Not possible to disable new TLS extensions for TLS 1.2 connections
Xuelei Fan
xuelei.fan at oracle.com
Mon Jan 21 18:02:24 UTC 2019
Hi Amir,
I can see the problem for incompatible impl. Would you mind submit an
OpenJDK enhancement for a workaround?
Thanks & Regards,
Xuelei
On 1/20/2019 4:10 PM, Amir Khassaia wrote:
> Xuelei,
>
> I have a sample socket client for the device TLS issue but its not
> very helpful as any socket client created on top of JDK will do, the
> last problem was apparent only when talking to a specific hardware
> device which refused to negotiate TLS session (I've seen several odd
> TLS implementations that were intolerant to Java changes in various
> ways over the years and compatibility could always be assured through
> config changes, this time around less so).
>
> Some of the hardware TLS stacks can range from small oddities to being
> completely broken by small changes as they can contain outdated and
> poorly implemented TLS stacks that are very sensitive so even a small
> change can break them and thats why its always important to have
> levers provided to control almost every aspect of the handshake.
>
> I have a sample in my gist
> (https://gist.github.com/amir-khassaia/04347ca88526f4b958b3326968a905c0),
> apologies its in Kotlin. When ran with java 8, 9, 10 there were no
> issues. With java 11 this worked on most devices but I've had a device
> at a remote location that was not in my control that I've had to
> diagnose the handshake failure on using java 11 it was intolerant to
> TLS 1.2 client hello from Java 11 but fine with TLS 1.1 as the new
> extensions are not present. It would be fine with TLS 1.2 client hello
> from Java 10 and earlier as I mentioned.
>
> Javax.net.debug output
> -------------------------------
> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.395
> AEDT|SSLCipher.java:437|jdk.tls.keyLimits: entry = AES/GCM/NoPadding
> KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472
> javax.net.ssl|WARNING|01|main|2019-01-08 13:40:14.433
> AEDT|ServerNameExtension.java:255|Unable to indicate server name
> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.433
> AEDT|SSLExtensions.java:235|Ignore, context unavailable extension:
> server_name
> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.433
> AEDT|SSLExtensions.java:235|Ignore, context unavailable extension:
> status_request
> javax.net.ssl|WARNING|01|main|2019-01-08 13:40:14.443
> AEDT|SignatureScheme.java:282|Signature algorithm, ed25519, is not
> supported by the underlying providers
> javax.net.ssl|WARNING|01|main|2019-01-08 13:40:14.444
> AEDT|SignatureScheme.java:282|Signature algorithm, ed448, is not
> supported by the underlying providers
> javax.net.ssl|INFO|01|main|2019-01-08 13:40:14.449
> AEDT|AlpnExtension.java:161|No available application protocols
> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.449
> AEDT|SSLExtensions.java:235|Ignore, context unavailable extension:
> application_layer_protocol_negotiation
> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.450
> AEDT|SSLExtensions.java:235|Ignore, context unavailable extension:
> status_request_v2
> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.453
> AEDT|ClientHello.java:651|Produced ClientHello handshake message (
> "ClientHello": {
> "client version" : "TLSv1.2",
> "random" : "1A BA E8 FC 59 00 AB DF 9A 1A 07 94 24 7F
> 34 3D 0B D2 7D 10 72 52 54 CD 44 43 62 E8 8B 42 C6 68",
> "session id" : "",
> "cipher suites" :
> "[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023),
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027),
> TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C),
> TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029),
> TLS_RSA_WITH_AES_128_CBC_SHA(0x002F)]",
> "compression methods" : "00",
> "extensions" : [
> "supported_groups (10)": {
> "versions": [secp256r1, secp384r1, secp521r1, secp160k1]
> },
> "ec_point_formats (11)": {
> "formats": [uncompressed]
> },
> "signature_algorithms (13)": {
> "signature schemes": [ecdsa_secp256r1_sha256,
> ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256,
> rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256,
> rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256,
> rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224,
> rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1, rsa_md5]
> },
> "signature_algorithms_cert (50)": {
> "signature schemes": [ecdsa_secp256r1_sha256,
> ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256,
> rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256,
> rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256,
> rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224,
> rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1, rsa_md5]
> },
> "extended_master_secret (23)": {
> <empty>
> },
> "supported_versions (43)": {
> "versions": [TLSv1.2, TLSv1.1]
> },
> "renegotiation_info (65,281)": {
> "renegotiated connection": [<no renegotiated connection>]
> }
> ]
> }
> )
> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.455
> AEDT|Alert.java:232|Received alert message (
> "Alert": {
> "level" : "fatal",
> "description": "handshake_failure"
> }
> )
> javax.net.ssl|ERROR|01|main|2019-01-08 13:40:14.456
> AEDT|TransportContext.java:313|Fatal (HANDSHAKE_FAILURE): Received
> fatal alert: handshake_failure (
> "throwable" : {
> javax.net.ssl.SSLHandshakeException: Received fatal alert:
> handshake_failure
> at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
> at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
> at
> java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
> at
> java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:279)
> at
> java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:181)
> at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
> at
> java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
> at
> java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
> at
> java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
> at SslSocketClient.main(SslSocketClient.kt:47)}
>
> )
> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.457
> AEDT|SSLSocketImpl.java:1361|close the underlying socket
> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.457
> AEDT|SSLSocketImpl.java:1380|close the SSL connection (initiative)
> Exception in thread "main" javax.net.ssl.SSLHandshakeException:
> Received fatal alert: handshake_failure
> at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
> at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
> at
> java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
> at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:279)
> at
> java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:181)
> at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
> at
> java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
> at
> java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
> at
> java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
> at SslSocketClient.main(SslSocketClient.kt:47)
>
>
>
>
> Wireshark TLS 1.2 Java 8 client hello
> -------------------------------------------------
> Secure Sockets Layer
> TLSv1.2 Record Layer: Handshake Protocol: Client Hello
> Content Type: Handshake (22)
> Version: TLS 1.2 (0x0303)
> Length: 157
> Handshake Protocol: Client Hello
> Handshake Type: Client Hello (1)
> Length: 153
> Version: TLS 1.2 (0x0303)
> Random: 5c34044c709feae39585e4db8e41b0170fbf9fa428b38941...
> GMT Unix Time: Jan 8, 2019 13:00:44.000000000 AUS
> Eastern Daylight Time
> Random Bytes:
> 709feae39585e4db8e41b0170fbf9fa428b38941983ddb53...
> Session ID Length: 0
> Cipher Suites Length: 44
> Cipher Suites (22 suites)
> Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
> (0xc023)
> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
> (0xc027)
> Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
> Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
> (0xc025)
> Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
> (0xc029)
> Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
> Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
> Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
> (0xc009)
> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
> Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
> Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)
> Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)
> Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
> Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
> Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
> (0xc02b)
> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> (0xc02f)
> Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
> Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
> (0xc02d)
> Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
> (0xc031)
> Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
> Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2)
> Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
> Compression Methods Length: 1
> Compression Methods (1 method)
> Compression Method: null (0)
> Extensions Length: 68
> Extension: supported_groups (len=22)
> Type: supported_groups (10)
> Length: 22
> Supported Groups List Length: 20
> Supported Groups (10 groups)
> Supported Group: secp256r1 (0x0017)
> Supported Group: secp384r1 (0x0018)
> Supported Group: secp521r1 (0x0019)
> Supported Group: sect283k1 (0x0009)
> Supported Group: sect283r1 (0x000a)
> Supported Group: sect409k1 (0x000b)
> Supported Group: sect409r1 (0x000c)
> Supported Group: sect571k1 (0x000d)
> Supported Group: sect571r1 (0x000e)
> Supported Group: secp256k1 (0x0016)
> Extension: ec_point_formats (len=2)
> Type: ec_point_formats (11)
> Length: 2
> EC point formats Length: 1
> Elliptic curves point formats (1)
> EC point format: uncompressed (0)
> Extension: signature_algorithms (len=28)
> Type: signature_algorithms (13)
> Length: 28
> Signature Hash Algorithms Length: 26
> Signature Hash Algorithms (13 algorithms)
> Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
> Signature Hash Algorithm Hash: SHA512 (6)
> Signature Hash Algorithm Signature: ECDSA (3)
> Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
> Signature Hash Algorithm Hash: SHA512 (6)
> Signature Hash Algorithm Signature: RSA (1)
> Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
> Signature Hash Algorithm Hash: SHA384 (5)
> Signature Hash Algorithm Signature: ECDSA (3)
> Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
> Signature Hash Algorithm Hash: SHA384 (5)
> Signature Hash Algorithm Signature: RSA (1)
> Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
> Signature Hash Algorithm Hash: SHA256 (4)
> Signature Hash Algorithm Signature: ECDSA (3)
> Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
> Signature Hash Algorithm Hash: SHA256 (4)
> Signature Hash Algorithm Signature: RSA (1)
> Signature Algorithm: SHA256 DSA (0x0402)
> Signature Hash Algorithm Hash: SHA256 (4)
> Signature Hash Algorithm Signature: DSA (2)
> Signature Algorithm: SHA224 ECDSA (0x0303)
> Signature Hash Algorithm Hash: SHA224 (3)
> Signature Hash Algorithm Signature: ECDSA (3)
> Signature Algorithm: SHA224 RSA (0x0301)
> Signature Hash Algorithm Hash: SHA224 (3)
> Signature Hash Algorithm Signature: RSA (1)
> Signature Algorithm: SHA224 DSA (0x0302)
> Signature Hash Algorithm Hash: SHA224 (3)
> Signature Hash Algorithm Signature: DSA (2)
> Signature Algorithm: ecdsa_sha1 (0x0203)
> Signature Hash Algorithm Hash: SHA1 (2)
> Signature Hash Algorithm Signature: ECDSA (3)
> Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
> Signature Hash Algorithm Hash: SHA1 (2)
> Signature Hash Algorithm Signature: RSA (1)
> Signature Algorithm: SHA1 DSA (0x0202)
> Signature Hash Algorithm Hash: SHA1 (2)
> Signature Hash Algorithm Signature: DSA (2)
> Extension: extended_master_secret (len=0)
> Type: extended_master_secret (23)
> Length: 0
>
>
>
> Wireshark Java 11 TLS 1.2 Client hello
> ----------------------------------------------------
> Secure Sockets Layer
> TLSv1.2 Record Layer: Handshake Protocol: Client Hello
> Content Type: Handshake (22)
> Version: TLS 1.2 (0x0303)
> Length: 185
> Handshake Protocol: Client Hello
> Handshake Type: Client Hello (1)
> Length: 181
> Version: TLS 1.2 (0x0303)
> Random: 37f32691301b6b9d45bb62c6268915819881b8ebd95f152c...
> GMT Unix Time: Sep 30, 1999 19:00:01.000000000 AUS
> Eastern Standard Time
> Random Bytes:
> 301b6b9d45bb62c6268915819881b8ebd95f152c41c7e483...
