Read jdk.tls.maxHandshakeMessageSize system property every SSLContext init

peterdettman · peterdettman · commit b5fb49702b5e · 2025-10-06T19:42:10.000+07:00
diff --git a/tls/src/main/java/org/bouncycastle/jsse/provider/ContextData.java b/tls/src/main/java/org/bouncycastle/jsse/provider/ContextData.java
@@ -36,6 +36,7 @@ final class ContextData
     private final ProvSSLSessionContext serverSessionContext;
     private final NamedGroupInfo.PerContext namedGroups;
     private final SignatureSchemeInfo.PerContext signatureSchemes;
+    private final int maxHandshakeMessageSize;
 
     ContextData(boolean fipsMode, JcaTlsCrypto crypto, BCX509ExtendedKeyManager x509KeyManager,
         BCX509ExtendedTrustManager x509TrustManager, Map<String, CipherSuiteInfo> supportedCipherSuites,
@@ -56,6 +57,8 @@ final class ContextData
         this.serverSessionContext = new ProvSSLSessionContext(this);
         this.namedGroups = NamedGroupInfo.createPerContext(fipsMode, crypto);
         this.signatureSchemes = SignatureSchemeInfo.createPerContext(fipsMode, crypto, namedGroups);
+        this.maxHandshakeMessageSize = PropertyUtils.getIntegerSystemProperty(
+            "jdk.tls.maxHandshakeMessageSize", 32768, 1024, Integer.MAX_VALUE);
     }
 
     int[] getActiveCipherSuites(JcaTlsCrypto crypto, ProvSSLParameters sslParameters,
@@ -191,9 +194,9 @@ ProvSSLParameters getDefaultSSLParameters(boolean isClient)
         return new ProvSSLParameters(this, implGetDefaultCipherSuites(isClient), implGetDefaultProtocols(isClient));
     }
 
-    ProvSSLParameters getSupportedSSLParameters(boolean isClient)
+    int getMaxHandshakeMessageSize()
     {
-        return new ProvSSLParameters(this, getSupportedCipherSuites(), getSupportedProtocols());
+        return maxHandshakeMessageSize;
     }
 
     NamedGroupInfo.PerConnection getNamedGroupsClient(ProvSSLParameters sslParameters,
@@ -213,6 +216,11 @@ ProvSSLSessionContext getServerSessionContext()
         return serverSessionContext;
     }
 
+    List<SignatureSchemeInfo> getSignatureSchemes(Vector<SignatureAndHashAlgorithm> sigAndHashAlgs)
+    {
+        return SignatureSchemeInfo.getSignatureSchemes(signatureSchemes, sigAndHashAlgs);
+    }
+
     SignatureSchemeInfo.PerConnection getSignatureSchemesClient(ProvSSLParameters sslParameters,
         ProtocolVersion[] activeProtocolVersions, NamedGroupInfo.PerConnection namedGroups)
     {
@@ -227,11 +235,6 @@ SignatureSchemeInfo.PerConnection getSignatureSchemesServer(ProvSSLParameters ss
             namedGroups);
     }
 
-    List<SignatureSchemeInfo> getSignatureSchemes(Vector<SignatureAndHashAlgorithm> sigAndHashAlgs)
-    {
-        return SignatureSchemeInfo.getSignatureSchemes(signatureSchemes, sigAndHashAlgs);
-    }
-
     String[] getSupportedCipherSuites()
     {
         return JsseUtils.getKeysArray(supportedCipherSuites);
@@ -267,6 +270,11 @@ String[] getSupportedProtocols()
         return JsseUtils.getKeysArray(supportedProtocols);
     }
 
