Issue when connecting to TLSv1 server

Thomas Lußnig lussnig at suche.org
Fri Feb 5 23:34:09 UTC 2016


Hi,

I checked the server with
https://dev.ssllabs.com/ssltest/analyze.html?d=nfe-homologacao.sefazrs.rs.gov.br
the result is more than bad. I think you should use SSL Context and
define what cipher/protocol you allow,
and check the security.property that there is no restriction on key length.

Regards, Thomas

On 06.02.2016 at 00:18, Langer, Christoph wrote:
>
> Hi,
>
> while supporting an app development team, I’m facing a tough TLS issue 
> – maybe you experts have an idea.
>
> They try to open an HTTPS connection to the server URL 
> https://nfe-homologacao.sefazrs.rs.gov.br:443/ws/NfeAutorizacao/NFeAutorizacao.asmx. 
> This is a Web Service of some Brazilian financial authority. So, what 
> I’m basically doing is this:
>
> --code snippet--
>
> URL url = new URL("https://nfe-homologacao.sefazrs.rs.gov.br:443/ws/NfeAutorizacao/NFeAutorizacao.asmx");
> HttpsURLConnection con = (HttpsURLConnection)url.openConnection();
> con.setHostnameVerifier(new DefaultHostnameVerifier());
>
> // optional default is GET
> con.setRequestMethod("GET");
>
> System.out.println("Sending 'GET' request to URL: " + url);
> int responseCode = con.getResponseCode();
> System.out.println("Response Code: " + responseCode);
>
> --end code snippet--
>
> I expect it to return “403 – not authorized”.
>
> The coding will work with JDK7. However, with JDK8, I get this type of 
> exception:
>
> java.net.SocketException: Unrecognized Windows Sockets error: 0: recv failed
>         at java.net.SocketInputStream.socketRead0(Native Method)
>         at java.net.SocketInputStream.socketRead(SocketInputStream.java:116)
>         at java.net.SocketInputStream.read(SocketInputStream.java:170)
>         at java.net.SocketInputStream.read(SocketInputStream.java:141)
>         at sun.security.ssl.InputRecord.readFully(InputRecord.java:465)
>         at sun.security.ssl.InputRecord.read(InputRecord.java:503)
>         at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)
>         at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:930)
>         at sun.security.ssl.AppInputStream.read(AppInputStream.java:105)
>         at java.io.BufferedInputStream.fill(BufferedInputStream.java:246)
>         at java.io.BufferedInputStream.read1(BufferedInputStream.java:286)
>         at java.io.BufferedInputStream.read(BufferedInputStream.java:345)
>         at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:704)
>         at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:647)
>         at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:675)
>         at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1536)
>         at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)
>         at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
>         at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338)
>
> I can get it to work in JDK8 by forcing it to TLSv1 only, e.g. by 
> setting property -Djdk.tls.client.protocols=TLSv1.
>
> For JDK9 I even get a different exception:
>
> javax.net.ssl.SSLException: java.nio.BufferOverflowException
>         at sun.security.ssl.Alerts.getSSLException(Alerts.java:214)
>         at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1948)
>         at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1900)
>         at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1883)
>         at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1809)
>         at sun.security.ssl.AppInputStream.read(AppInputStream.java:173)
>         at java.io.BufferedInputStream.fill(BufferedInputStream.java:246)
>         at java.io.BufferedInputStream.read1(BufferedInputStream.java:286)
>         at java.io.BufferedInputStream.read(BufferedInputStream.java:345)
>         at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:704)
>         at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:647)
>         at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:675)
>         at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1534)
>         at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1439)
>         at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
>         at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:319)
>         at com.sap.cl.HttpsURLConnectionTest.sendGETRequest(HttpsURLConnectionTest.java:42)
>         at com.sap.cl.HttpsURLConnectionTest.main(HttpsURLConnectionTest.java:63)
> Caused by: java.nio.BufferOverflowException
>         at java.nio.HeapByteBuffer.put(HeapByteBuffer.java:206)
>         at sun.security.ssl.SSLSocketInputRecord.decodeInputRecord(SSLSocketInputRecord.java:226)
>         at sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:178)
>         at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1012)
>         at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:957)
>         at sun.security.ssl.AppInputStream.read(AppInputStream.java:159)
>         ... 12 more
>
> I’ve debugged a lot today and tried to get something out of the 
> javax.net.debug output but I didn’t get any further with this – 
> probably due to my lack of understanding the details of TLS 
> communication and its implementation. I know the server is using some 
> legacy protocol but still I think it should work.
>
> Maybe someone has any helpful idea? Is it a bug? You can simply try to 
> run my test code snippet and should see the issue immediately…
>
> Thanks
>
> Christoph
>
