Skip to content

Commit

Permalink
8277881: Missing SessionID in TLS1.3 resumption in compatibility mode
Browse files Browse the repository at this point in the history
Reviewed-by: ascarpino
  • Loading branch information
djelinski authored and Anthony Scarpino committed Dec 24, 2021
1 parent 4669bcd commit 9d99a37
Show file tree
Hide file tree
Showing 3 changed files with 14 additions and 11 deletions.
16 changes: 8 additions & 8 deletions src/java.base/share/classes/sun/security/ssl/ClientHello.java
Original file line number Diff line number Diff line change
Expand Up @@ -568,15 +568,15 @@ public byte[] produce(ConnectionContext context) throws IOException {
"No new session is allowed and " +
"no existing session can be resumed");
}

if (chc.maximumActiveProtocol.useTLS13PlusSpec() &&
SSLConfiguration.useCompatibilityMode) {
// In compatibility mode, the TLS 1.3 legacy_session_id
// field MUST be non-empty, so a client not offering a
// pre-TLS 1.3 session MUST generate a new 32-byte value.
sessionId =
}
if (sessionId.length() == 0 &&
chc.maximumActiveProtocol.useTLS13PlusSpec() &&
SSLConfiguration.useCompatibilityMode) {
// In compatibility mode, the TLS 1.3 legacy_session_id
// field MUST be non-empty, so a client not offering a
// pre-TLS 1.3 session MUST generate a new 32-byte value.
sessionId =
new SessionId(true, chc.sslContext.getSecureRandom());
}
}

ProtocolVersion minimumVersion = ProtocolVersion.NONE;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -97,7 +97,7 @@ final class SSLConfiguration implements Cloneable {
static final boolean allowLegacyMasterSecret =
Utilities.getBooleanProperty("jdk.tls.allowLegacyMasterSecret", true);

// Allow full handshake without Extended Master Secret extension.
// Use TLS1.3 middlebox compatibility mode.
static final boolean useCompatibilityMode = Utilities.getBooleanProperty(
"jdk.tls.client.useCompatibilityMode", true);

Expand Down
7 changes: 5 additions & 2 deletions test/jdk/javax/net/ssl/SSLSession/ResumeTLS13withSNI.java
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018, 2021, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
Expand All @@ -26,7 +26,7 @@

/*
* @test
* @bug 8211806
* @bug 8211806 8277881
* @summary TLS 1.3 handshake server name indication is missing on a session resume
* @run main/othervm ResumeTLS13withSNI
*/
Expand Down Expand Up @@ -338,6 +338,9 @@ private static void checkResumedClientHelloSNI(ByteBuffer resCliHello)

// Get the legacy session length and skip that many bytes
int sessIdLen = Byte.toUnsignedInt(resCliHello.get());
if (sessIdLen == 0) {
throw new Exception("SessionID field empty");
}
resCliHello.position(resCliHello.position() + sessIdLen);

// Skip over all the cipher suites
Expand Down

5 comments on commit 9d99a37

@openjdk-notifier
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@RealCLanger
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/backport jdk17u-dev

@openjdk
Copy link

@openjdk openjdk bot commented on 9d99a37 Oct 19, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@RealCLanger the backport was successfully created on the branch RealCLanger-backport-9d99a377 in my personal fork of openjdk/jdk17u-dev. To create a pull request with this backport targeting openjdk/jdk17u-dev:master, just click the following link:

➡️ Create pull request

The title of the pull request is automatically filled in correctly and below you find a suggestion for the pull request body:

Hi all,

This pull request contains a backport of commit 9d99a377 from the openjdk/jdk repository.

The commit being backported was authored by Daniel Jelinski on 24 Dec 2021 and was reviewed by Anthony Scarpino.

Thanks!

If you need to update the source branch of the pull then run the following commands in a local clone of your personal fork of openjdk/jdk17u-dev:

$ git fetch https://github.com/openjdk-bots/jdk17u-dev RealCLanger-backport-9d99a377:RealCLanger-backport-9d99a377
$ git checkout RealCLanger-backport-9d99a377
# make changes
$ git add paths/to/changed/files
$ git commit --message 'Describe additional changes made'
$ git push https://github.com/openjdk-bots/jdk17u-dev RealCLanger-backport-9d99a377

@RealCLanger
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/backport jdk11u-dev

@openjdk
Copy link

@openjdk openjdk bot commented on 9d99a37 Nov 3, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@RealCLanger the backport was successfully created on the branch RealCLanger-backport-9d99a377 in my personal fork of openjdk/jdk11u-dev. To create a pull request with this backport targeting openjdk/jdk11u-dev:master, just click the following link:

➡️ Create pull request

The title of the pull request is automatically filled in correctly and below you find a suggestion for the pull request body:

Hi all,

This pull request contains a backport of commit 9d99a377 from the openjdk/jdk repository.

The commit being backported was authored by Daniel Jelinski on 24 Dec 2021 and was reviewed by Anthony Scarpino.

Thanks!

If you need to update the source branch of the pull then run the following commands in a local clone of your personal fork of openjdk/jdk11u-dev:

$ git fetch https://github.com/openjdk-bots/jdk11u-dev RealCLanger-backport-9d99a377:RealCLanger-backport-9d99a377
$ git checkout RealCLanger-backport-9d99a377
# make changes
$ git add paths/to/changed/files
$ git commit --message 'Describe additional changes made'
$ git push https://github.com/openjdk-bots/jdk11u-dev RealCLanger-backport-9d99a377

Please sign in to comment.