Not possible to disable new TLS extensions for TLS 1.2 connections
Xuelei Fan
xuelei.fan at oracle.com
Tue Jan 22 01:53:27 UTC 2019
On 1/21/2019 1:29 PM, Amir Khassaia wrote:
> Thanks Xuelei,
> Do you mean to create an RFE at openjdk https://bugs.openjdk.java.net/ ?
>
Yes if you have an OpenJDK account. Otherwise, please use
bugreport.java.com
Thanks,
Xuelei
>
>
> On Tue, Jan 22, 2019 at 5:02 AM Xuelei Fan <xuelei.fan at oracle.com
> <mailto:xuelei.fan at oracle.com>> wrote:
>
> Hi Amir,
>
> I can see the problem for incompatible impl. Would you mind
> submit an OpenJDK enhancement for a workaround?
>
> Thanks & Regards,
>
> Xuelei
>
> On 1/20/2019 4:10 PM, Amir Khassaia wrote:
>> Xuelei,
>>
>> I have a sample socket client for the device TLS issue but its
>> not very helpful as any socket client created on top of JDK will
>> do, the last problem was apparent only when talking to a specific
>> hardware device which refused to negotiate TLS session (I've seen
>> several odd TLS implementations that were intolerant to Java
>> changes in various ways over the years and compatibility could
>> always be assured through config changes, this time around less so).
>>
>> Some of the hardware TLS stacks can range from small oddities to
>> being completely broken by small changes as they can contain
>> outdated and poorly implemented TLS stacks that are very
>> sensitive so even a small change can break them and thats why its
>> always important to have levers provided to control almost every
>> aspect of the handshake.
>>
>> I have a sample in my gist
>> (https://gist.github.com/amir-khassaia/04347ca88526f4b958b3326968a905c0),
>> apologies its in Kotlin. When ran with java 8, 9, 10 there were
>> no issues. With java 11 this worked on most devices but I've had
>> a device at a remote location that was not in my control that
>> I've had to diagnose the handshake failure on using java 11 it
>> was intolerant to TLS 1.2 client hello from Java 11 but fine with
>> TLS 1.1 as the new extensions are not present. It would be fine
>> with TLS 1.2 client hello from Java 10 and earlier as I mentioned.
>>
>> Javax.net.debug output
>> -------------------------------
>> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.395
>> AEDT|SSLCipher.java:437|jdk.tls.keyLimits: entry =
>> AES/GCM/NoPadding KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE =
>> 137438953472
>> javax.net.ssl|WARNING|01|main|2019-01-08 13:40:14.433
>> AEDT|ServerNameExtension.java:255|Unable to indicate server name
>> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.433
>> AEDT|SSLExtensions.java:235|Ignore, context unavailable
>> extension: server_name
>> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.433
>> AEDT|SSLExtensions.java:235|Ignore, context unavailable
>> extension: status_request
>> javax.net.ssl|WARNING|01|main|2019-01-08 13:40:14.443
>> AEDT|SignatureScheme.java:282|Signature algorithm, ed25519, is
>> not supported by the underlying providers
>> javax.net.ssl|WARNING|01|main|2019-01-08 13:40:14.444
>> AEDT|SignatureScheme.java:282|Signature algorithm, ed448, is not
>> supported by the underlying providers
>> javax.net.ssl|INFO|01|main|2019-01-08 13:40:14.449
>> AEDT|AlpnExtension.java:161|No available application protocols
>> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.449
>> AEDT|SSLExtensions.java:235|Ignore, context unavailable
>> extension: application_layer_protocol_negotiation
>> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.450
>> AEDT|SSLExtensions.java:235|Ignore, context unavailable
>> extension: status_request_v2
>> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.453
>> AEDT|ClientHello.java:651|Produced ClientHello handshake message (
>> "ClientHello": {
>> "client version" : "TLSv1.2",
>> "random" : "1A BA E8 FC 59 00 AB DF 9A 1A 07 94 24
>> 7F 34 3D 0B D2 7D 10 72 52 54 CD 44 43 62 E8 8B 42 C6 68",
>> "session id" : "",
>> "cipher suites" :
>> "[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023),
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027),
>> TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C),
>> TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029),
>> TLS_RSA_WITH_AES_128_CBC_SHA(0x002F)]",
>> "compression methods" : "00",
>> "extensions" : [
>> "supported_groups (10)": {
>> "versions": [secp256r1, secp384r1, secp521r1, secp160k1]
>> },
>> "ec_point_formats (11)": {
>> "formats": [uncompressed]
>> },
>> "signature_algorithms (13)": {
>> "signature schemes": [ecdsa_secp256r1_sha256,
>> ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512,
>> rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512,
>> rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512,
>> rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256,
>> ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1,
>> dsa_sha1, rsa_md5]
>> },
>> "signature_algorithms_cert (50)": {
>> "signature schemes": [ecdsa_secp256r1_sha256,
>> ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512,
>> rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512,
>> rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512,
>> rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256,
>> ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1,
>> dsa_sha1, rsa_md5]
>> },
>> "extended_master_secret (23)": {
>> <empty>
>> },
>> "supported_versions (43)": {
>> "versions": [TLSv1.2, TLSv1.1]
>> },
>> "renegotiation_info (65,281)": {
>> "renegotiated connection": [<no renegotiated connection>]
>> }
>> ]
>> }
>> )
>> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.455
>> AEDT|Alert.java:232|Received alert message (
>> "Alert": {
>> "level" : "fatal",
>> "description": "handshake_failure"
>> }
>> )
>> javax.net.ssl|ERROR|01|main|2019-01-08 13:40:14.456
>> AEDT|TransportContext.java:313|Fatal (HANDSHAKE_FAILURE):
>> Received fatal alert: handshake_failure (
>> "throwable" : {
>> javax.net.ssl.SSLHandshakeException: Received fatal alert:
>> handshake_failure
>> at
>> java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
>> at
>> java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
>> at
>> java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
>> at
>> java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:279)
>> at
>> java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:181)
>> at
>> java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
>> at
>> java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
>> at
>> java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
>> at
>> java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
>> at SslSocketClient.main(SslSocketClient.kt:47)}
>>
>> )
>> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.457
>> AEDT|SSLSocketImpl.java:1361|close the underlying socket
>> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.457
>> AEDT|SSLSocketImpl.java:1380|close the SSL connection (initiative)
>> Exception in thread "main" javax.net.ssl.SSLHandshakeException:
>> Received fatal alert: handshake_failure
>> at
>> java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
>> at
>> java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
>> at
>> java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
>> at
>> java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:279)
>> at
>> java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:181)
>> at
>> java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
>> at
>> java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
>> at
>> java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
>> at
>> java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
>> at SslSocketClient.main(SslSocketClient.kt:47)
>>
>>
>>
>>
>> Wireshark TLS 1.2 Java 8 client hello
>> -------------------------------------------------
>> Secure Sockets Layer
>> TLSv1.2 Record Layer: Handshake Protocol: Client Hello
>> Content Type: Handshake (22)
>> Version: TLS 1.2 (0x0303)
>> Length: 157
>> Handshake Protocol: Client Hello
>> Handshake Type: Client Hello (1)
>> Length: 153
>> Version: TLS 1.2 (0x0303)
>> Random:
>> 5c34044c709feae39585e4db8e41b0170fbf9fa428b38941...
>> GMT Unix Time: Jan 8, 2019 13:00:44.000000000 AUS
>> Eastern Daylight Time
>> Random Bytes:
>> 709feae39585e4db8e41b0170fbf9fa428b38941983ddb53...
