RFR: 8331682: Slow networks/Impatient clients can potentially send unencrypted TLSv1.3 alerts that won't parse on the server [v3]

Artur Barashev duke at openjdk.org
Fri Sep 20 21:15:35 UTC 2024


On Fri, 20 Sep 2024 20:07:31 GMT, Artur Barashev <duke at openjdk.org> wrote:

>> @djelinski I see, thanks! But here is the exception I'm getting; it's not about an unexpected command. Can we get it because the server is using TLSv1.3 and the client is using plaintext? How do we switch the server to plaintext after encountering this situation (unexpected plaintext alert message during TLSv1.3 handshake)?
>> ```
>> ---Last Client Unwrap---
>> javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
>> 	at java.base/sun.security.ssl.SSLEngineInputRecord.bytesInCompletePacket(SSLEngineInputRecord.java:145)
>> 	at java.base/sun.security.ssl.SSLEngineInputRecord.bytesInCompletePacket(SSLEngineInputRecord.java:64)
>> 	at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:613)
>> 	at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:507)
>> 	at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:483)
>> 	at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:679)
>> 	at SSLEngineNoServerHelloClientShutdown.runTestUserCancelled(SSLEngineNoServerHelloClientShutdown.java:244)
>> 	at SSLEngineNoServerHelloClientShutdown.main(SSLEngineNoServerHelloClientShutdown.java:140)
>> 	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
>> 	at java.base/java.lang.reflect.Method.invoke(Method.java:573)
>> ```
>
> Yes, I figured out how to switch the server to plaintext and now the client can read the last server message. Now it produces a `(unexpected_message) Received close_notify during handshake` error. The client expects a `user_cancelled` alert first before getting `close_notify` during handshake.

Fixed that client issue by requiring that a `user_cancelled` alert always be sent first during handshake; will be pushing a new commit soon.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/21043#discussion_r1769261618

