Posted to commits@hc.apache.org by ol...@apache.org on 2019/04/19 17:33:30 UTC

[httpcomponents-client] 01/01: Removed dodgy work-around for resumed TLS sessions given that JDK-8212885 fix has been ported to Java 11 and released in Oracle JDK 11.0.3

This is an automated email from the ASF dual-hosted git repository.

olegk pushed a commit to branch JDK-8212885
in repository https://gitbox.apache.org/repos/asf/httpcomponents-client.git

commit c9fa657da5f3ef2a098295f2ecacd69053d9bb1c
Author: Oleg Kalnichevski <ol...@apache.org>
AuthorDate: Fri Apr 19 19:33:05 2019 +0200

    Removed dodgy work-around for resumed TLS sessions given that JDK-8212885 fix has been ported to Java 11 and released in Oracle JDK 11.0.3
---
 .../hc/client5/http/ssl/TlsSessionValidator.java   | 27 +---------------------
 1 file changed, 1 insertion(+), 26 deletions(-)

diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/TlsSessionValidator.java b/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/TlsSessionValidator.java
index 1901909..8ddea11 100644
--- a/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/TlsSessionValidator.java
+++ b/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/TlsSessionValidator.java
@@ -39,8 +39,6 @@ import javax.net.ssl.SSLPeerUnverifiedException;
 import javax.net.ssl.SSLSession;
 import javax.security.auth.x500.X500Principal;
 
-import org.apache.hc.core5.http.ParseException;
-import org.apache.hc.core5.http.ProtocolVersion;
 import org.slf4j.Logger;
 
 final class TlsSessionValidator {
@@ -99,30 +97,7 @@ final class TlsSessionValidator {
         }
 
         if (hostnameVerifier != null) {
-            final Certificate[] certs;
-            try {
-                certs = sslsession.getPeerCertificates();
-            } catch (final SSLPeerUnverifiedException ex) {
-
-                // FIXME: This is very dodgy.
-                // If peer certificates are unavailable and the TLS version is 1.3 or greater
-                // _assume_ this is due to PSK (pre-shared key) TLS session resumption
-                // Resumed TLS sessions do not include server certificates.
-
-                // The issue is considered a bug in Java Security libraries and
-                // is being tracked as JDK-8212885
-
-                try {
-                    final ProtocolVersion tls = TLS.parse(sslsession.getProtocol());
-                    if (tls.greaterEquals(TLS.V_1_3.version)) {
-                        return;
-                    } else {
-                        throw ex;
-                    }
-                } catch (final ParseException ex2) {
-                    throw ex;
-                }
-            }
+            final Certificate[] certs = sslsession.getPeerCertificates();
             if (certs.length < 1) {
                 throw new SSLPeerUnverifiedException("Peer ceritifate chain is empty");
             }
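Review bot: The new `sslsession.getPeerCertificates()` line carries no comment explaining that hostname verification now fails closed on runtimes without the JDK-8212885 fix, where a resumed TLS 1.3 session reports no peer certificates and the call throws SSLPeerUnverifiedException; that reasoning currently lives only in the commit message. A short comment above the call would keep it with the code: `// Resumed TLS 1.3 sessions expose peer certificates only on JDKs carrying the JDK-8212885 fix (Oracle JDK 11.0.3+); older runtimes fail closed here with SSLPeerUnverifiedException rather than skipping verification.` Failing closed is the safer direction compared with the removed branch, which skipped verification on the assumption that the missing certificates meant PSK resumption. If `TLS` was imported only for the removed `TLS.parse`/`TLS.V_1_3` calls, that import may now be unused, since the first hunk drops only ParseException and ProtocolVersion. The enclosing method starts and ends outside the hunk, and the context line that follows misspells the error message (`ceritifate`).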