Just fixing a misprint:
It should be -Djdk.tls.client.enableCAExtension=true in the reproducer:
$JAVA_HOME/bin/java -Djdk.tls.client.enableCAExtension=true 
-Djavax.net.ssl.trustStore=./cacerts 
-Djavax.net.ssl.trustStorePassword=changeit HttpsClient https://www.google.com


> On 14 May 2020, at 13:52, Alexey Bakhtin <ale...@azul.com> wrote:
> 
> Hello Xuelei,
> 
> I’ve posted a reproducer for the described issue:
> http://cr.openjdk.java.net/~abakhtin/8206925/
> 
> The test passes and returns code=200 from the server when the CA extension is 
> disabled on the client side:
> $JAVA_HOME/bin/java -Djavax.net.ssl.trustStore=./cacerts 
> -Djavax.net.ssl.trustStorePassword=changeit HttpsClient https://www.google.com
> 
> The test fails with “fatal alert: illegal_parameter” when the CA extension is 
> enabled on the client side:
> java -Djavax.net.debug=none -Djdk.tls.client.enableCAExtension=false 
> -Djavax.net.ssl.trustStore=./cacerts 
> -Djavax.net.ssl.trustStorePassword=changeit HttpsClient https://www.google.com
> 
> I would suggest controlling the number of CAs in the ClientHello message. It could 
> be done with an additional system property. The default value should allow sending 
> the ClientHello message in a single record. The application can enlarge it if the 
> server supports a ClientHello in several TLS records.
> 
> Thank you
> Alexey
> 
>> On 13 May 2020, at 13:00, Alexey Bakhtin <ale...@azul.com> wrote:
>> 
>> Hello Xuelei,
>> 
>> I’m not a reviewer but I have some comments which could be helpful for your 
>> implementation.
>> We’ve developed the CA extension in the OpenJSSE provider [1] and found an issue 
>> with third-party server implementations.
>> According to the RFC 8446 specification [2], the maximum size of the CA extension 
>> is 2^16 bytes. The maximum TLS record size is 2^14 bytes. If a 
>> handshake message is bigger than the maximum TLS record size, it should be 
>> split into several records. In fact, some server implementations do not 
>> allow a ClientHello message bigger than the maximum TLS record size and abort the 
>> connection immediately with an “illegal_parameter” fatal alert.
>> This issue can be easily reproduced on the client side:
>> 1) put additional certificates into cacerts file, about 200 certs in total,
>> 2) enable certificate_authorities extension in the ClientHello message
>> 3) connect to https://www.google.com
>> 
>> [1] - 
>> https://github.com/openjsse/openjsse/blob/master/src/main/java/org/openjsse/sun/security/ssl/CertificateAuthorityExtension.java
>> [2] - https://tools.ietf.org/html/rfc8446#page-45
>> 
>> Thank you
>> Alexey
> 
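
Worked example added by the editor, not code from this thread, OpenJDK or OpenJSSE. It encodes a TLS 1.3 certificate_authorities extension in the wire format of RFC 8446 section 4.2.4, computes the resulting ClientHello length against the 2^14-byte record limit of section 5.1, and implements the cap suggested above: keep the longest prefix of the CA list that still leaves the whole ClientHello in a single record. The DER names are constructed sample data, the 200-byte size assumed for the rest of the ClientHello is an assumption, and the function and constant names are the example's own.

```python
"""
Added example (not code from the mailing-list thread, OpenJDK or OpenJSSE):
encode the TLS 1.3 certificate_authorities extension (RFC 8446 section 4.2.4)
and trim the CA list so the ClientHello fits one 2^14-byte record (section 5.1).
"""
import struct

TLS_MAX_PLAINTEXT_FRAGMENT = 2 ** 14   # RFC 8446 5.1: TLSPlaintext.fragment is at most 2^14 bytes
EXT_CERTIFICATE_AUTHORITIES = 47       # RFC 8446 4.2: ExtensionType certificate_authorities(47)
MAX_AUTHORITIES_VECTOR = 2 ** 16 - 1   # DistinguishedName authorities<3..2^16-1>


def der_tlv(tag, content):
    """Minimal DER tag-length-value encoder (definite lengths up to 65535)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + struct.pack("!H", n)
    return bytes([tag]) + length + content


def der_cn_name(cn):
    """Constructed X.501 Name with one commonName RDN: SEQUENCE { SET { SEQUENCE { OID, UTF8String } } }."""
    oid_common_name = b"\x06\x03\x55\x04\x03"                                   # OBJECT IDENTIFIER 2.5.4.3
    atv = der_tlv(0x30, oid_common_name + der_tlv(0x0C, cn.encode("utf-8")))   # AttributeTypeAndValue
    return der_tlv(0x30, der_tlv(0x31, atv))


def encode_certificate_authorities(dns):
    """Wire form: ExtensionType(2) | extension_data length(2) | authorities length(2) | [len(2) | DN]..."""
    authorities = b"".join(struct.pack("!H", len(dn)) + dn for dn in dns)
    if not 3 <= len(authorities) <= MAX_AUTHORITIES_VECTOR:
        raise ValueError("authorities vector must be 3..2^16-1 bytes")
    ext_data = struct.pack("!H", len(authorities)) + authorities
    return struct.pack("!HH", EXT_CERTIFICATE_AUTHORITIES, len(ext_data)) + ext_data


def client_hello_len(base_hello_len, dns):
    """Handshake-message length once the extension is appended to a ClientHello of base_hello_len bytes."""
    return base_hello_len + len(encode_certificate_authorities(dns))


def fits_single_record(hello_len):
    """True if a handshake message of hello_len bytes fits in one TLS record."""
    return hello_len <= TLS_MAX_PLAINTEXT_FRAGMENT


def select_cas_for_single_record(dns, base_hello_len, limit=TLS_MAX_PLAINTEXT_FRAGMENT):
    """Longest prefix of dns whose extension keeps the ClientHello within `limit` bytes.

    Returns an empty list if not even one CA fits; the caller should then omit the
    extension entirely rather than send an empty (invalid, <3 bytes) vector.
    """
    overhead = 2 + 2 + 2   # extension type, extension_data length, authorities vector length
    budget = limit - base_hello_len - overhead
    chosen, used = [], 0
    for dn in dns:
        need = 2 + len(dn)   # per-entry uint16 length prefix plus the DER Name
        if used + need > budget:
            break
        chosen.append(dn)
        used += need
    return chosen


if __name__ == "__main__":
    # Constructed sample: 1000 short CA names (19-byte DER Names). Real trust-store
    # DNs are larger, which is why the thread hits the limit at roughly 200 CAs.
    sample = [der_cn_name("CA-%03d" % i) for i in range(1000)]
    base = 200   # assumed size of the rest of the ClientHello (version, random, cipher suites, other extensions)
    full = client_hello_len(base, sample)
    trimmed = select_cas_for_single_record(sample, base)
    print("all %d CAs: %d bytes, single record: %s" % (len(sample), full, fits_single_record(full)))
    print("trimmed to %d CAs: %d bytes" % (len(trimmed), client_hello_len(base, trimmed)))
```

The budget arithmetic is what a `jdk.tls.client.*`-style property would have to respect: whatever the configured maximum number of CAs is, the real constraint is bytes, so a cap expressed as a count only works for a trust store whose DNs are known; measuring the encoded length as above is the robust check.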
