On Mon, 14 Apr 2025 12:54:31 GMT, Nibedita Jena <d...@openjdk.org> wrote:
>> Session resumption without server side state was added under >> [JDK-8211018](https://bugs.openjdk.org/browse/JDK-8211018). >> While it is TLSv1.2 session resumption, the client hello message is being >> parsed in SSLSessionImpl for each extensions. >> >> Customer has reported handshake failure and is reproducible locally with >> exception NegativeArraySizeExceptions when there is ServerNameIndication >> with size > 127. >> According to RFC 3546, the host_name limit allowed is 255. >> With a sample testcase when the host_name length is > 127, exception is >> thrown: >> javax.net.ssl|DEBUG|71|Thread-1|2025-04-06 17:13:07.278 >> UTC|ClientHello.java:825|Negotiated protocol version: TLSv1.2 >> javax.net.ssl|WARNING|71|Thread-1|2025-04-06 17:13:07.281 >> UTC|SSLSocketImpl.java:1672|handling exception ( >> "throwable" : { >> java.lang.NegativeArraySizeException: -1 >> at >> java.base/sun.security.ssl.SSLSessionImpl.<init>(SSLSessionImpl.java:399) >> at >> java.base/sun.security.ssl.SessionTicketExtension$T12CHSessionTicketConsumer.consume(SessionTicketExtension.java:468) >> >> e.g. >> int l = buf.get(); >> b = new byte[l]; <-------------------- NegativeArraySizeException thrown >> here when > 127 >> >> For TLSv1.3, its not an issue until length > 255. >> >> According to RFC 5077, PSK identity length allowed is <0..2^16-1> and so its >> value conversion being taken care of under this change. >> Master secret is allowed for 48 bytes - master_secret[48], shouldnt be an >> issue. > > Nibedita Jena has updated the pull request incrementally with one additional > commit since the last revision: > > Updated SSLSessionImpl constructor with Record interface methods I will look at this.. At the time I wrote this I avoided using Record for a reason, but I don't remember why right now. ------------- PR Comment: https://git.openjdk.org/jdk/pull/24535#issuecomment-2825410613
