RFR JDK-8206925,,Support the certificate_authorities extension

Alexey Bakhtin alexey at azul.com
Thu May 14 10:52:40 UTC 2020 

Hello Xuelei,

I’ve posted a reproducer for described issue:
http://cr.openjdk.java.net/~abakhtin/8206925/

The test passed and returns code=200 from the server in case of CA extension disabled on the client side:
$JAVA_HOME/bin/java -Djavax.net.ssl.trustStore=./cacerts -Djavax.net.ssl.trustStorePassword=changeit HttpsClient https://www.google.com

The test fails with “fatal alert: illegal_parameter” in case of CA extension enabled on the client side:
java -Djavax.net.debug=none -Djdk.tls.client.enableCAExtension=false -Djavax.net.ssl.trustStore=./cacerts -Djavax.net.ssl.trustStorePassword=changeit HttpsClient https://www.google.com

I would suggest to control number of CA in the ClientHello message. It could be done with additional system property. Default value should allow to send ClientHello message in a single record. Application can enlarge it if the server supports ClientHello in several TLS records.

Thank you
Alexey

> On 13 May 2020, at 13:00, Alexey Bakhtin <alexey at azul.com> wrote:
> 
> Hello Xuelei,
> 
> I’m not a reviewer but I have some comment which could be helpful for your implementation.
> We’ve developed CA Extension in the OpenJSSE provider [1] and found an issue with a third party server implementations.
> According to RFC-8446 specification [2] the maximum size of the CA extension is 2^16 bytes. The maximum TLS record size is 2^14 bytes. In case of handshake message is bigger then maximum TLS record size, it should be splitted into several records. In fact, some server implementations does not allow ClientHello message bigger than the Maximum TLS record size and aborts connection immediately with “illegal_parameter” fatal alert.
> This issue can be easily reproduced on the client side:
> 1) put additional certificates into cacerts file, about 200 certs in total,
> 2) enable certificate_authorities extension in the ClientHello message
> 3) connect to https://www.google.com
> 
> [1] - https://github.com/openjsse/openjsse/blob/master/src/main/java/org/openjsse/sun/security/ssl/CertificateAuthorityExtension.java
> [2] - https://tools.ietf.org/html/rfc8446#page-45
> 
> Thank you
> Alexey

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20200514/8920a8d5/signature.asc>

More information about the security-dev mailing list