Changes in SSLEngine usage when going up to TLSv1.3


Problem description

Java 11 was released with TLSv1.3 support, used by default.

It works OK in the context of HTTPS and SSL sockets, but it seems that when using SSLEngine there are additional hurdles due to changes in TLSv1.3 behavior.

So there is a robust implementation of communication via NIO using SSLEngine that no longer works when TLSv1.3 is enabled. There are no obvious errors, in the form of exceptions or SSL errors; two nodes will just send wrap/unwrap messages back and forth and eventually time out.

I am interested in an exact list of behavior changes between SSLEngine using TLSv1.2 and SSLEngine using TLSv1.3, and if possible a migration checklist between these. Unfortunately, the SSLEngine javadocs of Java 11 do not have this information - no new methods in Java 11 and no reference to TLSv1.3.

Recommended answer

In the end we needed to read the remaining data from the buffer after the handshake is finished, unwrap it and update the handshake status. Looks like an edge case which we did not handle previously.

Related commit: IGNITE-111.3 fixes TLS-enabled communication
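The edge case described in the answer, sketched as an added example (not code from the referenced commit or from the answer's author). The class and method names are hypothetical. It assumes the caller has already read bytes from the channel into `netIn` and flipped it, and relies on the fact that TLS 1.3 permits post-handshake messages such as NewSessionTicket and KeyUpdate, so bytes left in the inbound buffer after the handshake completes are not necessarily application data.

```java
import java.nio.ByteBuffer;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLEngineResult.HandshakeStatus;
import javax.net.ssl.SSLException;

// Added example: hypothetical helper, not the project's own code.
public final class PostHandshakeDrain {
    /**
     * Call once the handshake loop has seen FINISHED or NOT_HANDSHAKING.
     * netIn: bytes already read from the channel, in read mode (flipped).
     * appIn: in write mode; decrypted application data is appended to it.
     * Returns the handshake status after draining; the caller must act on it
     * and must compact() netIn before the next channel read.
     */
    public static HandshakeStatus drain(SSLEngine engine, ByteBuffer netIn, ByteBuffer appIn)
            throws SSLException {
        HandshakeStatus hs = engine.getHandshakeStatus();
        while (netIn.hasRemaining()) {
            SSLEngineResult res = engine.unwrap(netIn, appIn);
            hs = res.getHandshakeStatus(); // update status after every record
            switch (res.getStatus()) {
                case BUFFER_UNDERFLOW: // partial record: wait for more bytes from the channel
                case BUFFER_OVERFLOW:  // appIn is full: caller must empty or enlarge it
                case CLOSED:           // close_notify received
                    return hs;
                default:               // OK: record consumed, possibly yielding zero app bytes
                    break;
            }
            if (hs == HandshakeStatus.NEED_TASK) {
                Runnable task;
                while ((task = engine.getDelegatedTask()) != null) {
                    task.run();
                }
                hs = engine.getHandshakeStatus();
            } else if (res.bytesConsumed() == 0) {
                return hs; // no progress: avoid spinning on the same bytes
            }
            if (hs == HandshakeStatus.NEED_WRAP) {
                return hs; // engine has a reply to send before reading further
            }
        }
        return hs;
    }
}
```

A handshake loop that stops reading as soon as it sees FINISHED and then waits on the socket for new data can leave a complete record unprocessed in `netIn`, which matches the silent stall until timeout described in the question.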
