RFR: 8301379: Verify TLS_ECDH_* cipher suites cannot be negotiated [v2]

Matthew Donovan mdonovan at openjdk.org
Mon Jun 12 17:33:55 UTC 2023


On Fri, 9 Jun 2023 17:23:00 GMT, Sean Mullan <mullan at openjdk.org> wrote:

>> Matthew Donovan has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains three additional commits since the last revision:
>> 
>>  - cleaned up code, combined individual executions
>>  - Merge branch 'master' into JDK-8301379
>>  - 8301379: Verify TLS_ECDH_* cipher suites cannot be negotiated
>
> test/jdk/javax/net/ssl/TLS/TLSWontNegotiateDisabledCipherAlgos.java line 119:
> 
>> 117:         public void run() throws IOException {
>> 118:             try {
>> 119:                 socket.getOutputStream().write("SECRET MESSAGE".getBytes(StandardCharsets.UTF_8));
> 
> Should this fail if this handshake passes?

I updated the code to throw an exception here. It's useful for logging, but if the handshake is successful and data is transferred, the server will report the error.

> test/jdk/javax/net/ssl/TLS/TLSWontNegotiateDisabledCipherAlgos.java line 121:
> 
>> 119:                 socket.getOutputStream().write("SECRET MESSAGE".getBytes(StandardCharsets.UTF_8));
>> 120:             } catch (SSLHandshakeException exc) {
>> 121:                 // handshake failures are expected
> 
> Can you inspect the handshake failure message to make sure it is failing for the right reason as you do for the server case?

I added a check for the failure message.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/14316#discussion_r1227017797
PR Review Comment: https://git.openjdk.org/jdk/pull/14316#discussion_r1227018124


