RFR: 8326643: JDK server does not send a dummy change_cipher_spec record after HelloRetryRequest message [v5]
Sibabrata Sahoo
ssahoo at openjdk.org
Wed Mar 20 09:55:34 UTC 2024
On Wed, 20 Mar 2024 09:33:56 GMT, Prasadrao Koppula <pkoppula at openjdk.org> wrote:
>> Will it produce 2 ChangeCipherSpec records, one after HRR and the other after SH?
>
> Yes, the server produces 2 CCS records in the case of HRR. According to the RFC:
>
> "Either side can send change_cipher_spec at any time during the handshake, as they must be ignored by the peer, but if the client sends a non-empty session ID, the server MUST send the change_cipher_spec as described in this appendix."
>
> https://datatracker.ietf.org/doc/html/rfc8446#appendix-D.4
I am not an expert in this field and am expressing one of my thoughts here; my assumption could be wrong too.
Shouldn't it check "SSLConfiguration.useCompatibilityMode" for any change applicable to solving the middlebox issue?
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/18372#discussion_r1531783071