+    ProvSSLParameters getSupportedSSLParameters(boolean isClient)
+    {
+        return new ProvSSLParameters(this, getSupportedCipherSuites(), getSupportedProtocols());
+    }
+
     BCX509ExtendedKeyManager getX509KeyManager()
     {
         return x509KeyManager;
diff --git a/tls/src/main/java/org/bouncycastle/jsse/provider/JsseUtils.java b/tls/src/main/java/org/bouncycastle/jsse/provider/JsseUtils.java
@@ -72,8 +72,6 @@ abstract class JsseUtils
         PropertyUtils.getBooleanSystemProperty("jdk.tls.allowLegacyMasterSecret", true);
     private static final boolean provTlsAllowLegacyResumption =
         PropertyUtils.getBooleanSystemProperty("jdk.tls.allowLegacyResumption", false);
-    private static final int provTlsMaxHandshakeMessageSize =
-        PropertyUtils.getIntegerSystemProperty("jdk.tls.maxHandshakeMessageSize", 32768, 1024, Integer.MAX_VALUE);
     private static final boolean provTlsRequireCloseNotify =
         PropertyUtils.getBooleanSystemProperty("com.sun.net.ssl.requireCloseNotify", true);
     private static final boolean provTlsUseCompatibilityMode =
@@ -290,11 +288,6 @@ static boolean equals(Object a, Object b)
         return a == b || (null != a && null != b && a.equals(b));
     }
 
-    static int getMaxHandshakeMessageSize()
-    {
-        return provTlsMaxHandshakeMessageSize;
-    }
-
     static int getMaxInboundCertChainLenClient()
     {
         return provTlsClientMaxInboundCertChainLen;
diff --git a/tls/src/main/java/org/bouncycastle/jsse/provider/ProvTlsClient.java b/tls/src/main/java/org/bouncycastle/jsse/provider/ProvTlsClient.java
@@ -402,7 +402,7 @@ public int getMaxCertificateChainLength()
     @Override
     public int getMaxHandshakeMessageSize()
     {
-        return JsseUtils.getMaxHandshakeMessageSize();
+        return manager.getContextData().getMaxHandshakeMessageSize();
     }
 
     @Override
diff --git a/tls/src/main/java/org/bouncycastle/jsse/provider/ProvTlsServer.java b/tls/src/main/java/org/bouncycastle/jsse/provider/ProvTlsServer.java
@@ -452,7 +452,7 @@ public int getMaxCertificateChainLength()
     @Override
     public int getMaxHandshakeMessageSize()
     {
-        return JsseUtils.getMaxHandshakeMessageSize();
+        return manager.getContextData().getMaxHandshakeMessageSize();
     }
 
     public synchronized boolean isHandshakeComplete()

Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,7 @@ final class ContextData`
`36`	`36`	`private final ProvSSLSessionContext serverSessionContext;`
`37`	`37`	`private final NamedGroupInfo.PerContext namedGroups;`
`38`	`38`	`private final SignatureSchemeInfo.PerContext signatureSchemes;`
	`39`	`+ private final int maxHandshakeMessageSize;`
`39`	`40`
`40`	`41`	`ContextData(boolean fipsMode, JcaTlsCrypto crypto, BCX509ExtendedKeyManager x509KeyManager,`
`41`	`42`	`BCX509ExtendedTrustManager x509TrustManager, Map<String, CipherSuiteInfo> supportedCipherSuites,`
`@@ -56,6 +57,8 @@ final class ContextData`
`56`	`57`	`this.serverSessionContext = new ProvSSLSessionContext(this);`
`57`	`58`	`this.namedGroups = NamedGroupInfo.createPerContext(fipsMode, crypto);`
`58`	`59`	`this.signatureSchemes = SignatureSchemeInfo.createPerContext(fipsMode, crypto, namedGroups);`
	`60`	`+ this.maxHandshakeMessageSize = PropertyUtils.getIntegerSystemProperty(`
	`61`	`+ "jdk.tls.maxHandshakeMessageSize", 32768, 1024, Integer.MAX_VALUE);`
`59`	`62`	`}`
`60`	`63`
`61`	`64`	`int[] getActiveCipherSuites(JcaTlsCrypto crypto, ProvSSLParameters sslParameters,`
`@@ -191,9 +194,9 @@ ProvSSLParameters getDefaultSSLParameters(boolean isClient)`
`191`	`194`	`return new ProvSSLParameters(this, implGetDefaultCipherSuites(isClient), implGetDefaultProtocols(isClient));`
`192`	`195`	`}`
`193`	`196`
`194`		`- ProvSSLParameters getSupportedSSLParameters(boolean isClient)`
	`197`	`+ int getMaxHandshakeMessageSize()`
`195`	`198`	`{`
`196`		`- return new ProvSSLParameters(this, getSupportedCipherSuites(), getSupportedProtocols());`
	`199`	`+ return maxHandshakeMessageSize;`
`197`	`200`	`}`
`198`	`201`
`199`	`202`	`NamedGroupInfo.PerConnection getNamedGroupsClient(ProvSSLParameters sslParameters,`
`@@ -213,6 +216,11 @@ ProvSSLSessionContext getServerSessionContext()`
`213`	`216`	`return serverSessionContext;`
`214`	`217`	`}`
`215`	`218`
	`219`	`+ List<SignatureSchemeInfo> getSignatureSchemes(Vector<SignatureAndHashAlgorithm> sigAndHashAlgs)`
	`220`	`+ {`
	`221`	`+ return SignatureSchemeInfo.getSignatureSchemes(signatureSchemes, sigAndHashAlgs);`
	`222`	`+ }`
	`223`	`+`
`216`	`224`	`SignatureSchemeInfo.PerConnection getSignatureSchemesClient(ProvSSLParameters sslParameters,`
`217`	`225`	`ProtocolVersion[] activeProtocolVersions, NamedGroupInfo.PerConnection namedGroups)`
`218`	`226`	`{`
`@@ -227,11 +235,6 @@ SignatureSchemeInfo.PerConnection getSignatureSchemesServer(ProvSSLParameters ss`
`227`	`235`	`namedGroups);`
`228`	`236`	`}`
`229`	`237`
`230`		`- List<SignatureSchemeInfo> getSignatureSchemes(Vector<SignatureAndHashAlgorithm> sigAndHashAlgs)`
`231`		`- {`
`232`		`- return SignatureSchemeInfo.getSignatureSchemes(signatureSchemes, sigAndHashAlgs);`
`233`		`- }`
`234`		`-`
`235`	`238`	`String[] getSupportedCipherSuites()`
`236`	`239`	`{`
`237`	`240`	`return JsseUtils.getKeysArray(supportedCipherSuites);`
`@@ -267,6 +270,11 @@ String[] getSupportedProtocols()`
`267`	`270`	`return JsseUtils.getKeysArray(supportedProtocols);`
`268`	`271`	`}`
`269`	`272`
	`273`	`+ ProvSSLParameters getSupportedSSLParameters(boolean isClient)`
	`274`	`+ {`
	`275`	`+ return new ProvSSLParameters(this, getSupportedCipherSuites(), getSupportedProtocols());`
	`276`	`+ }`
	`277`	`+`
`270`	`278`	`BCX509ExtendedKeyManager getX509KeyManager()`
`271`	`279`	`{`
`272`	`280`	`return x509KeyManager;`
Original file line number	Diff line number	Diff line change
`@@ -402,7 +402,7 @@ public int getMaxCertificateChainLength()`
`402`	`402`	`@Override`
`403`	`403`	`public int getMaxHandshakeMessageSize()`
`404`	`404`	`{`
`405`		`- return JsseUtils.getMaxHandshakeMessageSize();`
	`405`	`+ return manager.getContextData().getMaxHandshakeMessageSize();`
`406`	`406`	`}`
`407`	`407`
`408`	`408`	`@Override`
Original file line number	Diff line number	Diff line change
`@@ -452,7 +452,7 @@ public int getMaxCertificateChainLength()`
`452`	`452`	`@Override`
`453`	`453`	`public int getMaxHandshakeMessageSize()`
`454`	`454`	`{`
`455`		`- return JsseUtils.getMaxHandshakeMessageSize();`
	`455`	`+ return manager.getContextData().getMaxHandshakeMessageSize();`
`456`	`456`	`}`
`457`	`457`
`458`	`458`	`public synchronized boolean isHandshakeComplete()`