> Session ID Length: 0
> Cipher Suites Length: 10
> Cipher Suites (5 suites)
> Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
> (0xc023)
> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
> (0xc027)
> Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
> Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
> (0xc029)
> Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
> Compression Methods Length: 1
> Compression Methods (1 method)
> Compression Method: null (0)
> Extensions Length: 130
> Extension: supported_groups (len=10)
> Type: supported_groups (10)
> Length: 10
> Supported Groups List Length: 8
> Supported Groups (4 groups)
> Supported Group: secp256r1 (0x0017)
> Supported Group: secp384r1 (0x0018)
> Supported Group: secp521r1 (0x0019)
> Supported Group: secp160k1 (0x000f)
> Extension: ec_point_formats (len=2)
> Type: ec_point_formats (11)
> Length: 2
> EC point formats Length: 1
> Elliptic curves point formats (1)
> EC point format: uncompressed (0)
> Extension: signature_algorithms (len=42)
> Type: signature_algorithms (13)
> Length: 42
> Signature Hash Algorithms Length: 40
> Signature Hash Algorithms (20 algorithms)
> Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
> Signature Hash Algorithm Hash: SHA256 (4)
> Signature Hash Algorithm Signature: ECDSA (3)
> Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
> Signature Hash Algorithm Hash: SHA384 (5)
> Signature Hash Algorithm Signature: ECDSA (3)
> Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
> Signature Hash Algorithm Hash: SHA512 (6)
> Signature Hash Algorithm Signature: ECDSA (3)
> Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
> Signature Hash Algorithm Hash: Unknown (8)
> Signature Hash Algorithm Signature: Unknown (4)
> Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)
> Signature Hash Algorithm Hash: Unknown (8)
> Signature Hash Algorithm Signature: Unknown (5)
> Signature Algorithm: rsa_pss_rsae_sha512 (0x0806)
> Signature Hash Algorithm Hash: Unknown (8)
> Signature Hash Algorithm Signature: Unknown (6)
> Signature Algorithm: rsa_pss_pss_sha256 (0x0809)
> Signature Hash Algorithm Hash: Unknown (8)
> Signature Hash Algorithm Signature: Unknown (9)
> Signature Algorithm: rsa_pss_pss_sha384 (0x080a)
> Signature Hash Algorithm Hash: Unknown (8)
> Signature Hash Algorithm Signature: Unknown (10)
> Signature Algorithm: rsa_pss_pss_sha512 (0x080b)
> Signature Hash Algorithm Hash: Unknown (8)
> Signature Hash Algorithm Signature: Unknown (11)
> Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
> Signature Hash Algorithm Hash: SHA256 (4)
> Signature Hash Algorithm Signature: RSA (1)
> Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
> Signature Hash Algorithm Hash: SHA384 (5)
> Signature Hash Algorithm Signature: RSA (1)
> Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
> Signature Hash Algorithm Hash: SHA512 (6)
> Signature Hash Algorithm Signature: RSA (1)
> Signature Algorithm: SHA256 DSA (0x0402)
> Signature Hash Algorithm Hash: SHA256 (4)
> Signature Hash Algorithm Signature: DSA (2)
> Signature Algorithm: SHA224 ECDSA (0x0303)
> Signature Hash Algorithm Hash: SHA224 (3)
> Signature Hash Algorithm Signature: ECDSA (3)
> Signature Algorithm: SHA224 RSA (0x0301)
> Signature Hash Algorithm Hash: SHA224 (3)
> Signature Hash Algorithm Signature: RSA (1)
> Signature Algorithm: SHA224 DSA (0x0302)
> Signature Hash Algorithm Hash: SHA224 (3)
> Signature Hash Algorithm Signature: DSA (2)
> Signature Algorithm: ecdsa_sha1 (0x0203)
> Signature Hash Algorithm Hash: SHA1 (2)
> Signature Hash Algorithm Signature: ECDSA (3)
> Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
> Signature Hash Algorithm Hash: SHA1 (2)
> Signature Hash Algorithm Signature: RSA (1)
> Signature Algorithm: SHA1 DSA (0x0202)
> Signature Hash Algorithm Hash: SHA1 (2)
> Signature Hash Algorithm Signature: DSA (2)
> Signature Algorithm: MD5 RSA (0x0101)
> Signature Hash Algorithm Hash: MD5 (1)
