--- a/src/java.base/share/classes/sun/security/ssl/CertificateMessage.java Tue May 15 14:54:04 2018 -0400
+++ b/src/java.base/share/classes/sun/security/ssl/CertificateMessage.java Tue May 15 13:01:37 2018 -0700
@@ -436,7 +436,8 @@
// DO NOT need to check allowUnsafeServerCertChange here. We only
// reserve server certificates when allowUnsafeServerCertChange is
// flase.
- if (chc.reservedServerCerts != null) {
+ if (chc.reservedServerCerts != null &&
+ !chc.handshakeSession.useExtendedMasterSecret) {
// It is not necessary to check the certificate update if
// endpoint identification is enabled.
String identityAlg = chc.sslConfig.identificationProtocol;
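Review bot: The comment above `if (chc.reservedServerCerts != null &&` still only explains why allowUnsafeServerCertChange is not consulted; it does not say why a session with useExtendedMasterSecret set may skip the server-certificate-change check. Skipping that check is a security-relevant relaxation, so the reason belongs next to it, for example `// A session bound by extended_master_secret (RFC 7627) does not need the certificate-change check.` (wording to be confirmed by the author, since the rationale is not visible in the hunk). The same comment also has the typo `flase` for `false`. Whether chc.handshakeSession can be null at this point cannot be told from here; the enclosing block starts and ends outside the hunk.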
--- a/src/java.base/share/classes/sun/security/ssl/ExtendedMasterSecretExtension.java Tue May 15 14:54:04 2018 -0400
+++ b/src/java.base/share/classes/sun/security/ssl/ExtendedMasterSecretExtension.java Tue May 15 13:01:37 2018 -0700
@@ -29,8 +29,6 @@
import java.io.IOException;
import java.nio.ByteBuffer;
import javax.net.ssl.SSLProtocolException;
-import static sun.security.ssl.SSLConfiguration.allowLegacyMasterSecret;
-import static sun.security.ssl.SSLConfiguration.allowLegacyResumption;
import static sun.security.ssl.SSLExtension.CH_EXTENDED_MASTER_SECRET;
import sun.security.ssl.SSLExtension.ExtensionConsumer;
import static sun.security.ssl.SSLExtension.SH_EXTENDED_MASTER_SECRET;
@@ -116,7 +114,9 @@
ClientHandshakeContext chc = (ClientHandshakeContext)context;
// Is it a supported and enabled extension?
- if (!chc.sslConfig.isAvailable(CH_EXTENDED_MASTER_SECRET)) {
+ if (!chc.sslConfig.isAvailable(CH_EXTENDED_MASTER_SECRET) ||
+ !SSLConfiguration.useExtendedMasterSecret ||
+ !chc.conContext.protocolVersion.useTLS10PlusSpec()) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.fine(
"Ignore unavailable extended_master_secret extension");
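Review bot: The single log line `Ignore unavailable extended_master_secret extension` now covers three distinct reasons: the extension is not available in the configuration, SSLConfiguration.useExtendedMasterSecret is off, or useTLS10PlusSpec() is false for the protocol version. A handshake trace therefore no longer tells an operator why the extension was not offered, which matters because its absence changes the protection negotiated. I would log the cause, e.g. `"Ignore extended_master_secret: disabled or not applicable to " + chc.conContext.protocolVersion`. The same combined test is repeated in the server-side hunks (`!shc.negotiatedProtocol.useTLS10PlusSpec()` and the absence handler), so a small private helper would keep the copies in step. The enclosing method starts and ends outside the hunk.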
@@ -157,7 +157,9 @@
ServerHandshakeContext shc = (ServerHandshakeContext)context;
// Is it a supported and enabled extension?
- if (!shc.sslConfig.isAvailable(CH_EXTENDED_MASTER_SECRET)) {
+ if (!shc.sslConfig.isAvailable(CH_EXTENDED_MASTER_SECRET) ||
+ !SSLConfiguration.useExtendedMasterSecret ||
+ !shc.negotiatedProtocol.useTLS10PlusSpec()) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.fine("Ignore unavailable extension: " +
CH_EXTENDED_MASTER_SECRET.name);
@@ -213,7 +215,8 @@
ServerHandshakeContext shc = (ServerHandshakeContext)context;
// Is it a supported and enabled extension?
- if (!shc.sslConfig.isAvailable(CH_EXTENDED_MASTER_SECRET)) {
+ if (!shc.sslConfig.isAvailable(CH_EXTENDED_MASTER_SECRET) ||
+ !SSLConfiguration.useExtendedMasterSecret) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.fine("Ignore unavailable extension: " +
CH_EXTENDED_MASTER_SECRET.name);
@@ -221,7 +224,8 @@
return; // ignore the extension
}
- if (!allowLegacyMasterSecret) {
+ if (shc.negotiatedProtocol.useTLS10PlusSpec() &&
+ !SSLConfiguration.allowLegacyMasterSecret) {
// For full handshake, if the server receives a ClientHello
// without the extension, it SHOULD abort the handshake if
// it does not wish to interoperate with legacy clients.
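Review bot: With the added `shc.negotiatedProtocol.useTLS10PlusSpec() &&` clause, a full handshake for a protocol version that fails useTLS10PlusSpec() is accepted without the extension even when allowLegacyMasterSecret is false. The comment below the condition still reads as if the strict setting applied to every handshake. I would add a line such as `// Versions before TLS 1.0 are exempt: the extension is never negotiated for them.` so the exemption is clearly deliberate. The client-side counterpart (`if (SSLConfiguration.useExtendedMasterSecret && !SSLConfiguration.allowLegacyMasterSecret)`) carries no version clause, so the two sides appear to treat that case differently; this is worth confirming against the code outside these hunks. The body of this `if` continues beyond the hunk.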
@@ -245,7 +249,7 @@
// For abbreviated handshake request, if neither the
// original session nor the new ClientHello uses the
// extension, the server SHOULD abort the handshake.
- if (!allowLegacyResumption) {
+ if (!SSLConfiguration.allowLegacyResumption) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Missing Extended Master Secret extension " +
"on session resumption");
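Review bot: The resumption check `if (!SSLConfiguration.allowLegacyResumption)` has no protocol-version clause, while the client-side resumption branch in this commit gains `chc.negotiatedProtocol.useTLS10PlusSpec()` and the server-side full-handshake check just above gains the same clause. As written, a server with allowLegacyResumption off would appear to fail a resumption for a pre-TLS 1.0 session that it would accept as a full handshake. If the exemption is meant to cover resumption too, the condition would be `if (shc.negotiatedProtocol.useTLS10PlusSpec() && !SSLConfiguration.allowLegacyResumption) {`; if not, a comment saying so would help. The surrounding branches are outside the hunk, so this is inferred from the visible lines only.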
@@ -355,8 +359,8 @@
// The producing happens in client side only.
ClientHandshakeContext chc = (ClientHandshakeContext)context;
- if (SSLConfiguration.useExtendedMasterSecret
- && !SSLConfiguration.allowLegacyMasterSecret) {
+ if (SSLConfiguration.useExtendedMasterSecret &&
+ !SSLConfiguration.allowLegacyMasterSecret) {
// For full handshake, if a client receives a ServerHello
// without the extension, it SHOULD abort the handshake if
// it does not wish to interoperate with legacy servers.
@@ -374,7 +378,8 @@
"Missing Extended Master Secret extension " +
"on session resumption");
} else if (SSLConfiguration.useExtendedMasterSecret &&
- !SSLConfiguration.allowLegacyResumption) {
+ !SSLConfiguration.allowLegacyResumption &&
+ chc.negotiatedProtocol.useTLS10PlusSpec()) {
// Unlikely, abbreviated handshake should be discarded.
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Extended Master Secret extension is required");
--- a/src/java.base/share/classes/sun/security/ssl/HelloVerifyRequest.java Tue May 15 14:54:04 2018 -0400
+++ b/src/java.base/share/classes/sun/security/ssl/HelloVerifyRequest.java Tue May 15 13:01:37 2018 -0700
@@ -90,7 +90,8 @@
@Override
public int messageLength() {
- return 2 + cookie.length; // 2: the length of protocol version
+ return 3 + cookie.length; // 2: the length of protocol version
+ // +1: the cookie length
}
@Override
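Review bot: The trailing comment on `return 3 + cookie.length;` still says `2: the length of protocol version` next to a literal 3, with the extra byte explained on a continuation line, which is easy to misread. Spelling out the sum keeps the arithmetic and the explanation together: `return 2 + 1 + cookie.length;   // protocol version (2) + cookie length byte (1) + cookie`. If the cookie length is indeed carried in a single byte, as the new comment suggests, it is also worth confirming that the code outside this hunk bounds cookie.length to 255.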
--- a/src/java.base/share/classes/sun/security/ssl/SSLExtension.java Tue May 15 14:54:04 2018 -0400
+++ b/src/java.base/share/classes/sun/security/ssl/SSLExtension.java Tue May 15 13:01:37 2018 -0700
@@ -264,7 +264,7 @@
// extensions defined in RFC 7627
CH_EXTENDED_MASTER_SECRET (0x0017, "extended_master_secret",
SSLHandshake.CLIENT_HELLO,
- ProtocolVersion.PROTOCOLS_10_12,
+ ProtocolVersion.PROTOCOLS_TO_12,
ExtendedMasterSecretExtension.chNetworkProducer,
ExtendedMasterSecretExtension.chOnLoadConcumer,
ExtendedMasterSecretExtension.chOnLoadAbsence,
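Review bot: Changing the supported range from PROTOCOLS_10_12 to PROTOCOLS_TO_12 for CH_EXTENDED_MASTER_SECRET (and for SH_EXTENDED_MASTER_SECRET in the next hunk) moves the version restriction out of this table and into the useTLS10PlusSpec() tests in ExtendedMasterSecretExtension, and nothing here says so. A reader of the enum alone would conclude the extension is produced for every version up to 1.2. I would extend the comment, e.g. `// extensions defined in RFC 7627 (version gating is done in ExtendedMasterSecretExtension)`. The enum constant's definition continues outside the hunk.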
@@ -272,7 +272,7 @@
ExtendedMasterSecretExtension.emsStringize),
SH_EXTENDED_MASTER_SECRET (0x0017, "extended_master_secret",
SSLHandshake.SERVER_HELLO,
- ProtocolVersion.PROTOCOLS_10_12,
+ ProtocolVersion.PROTOCOLS_TO_12,
ExtendedMasterSecretExtension.shNetworkProducer,
ExtendedMasterSecretExtension.shOnLoadConcumer,
ExtendedMasterSecretExtension.shOnLoadAbsence,
@@ -628,10 +628,6 @@
// extensions.remove(CH_STATUS_REQUEST_V2);
// }
- if (!SSLConfiguration.useExtendedMasterSecret) {
- extensions.remove(CH_EXTENDED_MASTER_SECRET);
- }
-
defaults = Collections.unmodifiableCollection(extensions);
}
}
@@ -678,13 +674,6 @@
//
// extensions.remove(SH_STATUS_REQUEST_V2);
// }
-
-/*
- if (!SSLConfiguration.useExtendedMasterSecret) {
- extensions.remove(CH_EXTENDED_MASTER_SECRET);
- extensions.remove(SH_EXTENDED_MASTER_SECRET);
- }
-*/
defaults = Collections.unmodifiableCollection(extensions);
}
}
--- a/src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java Tue May 15 14:54:04 2018 -0400
+++ b/src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java Tue May 15 13:01:37 2018 -0700
@@ -187,7 +187,8 @@
* Record a new session, using a given cipher spec, session ID,
* and creation time
*/
- SSLSessionImpl(HandshakeContext hc, CipherSuite cipherSuite, SessionId id, long creationTime) {
+ SSLSessionImpl(HandshakeContext hc,
+ CipherSuite cipherSuite, SessionId id, long creationTime) {
this.creationTime = creationTime;
this.protocolVersion = hc.negotiatedProtocol;
this.sessionId = id;