RFR: 8326643: JDK server does not send a dummy change_cipher_spec record after HelloRetryRequest message
Daniel Jeliński
djelinski at openjdk.org
Tue Mar 19 09:06:22 UTC 2024
On Tue, 19 Mar 2024 08:43:38 GMT, Prasadrao Koppula <pkoppula at openjdk.org> wrote:
>> src/java.base/share/classes/sun/security/ssl/ServerHello.java line 804:
>>
>>> 802: shc.conContext.outputRecord.changeWriteCiphers(
>>> 803: SSLWriteCipher.nullTlsWriteCipher(),
>>> 804: (clientHello.sessionId.length() != 0));
>>
>> Suggestion:
>>
>> if (clientHello.sessionId.length() != 0) {
>> shc.conContext.outputRecord.encodeChangeCipherSpec();
>> }
>
> Unfortunately, we lack separate properties to control named groups in both the server and client. When running server and client threads in the same JVM, manipulating client hello packets to prompt the server to trigger HRR becomes exceedingly challenging.
since [JDK-8281236](https://bugs.openjdk.org/browse/JDK-8281236) / 5d4c71c8bd361af78c90777f17b79e95d8eb5afe / JDK 20 we have setNamedGroups function to control named groups on every endpoint.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/18372#discussion_r1529976574
More information about the security-dev
mailing list