Apache
/
httpcomponents-client
mirror of https://github.com/apache/httpcomponents-client.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Removed dodgy work-around for resumed TLS sessions given that JDK-8212885 fix has been ported to Java 11 and released in Oracle JDK 11.0.3

This commit is contained in:
Oleg Kalnichevski 2019-04-19 19:33:05 +02:00
parent d601aff61d
commit 934a6d5e77
1 changed files with 1 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
httpclient5/src/main/java/org/apache/hc/client5/http/ssl/TlsSessionValidator.java
View File

@ -39,9 +39,6 @@ import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.security.auth.x500.X500Principal;
import org.apache.hc.core5.http.ParseException;
import org.apache.hc.core5.http.ProtocolVersion;
import org.apache.hc.core5.http.ssl.TLS;
import org.slf4j.Logger;
final class TlsSessionValidator {
@ -100,29 +97,7 @@ final class TlsSessionValidator {
}
if (hostnameVerifier != null) {
final Certificate[] certs;
try {
certs = sslsession.getPeerCertificates();
} catch (final SSLPeerUnverifiedException ex) {
// FIXME: This is very dodgy.
// If peer certificates are unavailable and the TLS version is 1.3 or greater
// _assume_ this is due to PSK (pre-shared key) TLS session resumption
// Resumed TLS sessions do not include server certificates.
// The issue is considered a bug in Java Security libraries and
// is being tracked as JDK-8212885
try {
final ProtocolVersion tls = TLS.parse(sslsession.getProtocol());
if (tls.greaterEquals(TLS.V_1_3.version)) {
return;
}
throw ex;
} catch (final ParseException ex2) {
throw ex;
}
}
final Certificate[] certs = sslsession.getPeerCertificates();
if (certs.length < 1) {
throw new SSLPeerUnverifiedException("Peer certificate chain is empty");
}