[8u] RFR : TLSv1.3 protocol support
Alexey Bakhtin
alexey at azul.com
Fri Mar 27 14:54:24 UTC 2020
Hello Andrew, Volker
This patch of TLSv1.3 backport for JDK8u is based on the TLSv1.3 implementation for JDK11.06 and OpenJSSE provider implementation version v1.1.2
OpenJSSE is an open source pluggable security provider for TLSv1.3 protocol in JDK8u.
OpenJSSE provider version 1.1.0 was released in July 2019 and based on the JDK11.04 TLSv1.3 implementation. Subsequent versions of the OpenJSSE provider were created by backporting TLS related fixes from JDK11.05 and JDK11.06. The history of these backports is available at https://github.com/openjsse/openjsse/commits/master
The latest version of OpenJSSE v1.1.2 contains almost all TLS related bug fixes available in JDK11.06
This patch was created by merging TLS related source code from JDK11.06 to JDK8u MR3. Then I used OpenJSSE version 1.1.2 code base to implement backport from JDK11 to JDK8. Also, I verified that new TLSv1.3 code for JDK8 is semantically identical to OpenJSSE version 1.1.2.
After that I removed DTLS support from the new TLSv1.3 implementation and added back TLS_KRB5 support removed by JDK-8196584.
Separate patch for TLS_KRB5 support is available at: http://cr.openjdk.java.net/~abakhtin/rfc2712/webrev.v0/
As soon as I did not backport TLSv1.3 implementation patch by patch, the bug list I provided is not fully accurate. It is just list of TLSv1.3 related bugs from Initial implementation till JDK11.06 GA. As Andrew mentioned, some of the bugs already backported to JDK8. It is:
- 8208350: Disable all DES cipher suites
- 8211883: Disable anon and NULL cipher suites
- 8217579: TLS_EMPTY_RENEGOTIATION_INFO_SCSV is disabled after 8211883
- 8210985: Update the default SSL session cache size to 20480
- 8218863: Better endpoint checks
- 8216039: TLS with BC and RSASSA-PSS breaks ECDHServerKeyExchange
- 8227758: More valid PKIX processing
- 8218873: Improve JSSE endpoint checking
- 8228825: Enhance ECDSA operations
- 8218580: endpoint identification algorithm should be case-insensitive
Some of these bugs should be re-backported in the new implementation - e.g. 8218873, 8228825, 8218580
The rest of these bugs should be verified after new implementation is applied.
Thank you
Alexey
> On 25 Mar 2020, at 22:16, Volker Simonis <volker.simonis at gmail.com> wrote:
>
> Hi Andrew, Aleksey,
>
> it seems we have little "deadlock" here and I can somehow understand
> both positions. Aleksey/Azul already did the whole backport and
> already have the code running in their 8u version. On the other hand I
> also understand Andrew because reviewing such a huge change is really
> very hard if not impossible and I can understand that he as a
> maintainer is reluctant to merge in a change which can not be
> reasonably reviewed and understood.
>
> The question is now how we can solve this problem. I think the list of
> included bug fixes you've provided is definitely helpful Aleksey. I'm
> just wondering how you managed to get to the big patch you are now
> proposing for inclusion? When doing this downport internally at Azul,
> haven' you also applied all the listed changes one by one and if yes,
> maybe it is not that hard to provide the corresponding patches? Or
> have you just taken the complete 11u implementation, adapted it for 8u
> and just found which changes have contributed to the 11u code later?
>
> Maybe describing your original downport process can help us to better
> understand your patch?
>
> Thank you and best regards,
> Volker
>
> On Wed, Mar 25, 2020 at 3:36 AM Andrew Hughes <gnu.andrew at redhat.com> wrote:
>>
>> On 23/03/2020 09:12, Alexey Bakhtin wrote:
>>> Hello All,
>>>
>>> Could you please review the updated patch for TLSv1.3 protocol support in JDK8u
>>> This version includes support of TLS_KRB5 cipher suites according to RFC2712.
