On 12/30/2010 9:39 AM, Weijun Wang wrote: > Hi Xuelei > > Are you sure these 3 files all need to be changed? Hopefully you can > change as few as possible. > Yes, we need to change all 3 files. As we discussed before, we'd better to check the version number attack in all 3 files, see the comments around line 1090 of Handshaker.java:
// we have checked the ClientKeyExchange message when reading TLS // record, the following check is necessary to ensure that // JCE provider does not ignore the checking, or the previous // checking process bypassed the premaster secret version checking. > Also, the message name is not "PreMasterSecret message". I know it > should be "ClientKeyExchange" for RSAClientKeyExchange.java. > OK, I change the word to "... version number of PreMasterSecret in a ClientKeyExchange". > and, "tolerate" is the verb, "tolerant" is an adjective. > Good. webrev updated: http://cr.openjdk.java.net/~xuelei/6976118/webrev.01/ Thanks, Xuelei > Thanks > Max > > > On 12/27/2010 05:46 PM, Xuelei Fan wrote: >> Hi Weijun, >> >> A simple fix for version number tolerance. >> >> webrev: http://cr.openjdk.java.net/~xuelei/6976118/webrev.00/ >> >> Thanks, >> Xuelei
