On Tue, 19 Mar 2024 08:13:02 GMT, Daniel Jeliński <djelin...@openjdk.org> wrote:
>> JDK server does not send a dummy change_cipher_spec record after >> HelloRetryRequest message. >> >> According to RFC 8446 (Middlebox Compatibility Mode), if the client sends a >> non-empty session ID in the ClientHello message, the server sends a dummy >> change_cipher_spec (CCS) record immediately after its first handshake >> message. This may either be after a ServerHello or a HelloRetryRequest. >> >> https://datatracker.ietf.org/doc/html/rfc8446#appendix-D.4 > > src/java.base/share/classes/sun/security/ssl/ServerHello.java line 804: > >> 802: shc.conContext.outputRecord.changeWriteCiphers( >> 803: SSLWriteCipher.nullTlsWriteCipher(), >> 804: (clientHello.sessionId.length() != 0)); > > Suggestion: > > if (clientHello.sessionId.length() != 0) { > shc.conContext.outputRecord.encodeChangeCipherSpec(); > } Unfortunately, we lack separate properties to control named groups in both the server and client. When running server and client threads in the same JVM, manipulating client hello packets to prompt the server to trigger HRR becomes exceedingly challenging. ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/18372#discussion_r1529948640
