
src/java.base/share/classes/sun/security/ssl/Alert.java

rev 52900 : 8232581: Improve TLS verification
Reviewed-by: xuelei, rhalade, mschoene


 256                 } else {
 257                     throw tc.fatal(alert,
 258                             "Received fatal close_notify alert", true, null);
 259                 }
 260             } else if ((level == Level.WARNING) && (alert != null)) {
 261                 // Terminate the connection if an alert with a level of warning
 262                 // is received during handshaking, except the no_certificate
 263                 // warning.
 264                 if (alert.handshakeOnly && (tc.handshakeContext != null)) {
 265                     // It's OK to get a no_certificate alert from a client of
 266                     // which we requested client authentication.  However,
 267                     // if we required it, then this is not acceptable.
 268                      if (tc.sslConfig.isClientMode ||
 269                             alert != Alert.NO_CERTIFICATE ||
 270                             (tc.sslConfig.clientAuthType !=
 271                                     ClientAuthType.CLIENT_AUTH_REQUESTED)) {
 272                         throw tc.fatal(Alert.HANDSHAKE_FAILURE,
 273                             "received handshake warning: " + alert.description);
 274                     } else {
 275                         // Otherwise ignore the warning but remove the
 276                         // CertificateVerify handshake consumer so the state
 277                         // machine doesn't expect it.


 278                         tc.handshakeContext.handshakeConsumers.remove(
 279                                 SSLHandshake.CERTIFICATE_VERIFY.id);
 280                     }
 281                 }  // Otherwise, ignore the warning
 282             } else {    // fatal or unknown
 283                 String diagnostic;
 284                 if (alert == null) {
 285                     alert = Alert.UNEXPECTED_MESSAGE;
 286                     diagnostic = "Unknown alert description (" + am.id + ")";
 287                 } else {
 288                     diagnostic = "Received fatal alert: " + alert.description;
 289                 }
 290 
 291                 throw tc.fatal(alert, diagnostic, true, null);
 292             }
 293         }
 294     }
 295 }


 256                 } else {
 257                     throw tc.fatal(alert,
 258                             "Received fatal close_notify alert", true, null);
 259                 }
 260             } else if ((level == Level.WARNING) && (alert != null)) {
 261                 // Terminate the connection if an alert with a level of warning
 262                 // is received during handshaking, except the no_certificate
 263                 // warning.
 264                 if (alert.handshakeOnly && (tc.handshakeContext != null)) {
 265                     // It's OK to get a no_certificate alert from a client of
 266                     // which we requested client authentication.  However,
 267                     // if we required it, then this is not acceptable.
 268                     if (tc.sslConfig.isClientMode ||
 269                             alert != Alert.NO_CERTIFICATE ||
 270                             (tc.sslConfig.clientAuthType !=
 271                                     ClientAuthType.CLIENT_AUTH_REQUESTED)) {
 272                         throw tc.fatal(Alert.HANDSHAKE_FAILURE,
 273                             "received handshake warning: " + alert.description);
 274                     } else {
 275                         // Otherwise ignore the warning but remove the
 276                         // Certificate and CertificateVerify handshake
 277                         // consumer so the state machine doesn't expect it.
 278                         tc.handshakeContext.handshakeConsumers.remove(
 279                                 SSLHandshake.CERTIFICATE.id);
 280                         tc.handshakeContext.handshakeConsumers.remove(
 281                                 SSLHandshake.CERTIFICATE_VERIFY.id);
 282                     }
 283                 }  // Otherwise, ignore the warning
 284             } else {    // fatal or unknown
 285                 String diagnostic;
 286                 if (alert == null) {
 287                     alert = Alert.UNEXPECTED_MESSAGE;
 288                     diagnostic = "Unknown alert description (" + am.id + ")";
 289                 } else {
 290                     diagnostic = "Received fatal alert: " + alert.description;
 291                 }
 292 
 293                 throw tc.fatal(alert, diagnostic, true, null);
 294             }
 295         }
 296     }
 297 }
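Review bot: The else branch at new lines 274-282 removes both the Certificate and the CertificateVerify consumers as soon as a warning-level no_certificate alert arrives, and nothing in the visible lines ties that to the negotiated protocol version. no_certificate is an SSL 3.0 alert; a TLS client without a certificate sends an empty Certificate message instead. It is worth confirming in the code outside this excerpt whether a TLS 1.x peer should be allowed to relax the handshake state machine this way, and recording the decision with a comment such as `// no_certificate is an SSL 3.0 alert; accepted here regardless of version when client auth is only requested`. The reworded comment at lines 276-277 also still reads as singular although two consumers are removed; it could end `// consumers so the state machine doesn't expect them.` The enclosing method starts above line 256, outside the excerpt.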