- Bug
- Resolution: Fixed
- P4
- 1.4.0
- None
- hopper
- generic
- generic
In addition to the general I/O rewrite we would like to do,
we should examine JSSE for faulty error handling, bounds checking,
etc.
<From the bouncy castle mailing list-address in comments>
I found the reference JSSE implementation to be of about the same quality
as the reference JCE - it works, but it's slow and buggy. For
instance, you can take down an SSLServerSocket by sending a ClientHello
record with offset and length fields that are bogus (it'll throw an
ArrayIndexOutOfBoundsException). They don't seem to do bounds checking
anywhere (that's just my personal favorite).
Aside from the general performance and bug issues, it wasn't suitable for
me because I wished to plug in a Batch RSA library that I'd written, run
my SSL server in fixed memory, and extend the supported cipher suites to
include blowfish.
- Mike
###@###.### 2001-11-05
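The failure mode described in the quoted message, a declared length that runs past the end of the received bytes, is avoided by checking every length against the remaining buffer before copying. The following is an added example, not JSSE code and not the fix applied for this bug; the class and method names are hypothetical, and it assumes a TLS 1.0-style ClientHello body (after the handshake header) and ignores extensions.

```java
import java.nio.ByteBuffer;
import javax.net.ssl.SSLProtocolException;

public class ClientHelloBounds {
    // Hand out len bytes only if the declared length fits in what is left.
    static byte[] take(ByteBuffer in, int len, String field) throws SSLProtocolException {
        if (len < 0 || len > in.remaining())
            throw new SSLProtocolException(field + ": needs " + len
                    + " bytes, only " + in.remaining() + " remain");
        byte[] out = new byte[len];
        in.get(out);
        return out;
    }

    static int u8(ByteBuffer in, String f) throws SSLProtocolException {
        return take(in, 1, f)[0] & 0xff;
    }
    static int u16(ByteBuffer in, String f) throws SSLProtocolException {
        byte[] b = take(in, 2, f);
        return ((b[0] & 0xff) << 8) | (b[1] & 0xff);
    }

    // Parses a ClientHello body and returns the number of cipher suites offered.
    static int parse(byte[] body) throws SSLProtocolException {
        ByteBuffer in = ByteBuffer.wrap(body);
        take(in, 2, "client_version");
        take(in, 32, "random");
        int sid = u8(in, "session_id length");
        if (sid > 32) throw new SSLProtocolException("session_id length " + sid + " > 32");
        take(in, sid, "session_id");
        int cs = u16(in, "cipher_suites length");
        if (cs < 2 || cs % 2 != 0) throw new SSLProtocolException("bad cipher_suites length " + cs);
        take(in, cs, "cipher_suites");
        int cm = u8(in, "compression_methods length");
        if (cm < 1) throw new SSLProtocolException("no compression methods");
        take(in, cm, "compression_methods");
        return cs / 2;
    }

    public static void main(String[] args) {
        byte[] ok = new byte[41];                 // constructed sample message
        ok[0] = 3; ok[1] = 1;                     // client_version 3.1, random left zeroed
        ok[36] = 2; ok[38] = 0x2f;                // one 2-byte cipher suite
        ok[39] = 1;                               // one compression method (null)
        byte[] bad = ok.clone();
        bad[36] = 0x40;                           // declares 64 bytes of suites, 4 remain
        for (byte[] msg : new byte[][] {ok, bad}) {
            try { System.out.println("suites offered: " + parse(msg)); }
            catch (SSLProtocolException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```

Because `SSLProtocolException` is an `IOException`, a server loop can treat the malformed hello as a failed connection and keep accepting, rather than dying on an unchecked runtime exception.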
- relates to: JDK-4524090 SSLSocketImpl error behavior inconsistent with java.net.Socket (Closed)