Re: RFR: 8277307: Pre shared key sent under both session_ticket and pre_shared_key extensions [v2]
On Thu, 2 Jun 2022 21:02:16 GMT, Daniel Jeliński wrote: >> Session ticket extension should only contain pre-TLS1.3 stateless session >> tickets; it should not be used for sending TLS1.3 pre-shared keys. > > Daniel Jeliński has updated the pull request incrementally with one > additional commit since the last revision: > > different check for TLS13 A little late to this review as it's already been pushed, but I would have suggested leaving the `return new SessionTicketSpec().getEncoded();` as it keeps the encapsulation more clear. Otherwise, it looks good. - PR: https://git.openjdk.org/jdk/pull/8922
Re: RFR: 8277307: Pre shared key sent under both session_ticket and pre_shared_key extensions [v2]
On Wed, 8 Jun 2022 05:05:13 GMT, Anthony Scarpino wrote: > The bug and the PR could have used a lot more description that the issue here > is that 1.2 and 1.3 are enabled at the same time. As far as I can tell, 1.2 and 1.3 are both enabled by default. > One could ask the reverse, if the resumption is from 1.2 should we be sending > a 1.3 pre_shared_key extension.. But that can be for another bug I suppose. We are not sending `pre_shared_key` when resuming TLS 1.2 > please make sure all jdk_security tests and tier1 tests pass before > integrating done. Thanks for reviewing! - PR: https://git.openjdk.java.net/jdk/pull/8922
Re: RFR: 8277307: Pre shared key sent under both session_ticket and pre_shared_key extensions [v2]
On Thu, 2 Jun 2022 21:02:16 GMT, Daniel Jeliński wrote: >> Session ticket extension should only contain pre-TLS1.3 stateless session >> tickets; it should not be used for sending TLS1.3 pre-shared keys. > > Daniel Jeliński has updated the pull request incrementally with one > additional commit since the last revision: > > different check for TLS13 Marked as reviewed by ascarpino (Reviewer). please make sure all jdk_security tests and tier1 tests pass before integrating - PR: https://git.openjdk.java.net/jdk/pull/8922
Re: RFR: 8277307: Pre shared key sent under both session_ticket and pre_shared_key extensions [v2]
On Thu, 2 Jun 2022 21:02:16 GMT, Daniel Jeliński wrote: >> Session ticket extension should only contain pre-TLS1.3 stateless session >> tickets; it should not be used for sending TLS1.3 pre-shared keys. > > Daniel Jeliński has updated the pull request incrementally with one > additional commit since the last revision: > > different check for TLS13 The bug and the PR could have used a lot more description that the issue here is that 1.2 and 1.3 are enabled at the same time. such as via `setEnabledProtocols()`. At first I thought this bug was incorrect because 1.3 does not display a session_ticket extension as it is only supported in the code by 1.0-1.2. But with both enabled, it causes all the extensions to be enabled. After thinking about it, this maybe the better way to fix this as the it a heterogeneous server environment, only sending 1.3 extension from the resumed TLS protocol may cause errors when talking to 1.2 server. So both extensions need to be enabled globally, but since we are resuming 1.3 state, the same state does not to be passed in a 1.2 connection. It should do a full handshake. One could ask the reverse, if the resumption is from 1.2 should we be sending a 1.3 pre_shared_key extension.. But that can be for another bug I suppose. - PR: https://git.openjdk.java.net/jdk/pull/8922
Re: RFR: 8277307: Pre shared key sent under both session_ticket and pre_shared_key extensions [v2]
On Thu, 2 Jun 2022 21:02:16 GMT, Daniel Jeliński wrote: >> Session ticket extension should only contain pre-TLS1.3 stateless session >> tickets; it should not be used for sending TLS1.3 pre-shared keys. > > Daniel Jeliński has updated the pull request incrementally with one > additional commit since the last revision: > > different check for TLS13 Looks good to me - Marked as reviewed by coffeys (Reviewer). PR: https://git.openjdk.java.net/jdk/pull/8922
Re: RFR: 8277307: Pre shared key sent under both session_ticket and pre_shared_key extensions [v2]
> Session ticket extension should only contain pre-TLS1.3 stateless session > tickets; it should not be used for sending TLS1.3 pre-shared keys. Daniel Jeliński has updated the pull request incrementally with one additional commit since the last revision: different check for TLS13 - Changes: - all: https://git.openjdk.java.net/jdk/pull/8922/files - new: https://git.openjdk.java.net/jdk/pull/8922/files/258930f5..ae7c68b2 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk=8922=01 - incr: https://webrevs.openjdk.java.net/?repo=jdk=8922=00-01 Stats: 3 lines in 1 file changed: 0 ins; 2 del; 1 mod Patch: https://git.openjdk.java.net/jdk/pull/8922.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/8922/head:pull/8922 PR: https://git.openjdk.java.net/jdk/pull/8922
