Not possible to disable new TLS extensions for TLS 1.2 connections
Xue-Lei Fan
xuelei.fan at oracle.com
Fri Jan 4 20:06:42 UTC 2019
Hi Amir,
What's the certificate used in the connection? It looks like a
certificate issue per the debug log:
"unable to find valid certification path to requested target"
Please feel free to file a bug if the certificate is not restricted by the
signature_algorithms and signature_algorithms_cert extensions.
Thanks,
Xuelei
On 1/3/2019 8:24 PM, Amir Khassaia wrote:
> Greetings,
>
> Can extra security properties controlling new TLS extensions be added to
> make some of the JSSE handshake more configurable?
>
> I'm finding some misbehaviour caused indirectly with an existing TLS
> client when moving to OpenJDK 11, whereas it works fine with 8, 9 and 10. Note
> that TLS 1.3 is not used; this is purely a compatibility request for TLS 1.2,
> where some of the extensions can be optional.
>
> Whilst it doesn't appear the JSSE implementation is doing anything out
> of compliance with the standard it seems to present a case of an
> existing endpoint whose interop is now affected and there could be many
> misbehaved implementations out there, perhaps ones in hardware etc, that
> may not handle unknown extensions well.
>
> For me the endpoint in question is doing XMPP+STARTTLS on
> talk.google.com:5222
>
> Through Wireshark / client hello dumps, the main difference seems to be the
> ordering of extensions and the presence of two extra extensions:
>
> 1) Extension: supported_versions (len=3)
> Type: supported_versions (43)
> Length: 3
> Supported Versions length: 2
> Supported Version: TLS 1.2 (0x0303)
>
> 2) Extension: signature_algorithms_cert (len=34)
> Type: signature_algorithms_cert (50)
> Length: 34
> Signature Hash Algorithms Length: 32
> Signature Hash Algorithms (16 algorithms)
> Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
> Signature Hash Algorithm Hash: SHA256 (4)
> Signature Hash Algorithm Signature: ECDSA (3)
> Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
> Signature Hash Algorithm Hash: SHA384 (5)
> Signature Hash Algorithm Signature: ECDSA (3)
> Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
> Signature Hash Algorithm Hash: SHA512 (6)
> Signature Hash Algorithm Signature: ECDSA (3)
> Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
> Signature Hash Algorithm Hash: Unknown (8)
> Signature Hash Algorithm Signature: Unknown (4)
> Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)
> Signature Hash Algorithm Hash: Unknown (8)
> Signature Hash Algorithm Signature: Unknown (5)
> Signature Algorithm: rsa_pss_rsae_sha512 (0x0806)
> Signature Hash Algorithm Hash: Unknown (8)
> Signature Hash Algorithm Signature: Unknown (6)
> Signature Algorithm: rsa_pss_pss_sha256 (0x0809)
> Signature Hash Algorithm Hash: Unknown (8)
> Signature Hash Algorithm Signature: Unknown (9)
> Signature Algorithm: rsa_pss_pss_sha384 (0x080a)
> Signature Hash Algorithm Hash: Unknown (8)
> Signature Hash Algorithm Signature: Unknown (10)
> Signature Algorithm: rsa_pss_pss_sha512 (0x080b)
> Signature Hash Algorithm Hash: Unknown (8)
> Signature Hash Algorithm Signature: Unknown (11)
> Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
> Signature Hash Algorithm Hash: SHA256 (4)
> Signature Hash Algorithm Signature: RSA (1)
> Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
> Signature Hash Algorithm Hash: SHA384 (5)
> Signature Hash Algorithm Signature: RSA (1)
> Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
> Signature Hash Algorithm Hash: SHA512 (6)
> Signature Hash Algorithm Signature: RSA (1)
> Signature Algorithm: SHA256 DSA (0x0402)
> Signature Hash Algorithm Hash: SHA256 (4)
> Signature Hash Algorithm Signature: DSA (2)
> Signature Algorithm: ecdsa_sha1 (0x0203)
> Signature Hash Algorithm Hash: SHA1 (2)
> Signature Hash Algorithm Signature: ECDSA (3)
> Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
> Signature Hash Algorithm Hash: SHA1 (2)
> Signature Hash Algorithm Signature: RSA (1)
> Signature Algorithm: SHA1 DSA (0x0202)
> Signature Hash Algorithm Hash: SHA1 (2)
> Signature Hash Algorithm Signature: DSA (2)
>
> This triggers a completely bizarre SNI bug, but it nevertheless works
> just fine as soon as the JRE is swapped out.
>
> Debug output of the failed case:
>
> javax.net.ssl|DEBUG|0F|Smack Packet Reader (0)|2019-01-04 15:21:53.937
> AEDT|SSLCipher.java:437|jdk.tls.keyLimits: entry = AES/GCM/NoPadding
> KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472
> javax.net.ssl|WARNING|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.273
> AEDT|ServerNameExtension.java:255|Unable to indicate server name
> javax.net.ssl|DEBUG|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.273
> AEDT|SSLExtensions.java:235|Ignore, context unavailable extension:
> server_name
> javax.net.ssl|WARNING|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.314
> AEDT|SignatureScheme.java:282|Signature algorithm, ed25519, is not
> supported by the underlying providers
> javax.net.ssl|WARNING|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.314
> AEDT|SignatureScheme.java:282|Signature algorithm, ed448, is not
> supported by the underlying providers
> javax.net.ssl|INFO|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.327
> AEDT|AlpnExtension.java:161|No available application protocols
> javax.net.ssl|DEBUG|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.327
> AEDT|SSLExtensions.java:235|Ignore, context unavailable extension:
> application_layer_protocol_negotiation
> javax.net.ssl|DEBUG|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.328
> AEDT|SSLExtensions.java:235|Ignore, context unavailable extension:
> renegotiation_info
> javax.net.ssl|DEBUG|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.353
> AEDT|ClientHello.java:651|Produced ClientHello handshake message (
> "ClientHello": {
> "client version" : "TLSv1.2",
> "random" : "3B 9C 31 FA 55 2B 09 81 5F 12 82 25 AD A6 47
> 8E 76 CA 80 BF 72 BB 6D 84 EF 92 3E 9E EC 7A D5 13",
> "session id" : "",
> "cipher suites" :
> "[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C),
> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B),
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030),
> TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D),
> TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E),
> TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032),
> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F),
> TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3),
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F),
> TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C),
> TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D),
> TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031),
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E),
> TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2),
> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024),
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028),
> TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D),
> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026),
> TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A),
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B),
> TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A),
> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A),
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014),
> TLS_RSA_WITH_AES_256_CBC_SHA(0x0035),
> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005),
> TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F),
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039),
> TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038),
> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023),
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027),
> TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C),
> TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025),
> TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029),
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067),
> TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040),
> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009),
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013),
> TLS_RSA_WITH_AES_128_CBC_SHA(0x002F),
> TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004),
> TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E),
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033),
> TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032),
> TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
> "compression methods" : "00",
> "extensions" : [
> "status_request (5)": {
> "certificate status type": ocsp
> "OCSP status request": {
> "responder_id": <empty>
> "request extensions": {
> <empty>
> }
> }
> },
> "supported_groups (10)": {
> "versions": [secp256r1, secp384r1, secp521r1, sect283k1,
> sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1,
> ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
> },
> "ec_point_formats (11)": {
> "formats": [uncompressed]
> },
> "signature_algorithms (13)": {
> "signature schemes": [ecdsa_secp256r1_sha256,
> ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256,
> rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256,
> rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256,
> rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1,
> rsa_pkcs1_sha1, dsa_sha1]
> },
> "signature_algorithms_cert (50)": {
> "signature schemes": [ecdsa_secp256r1_sha256,
> ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256,
> rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256,
> rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256,
> rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1,
> rsa_pkcs1_sha1, dsa_sha1]
> },
> "status_request_v2 (17)": {
> "cert status request": {
> "certificate status type": ocsp_multi
> "OCSP status request": {
> "responder_id": <empty>
> "request extensions": {
> <empty>
> }
> }
> }
> },
> "extended_master_secret (23)": {
> <empty>
> },
> "supported_versions (43)": {
> "versions": [TLSv1.2]
> }
> ]
> }
> )
> javax.net.ssl|DEBUG|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.521
> AEDT|ServerHello.java:866|Consuming ServerHello handshake message (
> "ServerHello": {
> "server version" : "TLSv1.2",
> "random" : "5C 2E DF 63 7B 0F C0 81 8C 3D 26 84 4B C1 51
> AB 82 8A 3A DF 4D F3 91 4E 45 34 D5 33 CA 1B 59 8E",
> "session id" : "C8 38 09 76 0A CF 61 C2 2D 29 37 F1 74 31 36
> FD 2A 00 6A C7 B9 FE 85 9C 16 F6 7B 9F 10 27 70 51",
> "cipher suite" : "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F)",
> "compression methods" : "00",
> "extensions" : [
> "extended_master_secret (23)": {
> <empty>
> },
> "renegotiation_info (65,281)": {
> "renegotiated connection": [<no renegotiated connection>]
> },
> "ec_point_formats (11)": {
> "formats": [uncompressed]
> }
> ]
> }
> )
> javax.net.ssl|DEBUG|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.522
> AEDT|SSLExtensions.java:148|Ignore unavailable extension: supported_versions
> javax.net.ssl|DEBUG|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.522
> AEDT|ServerHello.java:962|Negotiated protocol version: TLSv1.2
> javax.net.ssl|DEBUG|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.523
> AEDT|SSLExtensions.java:167|Consumed extension: renegotiation_info
> javax.net.ssl|DEBUG|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.524
> AEDT|SSLExtensions.java:148|Ignore unavailable extension: server_name
> javax.net.ssl|DEBUG|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.535
> AEDT|SSLExtensions.java:148|Ignore unavailable extension:
> max_fragment_length
> javax.net.ssl|DEBUG|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.536
> AEDT|SSLExtensions.java:148|Ignore unavailable extension: status_request
> javax.net.ssl|DEBUG|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.536
> AEDT|SSLExtensions.java:167|Consumed extension: ec_point_formats
> javax.net.ssl|DEBUG|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.536
> AEDT|SSLExtensions.java:148|Ignore unavailable extension: status_request_v2
> javax.net.ssl|DEBUG|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.537
> AEDT|SSLExtensions.java:167|Consumed extension: extended_master_secret
> javax.net.ssl|DEBUG|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.537
> AEDT|SSLExtensions.java:167|Consumed extension: renegotiation_info
> javax.net.ssl|DEBUG|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.538
> AEDT|SSLExtensions.java:182|Ignore unavailable extension: server_name
> javax.net.ssl|DEBUG|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.538
> AEDT|SSLExtensions.java:182|Ignore unavailable extension:
> max_fragment_length
> javax.net.ssl|DEBUG|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.538
> AEDT|SSLExtensions.java:182|Ignore unavailable extension: status_request
> javax.net.ssl|WARNING|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.538
> AEDT|SSLExtensions.java:190|Ignore impact of unsupported extension:
> ec_point_formats
> javax.net.ssl|DEBUG|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.540
> AEDT|SSLExtensions.java:182|Ignore unavailable extension:
> application_layer_protocol_negotiation
> javax.net.ssl|DEBUG|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.540
> AEDT|SSLExtensions.java:182|Ignore unavailable extension: status_request_v2
> javax.net.ssl|WARNING|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.543
> AEDT|SSLExtensions.java:190|Ignore impact of unsupported extension:
> extended_master_secret
> javax.net.ssl|WARNING|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.543
> AEDT|SSLExtensions.java:190|Ignore impact of unsupported extension:
> renegotiation_info
> javax.net.ssl|DEBUG|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.553
> AEDT|CertificateMessage.java:358|Consuming server Certificate handshake
> message (
> "Certificates": [
> "certificate" : {
> "version" : "v3",
> "serial number" : "00 90 76 89 18 E9 33 93 A0",
> "signature algorithm": "SHA256withRSA",
> "issuer" : "CN=invalid2.invalid, OU="No SNI provided;
> please fix your client."",
> "not before" : "2015-01-01 11:00:00.000 AEDT",
> "not after" : "2030-01-01 11:00:00.000 AEDT",
> "subject" : "CN=invalid2.invalid, OU="No SNI provided;
> please fix your client."",
> "subject public key" : "RSA",
> "extensions" : [
> {
> ObjectId: 2.5.29.19 Criticality=true
> BasicConstraints:[
> CA:true
> PathLen:2147483647
> ]
> },
> {
> ObjectId: 2.5.29.37 Criticality=false
> ExtendedKeyUsages [
> serverAuth
> clientAuth
> ]
> },
> {
> ObjectId: 2.5.29.15 Criticality=true
> KeyUsage [
> DigitalSignature
> Key_Encipherment
> Key_CertSign
> ]
> },
> {
> ObjectId: 2.5.29.14 Criticality=false
> SubjectKeyIdentifier [
> KeyIdentifier [
> 0000: BB 0F 38 96 6F 3E BE 4F 2B 46 D0 41 6A D4 AC B5
> ..8.o>.O+F.Aj...
> ]
> ]
> }
> ]}
> ]
> )
> javax.net.ssl|ERROR|0F|Smack Packet Reader (0)|2019-01-04 15:21:55.615
> AEDT|TransportContext.java:313|Fatal (CERTIFICATE_UNKNOWN): PKIX path
> building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target (
> "throwable" : {
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
>
> I'm triggering this indirectly via use of an XMPP library, so I don't have a
> clean JSSE-only sample (but it simply creates an SSLSocket from the
> default SSLContext and calls startHandshake).
>
> Regards,
> Amir
>
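The handshake log above shows the client logging "Unable to indicate server name" and the server answering with a "No SNI provided; please fix your client" placeholder certificate, which then fails PKIX path building. As an added example (not code from this thread, from JSSE, or from the XMPP library used), the snippet below shows a STARTTLS-style upgrade of an already connected plain socket that gives JSSE a host name for the server_name extension; the host and port are the ones named in the thread, the class and method names are assumed.

```java
import java.io.IOException;
import java.net.Socket;
import java.util.List;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Added example: upgrade a connected plain socket (the STARTTLS case) to TLS
 * in a way that keeps the server_name extension in the ClientHello.
 */
public final class StartTlsWithSni {

    public static SSLSocket upgrade(Socket plain, String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();

        // Passing the host name here is what lets JSSE derive an SNI value.
        // A layered socket created without a host (or with an IP literal,
        // which is not a valid SNIHostName) has nothing to put in server_name,
        // and the handshake log then shows "Unable to indicate server name".
        SSLSocket tls = (SSLSocket) factory.createSocket(plain, host, port, true);

        // Be explicit anyway: set the SNI name ourselves and turn on hostname
        // verification, so a certificate issued for some other name is rejected
        // for an identity mismatch even if it chains to a trusted root.
        SSLParameters params = tls.getSSLParameters();
        params.setServerNames(List.of(new SNIHostName(host)));
        params.setEndpointIdentificationAlgorithm("HTTPS");
        tls.setSSLParameters(params);

        tls.startHandshake();
        return tls;
    }

    public static void main(String[] args) throws IOException {
        String host = "talk.google.com"; // endpoint from the thread
        int port = 5222;
        try (Socket plain = new Socket(host, port)) {
            // The XMPP stream open and <starttls/> exchange would go here
            // before the socket is handed to upgrade(); omitted in this example.
            SSLSocket tls = upgrade(plain, host, port);
            System.out.println("Negotiated " + tls.getSession().getProtocol()
                + " with " + tls.getSession().getPeerPrincipal());
        }
    }
}
```

Run with -Djavax.net.debug=ssl:handshake to confirm that the produced ClientHello now lists server_name among its extensions instead of the "Ignore, context unavailable extension: server_name" line seen above.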