8208209: Improve TLS connection stability again
Reviewed-by: xuelei
parent
c29276cc0d
commit
1c4396ebae
@ -35,6 +35,7 @@ import java.util.Collections;
|
|||||||
import java.util.LinkedList;
|
import java.util.LinkedList;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
import java.util.Locale;
|
import java.util.Locale;
|
||||||
|
import java.util.Objects;
|
||||||
import javax.net.ssl.SSLException;
|
import javax.net.ssl.SSLException;
|
||||||
import javax.net.ssl.SSLHandshakeException;
|
import javax.net.ssl.SSLHandshakeException;
|
||||||
import javax.net.ssl.SSLPeerUnverifiedException;
|
import javax.net.ssl.SSLPeerUnverifiedException;
|
||||||
@ -510,6 +511,23 @@ final class ClientHello {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// ensure that the endpoint identification algorithm matches the
|
||||||
|
// one in the session
|
||||||
|
String identityAlg = chc.sslConfig.identificationProtocol;
|
||||||
|
if (session != null && identityAlg != null) {
|
||||||
|
String sessionIdentityAlg =
|
||||||
|
session.getIdentificationProtocol();
|
||||||
|
if (!Objects.equals(identityAlg, sessionIdentityAlg)) {
|
||||||
|
if (SSLLogger.isOn &&
|
||||||
|
SSLLogger.isOn("ssl,handshake,verbose")) {
|
||||||
|
SSLLogger.finest("Can't resume, endpoint id" +
|
||||||
|
" algorithm does not match, requested: " +
|
||||||
|
identityAlg + ", cached: " + sessionIdentityAlg);
|
||||||
|
}
|
||||||
|
session = null;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (session != null) {
|
if (session != null) {
|
||||||
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake,verbose")) {
|
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake,verbose")) {
|
||||||
SSLLogger.finest("Try resuming session", session);
|
SSLLogger.finest("Try resuming session", session);
|
||||||
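Review bot: The guard `if (session != null && identityAlg != null)` is intentionally asymmetric — a connection configured with no endpoint identification algorithm may still resume a session that was verified under one, while the reverse (`identityAlg` set, `sessionIdentityAlg` null or different) is refused — and since resumption skips the certificate and hostname checks entirely, that asymmetry is the security-relevant decision and should be stated in the code, e.g. `// A session verified under a stricter algorithm may be reused by a laxer config, never the reverse: resumption bypasses the certificate/hostname checks.` The `Objects.equals` comparison is case-sensitive, so "HTTPS" and "https" are treated as different algorithms; this fails closed (a full handshake instead of resumption), so it only costs stability, but if the algorithm name is matched case-insensitively elsewhere in this implementation an `equalsIgnoreCase` here would be consistent — confirm before changing. The same fifteen-line check is pasted again in the server-side consumer below and in PreSharedKeyExtension in this commit; a package-private helper such as `static boolean identificationMatches(String requested, SSLSessionImpl s)` would keep the three copies from drifting. The enclosing method starts and ends outside this hunk.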
@ -1011,6 +1029,23 @@ final class ClientHello {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// ensure that the endpoint identification algorithm matches the
|
||||||
|
// one in the session
|
||||||
|
String identityAlg = shc.sslConfig.identificationProtocol;
|
||||||
|
if (resumingSession && identityAlg != null) {
|
||||||
|
String sessionIdentityAlg =
|
||||||
|
previous.getIdentificationProtocol();
|
||||||
|
if (!Objects.equals(identityAlg, sessionIdentityAlg)) {
|
||||||
|
if (SSLLogger.isOn &&
|
||||||
|
SSLLogger.isOn("ssl,handshake,verbose")) {
|
||||||
|
SSLLogger.finest("Can't resume, endpoint id" +
|
||||||
|
" algorithm does not match, requested: " +
|
||||||
|
identityAlg + ", cached: " + sessionIdentityAlg);
|
||||||
|
}
|
||||||
|
resumingSession = false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// So far so good. Note that the handshake extensions may reset
|
// So far so good. Note that the handshake extensions may reset
|
||||||
// the resuming options later.
|
// the resuming options later.
|
||||||
shc.isResumption = resumingSession;
|
shc.isResumption = resumingSession;
|
||||||
|
@ -32,6 +32,7 @@ import java.util.List;
|
|||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
import java.util.Locale;
|
import java.util.Locale;
|
||||||
import java.util.Arrays;
|
import java.util.Arrays;
|
||||||
|
import java.util.Objects;
|
||||||
import java.util.Optional;
|
import java.util.Optional;
|
||||||
import java.util.Collection;
|
import java.util.Collection;
|
||||||
import javax.crypto.Mac;
|
import javax.crypto.Mac;
|
||||||
@ -170,7 +171,7 @@ final class PreSharedKeyExtension {
|
|||||||
|
|
||||||
int getIdsEncodedLength() {
|
int getIdsEncodedLength() {
|
||||||
int idEncodedLength = 0;
|
int idEncodedLength = 0;
|
||||||
for (PskIdentity curId : identities) {
|
for(PskIdentity curId : identities) {
|
||||||
idEncodedLength += curId.getEncodedLength();
|
idEncodedLength += curId.getEncodedLength();
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -193,7 +194,7 @@ final class PreSharedKeyExtension {
|
|||||||
byte[] buffer = new byte[encodedLength];
|
byte[] buffer = new byte[encodedLength];
|
||||||
ByteBuffer m = ByteBuffer.wrap(buffer);
|
ByteBuffer m = ByteBuffer.wrap(buffer);
|
||||||
Record.putInt16(m, idsEncodedLength);
|
Record.putInt16(m, idsEncodedLength);
|
||||||
for (PskIdentity curId : identities) {
|
for(PskIdentity curId : identities) {
|
||||||
curId.writeEncoded(m);
|
curId.writeEncoded(m);
|
||||||
}
|
}
|
||||||
Record.putInt16(m, bindersEncodedLength);
|
Record.putInt16(m, bindersEncodedLength);
|
||||||
@ -443,6 +444,23 @@ final class PreSharedKeyExtension {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// ensure that the endpoint identification algorithm matches the
|
||||||
|
// one in the session
|
||||||
|
String identityAlg = shc.sslConfig.identificationProtocol;
|
||||||
|
if (result && identityAlg != null) {
|
||||||
|
String sessionIdentityAlg = s.getIdentificationProtocol();
|
||||||
|
if (!Objects.equals(identityAlg, sessionIdentityAlg)) {
|
||||||
|
if (SSLLogger.isOn &&
|
||||||
|
SSLLogger.isOn("ssl,handshake,verbose")) {
|
||||||
|
|
||||||
|
SSLLogger.finest("Can't resume, endpoint id" +
|
||||||
|
" algorithm does not match, requested: " +
|
||||||
|
identityAlg + ", cached: " + sessionIdentityAlg);
|
||||||
|
}
|
||||||
|
result = false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// Ensure cipher suite can be negotiated
|
// Ensure cipher suite can be negotiated
|
||||||
if (result && (!shc.isNegotiable(s.getSuite()) ||
|
if (result && (!shc.isNegotiable(s.getSuite()) ||
|
||||||
!clientHello.cipherSuites.contains(s.getSuite()))) {
|
!clientHello.cipherSuites.contains(s.getSuite()))) {
|
||||||
|
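Review bot: Folding the mismatch into `result = false` is the right fail-closed behaviour for the TLS 1.3 PSK path, but the check is skipped whenever `shc.sslConfig.identificationProtocol` is null, so a server with no endpoint identification configured accepts any session regardless of what it was created under; that is defensible (the stricter session is being reused by a laxer config) but should be documented next to the guard, e.g. `// Never relax the check: a session created without endpoint identification must not be resumed by a config that requires it.` The verbose-log block has a stray blank line before `SSLLogger.finest(...)`. This block is byte-for-byte the same as the two added to ClientHello; extracting it into one helper on SSLSessionImpl (or a static in this file) would keep a future tweak — e.g. case handling of the algorithm name — from being applied to only one of the three sites. The enclosing method starts and ends outside this hunk.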
@ -132,6 +132,10 @@ final class SSLSessionImpl extends ExtendedSSLSession {
|
|||||||
// Counter used to create unique nonces in NewSessionTicket
|
// Counter used to create unique nonces in NewSessionTicket
|
||||||
private BigInteger ticketNonceCounter = BigInteger.ONE;
|
private BigInteger ticketNonceCounter = BigInteger.ONE;
|
||||||
|
|
||||||
|
// The endpoint identification algorithm used to check certificates
|
||||||
|
// in this session.
|
||||||
|
private final String identificationProtocol;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Create a new non-rejoinable session, using the default (null)
|
* Create a new non-rejoinable session, using the default (null)
|
||||||
* cipher spec. This constructor returns a session which could
|
* cipher spec. This constructor returns a session which could
|
||||||
@ -149,6 +153,7 @@ final class SSLSessionImpl extends ExtendedSSLSession {
|
|||||||
this.requestedServerNames = Collections.<SNIServerName>emptyList();
|
this.requestedServerNames = Collections.<SNIServerName>emptyList();
|
||||||
this.useExtendedMasterSecret = false;
|
this.useExtendedMasterSecret = false;
|
||||||
this.creationTime = System.currentTimeMillis();
|
this.creationTime = System.currentTimeMillis();
|
||||||
|
this.identificationProtocol = null;
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -198,6 +203,7 @@ final class SSLSessionImpl extends ExtendedSSLSession {
|
|||||||
(!hc.negotiatedProtocol.useTLS13PlusSpec());
|
(!hc.negotiatedProtocol.useTLS13PlusSpec());
|
||||||
}
|
}
|
||||||
this.creationTime = creationTime;
|
this.creationTime = creationTime;
|
||||||
|
this.identificationProtocol = hc.sslConfig.identificationProtocol;
|
||||||
|
|
||||||
if (SSLLogger.isOn && SSLLogger.isOn("session")) {
|
if (SSLLogger.isOn && SSLLogger.isOn("session")) {
|
||||||
SSLLogger.finest("Session initialized: " + this);
|
SSLLogger.finest("Session initialized: " + this);
|
||||||
@ -259,6 +265,10 @@ final class SSLSessionImpl extends ExtendedSSLSession {
|
|||||||
return ticketAgeAdd;
|
return ticketAgeAdd;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
String getIdentificationProtocol() {
|
||||||
|
return this.identificationProtocol;
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Get the PSK identity. Take care not to use it in multiple connections.
|
* Get the PSK identity. Take care not to use it in multiple connections.
|
||||||
*/
|
*/
|
||||||
|
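Review bot: `getIdentificationProtocol()` is the value every new resumption check in this commit relies on, yet it carries no comment; a one-liner such as `// Endpoint identification algorithm this session's certificates were checked under, or null if none; resumption must never relax it.` would tell a maintainer why it must not be changed casually. The field is `final`, so the compiler forces every constructor to set it, but if a copy constructor for derived sessions exists outside these hunks it must carry the base session's value rather than `null`, otherwise such sessions would be refused by the new checks (fail closed, but a resumption regression) — confirm. Capturing `hc.sslConfig.identificationProtocol` at construction is the same source the checks read, so the comparison is like-for-like; note though that the value is a snapshot at session creation, so a later change to the SSLParameters does not retroactively affect cached sessions, which is presumably intended.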