On 5/24/22 8:20 AM, Ben Smyth wrote:

TL;DR: Why does a client report HandshakeStatus.FINISHED twice? Can
production of NewSessionTicket be disabled?

SSLEngine with post handshake messages returns HandshakeStatus.FINISHED.
I believe because the FINISHED definition is "The SSLEngine has just
finished handshaking."

A client (respectively server) becomes ready to encrypt application data
upon completing their side of handshaking: "Once a side has sent its
Finished message and has received and validated the Finished message
from its peer, it may begin to send and receive Application Data over
the connection" (RFC8446); a client completes handshaking upon wrapping
a FINISHED message and a server completes upon unwrapping such a
message. (There's an exception for 0-RTT data, and another for a server
operating with reduced security.)

Before TLS 1.3 and PostHandshake messages, the usage for FINISHED was
clearly only during the handshake process and more tied to the Finished
message. This decision was made back when TLS 1.3 was first put into the
codebase, so I don't remember discussions that occurred about this. But
I'm not aware of a rule that HandshakeStatus.FINISHED was directly
linked to the finished message.

KeyUpdate and NewSessionTicket call finishPostHandshake() which sets the
handshake status.

Personally, I don't have a strong feeling which is the better status to
pass, and since TLS 1.3 was integrated, I haven't heard of issues with it.

Javadoc advises HandshakeStatus.FINISHED is reported when "a call to
SSLEngine.wrap() / unwrap() ... finishes a handshake." As expected,

* OpenJDK SSLEngine.wrap() reports HandshakeStatus.FINISHED on wrapping
a client's (TLS) FINISHED message.

By comparison, rather than report (server) handshake completion upon
unwrapping a client's (TLS) FINISHED message, HandshakeStatus.NEED_WRAP
is reported, a NewSessionTicket is produced on wrapping and

* OpenJDK SSLEngine.wrap() reports HandshakeStatus.FINISHED on wrapping
a server's (TLS) NewSessionTicket message.

Upon receipt of which,

* OpenJDK SSLEngine.unwrap() reports HandshakeStatus.FINISHED on
unwrapping a server's (TLS) NewSessionTicket message.

What does finishing a handshake mean in SSLEngine parlance? (I don't
understand why a client should report finishing twice.) Can production
of NewSessionTicket be disabled?

I don't think there is a way to prevent the jsse client from sending a
PSK extension that triggers the NewSessionTicket.

Tony
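
An added example, not part of the original thread and not OpenJDK code: because FINISHED can be reported again for post-handshake messages such as NewSessionTicket and KeyUpdate, application code that runs one-time "connection established" logic (peer checks, session bookkeeping) should treat the status idempotently. `HandshakeTracker` and its methods are hypothetical names, and the `SSLEngineResult` values in `main` are constructed, simplified samples of the client-side sequence described above.

```java
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLEngineResult.HandshakeStatus;
import javax.net.ssl.SSLEngineResult.Status;

/** Hypothetical helper: turns repeated FINISHED reports into one "established" event. */
public class HandshakeTracker {
    private boolean established;
    private int postHandshakeFinished;

    /**
     * Feed every result of SSLEngine.wrap()/unwrap() through this method.
     * Returns true only for the first FINISHED, i.e. when the application
     * should run its one-time "connection established" logic.
     */
    public boolean onResult(SSLEngineResult result) {
        if (result.getHandshakeStatus() != HandshakeStatus.FINISHED) {
            return false;
        }
        if (!established) {
            established = true;
            return true;
        }
        // A later FINISHED: reported for a post-handshake message
        // (NewSessionTicket or KeyUpdate), not for a new handshake.
        postHandshakeFinished++;
        return false;
    }

    public boolean isEstablished() { return established; }
    public int postHandshakeCount() { return postHandshakeFinished; }

    public static void main(String[] args) {
        // Constructed results; byte counts are arbitrary sample values.
        SSLEngineResult[] clientSide = {
            new SSLEngineResult(Status.OK, HandshakeStatus.NEED_UNWRAP, 0, 250), // wrap ClientHello
            new SSLEngineResult(Status.OK, HandshakeStatus.NEED_WRAP, 1400, 0),  // unwrap server flight
            new SSLEngineResult(Status.OK, HandshakeStatus.FINISHED, 0, 74),     // wrap client Finished
            new SSLEngineResult(Status.OK, HandshakeStatus.FINISHED, 270, 0),    // unwrap NewSessionTicket
        };
        HandshakeTracker tracker = new HandshakeTracker();
        int callbacks = 0;
        for (SSLEngineResult r : clientSide) {
            if (tracker.onResult(r)) callbacks++;
        }
        System.out.println("established callbacks: " + callbacks);
        System.out.println("post-handshake FINISHED: " + tracker.postHandshakeCount());
    }
}
```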