>>> Kerberos cipher suites are enabled for TLSv1.2 protocol and below only
>>>
>>> Webrev: http://cr.openjdk.java.net/~dcherepanov/tls1.3/webrev.v2/
>>>
>>> Regards
>>> Alexey
>>>
>>> On 6 Mar 2020, at 13:19, Alexey Bakhtin <alexey at azul.com<mailto:alexey at azul.com>> wrote:
>>>
>>> Hello Andrew,
>>>
>>> This webrev covers bug fixes from the initial TLSv1.3 implementation (JDK-8196584) till OpenJDK 11.0.6-ga repository state :
>>>
>>> 8196584: TLS 1.3 Implementation
>>> 8206355: SSLSessionImpl.getLocalPrincipal() throws NPE
>>> 8207029: Unable to use custom SSLEngine with default TrustManagerFactory after updating to JDK 11 b21
>>> 8206929: Check session context for TLS 1.3 session resumption
>>> 8207250: setUseClientMode post handshake with the same value as before does not throw IAE
>>> 8207223: SSL Handshake failures are reported with more generic SSLException
>>> 8207237: SSLSocket#setEnabledCipherSuites is accepting empty string
>>> 8208166: Still unable to use custom SSLEngine with default TrustManagerFactory after JDK-8207029
>>> 8207009: TLS 1.3 half-close and synchronization issues
>>> 8206176: Remove the temporary tls13VN field
>>> 8207317: SSLEngine negotiation fail exception behavior changed from fail-fast to fail-lazy
>>> 8209916: NPE in SupportedGroupsExtension
>>> 8210846: TLSv.1.3 interop problems with OpenSSL 1.1.1 when used on the client side with mutual auth
>>> 8208209: Improve TLS connection stability again
>>> 8208350: Disable all DES cipher suites
>>> 8209916: NPE in SupportedGroupsExtension
>>> 8210846: TLSv.1.3 interop problems with OpenSSL 1.1.1 when used on the client side with mutual auth
>>> 8210334: TLS 1.3 server fails if ClientHello doesn't have pre_shared_key and psk_key_exchange_modes
>>> 8211806: TLS 1.3 handshake server name indication is missing on a session resume
>>> 8211883: Disable anon and NULL cipher suites
>>> 8209965: The "supported_groups" extension in ServerHellos
>>> 8210974: No extensions debug log for ClientHello
>>> 8212885: TLS 1.3 resumed session does not retain peer certificate chain
>>> 8213202: Possible race condition in TLS 1.3 session resumption
>>> 8214688: TLS 1.3 session resumption with hello retry request failed with “illegal_parameter"
>>> 8217579: TLS_EMPTY_RENEGOTIATION_INFO_SCSV is disabled after 8211883
>>> 8214129: SSL session resumption/SNI with TLS1.2 causes StackOverflowError
>>> 8213782: NullPointerException in sun.security.ssl.OutputRecord.changeWriteCiphers
>>> 8214339: SSLSocketImpl erroneously wraps SocketException
>>> 8210989: RSASSA-PSS certificate cannot be selected for client auth on TLSv1.2
>>> 8215443: The use of TransportContext.fatal() leads to bad coding style
>>> 8215790: Delegated task created by SSLEngine throws java.nio.BufferUnderflowException
>>> 8219389: Delegated task created by SSLEngine throws BufferUnderflowException
>>> 8216045: The size of key_exchange may be wrong on FFDHE
>>> 8210985: Update the default SSL session cache size to 20480
>>> 8221253: TLSv1.3 may generate TLSInnerPlainText longer than 2^14+1 bytes
>>> 8148188: Enhance the security libraries to record events of interest
>>> 8215281: Use String.isEmpty() when applicable in java.base
>>> 8216326: SSLSocket stream close() does not close the associated socket
>>> 8218863: Better endpoint checks
>>> 8218873: Improve JSSE endpoint checking
>>> 8222678: Improve TLS negotiation
>>> 8216039: TLS with BC and RSASSA-PSS breaks ECDHServerKeyExchange
>>> 8223482: Unsupported ciphersuites may be offered by a TLS client
>>> 8214098: sun.security.ssl.HandshakeHash.T12HandshakeHash constructor check backwards.
>>> 8228825: Enhance ECDSA operations
>>> 8218580: endpoint identification algorithm should be case-insensitive
>>> 8200381: Typos in javadoc - missing verb "be" and alike
>>> 8211866: TLS 1.3 CertificateRequest message sometimes offers disallowed signature algorithms
>>> 8212738: Incorrectly named signature scheme ecdsa_secp512r1_sha512
>>> 8212752: Typo in SSL log message related to inactive/disabled signature scheme
>>> 8214321: Misleading code in SSLCipher
>>> 8215524: Finished message validation failure should be decrypt_error alert
>>> 8217610: TLSv1.3 fail with ClassException when EC keys are stored in PKCS11
>>> 8233954: UnsatisfiedLinkError or NoSuchAlgorithmException after removing sunec.dll
>>> 8225766: Curve in certificate should not affect signature scheme when using TLSv1.3
>>> 8229728: Implement negotiation parameters
>>> 8231780: Better TLS messaging support
>>> 8227758: More valid PKIX processing
>>> 8236039: JSSE Client does not accept status_request extension in CertificateRequest messages for TLS 1.3
>>>
>>> Regards
>>> Alexey
>>>
>>> On 6 Mar 2020, at 09:49, Andrew Hughes <gnu.andrew at redhat.com<mailto:gnu.andrew at redhat.com>> wrote:
>>>
>>> On 05/03/2020 20:08, Alexey Bakhtin wrote:
>>> Hello All,
>>>
>>> Could you please review the initial implementation of TLSv1.3 protocol support in JDK8u.
