TLSv1.3 fails to read cert chain after HTTP redirect

Daniel Christensen Daniel.Christensen at microfocus.com
Mon Oct 8 21:34:07 UTC 2018


I have a custom HostnameVerifier that attempts to examine the certificate chain using SSLSession#getPeerCertificates(). After upgrading to Java 11, where it seems that TLSv1.3 is used by default, I am seeing that getPeerCertificates() throws an SSLPeerUnverifiedException after an HTTP redirect has occurred. If I force the protocol to TLSv1.2 this does not occur. If there is no redirect, then this does not occur.

Is this a bug in Java or a change in behavior with TLSv1.3?

The code below demonstrates the problem when 'protocol' is either 'TLS' or 'TLSv1.3' and path is '/redirect'.

doTest("TLSv1.3", "/redirect"); // Fails with SSLPeerUnverifiedException
doTest("TLSv1.3", "/content"); // Succeeds
doTest("TLSv1.2", "/redirect"); // Succeeds
doTest("TLSv1.2", "/content"); // Succeeds

    // Imports needed by doTest. The stub-server helpers (whenHttp, match, then, get,
    // status, ok, contentType, header, stringContent) and HttpStatus are static
    // imports from the stub HTTP server library used by the test (assumed here to
    // be Restito on Grizzly); 'server' is that library's running stub server, and
    // assertEquals is assumed to be JUnit's.
    import java.io.IOException;
    import java.net.URL;
    import java.security.KeyManagementException;
    import java.security.NoSuchAlgorithmException;
    import java.security.SecureRandom;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.HostnameVerifier;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLPeerUnverifiedException;
    import javax.net.ssl.SSLSession;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.X509TrustManager;
    import static org.junit.Assert.assertEquals;

    private void doTest(String protocol, String path)
            throws IOException, NoSuchAlgorithmException, KeyManagementException
    {
        // Stub server: /redirect answers 301 pointing at /content, /content answers 200.
        whenHttp(server)
                .match(get("/redirect"))
                .then(status(HttpStatus.MOVED_PERMANENTLY_301), contentType("text/html"),
                      header("Location", "/content"), stringContent("redirected"));
        whenHttp(server)
                .match(get("/content"))
                .then(ok(), contentType("text/html"), stringContent("ok"));

        URL url = new URL("https", "localhost", server.getPort(), path);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();

        // On Java 11 both "TLS" and "TLSv1.3" negotiate TLSv1.3; "TLSv1.2" does not enable it.
        SSLContext ctx = SSLContext.getInstance(protocol);
        // Test-only trust manager: accepts any server chain without validation so the
        // stub server's certificate is not rejected. Never use this outside a test.
        TrustManager[] tms = {new X509TrustManager()
        {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) {}
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) {}
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }};
        ctx.init(null, tms, new SecureRandom());
        conn.setSSLSocketFactory(ctx.getSocketFactory());

        // The redirect is followed on a new HTTPS connection, so the verifier can be
        // consulted twice. It only asks the session for the peer chain, which is
        // where the SSLPeerUnverifiedException is raised; it is rethrown unchecked
        // so the failure surfaces from getResponseCode().
        conn.setHostnameVerifier(new HostnameVerifier()
        {
            @Override
            public boolean verify(String hostname, SSLSession session)
            {
                java.security.cert.Certificate[] chain = null;
                try
                {
                    chain = session.getPeerCertificates();
                }
                catch (SSLPeerUnverifiedException e)
                {
                    throw new RuntimeException(e);
                }
                return true;
            }
        });
        int status = conn.getResponseCode(); // follows the 301 to /content
        assertEquals(200, status);
    }


Thanks,
Dan

Daniel L. Christensen
Distinguished Engineer
Micro Focus
http://www.microfocus.com
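A verifier meant for production differs from the test stub in the post in two ways: it actually matches the leaf certificate's dNSName subjectAltNames against the requested host, and when the session has no peer chain to inspect (the state the post describes on the redirected TLSv1.3 connection) it fails closed by returning false rather than throwing or returning true. The class below is an added example, not code from the original post or from the JDK. Its SAN matching follows RFC 6125 (one wildcard, left-most label only). The session creation and last-accessed timestamps it logs on failure are only a diagnostic hint: a resumed TLS 1.3 session receives no new Certificate message, so any chain has to come from the cached session, but whether resumption is the cause of the reported behaviour is an assumption here, not something the post establishes.

```java
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

/**
 * Added example (not from the original post): a HostnameVerifier that matches
 * the leaf certificate's dNSName SANs against the requested host and fails
 * closed when the session carries no peer chain.
 */
public final class SanHostnameVerifier implements HostnameVerifier {

    private static final int SAN_DNS_NAME = 2; // GeneralName tag for dNSName

    @Override
    public boolean verify(String hostname, SSLSession session) {
        Certificate[] chain;
        try {
            chain = session.getPeerCertificates();
        } catch (SSLPeerUnverifiedException e) {
            // No chain on this session. Do not throw from a verifier and do not
            // return true: fail closed and let the caller see the IOException.
            // The timestamps help tell a fresh session from a resumed one.
            System.err.printf("no peer chain for %s (session created %d, last accessed %d): %s%n",
                    hostname, session.getCreationTime(), session.getLastAccessedTime(), e);
            return false;
        }
        if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
            return false;
        }
        return matchesSubjectAltName((X509Certificate) chain[0], hostname);
    }

    /** True if any dNSName SAN of the certificate matches the hostname. */
    static boolean matchesSubjectAltName(X509Certificate leaf, String hostname) {
        Collection<List<?>> sans;
        try {
            sans = leaf.getSubjectAlternativeNames();
        } catch (CertificateParsingException e) {
            return false;
        }
        if (sans == null) {
            return false; // no SAN extension: do not fall back to the subject CN
        }
        for (List<?> san : sans) {
            if (san.size() >= 2
                    && Integer.valueOf(SAN_DNS_NAME).equals(san.get(0))
                    && san.get(1) instanceof String
                    && dnsNameMatches((String) san.get(1), hostname)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Case-insensitive DNS-ID match. A wildcard is honoured only as the whole
     * left-most label ("*.example.com"): it covers "a.example.com" but not
     * "a.b.example.com" or "example.com", and "*.com" is rejected outright.
     */
    static boolean dnsNameMatches(String pattern, String hostname) {
        String p = pattern.toLowerCase(Locale.ROOT);
        String h = hostname.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) {
            return p.equals(h);
        }
        String suffix = p.substring(1); // ".example.com"
        if (suffix.indexOf('.', 1) < 0) {
            return false; // "*.com" would cover a whole top-level domain
        }
        if (h.length() <= suffix.length() || !h.endsWith(suffix)) {
            return false;
        }
        String leftLabel = h.substring(0, h.length() - suffix.length());
        return !leftLabel.isEmpty() && leftLabel.indexOf('.') < 0;
    }

    public static void main(String[] args) {
        // Constructed inputs exercising the matcher; no network or certificate needed.
        System.out.println(dnsNameMatches("localhost", "LOCALHOST"));
        System.out.println(dnsNameMatches("*.example.com", "a.example.com"));
        System.out.println(dnsNameMatches("*.example.com", "a.b.example.com"));
        System.out.println(dnsNameMatches("*.example.com", "example.com"));
        System.out.println(dnsNameMatches("*.com", "example.com"));
    }
}
```

Two caveats when wiring this into HttpsURLConnection. SSLSession#getPeerCertificates() returns the chain the peer presented, validated only to the extent the installed TrustManager validated it; with an accept-everything X509TrustManager like the one in the test, a SAN match says nothing about who issued the certificate, so the verifier is only as strong as the trust manager it is paired with. And returning false here makes the connection fail with an IOException from the URL layer, which is the behaviour you want in production but will mask, rather than explain, the missing-chain condition the post reports unless the diagnostic line is kept.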

