-
Notifications
You must be signed in to change notification settings - Fork 5.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
8298873: Update IllegalRecordVersion.java for changes to TLS implementation #11929
Conversation
👋 Welcome back mpdonova! A progress list of the required criteria for merging this PR into |
Webrevs
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This update will introduce version negotiation issues. Per TLS spec, version 105.106 should be allowed and the version could be negotiated properly. When TLS 1.4 is defined later in the future, the code update here will cause serious compatibility issues. This has been a well-known issue in some implementations.
If you want to fix the javax/net/ssl/SSLEngine/IllegalRecordVersion.java issue, please refer to the JDK-8042449 patch details.
I'm not sure what you mean here. Can you point me towards the spec that you're referring to? If we need to support later, currently undefined, versions then is IllegalRecordVersion a valid test?
I looked at that original patch and the code history after that. The original patch (JDK-8042449) created/updated The original
The logic is structured differently, but I'm pretty sure that it's has the same result. |
Please refer to "Appendix E. Backward Compatibility" of RFC 5246. Let see an example, suppose TLS 1.4 is defined. If the server is only able to accept TLS 1.3, if the client is using TLS 1.4 format, the connection cannot be established. But TLS 1.3 should be negotiated. BTW, this filed has been deprecated and "MUST be ignored for all purposes" since TLS 1.3 (See RFC 8446).
|
@@ -587,7 +587,6 @@ sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java 8161536 generic- | |||
sun/security/tools/keytool/ListKeychainStore.sh 8156889 macosx-all | |||
|
|||
javax/net/ssl/SSLEngine/TestAllSuites.java 8298874 generic-all | |||
javax/net/ssl/SSLEngine/IllegalRecordVersion.java 8298873 generic-all |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have closed 8298873 as duplicate of this bug. Can you please update IllegalRecordVersion test to list 8299870 under @bug
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since 8299870 is test only bug now, we don't need to list it.
I reworked If that sounds legitimate, I can clean up the code a little and push it. |
I'm fine for this approach. The file/class name could be revised. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would you please update the subject and description of JDK-8299870 so that it fit better with the purpose of the patch?
static final ProtocolVersion MAX_TLS_SUPPORTED = TLS13; | ||
static final ProtocolVersion MIN_TLS_SUPPORTED = SSL30; | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would you mind restore the update for ProrocolVersion.java?
private static final String PATH_TO_STORES = "../etc"; | ||
private static final String KEYSTORE_FILE = "keystore"; | ||
private static final String TRUSTSTORE_FILE = "truststore"; | ||
|
||
private static final String KEYSTORE_PATH = | ||
System.getProperty("test.src", "./") + "/" + PATH_TO_STORES + | ||
"/" + KEYSTORE_FILE; | ||
private static final String TRUSTSTORE_PATH = | ||
System.getProperty("test.src", "./") + "/" + PATH_TO_STORES + | ||
"/" + TRUSTSTORE_FILE; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It would be nice to avoid to use binary files. Would you mind to check if test/jdk/javax/net/ssl/templates/SSLContextTemplate.java could be used for the generation of SSLContext (for example test/jdk/javax/net/ssl/templates/SSLEngineTemplate.java)?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There are few other tests that need update as well. We should create backlog item to update all these tests to use the SSLEngineTemplate to generate SSLContext.
@@ -407,4 +407,4 @@ static ProtocolVersion selectedFrom( | |||
|
|||
return selectedVersion; | |||
} | |||
} | |||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
revert this change as well.
Thinking may be it is better to close JDK-8299870 and "Not an Issue" for archival purpose and address the test fix as part of JDK-8298873. What do you think? |
/integrate |
@mpdonova This change now passes all automated pre-integration checks. ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details. After integration, the commit message for the final commit will be:
You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been 312 new commits pushed to the
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details. As you do not have Committer status in this project an existing Committer must agree to sponsor your change. Possible candidates are the reviewers of this PR (@XueleiFan, @rhalade) but any other Committer may sponsor as well. ➡️ To flag this PR as ready for integration with the above commit message, type |
/sponsor |
Going to push as commit fc26d3e.
Your commit was automatically rebased without conflicts. |
The copyright line has the incorrect syntax. Please followup with a fix. |
Tested with jdk_security and jdk_security3 test groups.
Progress
Issue
Reviewers
Reviewing
Using
git
Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk pull/11929/head:pull/11929
$ git checkout pull/11929
Update a local copy of the PR:
$ git checkout pull/11929
$ git pull https://git.openjdk.org/jdk pull/11929/head
Using Skara CLI tools
Checkout this PR locally:
$ git pr checkout 11929
View PR using the GUI difftool:
$ git pr show -t 11929
Using diff file
Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/11929.diff