# HG changeset patch # User jnimeh # Date 1556844206 25200 # Node ID e2af6324d67cae337f862c53ad7d30ca8b6c41ff # Parent e17ec6bc670a993f847552dabcd5fd7e8a0d59e2 8222678: Improve TLS negotiation Reviewed-by: mullan, rhalade, mschoene diff -r e17ec6bc670a -r e2af6324d67c src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java --- a/src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java Tue Apr 23 08:34:51 2019 +0800 +++ b/src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java Thu May 02 17:43:26 2019 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -724,12 +724,14 @@ // Update the context. chc.handshakeExtensions.put( SH_STATUS_REQUEST, CertStatusRequestSpec.DEFAULT); - chc.handshakeConsumers.put(SSLHandshake.CERTIFICATE_STATUS.id, - SSLHandshake.CERTIFICATE_STATUS); // Since we've received a legitimate status_request in the // ServerHello, stapling is active if it's been enabled. chc.staplingActive = chc.sslContext.isStaplingEnabled(true); + if (chc.staplingActive) { + chc.handshakeConsumers.put(SSLHandshake.CERTIFICATE_STATUS.id, + SSLHandshake.CERTIFICATE_STATUS); + } // No impact on session resumption. } 
@@ -1079,12 +1081,16 @@ // Update the context. chc.handshakeExtensions.put( SH_STATUS_REQUEST_V2, CertStatusRequestV2Spec.DEFAULT); - chc.handshakeConsumers.put(SSLHandshake.CERTIFICATE_STATUS.id, - SSLHandshake.CERTIFICATE_STATUS); // Since we've received a legitimate status_request in the - // ServerHello, stapling is active if it's been enabled. + // ServerHello, stapling is active if it's been enabled. If it + // is active, make sure we add the CertificateStatus message + // consumer. chc.staplingActive = chc.sslContext.isStaplingEnabled(true); + if (chc.staplingActive) { + chc.handshakeConsumers.put(SSLHandshake.CERTIFICATE_STATUS.id, + SSLHandshake.CERTIFICATE_STATUS); + } // No impact on session resumption. } diff -r e17ec6bc670a -r e2af6324d67c src/java.base/share/classes/sun/security/ssl/CertificateRequest.java --- a/src/java.base/share/classes/sun/security/ssl/CertificateRequest.java Tue Apr 23 08:34:51 2019 +0800 +++ b/src/java.base/share/classes/sun/security/ssl/CertificateRequest.java Thu May 02 17:43:26 2019 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -330,6 +330,15 @@ // clean up this consumer chc.handshakeConsumers.remove(SSLHandshake.CERTIFICATE_REQUEST.id); + SSLConsumer certStatCons = chc.handshakeConsumers.remove( + SSLHandshake.CERTIFICATE_STATUS.id); + if (certStatCons != null) { + // Stapling was active but no certificate status message + // was sent. We need to run the absence handler which will + // check the certificate chain. + CertificateStatus.handshakeAbsence.absent(context, null); + } + T10CertificateRequestMessage crm = new T10CertificateRequestMessage(chc, message); if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { 
@@ -647,6 +656,15 @@ // clean up this consumer chc.handshakeConsumers.remove(SSLHandshake.CERTIFICATE_REQUEST.id); + SSLConsumer certStatCons = chc.handshakeConsumers.remove( + SSLHandshake.CERTIFICATE_STATUS.id); + if (certStatCons != null) { + // Stapling was active but no certificate status message + // was sent. We need to run the absence handler which will + // check the certificate chain. + CertificateStatus.handshakeAbsence.absent(context, null); + } + T12CertificateRequestMessage crm = new T12CertificateRequestMessage(chc, message); if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { diff -r e17ec6bc670a -r e2af6324d67c src/java.base/share/classes/sun/security/ssl/CertificateStatus.java --- a/src/java.base/share/classes/sun/security/ssl/CertificateStatus.java Tue Apr 23 08:34:51 2019 +0800 +++ b/src/java.base/share/classes/sun/security/ssl/CertificateStatus.java Thu May 02 17:43:26 2019 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -287,12 +287,16 @@ } // Pin the received responses to the SSLSessionImpl. It will - // be retrieved by the X509TrustManagerImpl during the certficicate + // be retrieved by the X509TrustManagerImpl during the certificate // checking phase. chc.handshakeSession.setStatusResponses(cst.encodedResponses); // Now perform the check T12CertificateConsumer.checkServerCerts(chc, chc.deferredCerts); + + // Update the handshake consumers to remove this message, indicating + // that it has been processed. + chc.handshakeConsumers.remove(SSLHandshake.CERTIFICATE_STATUS.id); } } diff -r e17ec6bc670a -r e2af6324d67c src/java.base/share/classes/sun/security/ssl/ServerHelloDone.java 
--- a/src/java.base/share/classes/sun/security/ssl/ServerHelloDone.java Tue Apr 23 08:34:51 2019 +0800 +++ b/src/java.base/share/classes/sun/security/ssl/ServerHelloDone.java Thu May 02 17:43:26 2019 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -133,6 +133,15 @@ // The consuming happens in client side only. ClientHandshakeContext chc = (ClientHandshakeContext)context; + SSLConsumer certStatCons = chc.handshakeConsumers.remove( + SSLHandshake.CERTIFICATE_STATUS.id); + if (certStatCons != null) { + // Stapling was active but no certificate status message + // was sent. We need to run the absence handler which will + // check the certificate chain. + CertificateStatus.handshakeAbsence.absent(context, null); + } + // clean up this consumer chc.handshakeConsumers.clear(); diff -r e17ec6bc670a -r e2af6324d67c src/java.base/share/classes/sun/security/ssl/ServerKeyExchange.java --- a/src/java.base/share/classes/sun/security/ssl/ServerKeyExchange.java Tue Apr 23 08:34:51 2019 +0800 +++ b/src/java.base/share/classes/sun/security/ssl/ServerKeyExchange.java Thu May 02 17:43:26 2019 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it 
@@ -92,6 +92,15 @@ // clean up this consumer chc.handshakeConsumers.remove(SSLHandshake.SERVER_KEY_EXCHANGE.id); + SSLConsumer certStatCons = chc.handshakeConsumers.remove( + SSLHandshake.CERTIFICATE_STATUS.id); + if (certStatCons != null) { + // Stapling was active but no certificate status message + // was sent. We need to run the absence handler which will + // check the certificate chain. + CertificateStatus.handshakeAbsence.absent(context, null); + } + SSLKeyExchange ke = SSLKeyExchange.valueOf( chc.negotiatedCipherSuite.keyExchange, chc.negotiatedProtocol);
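Review bot: the comment in the status_request hunk of CertStatusExtension.java (around line 724) was left unchanged while the otherwise identical status_request_v2 hunk (around line 1081) extends it with "If it is active, make sure we add the CertificateStatus message consumer." Keep the two comments in sync, since the logic is now the same in both: `chc.staplingActive` is computed first and the `SSLHandshake.CERTIFICATE_STATUS` consumer is registered only inside `if (chc.staplingActive)`. One question for the commit text: with stapling disabled locally the server can still echo status_request and then send a CertificateStatus message; confirm that, with no consumer registered for it, the dispatcher rejects that message with an unexpected_message alert rather than skipping it.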
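Review bot: the status_request_v2 hunk (CertStatusExtension.java around line 1081) is a line-for-line copy of the status_request hunk above it, differing only in the extension key. Both now compute `chc.staplingActive` and then conditionally register the same `SSLHandshake.CERTIFICATE_STATUS` consumer, so a small shared helper (hypothetically `activateStaplingConsumer(chc)` on CertStatusExtension) would stop the next fix from landing in one path and not the other; the updated comment in this hunk and the un-updated one above are exactly that kind of divergence.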
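Review bot: in the T10 CertificateRequest hunk (CertificateRequest.java around line 330), `CertificateStatus.handshakeAbsence.absent(context, null)` passes `null` as the message; confirm that the absence handler never dereferences its message argument, because the same null call now appears in four consumers. The ordering is correct: the leftover `CERTIFICATE_STATUS` consumer is removed and the deferred chain check runs before `T10CertificateRequestMessage` is parsed, so the server chain is validated before the client starts assembling its own certificate response. The `certStatCons` local is only null-checked; `if (chc.handshakeConsumers.remove(SSLHandshake.CERTIFICATE_STATUS.id) != null)` says the same with one fewer variable.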
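Review bot: the T12 CertificateRequest hunk (CertificateRequest.java around line 656) repeats the nine-line remove-then-`absent()` block verbatim from the T10 hunk, and the same block appears again in ServerKeyExchange.java and ServerHelloDone.java. Four copies of a security-critical check is a maintenance risk; a single static helper in CertificateStatus (hypothetically `CertificateStatus.checkAbsentIfPending(ClientHandshakeContext chc)`) that does the `remove` and the `absent(context, null)` call would reduce each call site to one line and make it obvious where the deferred chain check can fire.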
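Review bot: in the CertificateStatus consumer hunk (CertificateStatus.java around line 287) the new `chc.handshakeConsumers.remove(SSLHandshake.CERTIFICATE_STATUS.id)` sits after `T12CertificateConsumer.checkServerCerts(chc, chc.deferredCerts)`, while the other consumers touched by this change remove themselves first ("// clean up this consumer" at the top of the ServerKeyExchange and CertificateRequest consumers). Moving the removal above `setStatusResponses` would match that convention and decouple the consumer-map update from whether the chain check throws; harmless as written, since a failed check aborts the handshake, but worth a comment either way. The "certficicate" spelling fix in the same hunk is fine to carry along.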
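Review bot: the ServerHelloDone hunk (ServerHelloDone.java around line 133) needs a regression test, because it is the only guard for the handshake shape with neither ServerKeyExchange nor CertificateRequest (RSA key exchange without client authentication): without it, `chc.handshakeConsumers.clear()` on the following line discards the still-registered `CERTIFICATE_STATUS` consumer and, per the hunk's own comment, the chain deferred into `chc.deferredCerts` is never checked. No test file is part of this diff; suggest one where the server echoes status_request (and separately status_request_v2) in the ServerHello and then omits CertificateStatus, run for TLS 1.0 through 1.2 with and without client auth, asserting that an untrusted chain still fails the handshake.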
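Review bot: in the ServerKeyExchange hunk (ServerKeyExchange.java around line 92) the pending-absence check runs before `SSLKeyExchange.valueOf(...)`, so the deferred server chain is validated before the ServerKeyExchange parameters and the signature over them are consumed; that ordering is the right one and should be stated in the comment, since a reader could otherwise move the block below the key exchange handling without noticing the dependency. Because the block removes the consumer from the map before calling `absent()`, the later copies in CertificateRequest and ServerHelloDone find nothing to do and the absence handler runs at most once per handshake; that invariant is load-bearing and belongs in the comment as well.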