>>> Most of these changes are direct copies of TLS implementation from OpenJDK 11.0.6-ga, but adjusted for JDK 8u.
>>> This is a single patch for all functionality including tests, so it could be easily applied to the current state of jdk8u and tested. If required, the patch can be divided into smaller reviews for different functional parts or features.
>>>
>>> There is a difference between JDK11 and JDK8 public API, so it is not possible to implement all TLS related features available in JDK11.
>>> Below is a list of features included/excluded from the proposed 8u TLS 1.3 backport:
>>>
>>> 1. DTLS support (JEP-219) [2] [3]
>>> - JDK8 does not have public API required for DTLS implementation
>>> - All DTLS related code is removed from the 8u TLS 1.3 backport
>>>
>>> 2. OCSP Stapling implementation (JEP-249) [4] [5]
>>> - This feature introduces new public API in the javax.net.ssl.ExtendedSSLSession class
>>> - OCSP Stapling can be supported in 8u TLS 1.3 without additional API.
>>> - Proposed patch includes OCSP Stapling implementation but it is disabled by default. It can be enabled by “jdk.tls.client.enableStatusRequestExtension” System Property
>>>
>>> 3. ChaCha20 and Poly1305 CipherSuite support (JEP-329) [6] [7] [8]
>>> - Chacha20-Poly1305 AEAD cipher suites can be supported in 8u TLS 1.3 without additional public API
>>> - Chacha20-Poly1305 cipher suite support is not backported to JDK11 so it is not included in the 8u TLS 1.3 backport
>>> - Support of Chacha20-Poly1305 cipher suites could be added later by separate patch
>>>
>>> 4. Authenticator on a HttpURLConnection (JDK-8169495) [9]
>>> - This feature can not be supported in 8u TLS 1.3 backport without additional public API
>>> - The code for this feature was removed from the 8u TLS 1.3 backport
>>>
>>> 5. TLS_KRB5 cipher suites (RFC 2712) [10]
>>> - JDK8 includes support for TLS_KRB5 cipher suites according to RFC2712
>>> - OpenJDK 11.0.6-ga does not support TLS_KRB5 cipher suites
>>> - Proposed 8u TLS 1.3 backport DOES NOT support TLS_KRB5 cipher suites
>>> - Support for TLS_KRB5 cipher suites will be added later as part of this or separate review
>>>
>>> Webrev : http://cr.openjdk.java.net/~dcherepanov/tls1.3/webrev.v1/
>>>
>>> [1] https://openjdk.java.net/jeps/332
>>> [2] https://openjdk.java.net/jeps/219
>>> [3] https://bugs.openjdk.java.net/browse/JDK-8043758
>>> [4] https://openjdk.java.net/jeps/249
>>> [5] https://bugs.openjdk.java.net/browse/JDK-8046321
>>> [6] https://openjdk.java.net/jeps/329
>>> [7] https://bugs.openjdk.java.net/browse/JDK-8153028
>>> [8] https://bugs.openjdk.java.net/browse/JDK-8140466
>>> [9] https://bugs.openjdk.java.net/browse/JDK-8169495
>>> [10] https://tools.ietf.org/html/rfc2712
>>>
>>>
>>> Regards,
>>> Alexey
>>>
>>>
>>> Which bugs are being backported by this webrev?
>>>
>>> Thanks,
>>> --
>>> Andrew :)
>>>
>>> Senior Free Java Software Engineer
>>> Red Hat, Inc. (http://www.redhat.com<http://www.redhat.com/>)
>>>
>>> PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
>>> Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222
>>>
>>>
>>>
>>
>> This list of bugs doesn't look accurate to me. I've not been through
>> them all, but a number stand out to me as I've included them in 8u for
>> security updates. At least 8208350, 8210985 & 8228825 are already present.
>>
>> I think it would be preferable to focus on backporting the first of
>> these bugs (which seems to be the main TLS 1.3 implementation), and then
>> work from there. It seems unreasonable to expect someone to review such
>> a mammoth number of fixes in one patch
>>
>> Backporting one or two fixes in one patch makes it much easier to
>> compare with the original and see what changes need to be made for 8u.
>> It also makes it easier to exclude changes we don't want.
>>
>> I expect me trying to untangle all the bugs in this patch would involve
>> nearly as much work as just backporting them myself.
>>
>> Thanks,
>> --
>> Andrew :)
>>
>> Senior Free Java Software Engineer
>> Red Hat, Inc. (http://www.redhat.com)
>>
>> PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
>> Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222
>>
More information about the jdk8u-dev
mailing list