RFR: 8331682: Slow networks/Impatient clients can potentially send unencrypted TLSv1.3 alerts that won't parse on the server [v26]

Tue Oct 29 20:35:16 UTC 2024

On Tue, 29 Oct 2024 19:49:05 GMT, Xue-Lei Andrew Fan <xuelei at openjdk.org> wrote:

>> Artur Barashev has updated the pull request incrementally with one additional commit since the last revision:
>> 
>>   Remove logging
>
> src/java.base/share/classes/sun/security/ssl/SSLCipher.java line 1875:
> 
>> 1873:                             "fragment (" + bb.remaining() + "). Needs to be " +
>> 1874:                             "more than tag size (" + tagSize + ")");
>> 1875:                     }
> 
> From the context, we only know the record is an alert message.  We don't actually know it is plaintext or not.  But I will have you for the final decision.
> 
> There are another "Insufficient buffer remaining" exception in the SSLCipher class, we may want to keep the behavior consistent, with similar update.  But I am fine to do it separately.
> 
> I am going to approve it.

- I'm not sure what you mean by `plaintext`, what is your definition of plaintext? Per TLS1.3 RFC it's a plaintext unless  contentType == 23
- About other "Insufficient buffer remaining" exceptions: from what we know so far this problem is specific to TLSv1.3, so I think we'll deal with other cases separately if needed in the future.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/21043#discussion_r1821495642