> Signature Hash Algorithm Signature: RSA (1)
> Extension: signature_algorithms_cert (len=42)
> Type: signature_algorithms_cert (50)
> Length: 42
> Signature Hash Algorithms Length: 40
> Signature Hash Algorithms (20 algorithms)
> Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
> Signature Hash Algorithm Hash: SHA256 (4)
> Signature Hash Algorithm Signature: ECDSA (3)
> Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
> Signature Hash Algorithm Hash: SHA384 (5)
> Signature Hash Algorithm Signature: ECDSA (3)
> Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
> Signature Hash Algorithm Hash: SHA512 (6)
> Signature Hash Algorithm Signature: ECDSA (3)
> Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
> Signature Hash Algorithm Hash: Unknown (8)
> Signature Hash Algorithm Signature: Unknown (4)
> Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)
> Signature Hash Algorithm Hash: Unknown (8)
> Signature Hash Algorithm Signature: Unknown (5)
> Signature Algorithm: rsa_pss_rsae_sha512 (0x0806)
> Signature Hash Algorithm Hash: Unknown (8)
> Signature Hash Algorithm Signature: Unknown (6)
> Signature Algorithm: rsa_pss_pss_sha256 (0x0809)
> Signature Hash Algorithm Hash: Unknown (8)
> Signature Hash Algorithm Signature: Unknown (9)
> Signature Algorithm: rsa_pss_pss_sha384 (0x080a)
> Signature Hash Algorithm Hash: Unknown (8)
> Signature Hash Algorithm Signature: Unknown (10)
> Signature Algorithm: rsa_pss_pss_sha512 (0x080b)
> Signature Hash Algorithm Hash: Unknown (8)
> Signature Hash Algorithm Signature: Unknown (11)
> Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
> Signature Hash Algorithm Hash: SHA256 (4)
> Signature Hash Algorithm Signature: RSA (1)
> Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
> Signature Hash Algorithm Hash: SHA384 (5)
> Signature Hash Algorithm Signature: RSA (1)
> Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
> Signature Hash Algorithm Hash: SHA512 (6)
> Signature Hash Algorithm Signature: RSA (1)
> Signature Algorithm: SHA256 DSA (0x0402)
> Signature Hash Algorithm Hash: SHA256 (4)
> Signature Hash Algorithm Signature: DSA (2)
> Signature Algorithm: SHA224 ECDSA (0x0303)
> Signature Hash Algorithm Hash: SHA224 (3)
> Signature Hash Algorithm Signature: ECDSA (3)
> Signature Algorithm: SHA224 RSA (0x0301)
> Signature Hash Algorithm Hash: SHA224 (3)
> Signature Hash Algorithm Signature: RSA (1)
> Signature Algorithm: SHA224 DSA (0x0302)
> Signature Hash Algorithm Hash: SHA224 (3)
> Signature Hash Algorithm Signature: DSA (2)
> Signature Algorithm: ecdsa_sha1 (0x0203)
> Signature Hash Algorithm Hash: SHA1 (2)
> Signature Hash Algorithm Signature: ECDSA (3)
> Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
> Signature Hash Algorithm Hash: SHA1 (2)
> Signature Hash Algorithm Signature: RSA (1)
> Signature Algorithm: SHA1 DSA (0x0202)
> Signature Hash Algorithm Hash: SHA1 (2)
> Signature Hash Algorithm Signature: DSA (2)
> Signature Algorithm: MD5 RSA (0x0101)
> Signature Hash Algorithm Hash: MD5 (1)
> Signature Hash Algorithm Signature: RSA (1)
> Extension: extended_master_secret (len=0)
> Type: extended_master_secret (23)
> Length: 0
> Extension: supported_versions (len=5)
> Type: supported_versions (43)
> Length: 5
> Supported Versions length: 4
> Supported Version: TLS 1.2 (0x0303)
> Supported Version: TLS 1.1 (0x0302)
> Extension: renegotiation_info (len=1)
> Type: renegotiation_info (65281)
> Length: 1
> Renegotiation Info extension
> Renegotiation info extension length: 0
>
>
>
>
>
>
> On Mon, Jan 21, 2019 at 10:37 AM Xuelei Fan <xuelei.fan at oracle.com
> <mailto:xuelei.fan at oracle.com>> wrote:
>
> Hi Amir,
>
> Normally, the extension should have no impact if it cannot be
> recognized by the server. It's good to be able to disable
> extensions if not needed. I need to evaluate the priority of it
> although. Did you have a simple test code that I can reproduce
> the issue?
