RFR: 8270344: Session resumption errors [v4]
Xue-Lei Andrew Fan
xuelei at openjdk.java.net
Thu Aug 19 19:54:25 UTC 2021
On Thu, 19 Aug 2021 13:07:59 GMT, Sean Coffey <coffeys at openjdk.org> wrote:
>> Corner case where a session resumption can fail if the TLS server changes supported protocol versions in relation to a cached SSLSession. This is primarily an issue where the legacy TLS version is used in place of the newer "supported_versions" TLS extension.
>
> Sean Coffey has updated the pull request incrementally with one additional commit since the last revision:
>
> maxProtocolVersion refactoring
Changes requested by xuelei (Reviewer).
src/java.base/share/classes/sun/security/ssl/ClientHello.java line 547:
> 545: // handshake output stream, so that the output records
> 546: // (at the record layer) have the correct version
> 547: chc.setVersion(sessionVersion);
Removing the call to "setVersion()" has an impact, I think. I think the declaration of this method could be removed in the HandshakeContext class, and the HandshakeContext.conContext.protocolVersion set to HandshakeContext.maximumActiveProtocol in the HandshakeContext.initialize() method.
test/jdk/sun/security/ssl/SSLSessionImpl/InvalidateSession.java line 60:
> 58: System.setProperty("javax.net.ssl.keyStorePassword", passwd);
> 59: System.setProperty("javax.net.ssl.trustStore", trustFilename);
> 60: System.setProperty("javax.net.ssl.trustStorePassword", passwd);
It is not recommended to use binary keystore files for JSSE test cases. Please refer to test/jdk/javax/net/ssl/templates/SSLContextTemplate.java for a replacement.
test/jdk/sun/security/ssl/SSLSessionImpl/InvalidateSession.java line 173:
> 171: }
> 172: }
> 173: }
Is a newline required at the end of the file? I see a red symbol in the review board; I think the symbol may be generated by GitHub.
-------------
PR: https://git.openjdk.java.net/jdk/pull/5110
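The review comment on InvalidateSession.java asks for the test to stop depending on binary keystore files and build its SSLContext the way SSLContextTemplate.java does, from PEM material held in memory. The class below is an added example of that pattern written for this page; it is not code from the pull request, from SSLContextTemplate.java, or from the JDK. It assumes the PEM certificate and the unencrypted PKCS#8 private key (EC or RSA) are supplied as two files named on the command line, plus an optional SSLContext protocol name; the file names, the "in-memory" password and the alias names are arbitrary choices for the example. It also adds the check a test author usually wants before a handshake fails opaquely: that the private key really belongs to the certificate.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Arrays;
import java.util.Base64;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Builds an SSLContext from PEM text held in memory: no binary keystore files on disk. */
public final class PemSslContext {

    /** Parses a PEM certificate block; CertificateFactory accepts the BEGIN/END armour directly. */
    static X509Certificate parseCertificate(String pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(
                new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
    }

    /** Parses an unencrypted PKCS#8 key ("-----BEGIN PRIVATE KEY-----"), trying EC then RSA (assumption). */
    static PrivateKey parsePrivateKey(String pem) throws Exception {
        String base64 = pem.replace("-----BEGIN PRIVATE KEY-----", "")
                           .replace("-----END PRIVATE KEY-----", "")
                           .replaceAll("\\s", "");
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(Base64.getDecoder().decode(base64));
        for (String alg : new String[] { "EC", "RSA" }) {
            try {
                return KeyFactory.getInstance(alg).generatePrivate(spec);
            } catch (InvalidKeySpecException e) {
                // not this algorithm; try the next one
            }
        }
        throw new IllegalArgumentException("private key is neither EC nor RSA PKCS#8");
    }

    /** Fails fast if the key does not belong to the certificate, instead of an opaque handshake failure later. */
    static void checkKeyMatchesCert(PrivateKey key, X509Certificate cert) throws Exception {
        String sigAlg = key.getAlgorithm().equals("EC") ? "SHA256withECDSA" : "SHA256withRSA";
        byte[] probe = "key/cert match probe".getBytes(StandardCharsets.US_ASCII);
        Signature signer = Signature.getInstance(sigAlg);
        signer.initSign(key);
        signer.update(probe);
        byte[] sig = signer.sign();
        Signature verifier = Signature.getInstance(sigAlg);
        verifier.initVerify(cert.getPublicKey());
        verifier.update(probe);
        if (!verifier.verify(sig)) {
            throw new IllegalStateException("private key does not match certificate "
                    + cert.getSubjectX500Principal());
        }
    }

    /** Key store and trust store are built in memory; the same self-signed cert serves as the trust anchor. */
    static SSLContext build(String certPem, String keyPem, String protocol) throws Exception {
        X509Certificate cert = parseCertificate(certPem);
        PrivateKey key = parsePrivateKey(keyPem);
        checkKeyMatchesCert(key, cert);
        char[] pwd = "in-memory".toCharArray();   // arbitrary: nothing is written to disk, PKCS12 entries just need one

        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                        // start empty instead of loading a file
        ks.setKeyEntry("end-entity", key, pwd, new Certificate[] { cert });
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pwd);

        KeyStore ts = KeyStore.getInstance("PKCS12");
        ts.load(null, null);
        ts.setCertificateEntry("trust-anchor", cert);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        SSLContext ctx = SSLContext.getInstance(protocol);
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Usage (assumed layout): java PemSslContext cert.pem key.pem [TLS|TLSv1.2|TLSv1.3] */
    public static void main(String[] args) throws Exception {
        String certPem = Files.readString(Path.of(args[0]));
        String keyPem = Files.readString(Path.of(args[1]));
        String protocol = args.length > 2 ? args[2] : "TLS";
        SSLContext ctx = build(certPem, keyPem, protocol);
        System.out.println("context protocol: " + ctx.getProtocol());
        System.out.println("default enabled : " + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
        System.out.println("supported       : " + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
    }
}
```

In a jtreg test the two PEM strings would be embedded as string constants, as SSLContextTemplate.java does, rather than read from files; the rest of the pipeline (PEM to in-memory PKCS12 to KeyManagerFactory/TrustManagerFactory to SSLContext) is the same. Building the server and client contexts this way, with different protocol names or different setEnabledProtocols() on the sockets, is also how a test can reproduce the situation described in the PR, a cached session whose protocol version no longer matches what the server offers, without shipping any keystore binaries.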
More information about the security-dev mailing list