JSSE: SSLEngine reporting HandshakeStatus.FINISHED, disabling NewSessionTicket

Anthony Scarpino anthony.scarpino at oracle.com
Mon Jun 27 18:51:57 UTC 2022

On 5/24/22 8:20 AM, Ben Smyth wrote:
> TL;DR: Why does a client report HandshakeStatus.FINISHED twice? Can 
> production of NewSessionTicket be disabled?

SSLEngine with post handshake messages returns HandshakeStatus.FINISHED. 
  I believe because the FINISHED definition is "The SSLEngine has just 
finished handshaking."

> A client (respectively server) becomes ready to encrypt application data 
> upon completing their side of handshaking: "Once a side has sent its 
> Finished message and has received and validated the Finished message 
> from its peer, it may begin to send and receive Application Data over 
> the connection" (RFC8446); a client completes handshaking upon wrapping 
> a FINISHED message and a server completes upon unwrapping such a 
> message. (There's an exception for 0-RTT data, and another for a server 
> operating with reduced security.)

Before TLS 1.3 and PostHandshake messages, the usage for FINISHED was 
clearly only during the handshake process and more tied to the Finished 
message. This decision was made back when TLS 1.3 was first put into the 
codebase, so I don't remember discussions that occurred about this.  But 
I'm not aware of a rule that that HandshakeStatus.FINISHED was directly 
linked to the finished message.

KeyUpdate and NewSessionTicket call finishPostHandshake() which sets the 
handshake status.

Personally, I don't have a strong feeling which is the better status to 
pass, and since TLS 1.3 was integrated, I haven't heard of issues with it.

> Javadoc advises HandshakeStatus.FINISHED is reported when "a call to 
> SSLEngine.wrap() / unwrap() ... finishes a handshake." As expected,
> * OpenJDK SSLEngine.wrap() reports HandshakeStatus.FINISHED on wrapping 
> a client's (TLS) FINISHED message.
> By comparison, rather than report (server) handshake completion upon 
> unwrapping a client's (TLS) FINISHED message, HandshakeStatus.NEED_WRAP 
> is reported, a NewSessionTicket is produced on wrapping and
> * OpenJDK SSLEngine.wrap() reports HandshakeStatus.FINISHED on wrapping 
> a server's (TLS) NewSessionTicket message.
> Upon receipt of which,
> * OpenJDK SSLEngine.unwrap() reports HandshakeStatus.FINISHED on 
> unwrapping a server's (TLS) NewSessionTicket message.
> What does finishing a handshake mean in SSLEngine parlance? (I don't 
> understand why a client should report finishing twice.) Can production 
> of NewSessionTicket be disabled?

I don't think there is a way to prevent the jsse client from sending a 
PSK extension that triggers the NewSessionTicket.


More information about the security-dev mailing list