RFR: 8277307: Pre shared key sent under both session_ticket and pre_shared_key extensions
Sean Coffey
coffeys at openjdk.java.net
Tue May 31 13:50:46 UTC 2022
On Fri, 27 May 2022 13:20:24 GMT, Daniel Jeliński <djelinski at openjdk.org> wrote:
> Session ticket extension should only contain pre-TLS1.3 stateless session tickets; it should not be used for sending TLS1.3 pre-shared keys.
src/java.base/share/classes/sun/security/ssl/SessionTicketExtension.java line 410:
> 408: || chc.resumingSession.getPskIdentity() == null
> 409: || !Arrays.asList(ProtocolVersion.PROTOCOLS_10_12)
> 410: .contains(chc.resumingSession.getProtocolVersion())) {
would `chc.resumingSession.getProtocolVersion().useTLS13PlusSpec()` read better for your last condition ? Might save on Array allocations also ?
-------------
PR: https://git.openjdk.java.net/jdk/pull/8922
More information about the security-dev
mailing list