1 /*
   2  * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.  Oracle designates this
   8  * particular file as subject to the "Classpath" exception as provided
   9  * by Oracle in the LICENSE file that accompanied this code.
  10  *
  11  * This code is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 package sun.security.ssl;
  27 
  28 import java.io.IOException;
  29 import java.security.cert.X509Certificate;
  30 
  31 import sun.security.ssl.ClientHello.ClientHelloMessage;
  32 
class ClientHandshakeContext extends HandshakeContext {
    /*
     * Allow unsafe server certificate change?
     *
     * A server certificate change during SSL/TLS renegotiation may be
     * considered unsafe, as described in the Triple Handshake attacks:
     *
     *     https://secure-resumption.com/tlsauth.pdf
     *
     * Endpoint identification (see
     * SSLParameters.getEndpointIdentificationAlgorithm()) is a fairly strong
     * guarantee that a server certificate change in renegotiation is
     * legitimate.  However, endpoint identification is only enabled for HTTPS
     * and LDAP over SSL/TLS by default, so it does not protect other SSL/TLS
     * connections.
     *
     * The renegotiation indication extension (see RFC 5746) is a strong
     * guarantee that the endpoints on both the client and server sides are
     * identical on the same connection.  However, the Triple Handshake
     * attacks can bypass this guarantee if a session-resumption handshake
     * occurs between the initial full handshake and the renegotiation full
     * handshake.
     *
     * A server certificate change may therefore be unsafe and should be
     * restricted when endpoint identification is not enabled and the previous
     * handshake was a session-resumption abbreviated initial handshake,
     * unless the identities represented by both certificates can be regarded
     * as the same (see isIdentityEquivalent()).
     *
     * Considering the compatibility impact and the actual need to support
     * server certificate change in practice, the system property
     * jdk.tls.allowUnsafeServerCertChange defines whether an unsafe server
     * certificate change in renegotiation is allowed.  The default is
     * "false".  To mitigate the compatibility impact, applications may set
     * the property to "true" at their own risk.
     *
     * "false": a server certificate change in renegotiation after a
     *          session-resumption abbreviated initial handshake is restricted
     *          (see isIdentityEquivalent()).
     * "true":  the restriction on server certificate change in renegotiation
     *          is disabled.
     */
    static final boolean allowUnsafeServerCertChange =
            Utilities.getBooleanProperty(
                    "jdk.tls.allowUnsafeServerCertChange", false);

    /*
     * The server certificate chain reserved from the previous handshake.
     *
     * The chain is only reserved when the previous handshake was a
     * session-resumption abbreviated initial handshake.
     */
    X509Certificate[] reservedServerCerts = null;

    // Presumably a certificate chain whose processing is deferred; nothing in
    // this class assigns or reads it — confirm against the callers.
    X509Certificate[] deferredCerts;

    // Appears to hold the initial ClientHello of this handshake; nothing in
    // this class assigns or reads it — confirm against the callers.
    ClientHelloMessage initialClientHelloMsg = null;

    /*
     * Creates a client-side handshake context bound to the given SSL context
     * and transport.  All initialization is delegated to HandshakeContext.
     */
    ClientHandshakeContext(SSLContextImpl sslContext,
            TransportContext conContext) throws IOException {
        super(sslContext, conContext);
    }

    /*
     * Delivers the kickstart message at most once.
     *
     * The inherited kickstartMessageDelivered flag records whether the
     * message has already gone out; calls after the first are no-ops.  The
     * flag is set only after SSLHandshake.kickstart returns normally, so an
     * attempt that throws leaves it clear and a later call will try again.
     */
    @Override
    void kickstart() throws IOException {
        if (!kickstartMessageDelivered) {
            SSLHandshake.kickstart(this);
            kickstartMessageDelivered = true;
        }
    }
}