Google Git
Sign in
boringssl / boringssl / fa81cc65dd39c990bb68cc1fbb44329dd05d96e2^! / .
commitfa81cc65dd39c990bb68cc1fbb44329dd05d96e2[log] [tgz]
authorDavid Benjamin <davidben@google.com>Wed Jan 16 18:11:46 2019 -0600
committerCQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>Wed Jan 23 20:00:38 2019 +0000
tree1f146718097941f4a0170c2bf2b29c8f2ea5df11
parentc47f7936d0ec1a9c6c0a5fad1787c6acd7c25fc9 [diff]
Update comments around JDK11 workaround.

11.0.2 has since been released, but we are now aware of several more
bugs, so the workaround is unlikely to be removable for the foreseeable
future.

Change-Id: I8e7edcba2f002d0558a21e607306ddf9a205bfb3
Reviewed-on: https://boringssl-review.googlesource.com/c/34484
Commit-Queue: David Benjamin <davidben@google.com>
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>

diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index c107cbd..5cfaae9 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h

@@ -3794,12 +3794,12 @@
 // mechanism would have aborted |ssl|'s handshake and zero otherwise.
 OPENSSL_EXPORT int SSL_is_tls13_downgrade(const SSL *ssl);
 
-// SSL_set_jdk11_workaround configures whether to workaround a bug in JDK 11's
-// TLS 1.3 implementation. Prior to 11.0.2, JDK 11 fails to send SNI in
-// connections which offer a TLS 1.3 session. Enabling this workaround will
-// disable TLS 1.3 on such clients.
+// SSL_set_jdk11_workaround configures whether to workaround various bugs in
+// JDK 11's TLS 1.3 implementation by disabling TLS 1.3 for such clients.
 //
-// See also https://bugs.openjdk.java.net/browse/JDK-8211806.
+// https://bugs.openjdk.java.net/browse/JDK-8211806
+// https://bugs.openjdk.java.net/browse/JDK-8212885
+// https://bugs.openjdk.java.net/browse/JDK-8213202
 OPENSSL_EXPORT void SSL_set_jdk11_workaround(SSL *ssl, int enable);
 
 

diff --git a/ssl/handshake_server.cc b/ssl/handshake_server.cc
index 15ba2b0..cb4e9d1 100644
--- a/ssl/handshake_server.cc
+++ b/ssl/handshake_server.cc

@@ -402,8 +402,7 @@
 }
 
 // is_probably_jdk11_with_tls13 returns whether |client_hello| was probably sent
-// from a JDK 11 client (11.0.1 or earlier) with both TLS 1.3 and a prior
-// version enabled.
+// from a JDK 11 client with both TLS 1.3 and a prior version enabled.
 static bool is_probably_jdk11_with_tls13(const SSL_CLIENT_HELLO *client_hello) {
   // JDK 11 ClientHellos contain a number of unusual properties which should
   // limit false positives.