8237474: Default SSLEngine should create in server role
Reviewed-by: xuelei, coffeys
Prasadrao Koppula committed Apr 14, 2020
1 parent b812e8b commit aadc7c7ca86e053b87725c13f99143176958a444
Showing 9 changed files with 67 additions and 13 deletions.
@@ -1,5 +1,5 @@
/*
* Copyright (c) 1999, 2019, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1999, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -352,6 +352,14 @@ public final SSLServerSocketFactory getServerSocketFactory() {
* Some cipher suites (such as Kerberos) require remote hostname
* information, in which case this factory method should not be used.
*
* @implNote
* It is provider-specific if the returned SSLEngine uses client or
* server mode by default for the (D)TLS connection. The JDK SunJSSE
* provider implementation uses server mode by default. However, it
* is recommended to always set the desired mode explicitly by calling
* {@link SSLEngine#setUseClientMode(boolean) SSLEngine.setUseClientMode()}
* before invoking other methods of the SSLEngine.
*
* @return the {@code SSLEngine} object
* @throws UnsupportedOperationException if the underlying provider
* does not implement the operation.
@@ -382,6 +390,14 @@ public final SSLEngine createSSLEngine() {
* Some cipher suites (such as Kerberos) require remote hostname
* information, in which case peerHost needs to be specified.
*
* @implNote
* It is provider-specific if the returned SSLEngine uses client or
* server mode by default for the (D)TLS connection. The JDK SunJSSE
* provider implementation uses server mode by default. However, it
* is recommended to always set the desired mode explicitly by calling
* {@link SSLEngine#setUseClientMode(boolean) SSLEngine.setUseClientMode()}
* before invoking other methods of the SSLEngine.
*
* @param peerHost the non-authoritative name of the host
* @param peerPort the non-authoritative port
* @return the new {@code SSLEngine} object
@@ -1,5 +1,5 @@
/*
* Copyright (c) 1999, 2019, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1999, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -90,6 +90,14 @@ protected abstract void engineInit(KeyManager[] km, TrustManager[] tm,
* Some cipher suites (such as Kerberos) require remote hostname
* information, in which case this factory method should not be used.
*
* @implNote
* It is provider-specific if the returned SSLEngine uses client or
* server mode by default for the (D)TLS connection. The JDK SunJSSE
* provider implementation uses server mode by default. However, it
* is recommended to always set the desired mode explicitly by calling
* {@link SSLEngine#setUseClientMode(boolean) SSLEngine.setUseClientMode()}
* before invoking other methods of the SSLEngine.
*
* @return the {@code SSLEngine} Object
* @throws IllegalStateException if the SSLContextImpl requires
* initialization and the {@code engineInit()}
@@ -110,6 +118,14 @@ protected abstract void engineInit(KeyManager[] km, TrustManager[] tm,
* Some cipher suites (such as Kerberos) require remote hostname
* information, in which case peerHost needs to be specified.
*
* @implNote
* It is provider-specific if the returned SSLEngine uses client or
* server mode by default for the (D)TLS connection. The JDK SunJSSE
* provider implementation uses server mode by default. However, it
* is recommended to always set the desired mode explicitly by calling
* {@link SSLEngine#setUseClientMode(boolean) SSLEngine.setUseClientMode()}
* before invoking other methods of the SSLEngine.
*
* @param host the non-authoritative name of the host
* @param port the non-authoritative port
* @return the {@code SSLEngine} Object
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -329,9 +329,12 @@
* each endpoint must decide which role to assume. This choice determines
* who begins the handshaking process as well as which type of messages
* should be sent by each party. The method {@link
* #setUseClientMode(boolean)} configures the mode. Once the initial
* handshaking has started, an {@code SSLEngine} can not switch
* between client and server modes, even when performing renegotiations.
* #setUseClientMode(boolean)} configures the mode. Note that the
* default mode for a new {@code SSLEngine} is provider-specific.
* Applications should set the mode explicitly before invoking other
* methods of the {@code SSLEngine}. Once the initial handshaking has
* started, an {@code SSLEngine} can not switch between client and server
* modes, even when performing renegotiations.
* <P>
* Applications might choose to process delegated tasks in different
* threads. When an {@code SSLEngine}
@@ -1098,6 +1101,9 @@ public SSLSession getHandshakeSession() {
* Servers normally authenticate themselves, and clients
* are not required to do so.
*
* @implNote
* The JDK SunJSSE provider implementation default for this mode is false.
*
* @param mode true if the engine should start its handshaking
* in "client" mode
* @throws IllegalArgumentException if a mode change is attempted
@@ -1111,6 +1117,10 @@ public SSLSession getHandshakeSession() {
* Returns true if the engine is set to use client mode when
* handshaking.
*
* @implNote
* The JDK SunJSSE provider implementation returns false unless
* {@link setUseClientMode(boolean)} is used to change the mode to true.
*
* @return true if the engine should do handshaking
* in "client" mode
* @see #setUseClientMode(boolean)
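Review bot: The `{@link setUseClientMode(boolean)}` reference in the new getUseClientMode @implNote is missing the `#` member separator, so javadoc will flag it as an unresolvable link; the `@see #setUseClientMode(boolean)` tag two lines below and the class-level `{@link #setUseClientMode(boolean)}` in the earlier hunk use the correct form. Change it to `{@link #setUseClientMode(boolean)}`. Both method bodies lie outside the hunk.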
@@ -1,5 +1,5 @@
/*
* Copyright (c) 1999, 2019, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1999, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -1178,6 +1178,10 @@ private abstract static class AbstractDTLSContext extends SSLContextImpl {
@Override
protected SSLParameters engineGetDefaultSSLParameters() {
SSLEngine engine = createSSLEngineImpl();
// Note: The TLSContext defaults to client side SSLParameters.
// We can do the same here. Please don't change the behavior
// for compatibility.
engine.setUseClientMode(true);
return engine.getSSLParameters();
}
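Review bot: The explicit `engine.setUseClientMode(true)` in engineGetDefaultSSLParameters is now load-bearing rather than redundant, because this commit flips the engine's default role to server in TransportContext, yet the added comment only says the TLSContext does the same and asks not to change it; a later reader could reasonably drop the line as a no-op. Suggest making the reason explicit: `// Engines now default to server mode (8237474); select client mode explicitly so the returned defaults stay client-side (presumably jdk.tls.client.protocols rather than jdk.tls.server.protocols).` If any sibling method in this class also derives SSLParameters from a freshly created engine, it presumably needs the same explicit mode; only this method is visible here. AbstractDTLSContext continues outside the hunk.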

@@ -89,7 +89,7 @@ final class TransportContext implements ConnectionContext {
// Called by SSLEngineImpl
TransportContext(SSLContextImpl sslContext, SSLTransport transport,
InputRecord inputRecord, OutputRecord outputRecord) {
this(sslContext, transport, new SSLConfiguration(sslContext, true),
this(sslContext, transport, new SSLConfiguration(sslContext, false),
inputRecord, outputRecord, true);
}
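Review bot: The bare `false` passed to `new SSLConfiguration(sslContext, false)` is the only place in this commit where the new server-by-default role is expressed in code, and nothing at the call site names it; together with the trailing `true` on the next line the constructor now reads as two unexplained booleans. Suggest a comment on the changed line: `// isClientMode=false: engines default to the server role (8237474); callers must still call setUseClientMode()`. I am inferring the parameter's meaning from the commit title; confirm it against the SSLConfiguration constructor, which is not in the hunk.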

@@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -26,6 +26,7 @@

/*
* @test
* @bug 8237474
* @summary Test jdk.tls.client.protocols with DTLS
* @run main/othervm -Djdk.tls.client.protocols="DTLSv1.0"
* CustomizedDTLSDefaultProtocols
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -26,6 +26,7 @@

/*
* @test
* @bug 8237474
* @summary Test jdk.tls.server.protocols with DTLS
* @run main/othervm -Djdk.tls.server.protocols="DTLSv1.0"
* CustomizedDTLSServerDefaultProtocols
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2013, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -26,6 +26,7 @@

/*
* @test
* @bug 8237474
* @summary Test jdk.tls.client.protocols with DTLS
* @run main/othervm DefaultDTLSEnabledProtocols
*/
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2004, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2004, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -28,7 +28,7 @@

/*
* @test
* @bug 4980882 8207250
* @bug 4980882 8207250 8237474
* @summary SSLEngine should enforce setUseClientMode
* @run main/othervm EngineEnforceUseClientMode
* @author Brad R. Wetmore
@@ -89,6 +89,11 @@ private void createSSLEngines() throws Exception {
ssle3 = sslc.createSSLEngine();
ssle4 = sslc.createSSLEngine();
ssle5 = sslc.createSSLEngine();
//Check default SSLEngine role.
if (ssle5.getUseClientMode()) {
throw new RuntimeException("Expected default role to be server");
}

}

private void runTest() throws Exception {
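Review bot: The new default-role check covers only the no-arg `sslc.createSSLEngine()` path (`ssle5`), while the javadoc changes in this commit document the server default for both `createSSLEngine()` and `createSSLEngine(peerHost, peerPort)`; the host/port variant is left untested. Consider adding one more engine created with a host and port and asserting its role too, e.g. `if (sslc.createSSLEngine("localhost", 443).getUseClientMode()) { throw new RuntimeException("Expected default role to be server"); }` (constructed sample values). How ssle1 and ssle2 are created lies above the hunk, so they may already cover this. The stray blank line before the closing brace of createSSLEngines() could also be dropped.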
