src/java.base/share/classes/sun/security/ssl/ClientHandshakeContext.java
branchJDK-8145252-TLS13-branch
changeset 56542 56aaa6cb3693
parent 48225 718669e6b375
child 56674 d2ba9e6f1cac
56541:92cbbfc996f3 56542:56aaa6cb3693
       
     1 /*
       
     2  * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
       
     3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
       
     4  *
       
     5  * This code is free software; you can redistribute it and/or modify it
       
     6  * under the terms of the GNU General Public License version 2 only, as
       
     7  * published by the Free Software Foundation.  Oracle designates this
       
     8  * particular file as subject to the "Classpath" exception as provided
       
     9  * by Oracle in the LICENSE file that accompanied this code.
       
    10  *
       
    11  * This code is distributed in the hope that it will be useful, but WITHOUT
       
    12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
       
    13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
       
    14  * version 2 for more details (a copy is included in the LICENSE file that
       
    15  * accompanied this code).
       
    16  *
       
    17  * You should have received a copy of the GNU General Public License version
       
    18  * 2 along with this work; if not, write to the Free Software Foundation,
       
    19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
       
    20  *
       
    21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
       
    22  * or visit www.oracle.com if you need additional information or have any
       
    23  * questions.
       
    24  */
       
    25 
       
    26 package sun.security.ssl;
       
    27 
       
    28 import java.io.IOException;
       
    29 import java.security.cert.X509Certificate;
       
    30 
       
    31 import sun.security.ssl.ClientHello.ClientHelloMessage;
       
    32 
       
    33 class ClientHandshakeContext extends HandshakeContext {
       
    34     /*
       
    35      * Allow unsafe server certificate change?
       
    36      *
       
    37      * Server certificate change during SSL/TLS renegotiation may be considered
       
    38      * unsafe, as described in the Triple Handshake attacks:
       
    39      *
       
    40      *     https://secure-resumption.com/tlsauth.pdf
       
    41      *
       
    42      * Endpoint identification (See
       
    43      * SSLParameters.getEndpointIdentificationAlgorithm()) is a pretty nice
       
    44      * guarantee that the server certificate change in renegotiation is legal.
       
    45      * However, endpoing identification is only enabled for HTTPS and LDAP
       
    46      * over SSL/TLS by default.  It is not enough to protect SSL/TLS
       
    47      * connections other than HTTPS and LDAP.
       
    48      *
       
    49      * The renegotiation indication extension (See RFC 5746) is a pretty
       
    50      * strong guarantee that the endpoints on both client and server sides
       
    51      * are identical on the same connection.  However, the Triple Handshake
       
    52      * attacks can bypass this guarantee if there is a session-resumption
       
    53      * handshake between the initial full handshake and the renegotiation
       
    54      * full handshake.
       
    55      *
       
    56      * Server certificate change may be unsafe and should be restricted if
       
    57      * endpoint identification is not enabled and the previous handshake is
       
    58      * a session-resumption abbreviated initial handshake, unless the
       
    59      * identities represented by both certificates can be regraded as the
       
    60      * same (See isIdentityEquivalent()).
       
    61      *
       
    62      * Considering the compatibility impact and the actual requirements to
       
    63      * support server certificate change in practice, the system property,
       
    64      * jdk.tls.allowUnsafeServerCertChange, is used to define whether unsafe
       
    65      * server certificate change in renegotiation is allowed or not.  The
       
    66      * default value of the system property is "false".  To mitigate the
       
    67      * compactibility impact, applications may want to set the system
       
    68      * property to "true" at their own risk.
       
    69      *
       
    70      * If the value of the system property is "false", server certificate
       
    71      * change in renegotiation after a session-resumption abbreviated initial
       
    72      * handshake is restricted (See isIdentityEquivalent()).
       
    73      *
       
    74      * If the system property is set to "true" explicitly, the restriction on
       
    75      * server certificate change in renegotiation is disabled.
       
    76      */
       
    77     static final boolean allowUnsafeServerCertChange =
       
    78             Utilities.getBooleanProperty(
       
    79                     "jdk.tls.allowUnsafeServerCertChange", false);
       
    80 
       
    81     /*
       
    82      * the reserved server certificate chain in previous handshaking
       
    83      *
       
    84      * The server certificate chain is only reserved if the previous
       
    85      * handshake is a session-resumption abbreviated initial handshake.
       
    86      */
       
    87     X509Certificate[] reservedServerCerts = null;
       
    88 
       
    89     X509Certificate[] deferredCerts;
       
    90 
       
    91     ClientHelloMessage initialClientHelloMsg = null;
       
    92 
       
    93     ClientHandshakeContext(SSLContextImpl sslContext,
       
    94             TransportContext conContext) throws IOException {
       
    95         super(sslContext, conContext);
       
    96     }
       
    97 
       
    98     @Override
       
    99     void kickstart() throws IOException {
       
   100         if (kickstartMessageDelivered) {
       
   101             return;
       
   102         }
       
   103 
       
   104         SSLHandshake.kickstart(this);
       
   105         kickstartMessageDelivered = true;
       
   106     }
       
   107 }