>> Session ID Length: 0
>> Cipher Suites Length: 44
>> Cipher Suites (22 suites)
>> Cipher Suite:
>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
>> Cipher Suite:
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
>> Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256
>> (0x003c)
>> Cipher Suite:
>> TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025)
>> Cipher Suite:
>> TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029)
>> Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
>> (0x0067)
>> Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
>> (0x0040)
>> Cipher Suite:
>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
>> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>> (0xc013)
>> Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
>> Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
>> (0xc004)
>> Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
>> (0xc00e)
>> Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
>> (0x0033)
>> Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
>> (0x0032)
>> Cipher Suite:
>> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
>> Cipher Suite:
>> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
>> Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256
>> (0x009c)
>> Cipher Suite:
>> TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02d)
>> Cipher Suite:
>> TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031)
>> Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
>> (0x009e)
>> Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
>> (0x00a2)
>> Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
>> (0x00ff)
>> Compression Methods Length: 1
>> Compression Methods (1 method)
>> Compression Method: null (0)
>> Extensions Length: 68
>> Extension: supported_groups (len=22)
>> Type: supported_groups (10)
>> Length: 22
>> Supported Groups List Length: 20
>> Supported Groups (10 groups)
>> Supported Group: secp256r1 (0x0017)
>> Supported Group: secp384r1 (0x0018)
>> Supported Group: secp521r1 (0x0019)
>> Supported Group: sect283k1 (0x0009)
>> Supported Group: sect283r1 (0x000a)
>> Supported Group: sect409k1 (0x000b)
>> Supported Group: sect409r1 (0x000c)
>> Supported Group: sect571k1 (0x000d)
>> Supported Group: sect571r1 (0x000e)
>> Supported Group: secp256k1 (0x0016)
>> Extension: ec_point_formats (len=2)
>> Type: ec_point_formats (11)
>> Length: 2
>> EC point formats Length: 1
>> Elliptic curves point formats (1)
>> EC point format: uncompressed (0)
>> Extension: signature_algorithms (len=28)
>> Type: signature_algorithms (13)
>> Length: 28
>> Signature Hash Algorithms Length: 26
>> Signature Hash Algorithms (13 algorithms)
>> Signature Algorithm: ecdsa_secp521r1_sha512
>> (0x0603)
>> Signature Hash Algorithm Hash: SHA512 (6)
>> Signature Hash Algorithm Signature: ECDSA (3)
>> Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
>> Signature Hash Algorithm Hash: SHA512 (6)
>> Signature Hash Algorithm Signature: RSA (1)
>> Signature Algorithm: ecdsa_secp384r1_sha384
>> (0x0503)
>> Signature Hash Algorithm Hash: SHA384 (5)
>> Signature Hash Algorithm Signature: ECDSA (3)
>> Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
>> Signature Hash Algorithm Hash: SHA384 (5)
>> Signature Hash Algorithm Signature: RSA (1)
>> Signature Algorithm: ecdsa_secp256r1_sha256
>> (0x0403)
>> Signature Hash Algorithm Hash: SHA256 (4)
>> Signature Hash Algorithm Signature: ECDSA (3)
>> Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
>> Signature Hash Algorithm Hash: SHA256 (4)
>> Signature Hash Algorithm Signature: RSA (1)
>> Signature Algorithm: SHA256 DSA (0x0402)
>> Signature Hash Algorithm Hash: SHA256 (4)
>> Signature Hash Algorithm Signature: DSA (2)
>> Signature Algorithm: SHA224 ECDSA (0x0303)
>> Signature Hash Algorithm Hash: SHA224 (3)
>> Signature Hash Algorithm Signature: ECDSA (3)
>> Signature Algorithm: SHA224 RSA (0x0301)
>> Signature Hash Algorithm Hash: SHA224 (3)
>> Signature Hash Algorithm Signature: RSA (1)
>> Signature Algorithm: SHA224 DSA (0x0302)
>> Signature Hash Algorithm Hash: SHA224 (3)
>> Signature Hash Algorithm Signature: DSA (2)
>> Signature Algorithm: ecdsa_sha1 (0x0203)
>> Signature Hash Algorithm Hash: SHA1 (2)
>> Signature Hash Algorithm Signature: ECDSA (3)
>> Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
>> Signature Hash Algorithm Hash: SHA1 (2)
>> Signature Hash Algorithm Signature: RSA (1)
>> Signature Algorithm: SHA1 DSA (0x0202)
>> Signature Hash Algorithm Hash: SHA1 (2)
>> Signature Hash Algorithm Signature: DSA (2)
>> Extension: extended_master_secret (len=0)
>> Type: extended_master_secret (23)
>> Length: 0
>>
>>
>>
>> Wireshark Java 11 TLS 1.2 Client hello
>> ----------------------------------------------------
>> Secure Sockets Layer
>> TLSv1.2 Record Layer: Handshake Protocol: Client Hello
>> Content Type: Handshake (22)
>> Version: TLS 1.2 (0x0303)
>> Length: 185
>> Handshake Protocol: Client Hello
>> Handshake Type: Client Hello (1)
>> Length: 181
>> Version: TLS 1.2 (0x0303)
>> Random:
>> 37f32691301b6b9d45bb62c6268915819881b8ebd95f152c...
>> GMT Unix Time: Sep 30, 1999 19:00:01.000000000
>> AUS Eastern Standard Time
>> Random Bytes:
>> 301b6b9d45bb62c6268915819881b8ebd95f152c41c7e483...
