Issue when connecting to TLSv1 server
Bradford Wetmore
bradford.wetmore at oracle.com
Mon Feb 8 19:13:20 UTC 2016
I looked at this last week and added a few more bits of info today.
Without the debug logs, it's hard to see what's going on.
Brad
On 2/5/2016 5:05 PM, Xuelei Fan wrote:
> Thanks for the report. I filed a bug for further evaluation:
>
> https://bugs.openjdk.java.net/browse/JDK-8149169
>
> Regards,
> Xuelei
>
> On 2/6/2016 7:18 AM, Langer, Christoph wrote:
>> Hi,
>>
>>
>>
>> while supporting an app development team, I’m facing a tough TLS issue –
>> maybe you experts have an idea.
>>
>>
>>
>> They try to open an HTTPS connection to the server URL
>> https://nfe-homologacao.sefazrs.rs.gov.br:443/ws/NfeAutorizacao/NFeAutorizacao.asmx.
>> This is a Web Service of some Brazilian financial authority. So, what
>> I’m basically doing is this:
>>
>>
>>
>> --code snippet--
>>
>> URL url = new
>> URL("https://nfe-homologacao.sefazrs.rs.gov.br:443/ws/NfeAutorizacao/NFeAutorizacao.asmx");
>>
>> HttpsURLConnection con = (HttpsURLConnection)url.openConnection();
>>
>> con.setHostnameVerifier(new DefaultHostnameVerifier());
>>
>>
>>
>> // optional default is GET
>>
>> con.setRequestMethod("GET");
>>
>>
>>
>> System.out.println("Sending 'GET' request to URL: " + url);
>>
>> int responseCode = con.getResponseCode();
>>
>> System.out.println("Response Code: " + responseCode);
>>
>> --end code snippet—
>>
>>
>>
>> I expect it to return “403 – not authorized”.
>>
>>
>>
>> The coding will work with JDK7. However, with JDK8, I get this type of
>> exception:
>>
>>
>>
>> java.net.SocketException: Unrecognized Windows Sockets error: 0: recv failed
>>
>> at java.net.SocketInputStream.socketRead0(Native Method)
>>
>> at java.net.SocketInputStream.socketRead(SocketInputStream.java:116)
>>
>> at java.net.SocketInputStream.read(SocketInputStream.java:170)
>>
>> at java.net.SocketInputStream.read(SocketInputStream.java:141)
>>
>> at sun.security.ssl.InputRecord.readFully(InputRecord.java:465)
>>
>> at sun.security.ssl.InputRecord.read(InputRecord.java:503)
>>
>> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)
>>
>> at
>> sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:930)
>>
>> at sun.security.ssl.AppInputStream.read(AppInputStream.java:105)
>>
>> at java.io.BufferedInputStream.fill(BufferedInputStream.java:246)
>>
>> at java.io.BufferedInputStream.read1(BufferedInputStream.java:286)
>>
>> at java.io.BufferedInputStream.read(BufferedInputStream.java:345)
>>
>> at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:704)
>>
>> at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:647)
>>
>> at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:675)
>>
>> at
>> sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1536)
>>
>> at
>> sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)
>>
>> at
>> java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
>>
>> at
>> sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338)
>>
>> …
>>
>>
>>
>> I can get it to work in JDK8 by forcing it to TLSv1 only, e.g. by
>> setting property -Djdk.tls.client.protocols=TLSv1.
>>
>>
>>
>> For JDK9 I even get a different exception:
>>
>> javax.net.ssl.SSLException: java.nio.BufferOverflowException
>>
>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:214)
>>
>> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1948)
>>
>> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1900)
>>
>> at
>> sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1883)
>>
>> at
>> sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1809)
>>
>> at sun.security.ssl.AppInputStream.read(AppInputStream.java:173)
>>
>> at java.io.BufferedInputStream.fill(BufferedInputStream.java:246)
>>
>> at java.io.BufferedInputStream.read1(BufferedInputStream.java:286)
>>
>> at java.io.BufferedInputStream.read(BufferedInputStream.java:345)
>>
>> at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:704)
>>
>> at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:647)
>>
>> at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:675)
>>
>> at
>> sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1534)
>>
>> at
>> sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1439)
>>
>> at
>> java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
>>
>> at
>> sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:319)
>>
>> at
>> com.sap.cl.HttpsURLConnectionTest.sendGETRequest(HttpsURLConnectionTest.java:42)
>>
>> at
>> com.sap.cl.HttpsURLConnectionTest.main(HttpsURLConnectionTest.java:63)
>>
>> Caused by: java.nio.BufferOverflowException
>>
>> at java.nio.HeapByteBuffer.put(HeapByteBuffer.java:206)
>>
>> at
>> sun.security.ssl.SSLSocketInputRecord.decodeInputRecord(SSLSocketInputRecord.java:226)
>>
>> at
>> sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:178)
>>
>> at
>> sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1012)
>>
>> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:957)
>>
>> at sun.security.ssl.AppInputStream.read(AppInputStream.java:159)
>>
>> ... 12 more
>>
>>
>>
>> I’ve debugged a lot today and tried to get something out of the
>> javax.net.debug output but I didn’t get any further with this – probably
>> due to my lack of understanding the details of TLS communication and its
>> implementation. I know the server is using some legacy protocol but
>> still I think it should work.
>>
>>
>>
>> Maybe someone has any helpful idea? Is it a bug? You can simply try to
>> run my test code snippet and should see the issue immediately…
>>
>>
>>
>> Thanks
>>
>> Christoph
>>
>>
>>
>
More information about the security-dev
mailing list