RFR: 8331682: Slow networks/Impatient clients can potentially send unencrypted TLSv1.3 alerts that won't parse on the server [v3]
Daniel Jeliński
djelinski at openjdk.org
Fri Sep 20 16:43:38 UTC 2024
On Fri, 20 Sep 2024 16:16:24 GMT, Artur Barashev <duke at openjdk.org> wrote:
>> test/jdk/javax/net/ssl/TLSv13/SSLEngineNoServerHelloClientShutdown.java line 239:
>>
>>> 237:
>>> 238: /* TODO: Final client unwrap fails because server doesn't send an alert to terminate
>>> 239: the handshake after receiving close_notify alert from the client. Investigate why.
>>
>> Is this TODO item done?
>
> Not yet. I'm currently learning the internals of TLS code and going through TLS RFC in order to understand if it's an expected behavior or not. What do you think?
You can't clear the sTOc buffer if you want this to work; TLS is running over TCP, and TCP never loses data. So, the final client unwrap is expected to deal with serverHello and all handshake messages before receiving the encrypted close_notify alert.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/21043#discussion_r1768907171