>> Session ID Length: 0
>> Cipher Suites Length: 10
>> Cipher Suites (5 suites)
>> Cipher Suite:
>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
>> Cipher Suite:
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
>> Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256
>> (0x003c)
>> Cipher Suite:
>> TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029)
>> Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
>> Compression Methods Length: 1
>> Compression Methods (1 method)
>> Compression Method: null (0)
>> Extensions Length: 130
>> Extension: supported_groups (len=10)
>> Type: supported_groups (10)
>> Length: 10
>> Supported Groups List Length: 8
>> Supported Groups (4 groups)
>> Supported Group: secp256r1 (0x0017)
>> Supported Group: secp384r1 (0x0018)
>> Supported Group: secp521r1 (0x0019)
>> Supported Group: secp160k1 (0x000f)
>> Extension: ec_point_formats (len=2)
>> Type: ec_point_formats (11)
>> Length: 2
>> EC point formats Length: 1
>> Elliptic curves point formats (1)
>> EC point format: uncompressed (0)
>> Extension: signature_algorithms (len=42)
>> Type: signature_algorithms (13)
>> Length: 42
>> Signature Hash Algorithms Length: 40
>> Signature Hash Algorithms (20 algorithms)
>> Signature Algorithm: ecdsa_secp256r1_sha256
>> (0x0403)
>> Signature Hash Algorithm Hash: SHA256 (4)
>> Signature Hash Algorithm Signature: ECDSA (3)
>> Signature Algorithm: ecdsa_secp384r1_sha384
>> (0x0503)
>> Signature Hash Algorithm Hash: SHA384 (5)
>> Signature Hash Algorithm Signature: ECDSA (3)
>> Signature Algorithm: ecdsa_secp521r1_sha512
>> (0x0603)
>> Signature Hash Algorithm Hash: SHA512 (6)
>> Signature Hash Algorithm Signature: ECDSA (3)
>> Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
>> Signature Hash Algorithm Hash: Unknown (8)
>> Signature Hash Algorithm Signature:
>> Unknown (4)
>> Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)
>> Signature Hash Algorithm Hash: Unknown (8)
>> Signature Hash Algorithm Signature:
>> Unknown (5)
>> Signature Algorithm: rsa_pss_rsae_sha512 (0x0806)
>> Signature Hash Algorithm Hash: Unknown (8)
>> Signature Hash Algorithm Signature:
>> Unknown (6)
>> Signature Algorithm: rsa_pss_pss_sha256 (0x0809)
>> Signature Hash Algorithm Hash: Unknown (8)
>> Signature Hash Algorithm Signature:
>> Unknown (9)
>> Signature Algorithm: rsa_pss_pss_sha384 (0x080a)
>> Signature Hash Algorithm Hash: Unknown (8)
>> Signature Hash Algorithm Signature:
>> Unknown (10)
>> Signature Algorithm: rsa_pss_pss_sha512 (0x080b)
>> Signature Hash Algorithm Hash: Unknown (8)
>> Signature Hash Algorithm Signature:
>> Unknown (11)
>> Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
>> Signature Hash Algorithm Hash: SHA256 (4)
>> Signature Hash Algorithm Signature: RSA (1)
>> Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
>> Signature Hash Algorithm Hash: SHA384 (5)
>> Signature Hash Algorithm Signature: RSA (1)
>> Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
>> Signature Hash Algorithm Hash: SHA512 (6)
>> Signature Hash Algorithm Signature: RSA (1)
>> Signature Algorithm: SHA256 DSA (0x0402)
>> Signature Hash Algorithm Hash: SHA256 (4)
>> Signature Hash Algorithm Signature: DSA (2)
>> Signature Algorithm: SHA224 ECDSA (0x0303)
>> Signature Hash Algorithm Hash: SHA224 (3)
>> Signature Hash Algorithm Signature: ECDSA (3)
>> Signature Algorithm: SHA224 RSA (0x0301)
>> Signature Hash Algorithm Hash: SHA224 (3)
>> Signature Hash Algorithm Signature: RSA (1)
>> Signature Algorithm: SHA224 DSA (0x0302)
>> Signature Hash Algorithm Hash: SHA224 (3)
>> Signature Hash Algorithm Signature: DSA (2)
>> Signature Algorithm: ecdsa_sha1 (0x0203)
>> Signature Hash Algorithm Hash: SHA1 (2)
>> Signature Hash Algorithm Signature: ECDSA (3)
>> Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
>> Signature Hash Algorithm Hash: SHA1 (2)
>> Signature Hash Algorithm Signature: RSA (1)
>> Signature Algorithm: SHA1 DSA (0x0202)
>> Signature Hash Algorithm Hash: SHA1 (2)
>> Signature Hash Algorithm Signature: DSA (2)
>> Signature Algorithm: MD5 RSA (0x0101)
