Not possible to disable new TLS extensions for TLS 1.2 connections

Amir Khassaia amir.khassaia at gmail.com
Fri Jan 4 04:24:10 UTC 2019


Greetings,

Can extra security properties controlling new TLS extensions be added to
make some of the JSSE handshake more configurable?

I'm finding some misbehaviour caused indirectly with an existing TLS client
when moving to OpenJDK 11, whereas it works fine with 8, 9 and 10. Note that
TLS 1.3 is not used; this is purely a compatibility issue with a TLS 1.2
request where some of the extensions can be optional.

Whilst it doesn't appear the JSSE implementation is doing anything out of
compliance with the standard, it seems to present a case of an existing
endpoint whose interop is now affected, and there could be many misbehaved
implementations out there, perhaps ones in hardware etc., that may not
handle unknown extensions well.

For me the endpoint in question is doing XMPP+STARTTLS on
talk.google.com:5222

Through Wireshark client hello dumps, the main difference seems to be the
ordering of extensions and the presence of two extra extensions:

1)  Extension: supported_versions (len=3)
            Type: supported_versions (43)
            Length: 3
            Supported Versions length: 2
            Supported Version: TLS 1.2 (0x0303)

2) Extension: signature_algorithms_cert (len=34)
            Type: signature_algorithms_cert (50)
            Length: 34
            Signature Hash Algorithms Length: 32
            Signature Hash Algorithms (16 algorithms)
                Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                    Signature Hash Algorithm Hash: SHA256 (4)
                    Signature Hash Algorithm Signature: ECDSA (3)
                Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
                    Signature Hash Algorithm Hash: SHA384 (5)
                    Signature Hash Algorithm Signature: ECDSA (3)
                Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
                    Signature Hash Algorithm Hash: SHA512 (6)
                    Signature Hash Algorithm Signature: ECDSA (3)
                Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
                    Signature Hash Algorithm Hash: Unknown (8)
                    Signature Hash Algorithm Signature: Unknown (4)
                Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)
                    Signature Hash Algorithm Hash: Unknown (8)
                    Signature Hash Algorithm Signature: Unknown (5)
                Signature Algorithm: rsa_pss_rsae_sha512 (0x0806)
                    Signature Hash Algorithm Hash: Unknown (8)
                    Signature Hash Algorithm Signature: Unknown (6)
                Signature Algorithm: rsa_pss_pss_sha256 (0x0809)
                    Signature Hash Algorithm Hash: Unknown (8)
                    Signature Hash Algorithm Signature: Unknown (9)
                Signature Algorithm: rsa_pss_pss_sha384 (0x080a)
                    Signature Hash Algorithm Hash: Unknown (8)
                    Signature Hash Algorithm Signature: Unknown (10)
                Signature Algorithm: rsa_pss_pss_sha512 (0x080b)
                    Signature Hash Algorithm Hash: Unknown (8)
                    Signature Hash Algorithm Signature: Unknown (11)
                Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
                    Signature Hash Algorithm Hash: SHA256 (4)
                    Signature Hash Algorithm Signature: RSA (1)
                Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
                    Signature Hash Algorithm Hash: SHA384 (5)
                    Signature Hash Algorithm Signature: RSA (1)
                Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
                    Signature Hash Algorithm Hash: SHA512 (6)
                    Signature Hash Algorithm Signature: RSA (1)
                Signature Algorithm: SHA256 DSA (0x0402)
                    Signature Hash Algorithm Hash: SHA256 (4)
                    Signature Hash Algorithm Signature: DSA (2)
                Signature Algorithm: ecdsa_sha1 (0x0203)
                    Signature Hash Algorithm Hash: SHA1 (2)
                    Signature Hash Algorithm Signature: ECDSA (3)
                Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
                    Signature Hash Algorithm Hash: SHA1 (2)
                    Signature Hash Algorithm Signature: RSA (1)
                Signature Algorithm: SHA1 DSA (0x0202)
                    Signature Hash Algorithm Hash: SHA1 (2)
                    Signature Hash Algorithm Signature: DSA (2)

This triggers a completely bizarre SNI bug, but nevertheless it works just
fine as soon as the JRE is swapped out.

Debug output of the failed case:

javax.net.ssl|DEBUG|0F|Smack Packet Reader (0)|2019-01-04 15:21:53.937
AEDT|SSLCipher.java:437|jdk.tls.keyLimits:  entry = AES/GCM/NoPadding
KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472
javax.net.ssl|WARNING|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.273
AEDT|ServerNameExtension.java:255|Unable to indicate server name
javax.net.ssl|DEBUG|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.273
AEDT|SSLExtensions.java:235|Ignore, context unavailable extension:
server_name
javax.net.ssl|WARNING|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.314
AEDT|SignatureScheme.java:282|Signature algorithm, ed25519, is not
supported by the underlying providers
javax.net.ssl|WARNING|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.314
AEDT|SignatureScheme.java:282|Signature algorithm, ed448, is not supported
by the underlying providers
javax.net.ssl|INFO|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.327
AEDT|AlpnExtension.java:161|No available application protocols
javax.net.ssl|DEBUG|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.327
AEDT|SSLExtensions.java:235|Ignore, context unavailable extension:
application_layer_protocol_negotiation
javax.net.ssl|DEBUG|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.328
AEDT|SSLExtensions.java:235|Ignore, context unavailable extension:
renegotiation_info
javax.net.ssl|DEBUG|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.353
AEDT|ClientHello.java:651|Produced ClientHello handshake message (
"ClientHello": {
  "client version"      : "TLSv1.2",
  "random"              : "3B 9C 31 FA 55 2B 09 81 5F 12 82 25 AD A6 47 8E
76 CA 80 BF 72 BB 6D 84 EF 92 3E 9E EC 7A D5 13",
  "session id"          : "",
  "cipher suites"       :
"[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C),
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B),
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030),
TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D),
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E),
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032),
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F),
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3),
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F),
TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C),
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D),
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031),
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E),
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2),
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024),
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028),
TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D),
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026),
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A),
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B),
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A),
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A),
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014),
TLS_RSA_WITH_AES_256_CBC_SHA(0x0035),
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005),
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F),
TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039),
TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038),
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023),
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027),
TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C),
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025),
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029),
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067),
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040),
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009),
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013),
TLS_RSA_WITH_AES_128_CBC_SHA(0x002F),
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004),
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E),
TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033),
TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032),
TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
  "compression methods" : "00",
  "extensions"          : [
    "status_request (5)": {
      "certificate status type": ocsp
      "OCSP status request": {
        "responder_id": <empty>
        "request extensions": {
          <empty>
        }
      }
    },
    "supported_groups (10)": {
      "versions": [secp256r1, secp384r1, secp521r1, sect283k1, sect283r1,
sect409k1, sect409r1, sect571k1, sect571r1, secp256k1, ffdhe2048,
ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
    },
    "ec_point_formats (11)": {
      "formats": [uncompressed]
    },
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384,
ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384,
rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384,
rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512,
dsa_sha256, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384,
ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384,
rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384,
rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512,
dsa_sha256, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "status_request_v2 (17)": {
      "cert status request": {
        "certificate status type": ocsp_multi
        "OCSP status request": {
          "responder_id": <empty>
          "request extensions": {
            <empty>
          }
        }
      }
    },
    "extended_master_secret (23)": {
      <empty>
    },
    "supported_versions (43)": {
      "versions": [TLSv1.2]
    }
  ]
}
)
javax.net.ssl|DEBUG|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.521
AEDT|ServerHello.java:866|Consuming ServerHello handshake message (
"ServerHello": {
  "server version"      : "TLSv1.2",
  "random"              : "5C 2E DF 63 7B 0F C0 81 8C 3D 26 84 4B C1 51 AB
82 8A 3A DF 4D F3 91 4E 45 34 D5 33 CA 1B 59 8E",
  "session id"          : "C8 38 09 76 0A CF 61 C2 2D 29 37 F1 74 31 36 FD
2A 00 6A C7 B9 FE 85 9C 16 F6 7B 9F 10 27 70 51",
  "cipher suite"        : "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F)",
  "compression methods" : "00",
  "extensions"          : [
    "extended_master_secret (23)": {
      <empty>
    },
    "renegotiation_info (65,281)": {
      "renegotiated connection": [<no renegotiated connection>]
    },
    "ec_point_formats (11)": {
      "formats": [uncompressed]
    }
  ]
}
)
javax.net.ssl|DEBUG|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.522
AEDT|SSLExtensions.java:148|Ignore unavailable extension: supported_versions
javax.net.ssl|DEBUG|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.522
AEDT|ServerHello.java:962|Negotiated protocol version: TLSv1.2
javax.net.ssl|DEBUG|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.523
AEDT|SSLExtensions.java:167|Consumed extension: renegotiation_info
javax.net.ssl|DEBUG|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.524
AEDT|SSLExtensions.java:148|Ignore unavailable extension: server_name
javax.net.ssl|DEBUG|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.535
AEDT|SSLExtensions.java:148|Ignore unavailable extension:
max_fragment_length
javax.net.ssl|DEBUG|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.536
AEDT|SSLExtensions.java:148|Ignore unavailable extension: status_request
javax.net.ssl|DEBUG|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.536
AEDT|SSLExtensions.java:167|Consumed extension: ec_point_formats
javax.net.ssl|DEBUG|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.536
AEDT|SSLExtensions.java:148|Ignore unavailable extension: status_request_v2
javax.net.ssl|DEBUG|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.537
AEDT|SSLExtensions.java:167|Consumed extension: extended_master_secret
javax.net.ssl|DEBUG|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.537
AEDT|SSLExtensions.java:167|Consumed extension: renegotiation_info
javax.net.ssl|DEBUG|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.538
AEDT|SSLExtensions.java:182|Ignore unavailable extension: server_name
javax.net.ssl|DEBUG|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.538
AEDT|SSLExtensions.java:182|Ignore unavailable extension:
max_fragment_length
javax.net.ssl|DEBUG|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.538
AEDT|SSLExtensions.java:182|Ignore unavailable extension: status_request
javax.net.ssl|WARNING|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.538
AEDT|SSLExtensions.java:190|Ignore impact of unsupported extension:
ec_point_formats
javax.net.ssl|DEBUG|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.540
AEDT|SSLExtensions.java:182|Ignore unavailable extension:
application_layer_protocol_negotiation
javax.net.ssl|DEBUG|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.540
AEDT|SSLExtensions.java:182|Ignore unavailable extension: status_request_v2
javax.net.ssl|WARNING|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.543
AEDT|SSLExtensions.java:190|Ignore impact of unsupported extension:
extended_master_secret
javax.net.ssl|WARNING|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.543
AEDT|SSLExtensions.java:190|Ignore impact of unsupported extension:
renegotiation_info
javax.net.ssl|DEBUG|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.553
AEDT|CertificateMessage.java:358|Consuming server Certificate handshake
message (
"Certificates": [
  "certificate" : {
    "version"            : "v3",
    "serial number"      : "00 90 76 89 18 E9 33 93 A0",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=invalid2.invalid, OU="No SNI provided;
please fix your client."",
    "not before"         : "2015-01-01 11:00:00.000 AEDT",
    "not  after"         : "2030-01-01 11:00:00.000 AEDT",
    "subject"            : "CN=invalid2.invalid, OU="No SNI provided;
please fix your client."",
    "subject public key" : "RSA",
    "extensions"         : [
      {
        ObjectId: 2.5.29.19 Criticality=true
        BasicConstraints:[
          CA:true
          PathLen:2147483647
        ]
      },
      {
        ObjectId: 2.5.29.37 Criticality=false
        ExtendedKeyUsages [
          serverAuth
          clientAuth
        ]
      },
      {
        ObjectId: 2.5.29.15 Criticality=true
        KeyUsage [
          DigitalSignature
          Key_Encipherment
          Key_CertSign
        ]
      },
      {
        ObjectId: 2.5.29.14 Criticality=false
        SubjectKeyIdentifier [
        KeyIdentifier [
        0000: BB 0F 38 96 6F 3E BE 4F   2B 46 D0 41 6A D4 AC B5
..8.o>.O+F.Aj...
        ]
        ]
      }
    ]}
]
)
javax.net.ssl|ERROR|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.615
AEDT|TransportContext.java:313|Fatal (CERTIFICATE_UNKNOWN): PKIX path
building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target (
"throwable" : {
  sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target

I'm triggering this indirectly via use of an XMPP library, so I don't have a
clean JSSE-only sample (but it simply creates an SSLSocket from the default
SSLContext and calls startHandshake).

Regards,
Amir
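The debug output above shows the client side logging "Unable to indicate server name" and the ClientHello going out without a server_name extension, after which the server answers with a placeholder certificate whose subject reads "No SNI provided; please fix your client" and PKIX validation fails. The following is an added example, not code from the original post or from the Smack library: a minimal JSSE-only client that upgrades an already-connected plain socket to TLS 1.2 (as a STARTTLS client does) and pins the SNI host name explicitly through SSLParameters instead of relying on what JSSE can infer from the socket. The class name, the method name startTls and the command-line arguments are assumptions made for this example; the XMPP stream negotiation that precedes STARTTLS is the caller's responsibility and is not shown.

```java
import java.io.IOException;
import java.net.Socket;
import java.security.NoSuchAlgorithmException;
import java.util.List;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Added example (hypothetical class, not part of the original post or of Smack). */
public final class ExplicitSniClient {

    /**
     * Upgrades an already-connected plain socket to TLS, the way a STARTTLS
     * client does, and sets the server_name extension to {@code hostName}
     * explicitly rather than relying on what JSSE can infer from the socket.
     */
    public static SSLSocket startTls(Socket plain, String hostName, int port)
            throws IOException, NoSuchAlgorithmException {
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        // autoClose = true: closing the SSLSocket also closes the wrapped socket.
        SSLSocket tls = (SSLSocket) factory.createSocket(plain, hostName, port, true);

        SSLParameters params = tls.getSSLParameters();
        // Explicit SNI. Without a usable host name JSSE logs
        // "Unable to indicate server name" and sends no server_name extension,
        // which is what the failed-case log above shows.
        params.setServerNames(List.of(new SNIHostName(hostName)));
        // Match the scenario in the post: TLS 1.2 only. Note that this does not
        // remove the supported_versions or signature_algorithms_cert extensions
        // from the ClientHello; JDK 11 offers no switch for that.
        params.setProtocols(new String[] {"TLSv1.2"});
        // Check the presented certificate against hostName (RFC 2818 rules), so a
        // placeholder certificate such as "CN=invalid2.invalid" is rejected even
        // if it were to chain to a trusted root.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        tls.setSSLParameters(params);

        tls.startHandshake();
        return tls;
    }

    /** Usage: java ExplicitSniClient <host> <port> (against a host that speaks TLS directly on that port). */
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: ExplicitSniClient <host> <port>");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        // For XMPP the plain socket must already have completed the <starttls/>
        // exchange before it is handed to startTls(); that exchange is omitted here.
        try (Socket plain = new Socket(host, port)) {
            SSLSocket tls = startTls(plain, host, port);
            SSLSession session = tls.getSession();
            System.out.println(session.getProtocol() + " " + session.getCipherSuite()
                + " peer=" + session.getPeerPrincipal());
        }
    }
}
```

Run it with -Djavax.net.debug=ssl:handshake and confirm that the "Produced ClientHello handshake message" entry now lists "server_name (0)" among the extensions and that the "Unable to indicate server name" warning is gone; if the peer still returns the "No SNI provided" certificate, the host name is not reaching the handshake. The two extra extensions the post asks about cannot be switched off on JDK 11 by a system property; later JDK releases added jdk.tls.client.disableExtensions for that purpose, so on JDK 11 the practical fix for this particular failure is to make the SNI explicit as shown.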