RFR: 8331682: Slow networks/Impatient clients can potentially send unencrypted TLSv1.3 alerts that won't parse on the server [v24]

Artur Barashev abarashev at openjdk.org
Sat Oct 26 00:42:12 UTC 2024


On Fri, 25 Oct 2024 19:38:58 GMT, Bradford Wetmore <wetmore at openjdk.org> wrote:

>> Artur Barashev has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains 28 additional commits since the last revision:
>> 
>>  - Merge branch 'master' into JDK-8331682
>>  - Use more appropriate exception with the alert description
>>  - Update Copyright
>>  - Update @library directive
>>  - Merge branch 'master' into JDK-8331682
>>  - Produce appropriate exception message. Update tests.
>>  - Adjust line length
>>  - Additional error checking
>>  - Write and read to/from server in a single pass. Use SocketChannel.
>>  - Return null if there is no record we attempted to decode
>>  - ... and 18 more: https://git.openjdk.org/jdk/compare/43903daa...aef08dd0
>
> src/java.base/share/classes/sun/security/ssl/SSLCipher.java line 1872:
> 
>> 1870:                         }
>> 1871: 
>> 1872:                         throw new GeneralSecurityException(msg);
> 
> Why a `GeneralSecurityException` instead of `SSLHandshakeException`?

We actually don't know that we are at the handshake stage here; SSLCipher doesn't have the context.

> test/lib/jdk/test/lib/security/SecurityUtils.java line 130:
> 
>> 128:     }
>> 129: 
>> 130:     public static void inspectTlsBuffer(ByteBuffer buffer) throws IOException {
> 
> I'm not sure how useful the information provided by this call really is, and whether it's worth introducing in a separate library.  Was the output really useful in your debugging?

Yes, it was useful for me.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/21043#discussion_r1817466460
PR Review Comment: https://git.openjdk.org/jdk/pull/21043#discussion_r1817467135
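As an added illustration of what a buffer-inspection helper like the `inspectTlsBuffer(ByteBuffer)` discussed above can show, here is a stand-alone Java record walker. It is example code written for this page, not code from the pull request or the JDK test library; the class, method and record names are my own, and the sample bytes at the bottom are constructed. It parses the 5-byte record headers (RFC 8446, section 5.1) and distinguishes a plaintext alert record (content type 21 with a 2-byte body) from an application_data record (content type 23), which is what every encrypted TLS 1.3 record looks like on the wire. That distinction is the one that matters for this bug: when a server that has already switched to handshake traffic keys fails to decrypt a record from the client, dumping the buffer this way tells you whether the client actually sent its alert unencrypted.

```java
import java.nio.ByteBuffer;
import java.util.ArrayList;
import java.util.List;

// Example code for this page, not part of OpenJDK or its test library.
// Walks the TLS records in a buffer and reports what each one is.
public final class TlsRecordInspector {

    // Content types from RFC 8446, section 5.1
    static final int CHANGE_CIPHER_SPEC = 20;
    static final int ALERT = 21;
    static final int HANDSHAKE = 22;
    static final int APPLICATION_DATA = 23;
    static final int RECORD_HEADER_LEN = 5;
    static final int MAX_CIPHERTEXT_LEN = 16384 + 256; // 2^14 + 256 (TLSCiphertext)

    public record RecordInfo(int contentType, int legacyVersion, int length,
                             String description) {}

    // Inspects without moving the caller's buffer position.
    public static List<RecordInfo> inspect(ByteBuffer buffer) {
        ByteBuffer buf = buffer.duplicate();
        List<RecordInfo> out = new ArrayList<>();
        while (buf.remaining() >= RECORD_HEADER_LEN) {
            int type = buf.get() & 0xFF;
            int version = buf.getShort() & 0xFFFF;
            int length = buf.getShort() & 0xFFFF;
            if (length > MAX_CIPHERTEXT_LEN) {
                out.add(new RecordInfo(type, version, length,
                        "record length exceeds 2^14+256; not a valid TLS record"));
                break;
            }
            if (buf.remaining() < length) {
                out.add(new RecordInfo(type, version, length, "truncated record: "
                        + buf.remaining() + " of " + length + " body bytes present"));
                break;
            }
            ByteBuffer fragment = buf.slice();
            fragment.limit(length);
            buf.position(buf.position() + length);
            out.add(new RecordInfo(type, version, length, describe(type, fragment)));
        }
        if (buf.hasRemaining()) {
            out.add(new RecordInfo(-1, -1, buf.remaining(), "trailing partial record header"));
        }
        return out;
    }

    private static String describe(int type, ByteBuffer fragment) {
        switch (type) {
            case ALERT:
                // A plaintext alert is exactly level + description.
                if (fragment.remaining() == 2) {
                    int level = fragment.get(0) & 0xFF;
                    int desc = fragment.get(1) & 0xFF;
                    return "PLAINTEXT alert level=" + level + " description=" + desc
                            + " (" + alertName(desc) + ")";
                }
                return "alert record with unexpected body length " + fragment.remaining();
            case HANDSHAKE:
                if (fragment.remaining() >= 4) {
                    return "plaintext handshake message type=" + (fragment.get(0) & 0xFF);
                }
                return "handshake record too short";
            case CHANGE_CIPHER_SPEC:
                return "change_cipher_spec (TLS 1.3 middlebox compatibility)";
            case APPLICATION_DATA:
                return "application_data: encrypted record, inner content type hidden";
            default:
                return "unknown content type";
        }
    }

    private static String alertName(int desc) {
        switch (desc) {
            case 0:  return "close_notify";
            case 10: return "unexpected_message";
            case 20: return "bad_record_mac";
            case 40: return "handshake_failure";
            case 90: return "user_canceled";
            default: return "other";
        }
    }

    // Constructed sample: two plaintext warning alerts (user_canceled, then
    // close_notify) followed by a short application_data record.
    public static void main(String[] args) {
        byte[] sample = {
            21, 3, 3, 0, 2, 1, 90,                                   // alert, user_canceled
            21, 3, 3, 0, 2, 1, 0,                                    // alert, close_notify
            23, 3, 3, 0, 4, (byte) 0xDE, (byte) 0xAD, (byte) 0xBE, (byte) 0xEF
        };
        for (RecordInfo r : inspect(ByteBuffer.wrap(sample))) {
            System.out.printf("type=%d version=0x%04x len=%d: %s%n",
                    r.contentType(), r.legacyVersion(), r.length(), r.description());
        }
    }
}
```

The inspector deliberately stops at the first malformed or truncated record rather than resynchronising, because a server-side decryption failure usually means the bytes after that point are not parseable as records anyway; what you want from the dump is the first record that does not match what the server's current read state expects.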

