RFR: 8350830: Values converted incorrectly when reading TLS session tickets [v3]
Daniel Jeliński
djelinski at openjdk.org
Mon Apr 14 12:54:35 UTC 2025
On Mon, 14 Apr 2025 12:11:22 GMT, Nibedita Jena <duke at openjdk.org> wrote:
>> Session resumption without server side state was added under [JDK-8211018](https://bugs.openjdk.org/browse/JDK-8211018).
>> While it is TLSv1.2 session resumption, the client hello message is being parsed in SSLSessionImpl for each extensions.
>>
>> Customer has reported handshake failure and is reproducible locally with exception NegativeArraySizeExceptions when there is ServerNameIndication with size > 127.
>> According to RFC 3546, the host_name limit allowed is 255.
>> With a sample testcase when the host_name length is > 127, exception is thrown:
>> javax.net.ssl|DEBUG|71|Thread-1|2025-04-06 17:13:07.278 UTC|ClientHello.java:825|Negotiated protocol version: TLSv1.2
>> javax.net.ssl|WARNING|71|Thread-1|2025-04-06 17:13:07.281 UTC|SSLSocketImpl.java:1672|handling exception (
>> "throwable" : {
>> java.lang.NegativeArraySizeException: -1
>> at java.base/sun.security.ssl.SSLSessionImpl.<init>(SSLSessionImpl.java:399)
>> at java.base/sun.security.ssl.SessionTicketExtension$T12CHSessionTicketConsumer.consume(SessionTicketExtension.java:468)
>>
>> e.g.
>> int l = buf.get();
>> b = new byte[l]; <-------------------- NegativeArraySizeException thrown here when > 127
>>
>> For TLSv1.3, its not an issue until length > 255.
>>
>> According to RFC 5077, PSK identity length allowed is <0..2^16-1> and so its value conversion being taken care of under this change.
>> Master secret is allowed for 48 bytes - master_secret[48], shouldnt be an issue.
>
> Nibedita Jena has updated the pull request incrementally with one additional commit since the last revision:
>
> Updated SSLSessionImpl constructor with Record interface methods
Nice. Here's a +1 from me, but please wait for the usual reviewers.
-------------
Marked as reviewed by djelinski (Reviewer).
PR Review: https://git.openjdk.org/jdk/pull/24535#pullrequestreview-2764127508
More information about the security-dev
mailing list