8208209: Improve TLS connection stability again
Reviewed-by: xuelei
This commit is contained in:
Adam Petcher
parent
c29276cc0d
commit
1c4396ebae
@ -35,6 +35,7 @@ import java.util.Collections;
|
||||
import java.util.LinkedList;
|
||||
import java.util.List;
|
||||
import java.util.Locale;
|
||||
import java.util.Objects;
|
||||
import javax.net.ssl.SSLException;
|
||||
import javax.net.ssl.SSLHandshakeException;
|
||||
import javax.net.ssl.SSLPeerUnverifiedException;
|
||||
@ -510,6 +511,23 @@ final class ClientHello {
|
||||
}
|
||||
}
|
||||
|
||||
// ensure that the endpoint identification algorithm matches the
|
||||
// one in the session
|
||||
String identityAlg = chc.sslConfig.identificationProtocol;
|
||||
if (session != null && identityAlg != null) {
|
||||
String sessionIdentityAlg =
|
||||
session.getIdentificationProtocol();
|
||||
if (!Objects.equals(identityAlg, sessionIdentityAlg)) {
|
||||
if (SSLLogger.isOn &&
|
||||
SSLLogger.isOn("ssl,handshake,verbose")) {
|
||||
SSLLogger.finest("Can't resume, endpoint id" +
|
||||
" algorithm does not match, requested: " +
|
||||
identityAlg + ", cached: " + sessionIdentityAlg);
|
||||
}
|
||||
session = null;
|
||||
}
|
||||
}
|
||||
|
||||
if (session != null) {
|
||||
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake,verbose")) {
|
||||
SSLLogger.finest("Try resuming session", session);
|
||||
@ -1011,6 +1029,23 @@ final class ClientHello {
|
||||
}
|
||||
}
|
||||
|
||||
// ensure that the endpoint identification algorithm matches the
|
||||
// one in the session
|
||||
String identityAlg = shc.sslConfig.identificationProtocol;
|
||||
if (resumingSession && identityAlg != null) {
|
||||
String sessionIdentityAlg =
|
||||
previous.getIdentificationProtocol();
|
||||
if (!Objects.equals(identityAlg, sessionIdentityAlg)) {
|
||||
if (SSLLogger.isOn &&
|
||||
SSLLogger.isOn("ssl,handshake,verbose")) {
|
||||
SSLLogger.finest("Can't resume, endpoint id" +
|
||||
" algorithm does not match, requested: " +
|
||||
identityAlg + ", cached: " + sessionIdentityAlg);
|
||||
}
|
||||
resumingSession = false;
|
||||
}
|
||||
}
|
||||
|
||||
// So far so good. Note that the handshake extensions may reset
|
||||
// the resuming options later.
|
||||
shc.isResumption = resumingSession;
|
||||
|
||||
@ -32,6 +32,7 @@ import java.util.List;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Locale;
|
||||
import java.util.Arrays;
|
||||
import java.util.Objects;
|
||||
import java.util.Optional;
|
||||
import java.util.Collection;
|
||||
import javax.crypto.Mac;
|
||||
@ -170,7 +171,7 @@ final class PreSharedKeyExtension {
|
||||
|
||||
int getIdsEncodedLength() {
|
||||
int idEncodedLength = 0;
|
||||
for (PskIdentity curId : identities) {
|
||||
for(PskIdentity curId : identities) {
|
||||
idEncodedLength += curId.getEncodedLength();
|
||||
}
|
||||
|
||||
@ -193,7 +194,7 @@ final class PreSharedKeyExtension {
|
||||
byte[] buffer = new byte[encodedLength];
|
||||
ByteBuffer m = ByteBuffer.wrap(buffer);
|
||||
Record.putInt16(m, idsEncodedLength);
|
||||
for (PskIdentity curId : identities) {
|
||||
for(PskIdentity curId : identities) {
|
||||
curId.writeEncoded(m);
|
||||
}
|
||||
Record.putInt16(m, bindersEncodedLength);
|
||||
@ -443,6 +444,23 @@ final class PreSharedKeyExtension {
|
||||
}
|
||||
}
|
||||
|
||||
// ensure that the endpoint identification algorithm matches the
|
||||
// one in the session
|
||||
String identityAlg = shc.sslConfig.identificationProtocol;
|
||||
if (result && identityAlg != null) {
|
||||
String sessionIdentityAlg = s.getIdentificationProtocol();
|
||||
if (!Objects.equals(identityAlg, sessionIdentityAlg)) {
|
||||
if (SSLLogger.isOn &&
|
||||
SSLLogger.isOn("ssl,handshake,verbose")) {
|
||||
|
||||
SSLLogger.finest("Can't resume, endpoint id" +
|
||||
" algorithm does not match, requested: " +
|
||||
identityAlg + ", cached: " + sessionIdentityAlg);
|
||||
}
|
||||
result = false;
|
||||
}
|
||||
}
|
||||
|
||||
// Ensure cipher suite can be negotiated
|
||||
if (result && (!shc.isNegotiable(s.getSuite()) ||
|
||||
!clientHello.cipherSuites.contains(s.getSuite()))) {
|
||||
|
||||
@ -132,6 +132,10 @@ final class SSLSessionImpl extends ExtendedSSLSession {
|
||||
// Counter used to create unique nonces in NewSessionTicket
|
||||
private BigInteger ticketNonceCounter = BigInteger.ONE;
|
||||
|
||||
// The endpoint identification algorithm used to check certificates
|
||||
// in this session.
|
||||
private final String identificationProtocol;
|
||||
|
||||
/*
|
||||
* Create a new non-rejoinable session, using the default (null)
|
||||
* cipher spec. This constructor returns a session which could
|
||||
@ -149,6 +153,7 @@ final class SSLSessionImpl extends ExtendedSSLSession {
|
||||
this.requestedServerNames = Collections.<SNIServerName>emptyList();
|
||||
this.useExtendedMasterSecret = false;
|
||||
this.creationTime = System.currentTimeMillis();
|
||||
this.identificationProtocol = null;
|
||||
}
|
||||
|
||||
/*
|
||||
@ -198,6 +203,7 @@ final class SSLSessionImpl extends ExtendedSSLSession {
|
||||
(!hc.negotiatedProtocol.useTLS13PlusSpec());
|
||||
}
|
||||
this.creationTime = creationTime;
|
||||
this.identificationProtocol = hc.sslConfig.identificationProtocol;
|
||||
|
||||
if (SSLLogger.isOn && SSLLogger.isOn("session")) {
|
||||
SSLLogger.finest("Session initialized: " + this);
|
||||
@ -259,6 +265,10 @@ final class SSLSessionImpl extends ExtendedSSLSession {
|
||||
return ticketAgeAdd;
|
||||
}
|
||||
|
||||
String getIdentificationProtocol() {
|
||||
return this.identificationProtocol;
|
||||
}
|
||||
|
||||
/*
|
||||
* Get the PSK identity. Take care not to use it in multiple connections.
|
||||
*/
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user