On 12/30/2010 06:07 PM, Xuelei Fan wrote:
On 12/30/2010 9:39 AM, Weijun Wang wrote:
Hi Xuelei
Are you sure these 3 files all need to be changed? Hopefully you can
change as few as possible.
Yes, we need to change all 3 files. As we discussed before, we'd better
check the version number attack in all 3 files, see the comments
around line 1090 of Handshaker.java:
If you're sure that if any one of these 3 files is not updated, and IE
has a problem accessing JSSE server, I'm OK with the webrev.
Still, I somehow wish only one change will do, say, when
ClientKeyExchange message is received, you secretly modify something
inside. Of course, if this causes a HandshakeHash computing error or any
other inconvenience/confusion, don't do it.
Thanks
Max
// we have checked the ClientKeyExchange message when reading TLS
// record, the following check is necessary to ensure that
// JCE provider does not ignore the checking, or the previous
// checking process bypassed the premaster secret version checking.
Also, the message name is not "PreMasterSecret message". I know it
should be "ClientKeyExchange" for RSAClientKeyExchange.java.
OK, I change the word to "... version number of PreMasterSecret in a
ClientKeyExchange".
and, "tolerate" is the verb, "tolerant" is an adjective.
Good.
webrev updated: http://cr.openjdk.java.net/~xuelei/6976118/webrev.01/
Thanks,
Xuelei
Thanks
Max
On 12/27/2010 05:46 PM, Xuelei Fan wrote:
Hi Weijun,
A simple fix for version number tolerance.
webrev: http://cr.openjdk.java.net/~xuelei/6976118/webrev.00/
Thanks,
Xuelei