8222678: Improve TLS negotiation
authorjnimeh
Thu, 02 May 2019 17:43:26 -0700
changeset 55715 e2af6324d67c
parent 55714 e17ec6bc670a
child 55716 a5d52b0e3798
8222678: Improve TLS negotiation Reviewed-by: mullan, rhalade, mschoene
src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java
src/java.base/share/classes/sun/security/ssl/CertificateRequest.java
src/java.base/share/classes/sun/security/ssl/CertificateStatus.java
src/java.base/share/classes/sun/security/ssl/ServerHelloDone.java
src/java.base/share/classes/sun/security/ssl/ServerKeyExchange.java
--- a/src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java	Tue Apr 23 08:34:51 2019 +0800
+++ b/src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java	Thu May 02 17:43:26 2019 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -724,12 +724,14 @@
             // Update the context.
             chc.handshakeExtensions.put(
                     SH_STATUS_REQUEST, CertStatusRequestSpec.DEFAULT);
-            chc.handshakeConsumers.put(SSLHandshake.CERTIFICATE_STATUS.id,
-                    SSLHandshake.CERTIFICATE_STATUS);
 
             // Since we've received a legitimate status_request in the
             // ServerHello, stapling is active if it's been enabled.
             chc.staplingActive = chc.sslContext.isStaplingEnabled(true);
+            if (chc.staplingActive) {
+                chc.handshakeConsumers.put(SSLHandshake.CERTIFICATE_STATUS.id,
+                    SSLHandshake.CERTIFICATE_STATUS);
+            }
 
             // No impact on session resumption.
         }
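Review bot: The comment above the `chc.staplingActive` assignment in this hunk (the status_request ServerHello consumer) still reads as if nothing else happens there, while the parallel hunk at @@ -1079 (status_request_v2) extends the same comment to explain the new conditional consumer registration. The two consumers should read identically; suggest the same wording here: `// ServerHello, stapling is active if it's been enabled.  If it` / `// is active, make sure we add the CertificateStatus message` / `// consumer.` It is also worth one line saying that when stapling is not active the CertificateStatus consumer is deliberately left unregistered, so a CertificateStatus message the client did not enable is presumably rejected as an unexpected handshake message rather than processed — confirm that is the intended outcome. The enclosing consume method begins before the hunk.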
@@ -1079,12 +1081,16 @@
             // Update the context.
             chc.handshakeExtensions.put(
                     SH_STATUS_REQUEST_V2, CertStatusRequestV2Spec.DEFAULT);
-            chc.handshakeConsumers.put(SSLHandshake.CERTIFICATE_STATUS.id,
-                    SSLHandshake.CERTIFICATE_STATUS);
 
             // Since we've received a legitimate status_request in the
-            // ServerHello, stapling is active if it's been enabled.
+            // ServerHello, stapling is active if it's been enabled.  If it
+            // is active, make sure we add the CertificateStatus message
+            // consumer.
             chc.staplingActive = chc.sslContext.isStaplingEnabled(true);
+            if (chc.staplingActive) {
+                chc.handshakeConsumers.put(SSLHandshake.CERTIFICATE_STATUS.id,
+                    SSLHandshake.CERTIFICATE_STATUS);
+            }
 
             // No impact on session resumption.
         }
--- a/src/java.base/share/classes/sun/security/ssl/CertificateRequest.java	Tue Apr 23 08:34:51 2019 +0800
+++ b/src/java.base/share/classes/sun/security/ssl/CertificateRequest.java	Thu May 02 17:43:26 2019 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -330,6 +330,15 @@
             // clean up this consumer
             chc.handshakeConsumers.remove(SSLHandshake.CERTIFICATE_REQUEST.id);
 
+            SSLConsumer certStatCons = chc.handshakeConsumers.remove(
+                    SSLHandshake.CERTIFICATE_STATUS.id);
+            if (certStatCons != null) {
+                // Stapling was active but no certificate status message
+                // was sent.  We need to run the absence handler which will
+                // check the certificate chain.
+                CertificateStatus.handshakeAbsence.absent(context, null);
+            }
+
             T10CertificateRequestMessage crm =
                     new T10CertificateRequestMessage(chc, message);
             if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
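Review bot: The block that removes the CERTIFICATE_STATUS consumer and calls `CertificateStatus.handshakeAbsence.absent(context, null)` is pasted verbatim here and in three other hunks (CertificateRequest @@ -647, ServerHelloDone @@ -133, ServerKeyExchange @@ -92); four copies of the same remove-and-check logic will drift the next time the absence semantics change. A single package-private static helper on CertificateStatus — e.g. `CertificateStatus.handleAbsence(chc);` (constructed name) wrapping the remove and the absence call — would reduce each site to one line and keep the comment in one place. Passing `null` as the message argument is only safe if the absence handler ignores it, which cannot be confirmed from these hunks; a short comment such as `// message argument is unused by the CertificateStatus absence handler` would record the assumption for the next reader. The enclosing consume methods start and end outside these hunks.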
@@ -647,6 +656,15 @@
             // clean up this consumer
             chc.handshakeConsumers.remove(SSLHandshake.CERTIFICATE_REQUEST.id);
 
+            SSLConsumer certStatCons = chc.handshakeConsumers.remove(
+                    SSLHandshake.CERTIFICATE_STATUS.id);
+            if (certStatCons != null) {
+                // Stapling was active but no certificate status message
+                // was sent.  We need to run the absence handler which will
+                // check the certificate chain.
+                CertificateStatus.handshakeAbsence.absent(context, null);
+            }
+
             T12CertificateRequestMessage crm =
                     new T12CertificateRequestMessage(chc, message);
             if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
--- a/src/java.base/share/classes/sun/security/ssl/CertificateStatus.java	Tue Apr 23 08:34:51 2019 +0800
+++ b/src/java.base/share/classes/sun/security/ssl/CertificateStatus.java	Thu May 02 17:43:26 2019 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -287,12 +287,16 @@
             }
 
             // Pin the received responses to the SSLSessionImpl.  It will
-            // be retrieved by the X509TrustManagerImpl during the certficicate
+            // be retrieved by the X509TrustManagerImpl during the certificate
             // checking phase.
             chc.handshakeSession.setStatusResponses(cst.encodedResponses);
 
             // Now perform the check
             T12CertificateConsumer.checkServerCerts(chc, chc.deferredCerts);
+
+            // Update the handshake consumers to remove this message, indicating
+            // that it has been processed.
+            chc.handshakeConsumers.remove(SSLHandshake.CERTIFICATE_STATUS.id);
         }
     }
 
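Review bot: The comment on the new `chc.handshakeConsumers.remove(SSLHandshake.CERTIFICATE_STATUS.id)` says only that the message has been processed, but the reason the removal matters is that the ServerKeyExchange, CertificateRequest and ServerHelloDone consumers in this same change run the absence handler whenever that entry is still present. Suggest `// Remove this consumer so the absence checks in ServerKeyExchange, CertificateRequest and ServerHelloDone do not re-run certificate checking, and so a second CertificateStatus message is presumably not accepted.` The removal is placed after `T12CertificateConsumer.checkServerCerts`, so if that check throws the consumer stays registered; this is harmless if the exception aborts the handshake, but doing the remove before the check would make the comment's claim hold unconditionally. The enclosing consume method begins before the hunk.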
--- a/src/java.base/share/classes/sun/security/ssl/ServerHelloDone.java	Tue Apr 23 08:34:51 2019 +0800
+++ b/src/java.base/share/classes/sun/security/ssl/ServerHelloDone.java	Thu May 02 17:43:26 2019 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -133,6 +133,15 @@
             // The consuming happens in client side only.
             ClientHandshakeContext chc = (ClientHandshakeContext)context;
 
+            SSLConsumer certStatCons = chc.handshakeConsumers.remove(
+                    SSLHandshake.CERTIFICATE_STATUS.id);
+            if (certStatCons != null) {
+                // Stapling was active but no certificate status message
+                // was sent.  We need to run the absence handler which will
+                // check the certificate chain.
+                CertificateStatus.handshakeAbsence.absent(context, null);
+            }
+
             // clean up this consumer
             chc.handshakeConsumers.clear();
 
--- a/src/java.base/share/classes/sun/security/ssl/ServerKeyExchange.java	Tue Apr 23 08:34:51 2019 +0800
+++ b/src/java.base/share/classes/sun/security/ssl/ServerKeyExchange.java	Thu May 02 17:43:26 2019 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -92,6 +92,15 @@
             // clean up this consumer
             chc.handshakeConsumers.remove(SSLHandshake.SERVER_KEY_EXCHANGE.id);
 
+            SSLConsumer certStatCons = chc.handshakeConsumers.remove(
+                    SSLHandshake.CERTIFICATE_STATUS.id);
+            if (certStatCons != null) {
+                // Stapling was active but no certificate status message
+                // was sent.  We need to run the absence handler which will
+                // check the certificate chain.
+                CertificateStatus.handshakeAbsence.absent(context, null);
+            }
+
             SSLKeyExchange ke = SSLKeyExchange.valueOf(
                     chc.negotiatedCipherSuite.keyExchange,
                     chc.negotiatedProtocol);