>
> Thanks,
>
> Xuelei
>
> On 1/20/2019 3:03 PM, Amir Khassaia wrote:
>> Greetings Xuelei,
>> To follow up on this, the certificate in the connection is a red
>> herring and not important. It's actually a very unusual behaviour
>> by talk.google.com <http://talk.google.com/> endpoint to
>> encapsulate an error message inside a certificate.
>>
>> As per the output I included:
>> /"certificate" : { />/ "version" : "v3", />/ "serial number" : "00 90 76 89 18 E9 33 93 A0", />/ "signature algorithm": "SHA256withRSA", />/ "issuer" : "CN=invalid2.invalid, OU="No SNI
>> provided; />/please fix your client."", />/ "not before" : "2015-01-01 11:00:00.000 AEDT", />/ "not after" : "2030-01-01 11:00:00.000 AEDT", />/ "subject" : "CN=invalid2.invalid, OU="No SNI
>> provided; />/please fix your client."",/
>> //
>> This certificate simply masks the TLS interoperability issue as
>> an untrusted certificate issue.
>> The fact is, some of the extensions sent by JSSE are changes to
>> TLS 1.2 to support TLS 1.3, this however affects some clients
>> adversely in practice and usually JDK provides properties to turn
>> new enhancements off and work around such behaviour, for the
>> extensions I mentioned this is not provided and hence they are
>> always sent for client sockets unless TLSv1.2 is not in use.
>>
>> The impact to us is that upgrading to JDK11 means for some
>> endpoints or devices that are not 100% compliant to the spec the
>> security is reduced as we have to now work around to drop
>> connections to these to TLSv1.1 or TLS1.0 or not to move to Java
>> 11 at all.
>> My request is simply to have all of the new extensions
>> configurable on individual basis so that they can be turned off
>> if needed for compatibility just like most other security
>> enhancements that were delivered in the past.
>> It appears some of the issues can come from
>>
>> - inclusion of RSASSA-PSS alg in TLS 1.2 handshakes but these can
>> disabled at least
>>
>> -signature_algorithms_cert and supported_versions extensions
>> which seem to be hardcoded for TLS 1.2 (I was not able to
>> conclusively identify which of these caused my troubles)
>>
>> https://tools.ietf.org/html/rfc8446#section-1.3 does say that TLS
>> 1.2 clients are affected but in an optional manner.Just today
>> I've encountered another Java 11 interop issue with TLS but this
>> time with a physical device which can have a long shelf life yet
>> running a simple client socket handshake abruptly terminates the
>> connection upon client hello (no server_hello at all), and
>> downgrading the JRE below 11 works fine. I'm including a trace
>> for that as well: javax.net.ssl|DEBUG|01|main|2019-01-08
>> 13:40:14.395 AEDT|SSLCipher.java:437|jdk.tls.keyLimits: entry =
>> AES/GCM/NoPadding KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE =
>> 137438953472
>>
>> javax.net.ssl|WARNING|01|main|2019-01-08 13:40:14.433
>> AEDT|ServerNameExtension.java:255|Unable to indicate server name
>>
>> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.433
>> AEDT|SSLExtensions.java:235|Ignore, context unavailable
>> extension: server_name
>>
>> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.433
>> AEDT|SSLExtensions.java:235|Ignore, context unavailable
>> extension: status_request
>>
>> javax.net.ssl|WARNING|01|main|2019-01-08 13:40:14.443
>> AEDT|SignatureScheme.java:282|Signature algorithm, ed25519, is
>> not supported by the underlying providers
>>
>> javax.net.ssl|WARNING|01|main|2019-01-08 13:40:14.444
>> AEDT|SignatureScheme.java:282|Signature algorithm, ed448, is not
>> supported by the underlying providers
>>
>> javax.net.ssl|INFO|01|main|2019-01-08 13:40:14.449
>> AEDT|AlpnExtension.java:161|No available application protocols
>>
>> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.449
>> AEDT|SSLExtensions.java:235|Ignore, context unavailable
>> extension: application_layer_protocol_negotiation
>>
>> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.450
>> AEDT|SSLExtensions.java:235|Ignore, context unavailable
>> extension: status_request_v2
>>
>> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.453
>> AEDT|ClientHello.java:651|Produced ClientHello handshake message (
>>
>> "ClientHello": {
>>
>> "client version" : "TLSv1.2",
>>
>> "random" : "1A BA E8 FC 59 00 AB DF 9A 1A 07 94 24
