Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

8270344: Session resumption errors #5110

Closed
wants to merge 5 commits into from

Conversation

coffeys
Copy link
Contributor

@coffeys coffeys commented Aug 13, 2021

Corner case where a session resumption can fail if the TLS server changes supported protocol versions in relation to a cached SSLSession. This is primarily an issue where the legacy TLS version is used in place of the newer "supported_versions" TLS extension.


Progress

  • Change must not contain extraneous whitespace
  • Commit message must refer to an issue
  • Change must be properly reviewed

Issue

Reviewers

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.java.net/jdk pull/5110/head:pull/5110
$ git checkout pull/5110

Update a local copy of the PR:
$ git checkout pull/5110
$ git pull https://git.openjdk.java.net/jdk pull/5110/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 5110

View PR using the GUI difftool:
$ git pr show -t 5110

Using diff file

Download this PR as a diff file:
https://git.openjdk.java.net/jdk/pull/5110.diff

@bridgekeeper
Copy link

bridgekeeper bot commented Aug 13, 2021

👋 Welcome back coffeys! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

@openjdk openjdk bot added the rfr Pull request is ready for review label Aug 13, 2021
@openjdk
Copy link

openjdk bot commented Aug 13, 2021

@coffeys The following label will be automatically applied to this pull request:

  • security

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

@openjdk openjdk bot added the security security-dev@openjdk.org label Aug 13, 2021
@mlbridge
Copy link

mlbridge bot commented Aug 13, 2021

Webrevs

@djelinski
Copy link
Member

Also fixes resumption when server is a Java application run with -Djdk.tls.allowLegacyResumption=false, client is a Java application with -Djdk.tls.useExtendedMasterSecret=false, and TLSv1.2 is negotiated.
As a side note, it should be possible to merge HandshakeContext#handshakeSession and HandshakeContext#resumingSession into a single field now

@openjdk openjdk bot removed the rfr Pull request is ready for review label Aug 19, 2021
@coffeys
Copy link
Contributor Author

coffeys commented Aug 19, 2021

thanks for the comments @djelinski - per Dev advise, I've split this issue into 2 bugs. This issue will focus on altering the legacy maximum TLS protocol version field sent in the ClientHello. Patch just updated.

A follow on fix will focus on the session invalidation issue (JDK-8272653)

@openjdk openjdk bot added the rfr Pull request is ready for review label Aug 19, 2021
}
}
}
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is a new line required in the end of file? I see red symbol in the review board, I think the symbol may be generated by the GitHub.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not sure it matters, but added a new line

// Update protocol version number in underlying socket and
// handshake output stream, so that the output records
// (at the record layer) have the correct version
chc.setVersion(sessionVersion);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The removing of the call to "setVersion()" has an impact, I think. I think the declaration of this method could be removed in HandshakeContext class, and set the HandshakeContext.conContext.protocolVersion to HandshakeContext.maximumActiveProtocol in the HandshakeContext.initialize() method.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've removed the (now) redundant setVersion(..) method.

With respect to initialize() method we already set HandshakeContext.conContext.protocolVersion to HandshakeContext.maximumActiveProtocol in the case of a new session. Is that what you were aiming at ?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes. Thank you!

Comment on lines 50 to 60
String keyFilename =
System.getProperty("test.src", "./") + "/" + pathToStores +
"/" + keyStoreFile;
String trustFilename =
System.getProperty("test.src", "./") + "/" + pathToStores +
"/" + trustStoreFile;

System.setProperty("javax.net.ssl.keyStore", keyFilename);
System.setProperty("javax.net.ssl.keyStorePassword", passwd);
System.setProperty("javax.net.ssl.trustStore", trustFilename);
System.setProperty("javax.net.ssl.trustStorePassword", passwd);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is not recommended to use the binary key store files for JSSE test cases. Please refer to test/jdk/javax/net/ssl/templates/SSLContextTemplate.java for a replacement.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good suggestion - done.

// Update protocol version number in underlying socket and
// handshake output stream, so that the output records
// (at the record layer) have the correct version
chc.setVersion(sessionVersion);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes. Thank you!

@openjdk
Copy link

openjdk bot commented Aug 20, 2021

@coffeys This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8270344: Session resumption errors

Reviewed-by: xuelei

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 66 new commits pushed to the master branch:

  • 1ea437a: 8272720: Fix the implementation of loop unrolling heuristic with LoopPercentProfileLimit
  • 86add21: 8223923: C2: Missing interference with mismatched unsafe accesses
  • c701f6e: 8272739: Misformatted error message in EventHandlerCreator
  • fb1dfc6: 8267185: Add string deduplication support to ParallelGC
  • d874e96: 8271579: G1: Move copy before CAS in do_copy_to_survivor_space
  • 92bde67: 8271946: Cleanup leftovers in Space and subclasses
  • db9834f: 8258951: java/net/httpclient/HandshakeFailureTest.java failed with "RuntimeException: Not found expected SSLHandshakeException in java.io.IOException"
  • a81e5e9: 8272654: Mark word accesses should not use Access API
  • 4bd37c3: 8272708: [Test]: Cleanup: test/jdk/security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java no longer needs ocspEnabled
  • ddcd851: 8272602: [macos] not all KEY_PRESSED events sent when control modifier is used
  • ... and 56 more: https://git.openjdk.java.net/jdk/compare/d06d0b9e9d9d27aa549455f19b9803752431bcbb...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

@openjdk openjdk bot added the ready Pull request is ready to be integrated label Aug 20, 2021
@coffeys
Copy link
Contributor Author

coffeys commented Aug 20, 2021

/integrate

@openjdk
Copy link

openjdk bot commented Aug 20, 2021

Going to push as commit 04a806e.
Since your change was applied there have been 67 commits pushed to the master branch:

  • d85560e: 8267161: Write automated test case for JDK-4479161
  • 1ea437a: 8272720: Fix the implementation of loop unrolling heuristic with LoopPercentProfileLimit
  • 86add21: 8223923: C2: Missing interference with mismatched unsafe accesses
  • c701f6e: 8272739: Misformatted error message in EventHandlerCreator
  • fb1dfc6: 8267185: Add string deduplication support to ParallelGC
  • d874e96: 8271579: G1: Move copy before CAS in do_copy_to_survivor_space
  • 92bde67: 8271946: Cleanup leftovers in Space and subclasses
  • db9834f: 8258951: java/net/httpclient/HandshakeFailureTest.java failed with "RuntimeException: Not found expected SSLHandshakeException in java.io.IOException"
  • a81e5e9: 8272654: Mark word accesses should not use Access API
  • 4bd37c3: 8272708: [Test]: Cleanup: test/jdk/security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java no longer needs ocspEnabled
  • ... and 57 more: https://git.openjdk.java.net/jdk/compare/d06d0b9e9d9d27aa549455f19b9803752431bcbb...master

Your commit was automatically rebased without conflicts.

@openjdk openjdk bot closed this Aug 20, 2021
@openjdk openjdk bot added integrated Pull request has been integrated and removed ready Pull request is ready to be integrated rfr Pull request is ready for review labels Aug 20, 2021
@openjdk
Copy link

openjdk bot commented Aug 20, 2021

@coffeys Pushed as commit 04a806e.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
integrated Pull request has been integrated security security-dev@openjdk.org
3 participants