[httpcomponents-client] 01/01: Removed dodgy work-around for
resumed TLS sessions given that JDK-8212885 fix has been ported to Java 11
and released in Oracle JDK 11.0.3
This is an automated email from the ASF dual-hosted git repository.
olegk pushed a commit to branch JDK-8212885
in repository https://gitbox.apache.org/repos/asf/httpcomponents-client.git
commit 94f9dd90d14ae3dfa4dd22919103eb8c8224de4f
Author: Oleg Kalnichevski <ol...@apache.org>
AuthorDate: Fri Apr 19 19:33:05 2019 +0200
Removed dodgy work-around for resumed TLS sessions given that the JDK-8212885 fix has been ported to Java 11 and released in Oracle JDK 11.0.3
---
.../hc/client5/http/ssl/TlsSessionValidator.java | 27 +---------------------
1 file changed, 1 insertion(+), 26 deletions(-)
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/TlsSessionValidator.java b/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/TlsSessionValidator.java
index 1901909..8ddea11 100644
--- a/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/TlsSessionValidator.java
+++ b/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/TlsSessionValidator.java
@@ -39,8 +39,6 @@ import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.security.auth.x500.X500Principal;
-import org.apache.hc.core5.http.ParseException;
-import org.apache.hc.core5.http.ProtocolVersion;
import org.slf4j.Logger;
final class TlsSessionValidator {
@@ -99,30 +97,7 @@ final class TlsSessionValidator {
}
if (hostnameVerifier != null) {
- final Certificate[] certs;
- try {
- certs = sslsession.getPeerCertificates();
- } catch (final SSLPeerUnverifiedException ex) {
-
- // FIXME: This is very dodgy.
- // If peer certificates are unavailable and the TLS version is 1.3 or greater
- // _assume_ this is due to PSK (pre-shared key) TLS session resumption
- // Resumed TLS sessions do not include server certificates.
-
- // The issue is considered a bug in Java Security libraries and
- // is being tracked as JDK-8212885
-
- try {
- final ProtocolVersion tls = TLS.parse(sslsession.getProtocol());
- if (tls.greaterEquals(TLS.V_1_3.version)) {
- return;
- } else {
- throw ex;
- }
- } catch (final ParseException ex2) {
- throw ex;
- }
- }
+ final Certificate[] certs = sslsession.getPeerCertificates();
if (certs.length < 1) {
throw new SSLPeerUnverifiedException("Peer ceritifate chain is empty");
}
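Review bot: The new line `final Certificate[] certs = sslsession.getPeerCertificates();` at the top of the hostnameVerifier branch now fails closed when the session carries no peer certificates, which is the safer outcome than the removed branch that returned without running the hostname verifier on TLS 1.3 resumption; but nothing in the code records that this relies on a runtime carrying the JDK-8212885 fix, which the commit message says shipped in Oracle JDK 11.0.3. On an older JDK a resumed TLS 1.3 session will presumably surface here as an SSLPeerUnverifiedException from getPeerCertificates rather than as a verification skip, so a short comment above the call would keep the next maintainer from re-adding the bypass: `// Resumed TLS 1.3 sessions expose peer certificates only on runtimes with the JDK-8212885 fix (Oracle JDK 11.0.3+ per the commit); on older runtimes this call fails rather than skipping hostname verification, which is intended.`. The enclosing method starts before the hunk. Separately, the unchanged message on the following line still reads "Peer ceritifate chain is empty"; correcting it to "certificate" could ride along in a follow-up.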