Java 11 RC build - HTTPS handshake failure against a previously working server

Jaikiran Pai jai.forums2013 at gmail.com
Sat Aug 25 14:04:13 UTC 2018 

Hi Xuelei,


On 25/08/18 7:20 PM, Xuelei Fan wrote:
> Sending "supported_groups" in ServerHello does not comply to the
> extension specification.

Agreed. However, given that both the client and server are using TLSv1.2
and this seems to be "working" before the newer TLSv1.3 changes, even in
recent JDK versions, is there a way the implementation could workaround
this so as to allow JDK 11 to communicate with such servers?

> Is it possible the HTTPS server fix this problem?

I don't have access or control over that server, so don't really know
how it's configured or whether it can be fixed. It's a pretty frequently
used Maven repository hosted by the JBoss (Red Hat middleware) project
team. I suspect, it's not just limited to this server and could be a
common issue with some other servers too.


> I filed a bug in OpenJDK for the tracking:
>   https://bugs.openjdk.java.net/browse/JDK-8209965

Thank you.

-Jaikiran

>
> Thanks,
> Xuelei
>
> On 8/25/2018 5:03 AM, Jaikiran Pai wrote:
>> As noted in that exception message, it appears that the server is
>> sending a "supported_groups" extension in its ServerHello message
>> (TLSv1.2). Reading about it, this seems to be a common issue with
>> certain servers and certain SSL implementations have added support to be
>> lenient with such servers
>> https://github.com/openssl/openssl/pull/4463/files
>>
>> -Jaikiran
>>
>>
>> On 25/08/18 11:58 AM, Jaikiran Pai wrote:
>>> While testing the recently released RC of JDK11 against the Apache Ant
>>> project, I happened to run into an odd error. I have now been able to
>>> reproduce this using the following, pretty trivial code:
>>>
>>> import java.net.URL;
>>> import java.io.InputStream;
>>>
>>> public class Fetch {
>>>       public static void main(final String[] args) throws Exception {
>>>           final URL targetURL = new
>>> URL("https://repository.jboss.org/nexus/content/groups/public/javax/media/jai-core/1.1.3/jai-core-1.1.3.pom");
>>>
>>>           try (final InputStream is =
>>> targetURL.openConnection().getInputStream()) {
>>>               is.read();
>>>           }
>>>           System.out.println("Done");
>>>       }
>>> }
>>>
>>> All it does is opens a (HTTPS) connection against an endpoint to read
>>> some content. This code works fine in Java 8 and even Java 10. I'm
>>> pretty sure this was working fine even in Java 11 early access builds,
>>> but I don't have any such build/binary at hand to be certain.
>>>
>>> However, using the latest (OpenJDK) RC of Java 11 (both on Mac OS and
>>> Linux) downloaded from[1]:
>>>
>>> openjdk version "11" 2018-09-25
>>> OpenJDK Runtime Environment 18.9 (build 11+28)
>>> OpenJDK 64-Bit Server VM 18.9 (build 11+28, mixed mode)
>>>
>>> it fails with:
>>>
>>>
>>> Exception in thread "main" javax.net.ssl.SSLHandshakeException:
>>> extension (10) should not be presented in server_hello
>>>      at
>>> java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
>>>      at
>>> java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
>>>      at
>>> java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
>>>
>>>      at
>>> java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
>>>
>>>      at
>>> java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:255)
>>>
>>>      at
>>> java.base/sun.security.ssl.SSLExtensions.<init>(SSLExtensions.java:71)
>>>      at
>>> java.base/sun.security.ssl.ServerHello$ServerHelloMessage.<init>(ServerHello.java:173)
>>>
>>>      at
>>> java.base/sun.security.ssl.ServerHello$ServerHelloConsumer.consume(ServerHello.java:864)
>>>
>>>      at
>>> java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
>>>      at
>>> java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
>>>
>>>      at
>>> java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
>>>
>>>      at
>>> java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:178)
>>>
>>>      at
>>> java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
>>>      at
>>> java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
>>>
>>>      at
>>> java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
>>>
>>>      at
>>> java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
>>>
>>>      at
>>> java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
>>>
>>>      at
>>> java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
>>>
>>>      at
>>> java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1581)
>>>
>>>      at
>>> java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1509)
>>>
>>>      at
>>> java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:245)
>>>
>>>      at Fetch.main(Fetch.java:7)
>>>
>>>
>>> [1] http://jdk.java.net/11/
>>>
>>> -Jaikiran
>>>
>>>
>>>
>>>
>>

More information about the security-dev mailing list