Hello Xuelei,

I’ve posted a reproducer for the described issue: http://cr.openjdk.java.net/~abakhtin/8206925/

The test passes and returns code=200 from the server when the CA extension is disabled on the client side:

$JAVA_HOME/bin/java -Djavax.net.ssl.trustStore=./cacerts -Djavax.net.ssl.trustStorePassword=changeit HttpsClient https://www.google.com

The test fails with “fatal alert: illegal_parameter” when the CA extension is enabled on the client side:

java -Djavax.net.debug=none -Djdk.tls.client.enableCAExtension=false -Djavax.net.ssl.trustStore=./cacerts -Djavax.net.ssl.trustStorePassword=changeit HttpsClient https://www.google.com

I would suggest controlling the number of CAs in the ClientHello message. It could be done with an additional system property. The default value should allow the ClientHello message to be sent in a single record. An application can enlarge it if the server supports a ClientHello in several TLS records.

Thank you
Alexey

> On 13 May 2020, at 13:00, Alexey Bakhtin <ale...@azul.com> wrote:
>
> Hello Xuelei,
>
> I’m not a reviewer but I have some comments which could be helpful for your
> implementation.
> We’ve developed the CA Extension in the OpenJSSE provider [1] and found an issue
> with third-party server implementations.
> According to the RFC 8446 specification [2], the maximum size of the CA extension
> is 2^16 bytes. The maximum TLS record size is 2^14 bytes. If a
> handshake message is bigger than the maximum TLS record size, it should be
> split into several records. In fact, some server implementations do not
> allow a ClientHello message bigger than the maximum TLS record size and abort the
> connection immediately with an “illegal_parameter” fatal alert.
>
> This issue can be easily reproduced on the client side:
> 1) put additional certificates into the cacerts file, about 200 certs in total,
> 2) enable the certificate_authorities extension in the ClientHello message
> 3) connect to https://www.google.com
>
> [1] - https://github.com/openjsse/openjsse/blob/master/src/main/java/org/openjsse/sun/security/ssl/CertificateAuthorityExtension.java
> [2] - https://tools.ietf.org/html/rfc8446#page-45
>
> Thank you
> Alexey
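The size budget Alexey proposes, as an added example that is not from the thread, the JDK or OpenJSSE: it encodes the certificate_authorities extension per RFC 8446 and keeps only as many CA names as leave the ClientHello within one 2^14-byte record. The 512-byte allowance for the rest of the ClientHello, the preference ordering of the names and the constructed CA names are assumptions.

```python
import struct

EXT_CERTIFICATE_AUTHORITIES = 47   # extension_type of certificate_authorities (RFC 8446)
MAX_RECORD_PLAINTEXT = 1 << 14     # 2^14-byte TLSPlaintext fragment limit (RFC 8446 §5.1)
MAX_VECTOR_LEN = (1 << 16) - 1     # authorities<3..2^16-1>, extension_data<0..2^16-1>
OTHER_CLIENTHELLO_BYTES = 512      # assumed size of the rest of the ClientHello (handshake
                                   # header, random, cipher suites, other extensions)

def encode_certificate_authorities(names):
    """Full wire encoding of the extension: type(2) + length(2) + authorities vector.
    Each name is a DER-encoded X.501 Name (opaque DistinguishedName<1..2^16-1>)."""
    body = b"".join(struct.pack("!H", len(n)) + n for n in names)
    if not 3 <= len(body) <= MAX_VECTOR_LEN - 2:   # vector plus its own 2-byte prefix
        raise ValueError("authorities vector outside RFC 8446 bounds")
    ext_data = struct.pack("!H", len(body)) + body
    return struct.pack("!HH", EXT_CERTIFICATE_AUTHORITIES, len(ext_data)) + ext_data

def select_authorities(names, budget):
    """Keep the leading names whose encoded extension stays within `budget` bytes.
    Assumes the caller ordered the names by preference (most likely to match first)."""
    chosen, used = [], 4 + 2           # extension header + vector length prefix
    for n in names:
        if used + 2 + len(n) > budget:  # 2-byte length prefix per DistinguishedName
            break
        chosen.append(n)
        used += 2 + len(n)
    return chosen

def der_cn(cn):
    """Minimal DER Name with a single CN attribute (constructed test data, not a real CA)."""
    def tlv(tag, content):
        assert len(content) < 128      # short-form DER length is enough for these sizes
        return bytes([tag, len(content)]) + content
    oid_common_name = bytes.fromhex("0603550403")                   # OBJECT IDENTIFIER 2.5.4.3
    attribute = tlv(0x30, oid_common_name + tlv(0x0C, cn.encode()))  # AttributeTypeAndValue
    return tlv(0x30, tlv(0x31, attribute))                           # SEQUENCE OF SET OF ATV

# Constructed trust store: 200 long-named CAs, mirroring the reproducer in the thread.
NAMES = [der_cn(f"Constructed Test Certification Authority Root Number {i:03d} "
                "(synthetic name used only for size estimation)") for i in range(200)]
BUDGET = MAX_RECORD_PLAINTEXT - OTHER_CLIENTHELLO_BYTES

def demo():
    """Returns (full extension size, number of CAs that fit, trimmed extension size)."""
    full = encode_certificate_authorities(NAMES)
    chosen = select_authorities(NAMES, BUDGET)
    return len(full), len(chosen), len(encode_certificate_authorities(chosen))

if __name__ == "__main__":
    full, kept, trimmed = demo()
    print(f"all {len(NAMES)} CAs: {full} bytes (record limit {MAX_RECORD_PLAINTEXT})")
    print(f"kept {kept} CAs: {trimmed} bytes (budget {BUDGET})")
```

With all 200 names the extension alone exceeds a single record, which is the case that triggers the illegal_parameter alert on the servers described above; the trimmed list stays inside the budget.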