--- old/src/java.base/share/classes/sun/security/ssl/ServerHandshaker.java 2017-10-06 17:48:36.583246298 -0300
+++ new/src/java.base/share/classes/sun/security/ssl/ServerHandshaker.java 2017-10-06 17:48:36.484246357 -0300
@@ -850,6 +850,35 @@
 handshakeHash.setFinishedAlg(cipherSuite.prfAlg.getPRFHashAlg());
 }
 
+ if (useExtendedMasterSecretExtension) {
+ // check Extended Master Secret extension
+ ExtendedMasterSecretExtension extendedMasterSecretExtension = (ExtendedMasterSecretExtension)
+ mesg.extensions.get(ExtensionType.EXT_EXTENDED_MASTER_SECRET);
+ if (extendedMasterSecretExtension != null) {
+ if (resumingSession) {
+ if (!session.getUseExtendedMasterSecret()) {
+ // Full-handshake was not using Extended Master Secret
+ // However, Extended Master Secret was received on
+ // session resumption.
+ throw new SSLHandshakeException(
+ "Unexpected Extended Master Secret extension on session resumption");
+ }
+ } else {
+ session.setUseExtendedMasterSecret();
+ }
+ } else {
+ if (resumingSession) {
+ if (session.getUseExtendedMasterSecret()) {
+ // Full-handshake was using Extended Master Secret
+ // However, Extended Master Secret was not received
+ // on session resumption.
+ throw new SSLHandshakeException(
+ "Extended Master Secret extension missing on session resumption");
+ }
+ }
+ }
+ }
+
 m1.cipherSuite = cipherSuite;
 m1.sessionId = session.getSessionId();
 m1.compression_method = session.getCompression();
@@ -886,6 +915,12 @@
 m1.extensions.add(maxFragLenExt);
 }
 
+ if (useExtendedMasterSecretExtension) {
+ if (session.getUseExtendedMasterSecret()) {
+ m1.extensions.add(new ExtendedMasterSecretExtension());
+ }
+ }
+
 StaplingParameters staplingParams = processStapling(mesg);
 if (staplingParams != null) {
 // We now can safely assert status_request[_v2] in our
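Review bot: The branch that throws "Unexpected Extended Master Secret extension on session resumption" aborts a handshake that RFC 7627 section 5.3 says should instead continue as a full handshake. When the cached session lacks EMS but the ClientHello offers it, the server must not resume, but it should negotiate a new session rather than fail the connection. Because `resumingSession` is decided before this hunk (the enclosing method starts and ends outside it), the mismatch check probably belongs beside the session lookup, so the cached session is dropped and a full handshake proceeds. The opposite branch, where the session used EMS and the extension is missing, is right to abort. Resumption where neither side uses EMS passes silently here, so a comment such as `// legacy resumption: not protected by extended_master_secret (RFC 7627 5.3)` would make that choice explicit.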
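Review bot: The ServerHello echo in the second hunk is keyed on the session flag, not on whether this ClientHello carried the extension, and nothing here says why that is safe. It appears to hold only because the first hunk sets the flag solely when the client offered the extension and rejects a resumption without it. A comment such as `// session flag implies the client offered extended_master_secret (checked when processing ClientHello)` would protect that invariant against later edits. The two nested conditions can also be written as `if (useExtendedMasterSecretExtension && session.getUseExtendedMasterSecret()) {`.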