RFR: 8299870: TLS record version check allows invalid records

Xue-Lei Andrew Fan xuelei at openjdk.org
Tue Jan 10 19:27:53 UTC 2023


On Tue, 10 Jan 2023 18:59:30 GMT, Matthew Donovan <duke at openjdk.org> wrote:

> - Updated ProtocolVersion.isNegotiable() to check a bounded range of version numbers.
> - Removed IllegalRecordVersion.java from ProblemList.txt 
> 
> Tested with jdk_security and jdk_security3 test groups.

This update will introduce version negotiation issues. Per TLS spec, version 105.106 should be allowed and the version could be negotiated properly. When TLS 1.4 is defined later in the future, the code update here will cause serious compatibility issues. This has been a well-known issue in some implementations.

If you want to fix the javax/net/ssl/SSLEngine/IllegalRecordVersion.java issue, please refer to the JDK-8042449 patch details.

-------------

Changes requested by xuelei (Reviewer).

PR: https://git.openjdk.org/jdk/pull/11929
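As an added illustration of the two record-layer version policies discussed in this thread (constructed example; not code from the PR, from JDK-8042449, or from the JDK itself), the following parses a 5-byte TLS record header and contrasts an enumerated "bounded range" check with a tolerant check that follows RFC 5246 Appendix E.1 (any {3, x} record-layer version is acceptable on a ClientHello) and RFC 8446 section 5.1 (legacy_record_version is ignored once TLS 1.3 is negotiated). The structural checks on content type and fragment length are what catch a genuinely malformed record; the version bytes alone do not. The rule that a TLS 1.2 session must carry its negotiated version in every later record is a simplifying assumption of this example, and all sample headers are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# TLSPlaintext content types (RFC 5246 section 6.2.1).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
# Upper bound on a TLSCiphertext fragment (RFC 5246 section 6.2.3).
MAX_FRAGMENT_LEN = 2 ** 14 + 2048


@dataclass(frozen=True)
class RecordHeader:
    content_type: int
    major: int
    minor: int
    length: int


def parse_record_header(data: bytes) -> RecordHeader:
    """Parse the 5-byte record header and apply the structural checks that
    identify a malformed record independently of its version bytes."""
    if len(data) < 5:
        raise ValueError("record header truncated")
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    if content_type not in CONTENT_TYPES:
        raise ValueError(f"unknown content type {content_type}")
    if length > MAX_FRAGMENT_LEN:
        raise ValueError(f"fragment length {length} exceeds {MAX_FRAGMENT_LEN}")
    return RecordHeader(content_type, major, minor, length)


# Enumerated set used by the bounded check: TLS 1.0 .. TLS 1.3.
KNOWN_VERSIONS = {(3, 1), (3, 2), (3, 3), (3, 4)}


def bounded_version_check(hdr: RecordHeader) -> bool:
    """Accept only an enumerated set of versions. Any future {3, x} value
    (a hypothetical TLS 1.4, for instance) fails before negotiation runs."""
    return (hdr.major, hdr.minor) in KNOWN_VERSIONS


def tolerant_version_check(hdr: RecordHeader,
                           negotiated: Optional[Tuple[int, int]]) -> bool:
    """Before a version is negotiated, accept any {3, x} record-layer version
    on the ClientHello (RFC 5246 Appendix E.1). Once TLS 1.3 is negotiated the
    field is legacy_record_version and is ignored (RFC 8446 section 5.1). For
    TLS 1.2 and earlier this example requires the field to match the negotiated
    version; that strictness is an assumption of the illustration."""
    if negotiated is None:
        return hdr.major == 3
    if negotiated >= (3, 4):
        return True
    return (hdr.major, hdr.minor) == negotiated


# Constructed sample headers: handshake (0x16), 5-byte body length.
CLIENT_HELLO_TLS10_MARKED = bytes.fromhex("1603010005")    # {3,1} on a ClientHello
CLIENT_HELLO_FUTURE_VERSION = bytes.fromhex("1603070005")  # {3,7}: not a defined version
BAD_CONTENT_TYPE = bytes.fromhex("ff03030005")             # content type 0xff
OVERSIZED_FRAGMENT = bytes.fromhex("16030350ff")           # length 0x50ff > 18432


def classify(raw: bytes, negotiated: Optional[Tuple[int, int]] = None) -> str:
    """Summarise how each policy treats a record header."""
    try:
        hdr = parse_record_header(raw)
    except ValueError as exc:
        return f"invalid: {exc}"
    bounded = bounded_version_check(hdr)
    tolerant = tolerant_version_check(hdr, negotiated)
    return (f"{CONTENT_TYPES[hdr.content_type]} v{hdr.major}.{hdr.minor}: "
            f"bounded={bounded} tolerant={tolerant}")


if __name__ == "__main__":
    for name, raw in [("tls1.0-marked ClientHello", CLIENT_HELLO_TLS10_MARKED),
                      ("future-version ClientHello", CLIENT_HELLO_FUTURE_VERSION),
                      ("bad content type", BAD_CONTENT_TYPE),
                      ("oversized fragment", OVERSIZED_FRAGMENT)]:
        print(f"{name:28s} -> {classify(raw)}")
```

The future-version ClientHello is the case the review is about: the bounded check rejects it outright, while the tolerant check lets the handshake proceed to version negotiation. The bad content type and oversized fragment are rejected by both paths because the structural checks fire before any version policy is consulted.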
