RFR: 8299870: TLS record version check allows invalid records

Xue-Lei Andrew Fan xuelei at openjdk.org
Thu Jan 12 07:18:14 UTC 2023


On Wed, 11 Jan 2023 19:49:14 GMT, Matthew Donovan <duke at openjdk.org> wrote:

> > > If we need to support later, currently undefined, versions then is IllegalRecordVersion a valid test?
> > > That's the good question. It may worthy of further evaluation and the test case could be removed if it is not valid.
> 
> I reworked `IllegalRecordVersion.java` so that it creates a ClientHello with a bad value in that version field, continues the handshake to the end, and then verifies that a version was agreed upon.
> 
> If that sounds legitimate, I can clean up the code a little and push it.

I'm fine for this approach.  The file/class name could be revised.

-------------

PR: https://git.openjdk.org/jdk/pull/11929



More information about the security-dev mailing list