSLEngine handshake status immediately after the handshake can be NOT_HANDSHAKING rather than FINISHED with TLSv1.3
Xuelei Fan
xuelei.fan at oracle.com
Sat Feb 22 19:20:14 UTC 2020
Hi,
Could I have the following update reviewed?
http://cr.openjdk.java.net/~xuelei/8233619/webrev.01/
For TLS 1.2 and previous versions, the ChangeCipherSpec message is
always delivered before the Finished handshake message.
ChangeCipherSpec is not a handshake message, and cannot be wrapped in one
TLS record. The processing of the Finished handshake message is unlikely to
be delegated.

However, for TLS 1.3 there are no non-handshake messages delivered
immediately before the Finished message. Then, the delegated task could
happen before consuming the Finished message, and then the Finished
message is handled in the delegated action, together with the other
handshake messages in the flight. The FINISHED status is not presented in
such a situation.

It would be complicated to consume the Finished message separately after
the delegated tasks. Luckily, currently the post-handshake
NewSessionTicket message is always used, immediately after the handshake
message. The FINISHED status could be presented for producing and consuming
the NewSessionTicket post-handshake message.
Thanks,
Xuelei
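
An added example, not part of the original message or of the JDK change under review: a completion check for an SSLEngine handshake loop that does not depend on ever seeing FINISHED, covering the case described above where a delegated task consumes the Finished message. The class name, helper names, the `started` flag and the host `example.invalid` are assumptions made for illustration.

```java
import java.nio.ByteBuffer;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLEngineResult.HandshakeStatus;

public class HandshakeDone {
    // Run every pending delegated task inline, then re-read the engine status.
    // In TLS 1.3 a task may consume the peer's Finished message, so FINISHED
    // may not be reported by any wrap()/unwrap() result for that flight.
    static HandshakeStatus runTasks(SSLEngine engine) {
        Runnable task;
        while ((task = engine.getDelegatedTask()) != null) {
            task.run();
        }
        return engine.getHandshakeStatus();
    }

    // Completion test for one wrap()/unwrap() result. 'started' is the
    // caller's flag that beginHandshake() has been called on this engine.
    static boolean handshakeComplete(SSLEngine engine, SSLEngineResult result,
                                     boolean started) {
        HandshakeStatus hs = result.getHandshakeStatus();
        if (hs == HandshakeStatus.NEED_TASK) {
            hs = runTasks(engine);
        }
        return hs == HandshakeStatus.FINISHED
            || (started && hs == HandshakeStatus.NOT_HANDSHAKING);
    }

    public static void main(String[] args) throws Exception {
        // Constructed offline input: a client engine with no peer attached.
        SSLEngine client = SSLContext.getDefault()
                .createSSLEngine("example.invalid", 443);
        client.setUseClientMode(true);
        client.beginHandshake();
        ByteBuffer net = ByteBuffer.allocate(
                client.getSession().getPacketBufferSize());
        // Producing the ClientHello needs no network; the handshake is open.
        SSLEngineResult r = client.wrap(ByteBuffer.allocate(0), net);
        System.out.println("after ClientHello: " + r.getHandshakeStatus()
                + ", complete=" + handshakeComplete(client, r, true));
    }
}
```

Once the handshake is over, every later result also reports NOT_HANDSHAKING, so a caller should act only on the first call that returns true.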