RFR: 8331682: Slow networks/Impatient clients can potentially send unencrypted TLSv1.3 alerts that won't parse on the server [v3]
Artur Barashev
duke at openjdk.org
Fri Sep 20 16:15:37 UTC 2024
On Fri, 20 Sep 2024 15:59:23 GMT, Hai-May Chao <hchao at openjdk.org> wrote:
>> Artur Barashev has updated the pull request incrementally with one additional commit since the last revision:
>>
>> Add assertions. Add the final server wrap
>
> src/java.base/share/classes/sun/security/ssl/SSLTransport.java line 135:
>
>> 133: byte minorVersion = packet.get(); // pos: 2
>> 134: int contentLen = Record.getInt16(packet); // pos: 3, 4
>> 135:
>
> Do you think it may be a good idea to check further the content of the alert including the first byte (WARNING or FATAL) and the second byte (AlertDescription for close_notify)?
I'm not sure why. We only check that it's an alert type and our code downstream (`context.dispatch(plainText);`) actually processes the alert as needed.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/21043#discussion_r1768877897
More information about the security-dev
mailing list