>> Signature Hash Algorithm Hash: MD5 (1)
>> Signature Hash Algorithm Signature: RSA (1)
>> Extension: signature_algorithms_cert (len=42)
>> Type: signature_algorithms_cert (50)
>> Length: 42
>> Signature Hash Algorithms Length: 40
>> Signature Hash Algorithms (20 algorithms)
>> Signature Algorithm: ecdsa_secp256r1_sha256
>> (0x0403)
>> Signature Hash Algorithm Hash: SHA256 (4)
>> Signature Hash Algorithm Signature: ECDSA (3)
>> Signature Algorithm: ecdsa_secp384r1_sha384
>> (0x0503)
>> Signature Hash Algorithm Hash: SHA384 (5)
>> Signature Hash Algorithm Signature: ECDSA (3)
>> Signature Algorithm: ecdsa_secp521r1_sha512
>> (0x0603)
>> Signature Hash Algorithm Hash: SHA512 (6)
>> Signature Hash Algorithm Signature: ECDSA (3)
>> Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
>> Signature Hash Algorithm Hash: Unknown (8)
>> Signature Hash Algorithm Signature:
>> Unknown (4)
>> Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)
>> Signature Hash Algorithm Hash: Unknown (8)
>> Signature Hash Algorithm Signature:
>> Unknown (5)
>> Signature Algorithm: rsa_pss_rsae_sha512 (0x0806)
>> Signature Hash Algorithm Hash: Unknown (8)
>> Signature Hash Algorithm Signature:
>> Unknown (6)
>> Signature Algorithm: rsa_pss_pss_sha256 (0x0809)
>> Signature Hash Algorithm Hash: Unknown (8)
>> Signature Hash Algorithm Signature:
>> Unknown (9)
>> Signature Algorithm: rsa_pss_pss_sha384 (0x080a)
>> Signature Hash Algorithm Hash: Unknown (8)
>> Signature Hash Algorithm Signature:
>> Unknown (10)
>> Signature Algorithm: rsa_pss_pss_sha512 (0x080b)
>> Signature Hash Algorithm Hash: Unknown (8)
>> Signature Hash Algorithm Signature:
>> Unknown (11)
>> Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
>> Signature Hash Algorithm Hash: SHA256 (4)
>> Signature Hash Algorithm Signature: RSA (1)
>> Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
>> Signature Hash Algorithm Hash: SHA384 (5)
>> Signature Hash Algorithm Signature: RSA (1)
>> Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
>> Signature Hash Algorithm Hash: SHA512 (6)
>> Signature Hash Algorithm Signature: RSA (1)
>> Signature Algorithm: SHA256 DSA (0x0402)
>> Signature Hash Algorithm Hash: SHA256 (4)
>> Signature Hash Algorithm Signature: DSA (2)
>> Signature Algorithm: SHA224 ECDSA (0x0303)
>> Signature Hash Algorithm Hash: SHA224 (3)
>> Signature Hash Algorithm Signature: ECDSA (3)
>> Signature Algorithm: SHA224 RSA (0x0301)
>> Signature Hash Algorithm Hash: SHA224 (3)
>> Signature Hash Algorithm Signature: RSA (1)
>> Signature Algorithm: SHA224 DSA (0x0302)
>> Signature Hash Algorithm Hash: SHA224 (3)
>> Signature Hash Algorithm Signature: DSA (2)
>> Signature Algorithm: ecdsa_sha1 (0x0203)
>> Signature Hash Algorithm Hash: SHA1 (2)
>> Signature Hash Algorithm Signature: ECDSA (3)
>> Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
>> Signature Hash Algorithm Hash: SHA1 (2)
>> Signature Hash Algorithm Signature: RSA (1)
>> Signature Algorithm: SHA1 DSA (0x0202)
>> Signature Hash Algorithm Hash: SHA1 (2)
>> Signature Hash Algorithm Signature: DSA (2)
>> Signature Algorithm: MD5 RSA (0x0101)
>> Signature Hash Algorithm Hash: MD5 (1)
>> Signature Hash Algorithm Signature: RSA (1)
>> Extension: extended_master_secret (len=0)
>> Type: extended_master_secret (23)
>> Length: 0
>> Extension: supported_versions (len=5)
>> Type: supported_versions (43)
>> Length: 5
>> Supported Versions length: 4
>> Supported Version: TLS 1.2 (0x0303)
>> Supported Version: TLS 1.1 (0x0302)
>> Extension: renegotiation_info (len=1)
>> Type: renegotiation_info (65281)
>> Length: 1
>> Renegotiation Info extension
>> Renegotiation info extension length: 0
>>
>>
>>
>>
>>
>>
>> On Mon, Jan 21, 2019 at 10:37 AM Xuelei Fan
>> <xuelei.fan at oracle.com <mailto:xuelei.fan at oracle.com>> wrote:
>>
>> Hi Amir,
>>
>> Normally, the extension should have no impact if it cannot be
>> recognized by the server. It's good to be able to disable
>> extensions if not needed. I need to evaluate the priority of
>> it although. Did you have a simple test code that I can
>> reproduce the issue?
