Session resumption without server-side state was added under
[JDK-8211018](https://bugs.openjdk.org/browse/JDK-8211018).
During TLSv1.2 session resumption, the session ticket carried in the client
hello message is parsed in SSLSessionImpl, extension by extension.
A customer reported a handshake failure, reproducible locally, with a
NegativeArraySizeException when the ServerNameIndication has a size > 127.
According to RFC 3546, the host_name limit allowed is 255.
With a sample testcase where the host_name length is > 127, the following exception is thrown:
```
javax.net.ssl|DEBUG|71|Thread-1|2025-04-06 17:13:07.278 UTC|ClientHello.java:825|Negotiated protocol version: TLSv1.2
javax.net.ssl|WARNING|71|Thread-1|2025-04-06 17:13:07.281 UTC|SSLSocketImpl.java:1672|handling exception (
"throwable" : {
java.lang.NegativeArraySizeException: -1
at java.base/sun.security.ssl.SSLSessionImpl.<init>(SSLSessionImpl.java:399)
at java.base/sun.security.ssl.SessionTicketExtension$T12CHSessionTicketConsumer.consume(SessionTicketExtension.java:468)
```
e.g.

```java
int l = buf.get();   // byte is signed: any length byte > 127 reads as a negative int
b = new byte[l];     // <-- NegativeArraySizeException thrown here when the length is > 127
```
For TLSv1.3, it is not an issue until the length is > 255.
According to RFC 5077, the PSK identity length allowed is <0..2^16-1>, so its
value conversion is also taken care of under this change.
The master secret is allowed 48 bytes (master_secret[48]), so it shouldn't be an issue.
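The following is an added example written for this description; it is not code from the OpenJDK PR, and the class and method names (`TicketLengthDemo`, `readSigned`, `readUnsigned`, `readUnsignedShortLength`) are illustrative. It reproduces the signed-byte conversion described above against a constructed, ticket-style length-prefixed field, shows the unsigned read that avoids it for both one-byte and two-byte (`<0..2^16-1>`) length prefixes, and adds a bounds check against the remaining buffer so that an attacker-controlled length cannot drive an oversized allocation. The JDK's own fix may use different helpers; the point is the widening without sign extension.

```java
import java.nio.ByteBuffer;

public class TicketLengthDemo {

    // Constructed input: `len` payload bytes prefixed by a one-byte length.
    // A length of 200 is stored as 0xC8, which a signed byte reads as -56.
    static ByteBuffer fieldWithByteLength(int len) {
        ByteBuffer buf = ByteBuffer.allocate(1 + len);
        buf.put((byte) len);
        for (int i = 0; i < len; i++) {
            buf.put((byte) 'a');
        }
        buf.flip();
        return buf;
    }

    // Constructed input: `len` payload bytes prefixed by a two-byte length.
    static ByteBuffer fieldWithShortLength(int len) {
        ByteBuffer buf = ByteBuffer.allocate(2 + len);
        buf.putShort((short) len);
        for (int i = 0; i < len; i++) {
            buf.put((byte) 'b');
        }
        buf.flip();
        return buf;
    }

    // Buggy pattern from the description: ByteBuffer.get() returns a signed
    // byte, so any length > 127 becomes negative and new byte[l] throws
    // NegativeArraySizeException.
    static byte[] readSigned(ByteBuffer buf) {
        int l = buf.get();
        byte[] b = new byte[l];
        buf.get(b);
        return b;
    }

    // Fixed pattern: widen the byte without sign extension, then make sure
    // the declared length actually fits in the buffer before allocating.
    static byte[] readUnsigned(ByteBuffer buf) {
        int l = Byte.toUnsignedInt(buf.get());
        if (l > buf.remaining()) {
            throw new IllegalArgumentException(
                "declared length " + l + " exceeds remaining " + buf.remaining());
        }
        byte[] b = new byte[l];
        buf.get(b);
        return b;
    }

    // Same idea for a two-byte length prefix (<0..2^16-1>): getShort() is
    // signed and goes negative above 32767, so widen with toUnsignedInt.
    static byte[] readUnsignedShortLength(ByteBuffer buf) {
        int l = Short.toUnsignedInt(buf.getShort());
        if (l > buf.remaining()) {
            throw new IllegalArgumentException(
                "declared length " + l + " exceeds remaining " + buf.remaining());
        }
        byte[] b = new byte[l];
        buf.get(b);
        return b;
    }

    public static void main(String[] args) {
        // Reproduces the failure: length byte 200 reads as -56.
        try {
            readSigned(fieldWithByteLength(200));
            System.out.println("signed read unexpectedly succeeded");
        } catch (NegativeArraySizeException e) {
            System.out.println("signed read failed as described: " + e);
        }

        // Unsigned read recovers the full 200-byte field.
        byte[] ok = readUnsigned(fieldWithByteLength(200));
        System.out.println("unsigned read length: " + ok.length);

        // Two-byte length above 32767 also needs the unsigned widening.
        byte[] big = readUnsignedShortLength(fieldWithShortLength(40000));
        System.out.println("unsigned short-length read: " + big.length);

        // A truncated field (declared 200, only 10 bytes present) is rejected
        // instead of allocating and then failing mid-read.
        ByteBuffer truncated = ByteBuffer.allocate(11);
        truncated.put((byte) 200);
        for (int i = 0; i < 10; i++) {
            truncated.put((byte) 'c');
        }
        truncated.flip();
        try {
            readUnsigned(truncated);
        } catch (IllegalArgumentException e) {
            System.out.println("truncated field rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac TicketLengthDemo.java && java TicketLengthDemo`. The bounds check is worth keeping in any parser of ticket or extension data: the ticket is encrypted and authenticated by the server, but the session-ticket key is the only thing standing between a client-supplied blob and these length fields, so failing fast on a declared length larger than the remaining input is cheaper than discovering the mismatch after the allocation.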
-------------
Commit messages:
- 8350830: Values converted incorrectly when reading TLS session tickets
Changes: https://git.openjdk.org/jdk/pull/24535/files
Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=24535&range=00
Issue: https://bugs.openjdk.org/browse/JDK-8350830
Stats: 398 lines in 3 files changed: 395 ins; 0 del; 3 mod
Patch: https://git.openjdk.org/jdk/pull/24535.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/24535/head:pull/24535
PR: https://git.openjdk.org/jdk/pull/24535