/*
 * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation. Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

package sun.security.ssl;

import java.io.IOException;
import java.security.cert.X509Certificate;

import sun.security.ssl.ClientHello.ClientHelloMessage;

/*
 * Client-side handshake state layered on top of HandshakeContext.
 *
 * Besides the one-shot kickstart() below, this class carries the switch and
 * the saved certificate chain used to restrict a server certificate change
 * during renegotiation.
 */
class ClientHandshakeContext extends HandshakeContext {
    /*
     * Is an unsafe server certificate change permitted?
     *
     * Background: a server that presents a different certificate during
     * SSL/TLS renegotiation may be unsafe, as shown by the Triple Handshake
     * attacks:
     *
     *     https://secure-resumption.com/tlsauth.pdf
     *
     * Two existing mechanisms only partly cover this case:
     *
     *   - Endpoint identification (see
     *     SSLParameters.getEndpointIdentificationAlgorithm()) is a good
     *     guarantee that a certificate change in renegotiation is
     *     legitimate.  It is enabled by default only for HTTPS and for LDAP
     *     over SSL/TLS, so other SSL/TLS connections are not protected by it.
     *
     *   - The renegotiation indication extension (see RFC 5746) is a strong
     *     guarantee that the client and server endpoints stay the same on
     *     one connection.  The Triple Handshake attacks bypass it when a
     *     session-resumption handshake takes place between the initial full
     *     handshake and the renegotiation full handshake.
     *
     * Rule: a server certificate change should be restricted when endpoint
     * identification is not enabled and the previous handshake was a
     * session-resumption abbreviated initial handshake, unless both
     * certificates can be regarded as representing the same identity (see
     * isIdentityEquivalent()).
     *
     * Switch: the system property jdk.tls.allowUnsafeServerCertChange
     * decides whether the unsafe change is allowed.  It exists because of
     * the compatibility impact of the restriction and the practical need,
     * in some deployments, to support a server certificate change.
     *
     *   "false" (default)  the change is restricted in renegotiation after
     *                      a session-resumption abbreviated initial
     *                      handshake (see isIdentityEquivalent()).
     *   "true" (explicit)  the restriction is disabled.  Applications that
     *                      choose this for compatibility do so at their own
     *                      risk: the check described above no longer
     *                      applies to their connections.
     */
    static final boolean allowUnsafeServerCertChange =
            Utilities.getBooleanProperty(
                    "jdk.tls.allowUnsafeServerCertChange", false);

    /*
     * Server certificate chain kept from the previous handshake.
     *
     * The chain is kept only when the previous handshake was a
     * session-resumption abbreviated initial handshake.
     */
    X509Certificate[] reservedServerCerts = null;

    // NOTE(review): no comment in the original; presumably a certificate
    // chain whose processing is postponed -- confirm against the code that
    // assigns it.
    X509Certificate[] deferredCerts;

    // NOTE(review): no comment in the original; presumably the first
    // ClientHello sent on this connection -- confirm against callers.
    ClientHelloMessage initialClientHelloMsg = null;

    /*
     * Creates the client handshake context by delegating to the
     * HandshakeContext constructor with the same two arguments.
     */
    ClientHandshakeContext(SSLContextImpl sslContext,
            TransportContext conContext) throws IOException {
        super(sslContext, conContext);
    }

    /*
     * Delivers the kickstart message at most once per context.
     *
     * kickstartMessageDelivered is not declared in this class (presumably
     * inherited from HandshakeContext).  It is set only after
     * SSLHandshake.kickstart(this) returns normally, so a call that throws
     * IOException leaves it unset and a later call tries again.
     */
    @Override
    void kickstart() throws IOException {
        if (!kickstartMessageDelivered) {
            SSLHandshake.kickstart(this);
            kickstartMessageDelivered = true;
        }
    }
}