RFR: 8299870: TLS record version check allows invalid records

Matthew Donovan duke at openjdk.org
Wed Jan 11 19:52:14 UTC 2023

On Tue, 10 Jan 2023 20:34:49 GMT, Xue-Lei Andrew Fan <xuelei at openjdk.org> wrote:

> > If we need to support later, currently undefined, versions then is IllegalRecordVersion a valid test?
> That's the good question. It may worthy of further evaluation and the test case could be removed if it is not valid.

I reworked `IllegalRecordVersion.java` so that it creates a ClientHello with a bad value in that version field, continues the handshake to the end, and then verifies that a version was agreed upon.

If that sounds legitimate, I can clean up the code a little and push it.


PR: https://git.openjdk.org/jdk/pull/11929

More information about the security-dev mailing list