>> 7F 34 3D 0B D2 7D 10 72 52 54 CD 44 43 62 E8 8B 42 C6 68",
>>
>> "session id" : "",
>>
>> "cipher suites" :
>> "[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023),
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027),
>> TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C),
>> TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029),
>> TLS_RSA_WITH_AES_128_CBC_SHA(0x002F)]",
>>
>> "compression methods" : "00",
>>
>> "extensions" : [
>>
>> "supported_groups (10)": {
>>
>> "versions": [secp256r1, secp384r1, secp521r1, secp160k1]
>>
>> },
>>
>> "ec_point_formats (11)": {
>>
>> "formats": [uncompressed]
>>
>> },
>>
>> "signature_algorithms (13)": {
>>
>> "signature schemes": [ecdsa_secp256r1_sha256,
>> ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512,
>> rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512,
>> rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512,
>> rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256,
>> ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1,
>> dsa_sha1, rsa_md5]
>>
>> },
>>
>> "signature_algorithms_cert (50)": {
>>
>> "signature schemes": [ecdsa_secp256r1_sha256,
>> ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512,
>> rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512,
>> rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512,
>> rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256,
>> ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1,
>> dsa_sha1, rsa_md5]
>>
>> },
>>
>> "extended_master_secret (23)": {
>>
>> <empty>
>>
>> },
>>
>> "supported_versions (43)": {
>>
>> "versions": [TLSv1.2, TLSv1.1]
>>
>> },
>>
>> "renegotiation_info (65,281)": {
>>
>> "renegotiated connection": [<no renegotiated connection>]
>>
>> }
>>
>> ]
>>
>> }
>>
>> )
>>
>> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.455
>> AEDT|Alert.java:232|Received alert message (
>>
>> "Alert": {
>>
>> "level" : "fatal",
>>
>> "description": "handshake_failure"
>>
>> }
>>
>> )
>>
>> javax.net.ssl|ERROR|01|main|2019-01-08 13:40:14.456
>> AEDT|TransportContext.java:313|Fatal (HANDSHAKE_FAILURE):
>> Received fatal alert: handshake_failure (
>>
>> "throwable" : {
>>
>> javax.net.ssl.SSLHandshakeException: Received fatal alert:
>> handshake_failure
>>
>> at
>> java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
>>
>> at
>> java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
>>
>> at
>> java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
>>
>> at
>> java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:279)
>>
>> at
>> java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:181)
>>
>> at
>> java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
>>
>> at
>> java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
>>
>> at
>> java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
>>
>> at
>> java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
>>
>> at SslSocketClient.main(SslSocketClient.kt:47)}
>>
>>
>> )
>>
>> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.457
>> AEDT|SSLSocketImpl.java:1361|close the underlying socket
>>
>> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.457
>> AEDT|SSLSocketImpl.java:1380|close the SSL connection (initiative)
>>
>> Exception in thread "main" javax.net.ssl.SSLHandshakeException:
>> Received fatal alert: handshake_failure
>>
>> at
>> java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
>>
>> at
>> java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
>>
>> at
>> java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
>>
>> at
>> java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:279)
>>
>> at
>> java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:181)
>>
>> at
>> java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
>>
>> at
>> java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
>>
>> at
>> java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
>>
>> at
>> java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
>>
>> at SslSocketClient.main(SslSocketClient.kt:47)
>>
>>
>>
>>
>> I've sent my reply earlier but neither got it posted nor denied
>> notification so trying again.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20190121/e41186aa/attachment.htm>
More information about the security-dev
mailing list