8217633: Configurable extensions with system properties #1752
Conversation
|
👋 Welcome back xuelei! A progress list of the required criteria for merging this PR into |
|
@XueleiFan The following label will be automatically applied to this pull request:
When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command. |
Webrevs
|
|
/csr needed |
|
@XueleiFan this pull request will not be integrated until the CSR request JDK-8217993 for issue JDK-8217633 has been approved. |
|
@XueleiFan This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply add a new comment to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration! |
|
ping ... |
Yes. The properties will be described in the JSSE Reference Guide. I added a "Documentation" section in the CSR.
Thanks for the review. |
| @@ -0,0 +1,75 @@ | |||
| /* | |||
| * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved. | |||
There was a problem hiding this comment.
| * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved. | |
| * Copyright (c) 2021, Oracle and/or its affiliates. All rights reserved. |
| (new BlockedExtension(new String[] {args[1]})).run(); | ||
| } catch (SSLException | IllegalStateException ssle) { | ||
| if (shouldSuccess) { | ||
| throw new Exception( |
There was a problem hiding this comment.
| throw new Exception( | |
| throw new RuntimeException( |
| } | ||
|
|
||
| if (!shouldSuccess) { | ||
| throw new Exception( |
There was a problem hiding this comment.
| throw new Exception( | |
| throw new RuntimeException( |
There was a problem hiding this comment.
Good catches, the years should be 2021 now. Thanks!
|
Mailing list message from Bernd Eckenfels on security-dev: Hello, I wanted to mention again, that all those System property configurations are good, especially to resolve the update pains, but not really useful if you want to make configurations on a per-connection base. If you have to support multiple partners it can be a real pain to setup a common feature set or multiple instances. For this a generic feature setter for the context would be really useful. Most prominent recent example is the ca-extension, which only really makes sense if you also did programmatically configure a small list of trusted CAs. I also think it would overall clean up the code and give a good place for Javadoc all those options. Gruss
Xue-Lei Andrew Fan has updated the pull request incrementally with one additional commit since the last revision: Update copyright years to 2021 ------------- Changes: Webrevs: Stats: 4 lines in 2 files changed: 0 ins; 0 del; 4 mod PR: https://git.openjdk.java.net/jdk/pull/1752 |
|
Hi Bernd, I agree with you that System property is not as useful to configure individual connections. It is mostly used for corner cases that have interoperability or compatibility issues. A general program should use APIs and the default system properties.
Yes, ca-extension is an item I was thinking of to support in JDK.
Currently, the system properties are documented in the JSSE Reference Guides. But just as you know, it is as easy to follow. I agree with you that it would be nice to have better place to have them all together. Thank you for the review. Regards,
|
|
@XueleiFan This change now passes all automated pre-integration checks. ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details. After integration, the commit message for the final commit will be: You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been 23 new commits pushed to the
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details. ➡️ To integrate this PR with the above commit message to the |
|
/integrate |
openjdk
bot
added
integrated
|
@XueleiFan Since your change was applied there have been 37 commits pushed to the
Your commit was automatically rebased without conflicts. Pushed as commit 71bfe96. 💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored. |
|
Hi @XueleiFan , i don't find this patch into latest OpenJDK 1.8 releases . Is there a plan to integrate this patch also into OpenJDK 1.8 ? (i see that OracleJDK 1.8 was updated) |
The TLS protocols are designed to tolerant unknown TLS extensions. However, although it is not common, there are a few TLS implementations that cannot handle unknown extensions properly. As results in unexpected interoperability issue when new extensions are introduced in JDK. The interoperability impact could be mitigated If applications can customize the extensions if needed.
With this update, two system properties are added to configure the default extensions in either client or server side of TLS connections. Please note that the impact of blocking TLS extensions is complicated. For example, a TLS connection may not be able to established if a mandatory extension is blocked. Please don't use this feature unless you clearly understand the impact.
Bug: https://bugs.openjdk.java.net/browse/JDK-8217633
CSR: https://bugs.openjdk.java.net/browse/JDK-8217993
Progress
Issue
Reviewers
Download
$ git fetch https://git.openjdk.java.net/jdk pull/1752/head:pull/1752$ git checkout pull/1752