Skip to content

TKSS-1199: Backport JDK-8349594: Enhance TLS protocol support #1200

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
johnshajiang merged 1 commit into from
Jul 16, 2025
Merged

TKSS-1199: Backport JDK-8349594: Enhance TLS protocol support #1200

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 9 additions & 0 deletions kona-ssl/src/main/java/com/tencent/kona/sun/security/ssl/CertificateMessage.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1100,6 +1100,15 @@ public void consume(ConnectionContext context,

// clean up this consumer
hc.handshakeConsumers.remove(SSLHandshake.CERTIFICATE.id);

// Ensure that the Certificate message has not been sent w/o
// an EncryptedExtensions preceding
if (hc.handshakeConsumers.containsKey(
SSLHandshake.ENCRYPTED_EXTENSIONS.id)) {
throw hc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected Certificate handshake message");
}

T13CertificateMessage cm = new T13CertificateMessage(hc, message);
if (hc.sslConfig.isClientMode) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
Expand Down
10 changes: 9 additions & 1 deletion kona-ssl/src/main/java/com/tencent/kona/sun/security/ssl/CertificateVerify.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2015, 2022, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2015, 2025, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
Expand Down Expand Up @@ -1168,6 +1168,14 @@ public void consume(ConnectionContext context,
// Clean up this consumer
hc.handshakeConsumers.remove(SSLHandshake.CERTIFICATE_VERIFY.id);

// Ensure that the Certificate Verify message has not been sent w/o
// a Certificate message preceding
if (hc.handshakeConsumers.containsKey(
SSLHandshake.CERTIFICATE.id)) {
throw hc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected Certificate Verify handshake message");
}

T13CertificateVerifyMessage cvm =
new T13CertificateVerifyMessage(hc, message);
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
Expand Down
10 changes: 9 additions & 1 deletion kona-ssl/src/main/java/com/tencent/kona/sun/security/ssl/Finished.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2015, 2022, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2015, 2025, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
Expand Down Expand Up @@ -899,6 +899,14 @@ public void consume(ConnectionContext context,

private void onConsumeFinished(ClientHandshakeContext chc,
ByteBuffer message) throws IOException {
// Ensure that the Finished message has not been sent w/o
// an EncryptedExtensions preceding
if (chc.handshakeConsumers.containsKey(
SSLHandshake.ENCRYPTED_EXTENSIONS.id)) {
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected Finished handshake message");
}

// Make sure that any expected CertificateVerify message
// has been received and processed.
if (!chc.isResumption) {
Expand Down
Loading