RFR: 8326643: JDK server does not send a dummy change_cipher_spec record after HelloRetryRequest message [v5]
Prasadrao Koppula
pkoppula at openjdk.org
Wed Mar 20 10:02:23 UTC 2024
On Wed, 20 Mar 2024 09:52:40 GMT, Sibabrata Sahoo <ssahoo at openjdk.org> wrote:
>> Yes, the server produces 2 CCS records in the case of HRR. According to RFC:
>>
>> "Either side can send change_cipher_spec at any time during the handshake, as they must be ignored by the peer, but if the client sends a non-empty session ID, the server MUST send the change_cipher_spec as described in this
>> appendix."
>>
>> https://datatracker.ietf.org/doc/html/rfc8446#appendix-D.4
>
> I am not an expert in this field and expressing one of my thought here and my assumption could be wrong too.
> Shouldn't it check "SSLConfiguration.useCompatibilityMode" or similar for any change applicable to solve middlebox compatibility issue?
(clientHello.sessionId.length() != 0) condition checks for same
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/18372#discussion_r1531793243
More information about the security-dev
mailing list