RFR: 8326643: JDK server does not send a dummy change_cipher_spec record after HelloRetryRequest message [v5]
Prasadrao Koppula
pkoppula at openjdk.org
Thu Mar 21 02:13:24 UTC 2024
On Wed, 20 Mar 2024 10:49:55 GMT, Sibabrata Sahoo <ssahoo at openjdk.org> wrote:
>> Prasadrao Koppula has updated the pull request incrementally with one additional commit since the last revision:
>>
>> JDK-8326643
>
> test/jdk/javax/net/ssl/TLSv13/EngineOutOfSeqCCS.java line 98:
>
>> 96:
>> 97: // client consumes ServerHello/HelloRetryRequest
>> 98: clientResult = clientEngine.unwrap(sTOc, clientIn);
>
> May be it would be nice to ensure it really received a HRR record when isHRRTest=true by checking the Handshake record attribute content Random=“cf21ad74e59a6111be1d8c021e65b891c2a211167abb8c5e079e09e2c8a8339c” which is SHA-256("HelloRetryRequest")
Great suggestion. According to the RFC, in middlebox compatibility mode, the Server should send CCS for all the first handshake messages. Currently, those include HRR and SH. I don't think it's wise to validate all the first handshake messages from the Server in this test.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/18372#discussion_r1533153847
More information about the security-dev
mailing list