RFR: 8299870: TLS record version check allows invalid records [v2]
Xue-Lei Andrew Fan
xuelei at openjdk.org
Thu Jan 12 16:08:20 UTC 2023
On Thu, 12 Jan 2023 15:32:23 GMT, Matthew Donovan <duke at openjdk.org> wrote:
>> - Updated ProtocolVersion.isNegotiable() to check a bounded range of version numbers.
>> - Removed IllegalRecordVersion.java from ProblemList.txt
>>
>> Tested with jdk_security and jdk_security3 test groups.
>
> Matthew Donovan has updated the pull request incrementally with three additional commits since the last revision:
>
> - renamed IllegalRecordVersion to HandshakeWithInvalidRecordVersion
> - Updated IllegalRecordVersion
> - reverted change in ProtocolVersion, updated IllegalRecordVersion
Would you please update the subject and description of JDK-8299870 so that it fit better with the purpose of the patch?
src/java.base/share/classes/sun/security/ssl/ProtocolVersion.java line 70:
> 68: static final ProtocolVersion MAX_TLS_SUPPORTED = TLS13;
> 69: static final ProtocolVersion MIN_TLS_SUPPORTED = SSL30;
> 70:
Would you mind restore the update for ProrocolVersion.java?
test/jdk/javax/net/ssl/SSLEngine/HandshakeWithInvalidRecordVersion.java line 51:
> 49: private static final String TRUSTSTORE_PATH =
> 50: System.getProperty("test.src", "./") + "/" + PATH_TO_STORES +
> 51: "/" + TRUSTSTORE_FILE;
It would be nice to avoid to use binary files. Would you mind to check if test/jdk/javax/net/ssl/templates/SSLContextTemplate.java could be used for the generation of SSLContext (for example test/jdk/javax/net/ssl/templates/SSLEngineTemplate.java)?
-------------
PR: https://git.openjdk.org/jdk/pull/11929
More information about the security-dev
mailing list