Posted to commits@hc.apache.org by ol...@apache.org on 2019/05/23 12:02:28 UTC

[httpcomponents-client] branch JDK-8212885 updated (c9fa657 -> 94f9dd9)

This is an automated email from the ASF dual-hosted git repository.

olegk pushed a change to branch JDK-8212885
in repository https://gitbox.apache.org/repos/asf/httpcomponents-client.git.


 discard c9fa657  Removed dodgy work-around for resumed TLS sessions given that JDK-8212885 fix has been ported to Java 11 and released in Oracle JDK 11.0.3
     new 94f9dd9  Removed dodgy work-around for resumed TLS sessions given that JDK-8212885 fix has been ported to Java 11 and released in Oracle JDK 11.0.3

This update added new revisions after undoing existing revisions.
That is to say, some revisions that were in the old version of the
branch are not in the new version.  This situation occurs
when a user --force pushes a change and generates a repository
containing something like this:

 * -- * -- B -- O -- O -- O   (c9fa657)
            \
             N -- N -- N   refs/heads/JDK-8212885 (94f9dd9)

You should already have received notification emails for all of the O
revisions, and so the following emails describe only the N revisions
from the common base, B.

Any revisions marked "omit" are not gone; other references still
refer to them.  Any revisions marked "discard" are gone forever.

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:


[httpcomponents-client] 01/01: Removed dodgy work-around for resumed TLS sessions given that JDK-8212885 fix has been ported to Java 11 and released in Oracle JDK 11.0.3

Posted by ol...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

olegk pushed a commit to branch JDK-8212885
in repository https://gitbox.apache.org/repos/asf/httpcomponents-client.git

commit 94f9dd90d14ae3dfa4dd22919103eb8c8224de4f
Author: Oleg Kalnichevski <ol...@apache.org>
AuthorDate: Fri Apr 19 19:33:05 2019 +0200

    Removed dodgy work-around for resumed TLS sessions given that JDK-8212885 fix has been ported to Java 11 and released in Oracle JDK 11.0.3
---
 .../hc/client5/http/ssl/TlsSessionValidator.java   | 27 +---------------------
 1 file changed, 1 insertion(+), 26 deletions(-)

diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/TlsSessionValidator.java b/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/TlsSessionValidator.java
index 1901909..8ddea11 100644
--- a/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/TlsSessionValidator.java
+++ b/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/TlsSessionValidator.java
@@ -39,8 +39,6 @@ import javax.net.ssl.SSLPeerUnverifiedException;
 import javax.net.ssl.SSLSession;
 import javax.security.auth.x500.X500Principal;
 
-import org.apache.hc.core5.http.ParseException;
-import org.apache.hc.core5.http.ProtocolVersion;
 import org.slf4j.Logger;
 
 final class TlsSessionValidator {
@@ -99,30 +97,7 @@ final class TlsSessionValidator {
         }
 
         if (hostnameVerifier != null) {
-            final Certificate[] certs;
-            try {
-                certs = sslsession.getPeerCertificates();
-            } catch (final SSLPeerUnverifiedException ex) {
-
-                // FIXME: This is very dodgy.
-                // If peer certificates are unavailable and the TLS version is 1.3 or greater
-                // _assume_ this is due to PSK (pre-shared key) TLS session resumption
-                // Resumed TLS sessions do not include server certificates.
-
-                // The issue is considered a bug in Java Security libraries and
-                // is being tracked as JDK-8212885
-
-                try {
-                    final ProtocolVersion tls = TLS.parse(sslsession.getProtocol());
-                    if (tls.greaterEquals(TLS.V_1_3.version)) {
-                        return;
-                    } else {
-                        throw ex;
-                    }
-                } catch (final ParseException ex2) {
-                    throw ex;
-                }
-            }
+            final Certificate[] certs = sslsession.getPeerCertificates();
             if (certs.length < 1) {
                 throw new SSLPeerUnverifiedException("Peer ceritifate chain is empty");
             }
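Review bot: The now-unguarded `final Certificate[] certs = sslsession.getPeerCertificates();` lets SSLPeerUnverifiedException propagate for every protocol version, so on a runtime that does not carry the JDK-8212885 fix a resumed TLS 1.3 session will fail at this call, and the requirement for a fixed JDK should be documented next to it. Failing closed is the better behaviour, since the removed branch returned from the method without inspecting any certificate whenever the peer certificates were unavailable and the protocol parsed as TLS 1.3 or greater. But the commit message names only Oracle JDK 11.0.3 as having the fix, so a short comment above the call or an entry in the release notes stating the minimum runtime would save users a confusing handshake failure. Separately, the exception text in the context line that follows, "Peer ceritifate chain is empty", misspells "certificate" and could be corrected while this block is being touched.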