RFR: 8217633: Configurable extensions with system properties
Rajan Halade
rhalade at openjdk.java.net
Mon Jan 25 21:40:42 UTC 2021
On Fri, 11 Dec 2020 23:20:34 GMT, Xue-Lei Andrew Fan <xuelei at openjdk.org> wrote:
> The TLS protocols are designed to tolerate unknown TLS extensions. However, although it is not common, there are a few TLS implementations that cannot handle unknown extensions properly. This results in unexpected interoperability issues when new extensions are introduced in the JDK. The interoperability impact could be mitigated if applications can customize the extensions when needed.
>
> With this update, two system properties are added to configure the default extensions on either the client or the server side of TLS connections. Please note that the impact of blocking TLS extensions is complicated. For example, a TLS connection may not be established if a mandatory extension is blocked. Please don't use this feature unless you clearly understand the impact.
>
> Bug: https://bugs.openjdk.java.net/browse/JDK-8217633
> CSR: https://bugs.openjdk.java.net/browse/JDK-8217993
Changes requested by rhalade (Reviewer).
test/jdk/sun/security/ssl/SSLSocketImpl/BlockedExtension.java line 2:
> 1: /*
> 2: * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
Suggestion:
* Copyright (c) 2021, Oracle and/or its affiliates. All rights reserved.
test/jdk/sun/security/ssl/SSLSocketImpl/BlockedExtension.java line 62:
> 60: } catch (SSLException | IllegalStateException ssle) {
> 61: if (shouldSuccess) {
> 62: throw new Exception(
Suggestion:
throw new RuntimeException(
test/jdk/sun/security/ssl/SSLSocketImpl/BlockedExtension.java line 70:
> 68:
> 69: if (!shouldSuccess) {
> 70: throw new Exception(
Suggestion:
throw new RuntimeException(
-------------
PR: https://git.openjdk.java.net/jdk/pull/1752