Not possible to disable new TLS extensions for TLS 1.2 connections

Xuelei Fan xuelei.fan at oracle.com
Mon Jan 21 18:02:24 UTC 2019


Hi Amir,

I can see the problem for incompatible impl.  Would you mind submitting an 
OpenJDK enhancement for a workaround?

Thanks & Regards,

Xuelei

On 1/20/2019 4:10 PM, Amir Khassaia wrote:
> Xuelei,
>
> I have a sample socket client for the device TLS issue, but it's not 
> very helpful, as any socket client created on top of the JDK will do; the 
> last problem was apparent only when talking to a specific hardware 
> device which refused to negotiate a TLS session (I've seen several odd 
> TLS implementations that were intolerant to Java changes in various 
> ways over the years, and compatibility could always be assured through 
> config changes; this time around, less so).
>
> Some of the hardware TLS stacks can range from small oddities to being 
> completely broken by small changes, as they can contain outdated and 
> poorly implemented TLS stacks that are very sensitive, so even a small 
> change can break them, and that's why it's always important to have 
> levers provided to control almost every aspect of the handshake.
>
> I have a sample in my gist 
> (https://gist.github.com/amir-khassaia/04347ca88526f4b958b3326968a905c0); 
> apologies, it's in Kotlin. When run with Java 8, 9 and 10 there were no 
> issues. With Java 11 this worked on most devices, but I've had a device 
> at a remote location that was not in my control on which I've had to 
> diagnose the handshake failure using Java 11: it was intolerant to the 
> TLS 1.2 client hello from Java 11 but fine with TLS 1.1, as the new 
> extensions are not present. It would be fine with the TLS 1.2 client hello 
> from Java 10 and earlier, as I mentioned.
>
> javax.net.debug output
> -------------------------------
> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.395 
> AEDT|SSLCipher.java:437|jdk.tls.keyLimits:  entry = AES/GCM/NoPadding 
> KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472
> javax.net.ssl|WARNING|01|main|2019-01-08 13:40:14.433 
> AEDT|ServerNameExtension.java:255|Unable to indicate server name
> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.433 
> AEDT|SSLExtensions.java:235|Ignore, context unavailable extension: 
> server_name
> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.433 
> AEDT|SSLExtensions.java:235|Ignore, context unavailable extension: 
> status_request
> javax.net.ssl|WARNING|01|main|2019-01-08 13:40:14.443 
> AEDT|SignatureScheme.java:282|Signature algorithm, ed25519, is not 
> supported by the underlying providers
> javax.net.ssl|WARNING|01|main|2019-01-08 13:40:14.444 
> AEDT|SignatureScheme.java:282|Signature algorithm, ed448, is not 
> supported by the underlying providers
> javax.net.ssl|INFO|01|main|2019-01-08 13:40:14.449 
> AEDT|AlpnExtension.java:161|No available application protocols
> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.449 
> AEDT|SSLExtensions.java:235|Ignore, context unavailable extension: 
> application_layer_protocol_negotiation
> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.450 
> AEDT|SSLExtensions.java:235|Ignore, context unavailable extension: 
> status_request_v2
> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.453 
> AEDT|ClientHello.java:651|Produced ClientHello handshake message (
> "ClientHello": {
>   "client version"      : "TLSv1.2",
>   "random"              : "1A BA E8 FC 59 00 AB DF 9A 1A 07 94 24 7F 
> 34 3D 0B D2 7D 10 72 52 54 CD 44 43 62 E8 8B 42 C6 68",
>   "session id"          : "",
>   "cipher suites"       : 
> "[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), 
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), 
> TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), 
> TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029), 
> TLS_RSA_WITH_AES_128_CBC_SHA(0x002F)]",
>   "compression methods" : "00",
>   "extensions"          : [
>     "supported_groups (10)": {
>       "versions": [secp256r1, secp384r1, secp521r1, secp160k1]
>     },
>     "ec_point_formats (11)": {
>       "formats": [uncompressed]
>     },
>     "signature_algorithms (13)": {
>       "signature schemes": [ecdsa_secp256r1_sha256, 
> ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, 
> rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, 
> rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, 
> rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, 
> rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1, rsa_md5]
>     },
>     "signature_algorithms_cert (50)": {
>       "signature schemes": [ecdsa_secp256r1_sha256, 
> ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, 
> rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, 
> rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, 
> rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, 
> rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1, rsa_md5]
>     },
>     "extended_master_secret (23)": {
>       <empty>
>     },
>     "supported_versions (43)": {
>       "versions": [TLSv1.2, TLSv1.1]
>     },
>     "renegotiation_info (65,281)": {
>       "renegotiated connection": [<no renegotiated connection>]
>     }
>   ]
> }
> )
> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.455 
> AEDT|Alert.java:232|Received alert message (
> "Alert": {
>   "level"      : "fatal",
>   "description": "handshake_failure"
> }
> )
> javax.net.ssl|ERROR|01|main|2019-01-08 13:40:14.456 
> AEDT|TransportContext.java:313|Fatal (HANDSHAKE_FAILURE): Received 
> fatal alert: handshake_failure (
> "throwable" : {
>   javax.net.ssl.SSLHandshakeException: Received fatal alert: 
> handshake_failure
>   at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
>   at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
>   at 
> java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
>   at 
> java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:279)
>   at 
> java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:181)
>   at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
>   at 
> java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
>   at 
> java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
>   at 
> java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
>   at SslSocketClient.main(SslSocketClient.kt:47)}
>
> )
> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.457 
> AEDT|SSLSocketImpl.java:1361|close the underlying socket
> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.457 
> AEDT|SSLSocketImpl.java:1380|close the SSL connection (initiative)
> Exception in thread "main" javax.net.ssl.SSLHandshakeException: 
> Received fatal alert: handshake_failure
> at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
> at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
> at 
> java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
> at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:279)
> at 
> java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:181)
> at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
> at 
> java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
> at 
> java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
> at 
> java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
> at SslSocketClient.main(SslSocketClient.kt:47)
>
>
>
>
> Wireshark TLS 1.2 Java 8 client hello
> -------------------------------------------------
> Secure Sockets Layer
>     TLSv1.2 Record Layer: Handshake Protocol: Client Hello
>         Content Type: Handshake (22)
>         Version: TLS 1.2 (0x0303)
>         Length: 157
>         Handshake Protocol: Client Hello
>             Handshake Type: Client Hello (1)
>             Length: 153
>             Version: TLS 1.2 (0x0303)
>             Random: 5c34044c709feae39585e4db8e41b0170fbf9fa428b38941...
>                 GMT Unix Time: Jan  8, 2019 13:00:44.000000000 AUS 
> Eastern Daylight Time
>                 Random Bytes: 
> 709feae39585e4db8e41b0170fbf9fa428b38941983ddb53...
>             Session ID Length: 0
>             Cipher Suites Length: 44
>             Cipher Suites (22 suites)
>                 Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 
> (0xc023)
>                 Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 
> (0xc027)
>                 Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
>                 Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 
> (0xc025)
>                 Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 
> (0xc029)
>                 Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
>                 Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
>                 Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 
> (0xc009)
>                 Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
>                 Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
>                 Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)
>                 Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)
>                 Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
>                 Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
>                 Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 
> (0xc02b)
>                 Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 
> (0xc02f)
>                 Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
>                 Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 
> (0xc02d)
>                 Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 
> (0xc031)
>                 Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
>                 Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2)
>                 Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
>             Compression Methods Length: 1
>             Compression Methods (1 method)
>                 Compression Method: null (0)
>             Extensions Length: 68
>             Extension: supported_groups (len=22)
>                 Type: supported_groups (10)
>                 Length: 22
>                 Supported Groups List Length: 20
>                 Supported Groups (10 groups)
>                     Supported Group: secp256r1 (0x0017)
>                     Supported Group: secp384r1 (0x0018)
>                     Supported Group: secp521r1 (0x0019)
>                     Supported Group: sect283k1 (0x0009)
>                     Supported Group: sect283r1 (0x000a)
>                     Supported Group: sect409k1 (0x000b)
>                     Supported Group: sect409r1 (0x000c)
>                     Supported Group: sect571k1 (0x000d)
>                     Supported Group: sect571r1 (0x000e)
>                     Supported Group: secp256k1 (0x0016)
>             Extension: ec_point_formats (len=2)
>                 Type: ec_point_formats (11)
>                 Length: 2
>                 EC point formats Length: 1
>                 Elliptic curves point formats (1)
>                     EC point format: uncompressed (0)
>             Extension: signature_algorithms (len=28)
>                 Type: signature_algorithms (13)
>                 Length: 28
>                 Signature Hash Algorithms Length: 26
>                 Signature Hash Algorithms (13 algorithms)
>                     Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
>                         Signature Hash Algorithm Hash: SHA512 (6)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
>                         Signature Hash Algorithm Hash: SHA512 (6)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
>                         Signature Hash Algorithm Hash: SHA384 (5)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
>                         Signature Hash Algorithm Hash: SHA384 (5)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
>                         Signature Hash Algorithm Hash: SHA256 (4)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
>                         Signature Hash Algorithm Hash: SHA256 (4)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Algorithm: SHA256 DSA (0x0402)
>                         Signature Hash Algorithm Hash: SHA256 (4)
>                         Signature Hash Algorithm Signature: DSA (2)
>                     Signature Algorithm: SHA224 ECDSA (0x0303)
>                         Signature Hash Algorithm Hash: SHA224 (3)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Algorithm: SHA224 RSA (0x0301)
>                         Signature Hash Algorithm Hash: SHA224 (3)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Algorithm: SHA224 DSA (0x0302)
>                         Signature Hash Algorithm Hash: SHA224 (3)
>                         Signature Hash Algorithm Signature: DSA (2)
>                     Signature Algorithm: ecdsa_sha1 (0x0203)
>                         Signature Hash Algorithm Hash: SHA1 (2)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
>                         Signature Hash Algorithm Hash: SHA1 (2)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Algorithm: SHA1 DSA (0x0202)
>                         Signature Hash Algorithm Hash: SHA1 (2)
>                         Signature Hash Algorithm Signature: DSA (2)
>             Extension: extended_master_secret (len=0)
>                 Type: extended_master_secret (23)
>                 Length: 0
>
>
>
> Wireshark Java 11 TLS 1.2 Client hello
> ----------------------------------------------------
> Secure Sockets Layer
>     TLSv1.2 Record Layer: Handshake Protocol: Client Hello
>         Content Type: Handshake (22)
>         Version: TLS 1.2 (0x0303)
>         Length: 185
>         Handshake Protocol: Client Hello
>             Handshake Type: Client Hello (1)
>             Length: 181
>             Version: TLS 1.2 (0x0303)
>             Random: 37f32691301b6b9d45bb62c6268915819881b8ebd95f152c...
>                 GMT Unix Time: Sep 30, 1999 19:00:01.000000000 AUS 
> Eastern Standard Time
>                 Random Bytes: 
> 301b6b9d45bb62c6268915819881b8ebd95f152c41c7e483...
>             Session ID Length: 0
>             Cipher Suites Length: 10
>             Cipher Suites (5 suites)
>                 Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 
> (0xc023)
>                 Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 
> (0xc027)
>                 Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
>                 Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 
> (0xc029)
>                 Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
>             Compression Methods Length: 1
>             Compression Methods (1 method)
>                 Compression Method: null (0)
>             Extensions Length: 130
>             Extension: supported_groups (len=10)
>                 Type: supported_groups (10)
>                 Length: 10
>                 Supported Groups List Length: 8
>                 Supported Groups (4 groups)
>                     Supported Group: secp256r1 (0x0017)
>                     Supported Group: secp384r1 (0x0018)
>                     Supported Group: secp521r1 (0x0019)
>                     Supported Group: secp160k1 (0x000f)
>             Extension: ec_point_formats (len=2)
>                 Type: ec_point_formats (11)
>                 Length: 2
>                 EC point formats Length: 1
>                 Elliptic curves point formats (1)
>                     EC point format: uncompressed (0)
>             Extension: signature_algorithms (len=42)
>                 Type: signature_algorithms (13)
>                 Length: 42
>                 Signature Hash Algorithms Length: 40
>                 Signature Hash Algorithms (20 algorithms)
>                     Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
>                         Signature Hash Algorithm Hash: SHA256 (4)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
>                         Signature Hash Algorithm Hash: SHA384 (5)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
>                         Signature Hash Algorithm Hash: SHA512 (6)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
>                         Signature Hash Algorithm Hash: Unknown (8)
>                         Signature Hash Algorithm Signature: Unknown (4)
>                     Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)
>                         Signature Hash Algorithm Hash: Unknown (8)
>                         Signature Hash Algorithm Signature: Unknown (5)
>                     Signature Algorithm: rsa_pss_rsae_sha512 (0x0806)
>                         Signature Hash Algorithm Hash: Unknown (8)
>                         Signature Hash Algorithm Signature: Unknown (6)
>                     Signature Algorithm: rsa_pss_pss_sha256 (0x0809)
>                         Signature Hash Algorithm Hash: Unknown (8)
>                         Signature Hash Algorithm Signature: Unknown (9)
>                     Signature Algorithm: rsa_pss_pss_sha384 (0x080a)
>                         Signature Hash Algorithm Hash: Unknown (8)
>                         Signature Hash Algorithm Signature: Unknown (10)
>                     Signature Algorithm: rsa_pss_pss_sha512 (0x080b)
>                         Signature Hash Algorithm Hash: Unknown (8)
>                         Signature Hash Algorithm Signature: Unknown (11)
>                     Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
>                         Signature Hash Algorithm Hash: SHA256 (4)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
>                         Signature Hash Algorithm Hash: SHA384 (5)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
>                         Signature Hash Algorithm Hash: SHA512 (6)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Algorithm: SHA256 DSA (0x0402)
>                         Signature Hash Algorithm Hash: SHA256 (4)
>                         Signature Hash Algorithm Signature: DSA (2)
>                     Signature Algorithm: SHA224 ECDSA (0x0303)
>                         Signature Hash Algorithm Hash: SHA224 (3)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Algorithm: SHA224 RSA (0x0301)
>                         Signature Hash Algorithm Hash: SHA224 (3)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Algorithm: SHA224 DSA (0x0302)
>                         Signature Hash Algorithm Hash: SHA224 (3)
>                         Signature Hash Algorithm Signature: DSA (2)
>                     Signature Algorithm: ecdsa_sha1 (0x0203)
>                         Signature Hash Algorithm Hash: SHA1 (2)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
>                         Signature Hash Algorithm Hash: SHA1 (2)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Algorithm: SHA1 DSA (0x0202)
>                         Signature Hash Algorithm Hash: SHA1 (2)
>                         Signature Hash Algorithm Signature: DSA (2)
>                     Signature Algorithm: MD5 RSA (0x0101)
>                         Signature Hash Algorithm Hash: MD5 (1)
>                         Signature Hash Algorithm Signature: RSA (1)
>             Extension: signature_algorithms_cert (len=42)
>                 Type: signature_algorithms_cert (50)
>                 Length: 42
>                 Signature Hash Algorithms Length: 40
>                 Signature Hash Algorithms (20 algorithms)
>                     Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
>                         Signature Hash Algorithm Hash: SHA256 (4)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
>                         Signature Hash Algorithm Hash: SHA384 (5)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
>                         Signature Hash Algorithm Hash: SHA512 (6)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
>                         Signature Hash Algorithm Hash: Unknown (8)
>                         Signature Hash Algorithm Signature: Unknown (4)
>                     Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)
>                         Signature Hash Algorithm Hash: Unknown (8)
>                         Signature Hash Algorithm Signature: Unknown (5)
>                     Signature Algorithm: rsa_pss_rsae_sha512 (0x0806)
>                         Signature Hash Algorithm Hash: Unknown (8)
>                         Signature Hash Algorithm Signature: Unknown (6)
>                     Signature Algorithm: rsa_pss_pss_sha256 (0x0809)
>                         Signature Hash Algorithm Hash: Unknown (8)
>                         Signature Hash Algorithm Signature: Unknown (9)
>                     Signature Algorithm: rsa_pss_pss_sha384 (0x080a)
>                         Signature Hash Algorithm Hash: Unknown (8)
>                         Signature Hash Algorithm Signature: Unknown (10)
>                     Signature Algorithm: rsa_pss_pss_sha512 (0x080b)
>                         Signature Hash Algorithm Hash: Unknown (8)
>                         Signature Hash Algorithm Signature: Unknown (11)
>                     Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
>                         Signature Hash Algorithm Hash: SHA256 (4)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
>                         Signature Hash Algorithm Hash: SHA384 (5)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
>                         Signature Hash Algorithm Hash: SHA512 (6)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Algorithm: SHA256 DSA (0x0402)
>                         Signature Hash Algorithm Hash: SHA256 (4)
>                         Signature Hash Algorithm Signature: DSA (2)
>                     Signature Algorithm: SHA224 ECDSA (0x0303)
>                         Signature Hash Algorithm Hash: SHA224 (3)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Algorithm: SHA224 RSA (0x0301)
>                         Signature Hash Algorithm Hash: SHA224 (3)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Algorithm: SHA224 DSA (0x0302)
>                         Signature Hash Algorithm Hash: SHA224 (3)
>                         Signature Hash Algorithm Signature: DSA (2)
>                     Signature Algorithm: ecdsa_sha1 (0x0203)
>                         Signature Hash Algorithm Hash: SHA1 (2)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
>                         Signature Hash Algorithm Hash: SHA1 (2)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Algorithm: SHA1 DSA (0x0202)
>                         Signature Hash Algorithm Hash: SHA1 (2)
>                         Signature Hash Algorithm Signature: DSA (2)
>                     Signature Algorithm: MD5 RSA (0x0101)
>                         Signature Hash Algorithm Hash: MD5 (1)
>                         Signature Hash Algorithm Signature: RSA (1)
>             Extension: extended_master_secret (len=0)
>                 Type: extended_master_secret (23)
>                 Length: 0
>             Extension: supported_versions (len=5)
>                 Type: supported_versions (43)
>                 Length: 5
>                 Supported Versions length: 4
>                 Supported Version: TLS 1.2 (0x0303)
>                 Supported Version: TLS 1.1 (0x0302)
>             Extension: renegotiation_info (len=1)
>                 Type: renegotiation_info (65281)
>                 Length: 1
>                 Renegotiation Info extension
>                     Renegotiation info extension length: 0
>
>
>
>
>
>
> On Mon, Jan 21, 2019 at 10:37 AM Xuelei Fan <xuelei.fan at oracle.com 
> <mailto:xuelei.fan at oracle.com>> wrote:
>
>     Hi Amir,
>
>     Normally, the extension should have no impact if it cannot be
>     recognized by the server.   It's good to be able to disable
>     extensions if not needed.   I need to evaluate the priority of it,
>     though.  Do you have simple test code that I can use to reproduce
>     the issue?
>
>     Thanks,
>
>     Xuelei
>
>     On 1/20/2019 3:03 PM, Amir Khassaia wrote:
>>     Greetings Xuelei,
>>     To follow up on this, the certificate in the connection is a red
>>     herring and not important. It's actually a very unusual behaviour
>>     by the talk.google.com <http://talk.google.com/> endpoint to
>>     encapsulate an error message inside a certificate.
>>
>>     As per the output I included:
>>
>>     "certificate" : {
>>       "version"            : "v3",
>>       "serial number"      : "00 90 76 89 18 E9 33 93 A0",
>>       "signature algorithm": "SHA256withRSA",
>>       "issuer"             : "CN=invalid2.invalid, OU="No SNI provided; please fix your client."",
>>       "not before"         : "2015-01-01 11:00:00.000 AEDT",
>>       "not  after"         : "2030-01-01 11:00:00.000 AEDT",
>>       "subject"            : "CN=invalid2.invalid, OU="No SNI provided; please fix your client."",
>>
>>     This certificate simply masks the TLS interoperability issue as
>>     an untrusted certificate issue.
>>     The fact is, some of the extensions sent by JSSE are changes to
>>     TLS 1.2 to support TLS 1.3; this, however, affects some clients
>>     adversely in practice, and usually the JDK provides properties to turn
>>     new enhancements off and work around such behaviour. For the
>>     extensions I mentioned this is not provided, and hence they are
>>     always sent for client sockets unless TLSv1.2 is not in use.
>>
>>     The impact to us is that upgrading to JDK 11 means that, for some
>>     endpoints or devices that are not 100% compliant with the spec, the
>>     security is reduced, as we now have to work around this by dropping
>>     connections to these to TLSv1.1 or TLS 1.0, or not move to Java
>>     11 at all.
>>     My request is simply to have all of the new extensions
>>     configurable on an individual basis so that they can be turned off
>>     if needed for compatibility, just like most other security
>>     enhancements that were delivered in the past.
>>     It appears some of the issues can come from:
>>
>>     - inclusion of the RSASSA-PSS algorithms in TLS 1.2 handshakes, but
>>     these can be disabled at least
>>
>>     - the signature_algorithms_cert and supported_versions extensions,
>>     which seem to be hardcoded for TLS 1.2 (I was not able to
>>     conclusively identify which of these caused my troubles)
>>
>>     https://tools.ietf.org/html/rfc8446#section-1.3 does say that TLS
>>     1.2 clients are affected, but in an optional manner. Just today
>>     I've encountered another Java 11 interop issue with TLS, but this
>>     time with a physical device, which can have a long shelf life; yet
>>     running a simple client socket handshake abruptly terminates the
>>     connection upon client hello (no server_hello at all), and
>>     downgrading the JRE below 11 works fine. I'm including a trace
>>     for that as well:
>>
>>     javax.net.ssl|DEBUG|01|main|2019-01-08
>>     13:40:14.395 AEDT|SSLCipher.java:437|jdk.tls.keyLimits:  entry =
>>     AES/GCM/NoPadding KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE =
>>     137438953472
>>
>>     javax.net.ssl|WARNING|01|main|2019-01-08 13:40:14.433
>>     AEDT|ServerNameExtension.java:255|Unable to indicate server name
>>
>>     javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.433
>>     AEDT|SSLExtensions.java:235|Ignore, context unavailable
>>     extension: server_name
>>
>>     javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.433
>>     AEDT|SSLExtensions.java:235|Ignore, context unavailable
>>     extension: status_request
>>
>>     javax.net.ssl|WARNING|01|main|2019-01-08 13:40:14.443
>>     AEDT|SignatureScheme.java:282|Signature algorithm, ed25519, is
>>     not supported by the underlying providers
>>
>>     javax.net.ssl|WARNING|01|main|2019-01-08 13:40:14.444
>>     AEDT|SignatureScheme.java:282|Signature algorithm, ed448, is not
>>     supported by the underlying providers
>>
>>     javax.net.ssl|INFO|01|main|2019-01-08 13:40:14.449
>>     AEDT|AlpnExtension.java:161|No available application protocols
>>
>>     javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.449
>>     AEDT|SSLExtensions.java:235|Ignore, context unavailable
>>     extension: application_layer_protocol_negotiation
>>
>>     javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.450
>>     AEDT|SSLExtensions.java:235|Ignore, context unavailable
>>     extension: status_request_v2
>>
>>     javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.453
>>     AEDT|ClientHello.java:651|Produced ClientHello handshake message (
>>
>>     "ClientHello": {
>>
>>       "client version"      : "TLSv1.2",
>>
>>       "random"              : "1A BA E8 FC 59 00 AB DF 9A 1A 07 94 24
>>     7F 34 3D 0B D2 7D 10 72 52 54 CD 44 43 62 E8 8B 42 C6 68",
>>
>>       "session id"          : "",
>>
>>       "cipher suites"       :
>>     "[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023),
>>     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027),
>>     TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C),
>>     TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029),
>>     TLS_RSA_WITH_AES_128_CBC_SHA(0x002F)]",
>>
>>       "compression methods" : "00",
>>
>>       "extensions"          : [
>>
>>         "supported_groups (10)": {
>>
>>           "versions": [secp256r1, secp384r1, secp521r1, secp160k1]
>>
>>         },
>>
>>         "ec_point_formats (11)": {
>>
>>           "formats": [uncompressed]
>>
>>         },
>>
>>         "signature_algorithms (13)": {
>>
>>           "signature schemes": [ecdsa_secp256r1_sha256,
>>     ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512,
>>     rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512,
>>     rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512,
>>     rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256,
>>     ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1,
>>     dsa_sha1, rsa_md5]
>>
>>         },
>>
>>         "signature_algorithms_cert (50)": {
>>
>>           "signature schemes": [ecdsa_secp256r1_sha256,
>>     ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512,
>>     rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512,
>>     rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512,
>>     rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256,
>>     ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1,
>>     dsa_sha1, rsa_md5]
>>
>>         },
>>
>>         "extended_master_secret (23)": {
>>
>>           <empty>
>>
>>         },
>>
>>         "supported_versions (43)": {
>>
>>           "versions": [TLSv1.2, TLSv1.1]
>>
>>         },
>>
>>         "renegotiation_info (65,281)": {
>>
>>           "renegotiated connection": [<no renegotiated connection>]
>>
>>         }
>>
>>       ]
>>
>>     }
>>
>>     )
>>
>>     javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.455
>>     AEDT|Alert.java:232|Received alert message (
>>
>>     "Alert": {
>>
>>       "level"      : "fatal",
>>
>>       "description": "handshake_failure"
>>
>>     }
>>
>>     )
>>
>>     javax.net.ssl|ERROR|01|main|2019-01-08 13:40:14.456
>>     AEDT|TransportContext.java:313|Fatal (HANDSHAKE_FAILURE):
>>     Received fatal alert: handshake_failure (
>>
>>     "throwable" : {
>>
>>       javax.net.ssl.SSLHandshakeException: Received fatal alert:
>>     handshake_failure
>>
>>         at
>>     java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
>>
>>         at
>>     java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
>>
>>         at
>>     java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
>>
>>         at
>>     java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:279)
>>
>>         at
>>     java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:181)
>>
>>         at
>>     java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
>>
>>         at
>>     java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
>>
>>         at
>>     java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
>>
>>         at
>>     java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
>>
>>         at SslSocketClient.main(SslSocketClient.kt:47)}
>>
>>
>>     )
>>
>>     javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.457
>>     AEDT|SSLSocketImpl.java:1361|close the underlying socket
>>
>>     javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.457
>>     AEDT|SSLSocketImpl.java:1380|close the SSL connection (initiative)
>>
>>     Exception in thread "main" javax.net.ssl.SSLHandshakeException:
>>     Received fatal alert: handshake_failure
>>
>>       at
>>     java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
>>
>>       at
>>     java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
>>
>>       at
>>     java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
>>
>>       at
>>     java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:279)
>>
>>       at
>>     java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:181)
>>
>>       at
>>     java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
>>
>>       at
>>     java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
>>
>>       at
>>     java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
>>
>>       at
>>     java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
>>
>>       at SslSocketClient.main(SslSocketClient.kt:47)
>>
>>
>>
>>
>>     I've sent my reply earlier but neither got it posted nor denied
>>     notification so trying again.
>
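As an added example (not code from this thread, from the gist, or from the JDK), a small Python parser that inventories the extensions carried in a raw TLS ClientHello handshake message, so that a capture from a JDK 11 client can be compared against a baseline the device is known to accept; the sample ClientHello is constructed here to mirror the cipher suites and the extension list printed in the debug log above, and `unexpected_extensions` is a hypothetical helper name.

```python
import struct

# Extension type numbers as printed in the JDK debug log (IANA TLS ExtensionType registry).
EXT_NAMES = {10: "supported_groups", 11: "ec_point_formats", 13: "signature_algorithms",
             23: "extended_master_secret", 43: "supported_versions",
             50: "signature_algorithms_cert", 65281: "renegotiation_info"}

# Cipher suites in the order the log shows them (constructed test input, not a capture).
LOG_SUITES = [0xC023, 0xC027, 0x003C, 0xC029, 0x002F]

def build_client_hello(extensions, suites=LOG_SUITES):
    """Construct a minimal TLS 1.2 ClientHello handshake message.
    `extensions` is a list of (type, data) pairs; random is fixed to zeros."""
    body = b"\x03\x03" + bytes(32) + b"\x00"          # client version, random, empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                               # one compression method: null
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    # Handshake header: type 1 (client_hello) plus 24-bit body length.
    return b"\x01" + struct.pack("!I", len(body))[1:] + body

def parse_client_hello_extensions(msg):
    """Return the extension type numbers of a ClientHello handshake message, in wire order."""
    if not msg or msg[0] != 1:
        raise ValueError("not a ClientHello handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                      # skip version and random
    pos += 1 + body[pos]                              # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    pos += 1 + body[pos]                              # compression methods
    if pos == len(body):
        return []                                     # legacy hello with no extensions block
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos, end, types = pos + 2, pos + 2 + ext_len, []
    while pos + 4 <= end:
        ext_type, ext_data_len = struct.unpack("!HH", body[pos:pos + 4])
        types.append(ext_type)
        pos += 4 + ext_data_len
    if pos != end:
        raise ValueError("malformed extensions block")
    return types

def unexpected_extensions(msg, allowed):
    """Names of extensions present in `msg` that are not in the `allowed` baseline set
    (e.g. the set observed from a client release the device handshakes with)."""
    return [EXT_NAMES.get(t, f"unknown({t})")
            for t in parse_client_hello_extensions(msg) if t not in allowed]
```

Running the parser over a ClientHello captured from the failing client (strip the 5-byte record header first) gives the same extension list the JDK log prints, which can then be diffed against a hello the device accepts.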