RFR: 8270344: Session resumption errors
Sean Coffey
coffeys at openjdk.java.net
Thu Aug 19 09:10:53 UTC 2021
On Wed, 18 Aug 2021 19:03:10 GMT, djelinski <github.com+30433125+djelinski at openjdk.org> wrote:
>> Corner case where a session resumption can fail if the TLS server changes supported protocol versions in relation to a cached SSLSession. This is primarily an issue where the legacy TLS version is used in place of the newer "supported_versions" TLS extension.
>
> Also fixes resumption when server is a Java application run with `-Djdk.tls.allowLegacyResumption=false`, client is a Java application with `-Djdk.tls.useExtendedMasterSecret=false`, and TLSv1.2 is negotiated.
> As a side note, it should be possible to merge `HandshakeContext#handshakeSession` and `HandshakeContext#resumingSession` into a single field now
thanks for the comments @djelinski - per Dev advise, I've split this issue into 2 bugs. This issue will focus on altering the legacy maximum TLS protocol version field sent in the ClientHello. Patch just updated.
A follow on fix will focus on the session invalidation issue (JDK-8272653)
-------------
PR: https://git.openjdk.java.net/jdk/pull/5110
More information about the security-dev
mailing list