Java 11 RC build - HTTPS handshake failure against a previously working server
Jaikiran Pai
jai.forums2013 at gmail.com
Sun Aug 26 13:19:34 UTC 2018
I have now applied the patch to the JDK11 repo on top of:
hg sum
parent: 51151:1ddf9a99e4ad tip
Added tag jdk-11+28 for changeset 76072a077ee1
branch: default
and built the new images and run the testsuite against this version. The
tests passed without any issues. Ran the sample code from my original
mail, against this patched JDK 11 version and that too passed.
-Jaikiran
On 25/08/18 9:58 PM, Jaikiran Pai wrote:
> Hi Xuelei,
>
> I had the JDK 12 repo checked out already with the latest code as of today:
>
> hg sum
> parent: 51538:a716460217ed
> 8209911: More blob types in hs_err printout
> branch: default
>
> I applied the patch you had attached in this thread against this and
> built it afresh.
>
> With this new image, I was able to run the Apache Ant testsuite (the one
> which was originally and still fails with JDK 11 RC build) without any
> issues. I even ran the sample program that I had listed in this thread
> against this patched 12.x build and that too went fine. I verified that
> the patch has indeed taken effect by enabling javax.net.debug logging
> and I do indeed see the new log:
>
> javax.net.ssl|DEBUG|01|main|2018-08-25 21:20:57.860
> IST|PreSharedKeyExtension.java:606|No session to resume.
> javax.net.ssl|DEBUG|01|main|2018-08-25 21:20:57.860
> IST|SSLExtensions.java:250|Ignore, context unavailable extension:
> pre_shared_key
> javax.net.ssl|DEBUG|01|main|2018-08-25 21:20:57.864
> IST|ClientHello.java:633|Produced ClientHello handshake message (
> "ClientHello": {
> "client version" : "TLSv1.2",
> ....
> }
> )
> ....
> javax.net.ssl|DEBUG|01|main|2018-08-25 21:20:57.865
> IST|SSLSocketOutputRecord.java:241|WRITE: TLS13 handshake, length = 446
> javax.net.ssl|DEBUG|01|main|2018-08-25 21:20:58.664
> IST|SSLSocketInputRecord.java:213|READ: TLSv1.2 handshake, length = 99
> javax.net.ssl|DEBUG|01|main|2018-08-25 21:20:58.664
> IST|SSLSocketInputRecord.java:249|READ: TLSv1.2 handshake, length = 99
> javax.net.ssl|WARNING|01|main|2018-08-25 21:20:58.665
> IST|SSLExtensions.java:79|Buggy supported_groups in ServerHello
> javax.net.ssl|DEBUG|01|main|2018-08-25 21:20:58.667
> IST|ServerHello.java:862|Consuming ServerHello handshake message (
> "ServerHello": {
> "server version" : "TLSv1.2",
> "random" : "4C 62 53 A1 56 4D 82 EE 3A 44 E3 25 0D 2F BD
> CB 02 EE FD 3B 8E 4E D1 2B 52 5F AD 5B 0B B5 BC 98",
> "session id" : "A9 BC 19 7D 36 84 25 F8 6B 77 3F 1D 93 5E B4
> 52 DE AE 41 90 67 2B F2 80 BB 85 3B BE 36 A1 F3 1C",
> "cipher suite" : "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030)",
> "compression methods" : "00",
> "extensions" : [
> "renegotiation_info (65,281)": {
> "renegotiated connection": [<no renegotiated connection>]
> },
> "server_name (0)": {
> <empty extension_data field>
> },
> "ec_point_formats (11)": {
> "formats": [uncompressed]
> }
> ]
> }
> )
>
>
> As for trying this against the JDK 11 repo, I have initiated a clone,
> but it's going to take a while (as expected). I don't expect it to
> finish soon, so I'm going to let it clone overnight and I will apply
> this patch against that repo too and run this same testsuite against it.
> I don't expect it to fail but I just want to make sure there aren't any
> surprises. I will send out a note once that's done tomorrow.
>
> I'll anyway be running some more extensive testsuites, over the next few
> days, with this patched version and see how it goes.
>
> Thank you very much for the quick response and the patch.
>
> -Jaikiran
>
> On 25/08/18 8:18 PM, Xuelei Fan wrote:
>> Hi Jaikiran,
>>
>> Thank you very much for the help!
>>
>> JDK 12 repo (JDK repo):
>> http://hg.openjdk.java.net/jdk/jdk
>>
>> JDK 11 repo:
>> http://hg.openjdk.java.net/jdk/jdk11
>>
>> The patch should work for both repositories.
>>
>> Thanks,
>> Xuelei
>>
>>
>> On 8/25/2018 7:44 AM, Jaikiran Pai wrote:
>>> Hi Xuelei,
>>>
>>> I can definitely build JDK 12 (jdk repo) from source and apply your
>>> attached patch and give it a try. As for JDK 11, I haven't been
>>> following the version control discussions/process, does it have a
>>> separate repo now? Or is it some branch within jdk repo itself? Either
>>> way, once I know the right repo location, I can (and in fact prefer)
>>> building that repo with this patch to give it a try.
>>>
>>> -Jaikiran
>>>
>>>
>>> On 25/08/18 8:10 PM, Xuelei Fan wrote:
>>>> Hi Jaikiran,
>>>>
>>>> Could you build JDK 11 or JDK 12 from source code? I had a patch to
>>>> tolerate the extension in ServerHello handshake message. Please let
>>>> me know if it works or not.
>>>>
>>>> If there are any other JDK 11 TLS problems with Apache Ant project,
>>>> I'd like to know as well.
