geode-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Anthony Baker <aba...@pivotal.io>
Subject Re: [DISCUSS]: SSL and jdk11
Date Wed, 24 Oct 2018 18:59:45 GMT
If possible I don’t think we should have any code that is conditional based on TLS version.

Anthony


> On Oct 24, 2018, at 11:41 AM, Owen Nichols <onichols@pivotal.io> wrote:
> 
> If Geode code is tightly coupled to the TLS protocol version, might be good to have some
tests that explicitly test how Geode handles both TLSv1.2 and TLSv1.3 connections, when running
under Java version that supports TLSv1.3
> 
> The code example you gave looks like it is just debug logging that is getting the session
prematurely, should be easy to fix (or conditionalize on TLS version)?
> 
> 
>> On Oct 24, 2018, at 11:26 AM, Dan Smith <dsmith@pivotal.io> wrote:
>> 
>> (2) seems like the only reasonable option. We don't want to get stuck not
>> being able to support newer TLS versions!
>> 
>> -Dan
>> 
>> On Wed, Oct 24, 2018 at 11:23 AM Jinmei Liao <jiliao@pivotal.io> wrote:
>> 
>>> Most of our SSL tests failed with jdk11 because jdk11 includes an
>>> implementation of TLS1.3 protocol, so if tcpServer is started with no
>>> specific protocol (like "any"), then TLS1.3 will be used in the SSL
>>> handshake, the TLS1.3 specs states:
>>> Sessions[edit
>>> <https://wiki.openssl.org/index.php?title=TLS1.3&action=edit&section=5>]
>>> 
>>> In TLSv1.2 and below a session is established as part of the handshake.
>>> This session can then be used in a subsequent connection to achieve an
>>> abbreviated handshake. Applications might typically obtain a handle on the
>>> session after a handshake has completed using the SSL_get1_session()
>>> <https://www.openssl.org/docs/manmaster/man3/SSL_get1_session.html>
>>> function
>>> (or similar).
>>> 
>>> In TLSv1.3 sessions are not established until after the main handshake has
>>> completed. The server sends a separate post-handshake message to the client
>>> containing the session details. Typically this will happen soon after the
>>> handshake has completed, but it could be sometime later (or not at all).
>>> 
>>> Our SocketCreator has code that calls getSession immediately after a
>>> handshake, which is only compliant with TLS1.2 protocol:
>>> 
>>> sslSocket.startHandshake();
>>> SSLSession session = sslSocket.getSession();
>>> Certificate[] peer = session.getPeerCertificates();
>>> if (logger.isDebugEnabled()) {
>>> logger.debug("SSL Connection from peer []",
>>>     ((X509Certificate) peer[0]).getSubjectDN());
>>> }
>>> 
>>> 
>>> So the question is how to fix this in jdk11, here are some proposals:
>>> 1) fix our test by specifying the protocol to be TLSv1.2 specifically.
>>> 2) fix our code to not call getSession after startHandshake() since that
>>> information is only used in a debug message.
>>> 
>>> Any suggestions?
>>> 
>>> 
>>> 
>>> --
>>> 
>>> Cheers
>>> 
>>> Jinmei
>>> 
> 


Mime
View raw message