Java 11 RC build - HTTPS handshake failure against a previously working server

Xuelei Fan xuelei.fan at oracle.com
Sat Aug 25 13:50:50 UTC 2018


Sending "supported_groups" in ServerHello does not comply to the 
extension specification.  Is it possible the HTTPS server fix this problem?

I filed a bug in OpenJDK for the tracking:
   https://bugs.openjdk.java.net/browse/JDK-8209965

Thanks,
Xuelei

On 8/25/2018 5:03 AM, Jaikiran Pai wrote:
> As noted in that exception message, it appears that the server is
> sending a "supported_groups" extension in its ServerHello message
> (TLSv1.2). Reading about it, this seems to be a common issue with
> certain servers and certain SSL implementations have added support to be
> lenient with such servers https://github.com/openssl/openssl/pull/4463/files
> 
> -Jaikiran
> 
> 
> On 25/08/18 11:58 AM, Jaikiran Pai wrote:
>> While testing the recently released RC of JDK11 against the Apache Ant
>> project, I happened to run into an odd error. I have now been able to
>> reproduce this using the following, pretty trivial code:
>>
>> import java.net.URL;
>> import java.io.InputStream;
>>
>> public class Fetch {
>>       public static void main(final String[] args) throws Exception {
>>           final URL targetURL = new
>> URL("https://repository.jboss.org/nexus/content/groups/public/javax/media/jai-core/1.1.3/jai-core-1.1.3.pom");
>>           try (final InputStream is =
>> targetURL.openConnection().getInputStream()) {
>>               is.read();
>>           }
>>           System.out.println("Done");
>>       }
>> }
>>
>> All it does is opens a (HTTPS) connection against an endpoint to read
>> some content. This code works fine in Java 8 and even Java 10. I'm
>> pretty sure this was working fine even in Java 11 early access builds,
>> but I don't have any such build/binary at hand to be certain.
>>
>> However, using the latest (OpenJDK) RC of Java 11 (both on Mac OS and
>> Linux) downloaded from[1]:
>>
>> openjdk version "11" 2018-09-25
>> OpenJDK Runtime Environment 18.9 (build 11+28)
>> OpenJDK 64-Bit Server VM 18.9 (build 11+28, mixed mode)
>>
>> it fails with:
>>
>>
>> Exception in thread "main" javax.net.ssl.SSLHandshakeException:
>> extension (10) should not be presented in server_hello
>>      at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
>>      at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
>>      at
>> java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
>>      at
>> java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
>>      at
>> java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:255)
>>      at
>> java.base/sun.security.ssl.SSLExtensions.<init>(SSLExtensions.java:71)
>>      at
>> java.base/sun.security.ssl.ServerHello$ServerHelloMessage.<init>(ServerHello.java:173)
>>      at
>> java.base/sun.security.ssl.ServerHello$ServerHelloConsumer.consume(ServerHello.java:864)
>>      at
>> java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
>>      at
>> java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
>>      at
>> java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
>>      at
>> java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:178)
>>      at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
>>      at
>> java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
>>      at
>> java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
>>      at
>> java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
>>      at
>> java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
>>      at
>> java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
>>      at
>> java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1581)
>>      at
>> java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1509)
>>      at
>> java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:245)
>>      at Fetch.main(Fetch.java:7)
>>
>>
>> [1] http://jdk.java.net/11/
>>
>> -Jaikiran
>>
>>
>>
>>
> 



More information about the security-dev mailing list