>>>>
>>>> Thanks,
>>>> Xuelei
>>>>
>>>> On 8/25/2018 7:04 AM, Jaikiran Pai wrote:
>>>>> Hi Xuelei,
>>>>>
>>>>>
>>>>> On 25/08/18 7:20 PM, Xuelei Fan wrote:
>>>>>> Sending "supported_groups" in ServerHello does not comply to the
>>>>>> extension specification.
>>>>> Agreed. However, given that both the client and server are using
>>>>> TLSv1.2
>>>>> and this seems to be "working" before the newer TLSv1.3 changes,
>>>>> even in
>>>>> recent JDK versions, is there a way the implementation could
>>>>> workaround
>>>>> this so as to allow JDK 11 to communicate with such servers?
>>>>>
>>>>>> Is it possible the HTTPS server fix this problem?
>>>>> I don't have access or control over that server, so don't really know
>>>>> how it's configured or whether it can be fixed. It's a pretty
>>>>> frequently
>>>>> used Maven repository hosted by the JBoss (Red Hat middleware) project
>>>>> team. I suspect, it's not just limited to this server and could be a
>>>>> common issue with some other servers too.
>>>>>
>>>>>
>>>>>> I filed a bug in OpenJDK for the tracking:
>>>>>> https://bugs.openjdk.java.net/browse/JDK-8209965
>>>>> Thank you.
>>>>>
>>>>> -Jaikiran
>>>>>
>>>>>> Thanks,
>>>>>> Xuelei
>>>>>>
>>>>>> On 8/25/2018 5:03 AM, Jaikiran Pai wrote:
>>>>>>> As noted in that exception message, it appears that the server is
>>>>>>> sending a "supported_groups" extension in its ServerHello message
>>>>>>> (TLSv1.2). Reading about it, this seems to be a common issue with
>>>>>>> certain servers and certain SSL implementations have added support
>>>>>>> to be
>>>>>>> lenient with such servers
>>>>>>> https://github.com/openssl/openssl/pull/4463/files
>>>>>>>
>>>>>>> -Jaikiran
>>>>>>>
>>>>>>>
>>>>>>> On 25/08/18 11:58 AM, Jaikiran Pai wrote:
>>>>>>>> While testing the recently released RC of JDK11 against the Apache
>>>>>>>> Ant
>>>>>>>> project, I happened to run into an odd error. I have now been
>>>>>>>> able to
>>>>>>>> reproduce this using the following, pretty trivial code:
>>>>>>>>
>>>>>>>> import java.net.URL;
>>>>>>>> import java.io.InputStream;
>>>>>>>>
>>>>>>>> public class Fetch {
>>>>>>>> public static void main(final String[] args) throws
>>>>>>>> Exception {
>>>>>>>> final URL targetURL = new
>>>>>>>> URL("https://repository.jboss.org/nexus/content/groups/public/javax/media/jai-core/1.1.3/jai-core-1.1.3.pom");
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> try (final InputStream is =
>>>>>>>> targetURL.openConnection().getInputStream()) {
>>>>>>>> is.read();
>>>>>>>> }
>>>>>>>> System.out.println("Done");
>>>>>>>> }
>>>>>>>> }
>>>>>>>>
>>>>>>>> All it does is opens a (HTTPS) connection against an endpoint to
>>>>>>>> read
>>>>>>>> some content. This code works fine in Java 8 and even Java 10. I'm
>>>>>>>> pretty sure this was working fine even in Java 11 early access
>>>>>>>> builds,
>>>>>>>> but I don't have any such build/binary at hand to be certain.
>>>>>>>>
>>>>>>>> However, using the latest (OpenJDK) RC of Java 11 (both on Mac
>>>>>>>> OS and
>>>>>>>> Linux) downloaded from[1]:
>>>>>>>>
>>>>>>>> openjdk version "11" 2018-09-25
>>>>>>>> OpenJDK Runtime Environment 18.9 (build 11+28)
>>>>>>>> OpenJDK 64-Bit Server VM 18.9 (build 11+28, mixed mode)
>>>>>>>>
>>>>>>>> it fails with:
>>>>>>>>
>>>>>>>>
>>>>>>>> Exception in thread "main" javax.net.ssl.SSLHandshakeException:
>>>>>>>> extension (10) should not be presented in server_hello
>>>>>>>> at
>>>>>>>> java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
>>>>>>>> at
>>>>>>>> java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
>>>>>>>> at
>>>>>>>> java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> at
>>>>>>>> java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> at
>>>>>>>> java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:255)
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> at
>>>>>>>> java.base/sun.security.ssl.SSLExtensions.<init>(SSLExtensions.java:71)
>>>>>>>>
>>>>>>>>
>>>>>>>> at
>>>>>>>> java.base/sun.security.ssl.ServerHello$ServerHelloMessage.<init>(ServerHello.java:173)
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> at
>>>>>>>> java.base/sun.security.ssl.ServerHello$ServerHelloConsumer.consume(ServerHello.java:864)
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> at
>>>>>>>> java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
>>>>>>>>
>>>>>>>>
>>>>>>>> at
>>>>>>>> java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> at
>>>>>>>> java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> at
>>>>>>>> java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:178)
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> at
>>>>>>>> java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
>>>>>>>>
>>>>>>>> at
>>>>>>>> java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> at
>>>>>>>> java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> at
>>>>>>>> java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> at
>>>>>>>> java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> at
>>>>>>>> java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> at
>>>>>>>> java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1581)
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> at
>>>>>>>> java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1509)
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> at
>>>>>>>> java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:245)
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> at Fetch.main(Fetch.java:7)
>>>>>>>>
>>>>>>>>
>>>>>>>> [1] http://jdk.java.net/11/
>>>>>>>>
>>>>>>>> -Jaikiran
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>
>
More information about the security-dev
mailing list