>>
>> Thanks,
>>
>> Xuelei
>>
>> On 1/20/2019 3:03 PM, Amir Khassaia wrote:
>>> Greetings Xuelei,
>>> To follow up on this, the certificate in the connection is a
>>> red herring and not important. It's actually a very unusual
>>> behaviour by talk.google.com
>>> <http://talk.google.com/> endpoint to encapsulate an error
>>> message inside a certificate.
>>>
>>> As per the output I included:
>>> /"certificate" : { />/ "version" : "v3", />/ "serial number" : "00 90 76 89 18 E9 33 93 A0", />/ "signature algorithm": "SHA256withRSA", />/ "issuer" : "CN=invalid2.invalid, OU="No SNI
>>> provided; />/please fix your client."", />/ "not before" : "2015-01-01 11:00:00.000 AEDT", />/ "not after" : "2030-01-01 11:00:00.000 AEDT", />/ "subject" : "CN=invalid2.invalid, OU="No SNI
>>> provided; />/please fix your client."",/
>>> //
>>> This certificate simply masks the TLS interoperability issue
>>> as an untrusted certificate issue.
>>> The fact is, some of the extensions sent by JSSE are changes
>>> to TLS 1.2 to support TLS 1.3, this however affects some
>>> clients adversely in practice and usually JDK provides
>>> properties to turn new enhancements off and work around such
>>> behaviour, for the extensions I mentioned this is not
>>> provided and hence they are always sent for client sockets
>>> unless TLSv1.2 is not in use.
>>>
>>> The impact to us is that upgrading to JDK11 means for some
>>> endpoints or devices that are not 100% compliant to the spec
>>> the security is reduced as we have to now work around to
>>> drop connections to these to TLSv1.1 or TLS1.0 or not to
>>> move to Java 11 at all.
>>> My request is simply to have all of the new extensions
>>> configurable on individual basis so that they can be turned
>>> off if needed for compatibility just like most other
>>> security enhancements that were delivered in the past.
>>> It appears some of the issues can come from
>>>
>>> - inclusion of RSASSA-PSS alg in TLS 1.2 handshakes but
>>> these can disabled at least
>>>
>>> -signature_algorithms_cert and supported_versions extensions
>>> which seem to be hardcoded for TLS 1.2 (I was not able to
>>> conclusively identify which of these caused my troubles)
>>>
>>> https://tools.ietf.org/html/rfc8446#section-1.3 does say
>>> that TLS 1.2 clients are affected but in an optional
>>> manner.Just today I've encountered another Java 11 interop
>>> issue with TLS but this time with a physical device which
>>> can have a long shelf life yet running a simple client
>>> socket handshake abruptly terminates the connection upon
>>> client hello (no server_hello at all), and downgrading the
>>> JRE below 11 works fine. I'm including a trace for that as
>>> well: javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.395
>>> AEDT|SSLCipher.java:437|jdk.tls.keyLimits: entry =
>>> AES/GCM/NoPadding KeyUpdate 2^37.
>>> AES/GCM/NOPADDING:KEYUPDATE = 137438953472
>>>
>>> javax.net.ssl|WARNING|01|main|2019-01-08 13:40:14.433
>>> AEDT|ServerNameExtension.java:255|Unable to indicate server name
>>>
>>> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.433
>>> AEDT|SSLExtensions.java:235|Ignore, context unavailable
>>> extension: server_name
>>>
>>> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.433
>>> AEDT|SSLExtensions.java:235|Ignore, context unavailable
>>> extension: status_request
>>>
>>> javax.net.ssl|WARNING|01|main|2019-01-08 13:40:14.443
>>> AEDT|SignatureScheme.java:282|Signature algorithm, ed25519,
>>> is not supported by the underlying providers
>>>
>>> javax.net.ssl|WARNING|01|main|2019-01-08 13:40:14.444
>>> AEDT|SignatureScheme.java:282|Signature algorithm, ed448, is
>>> not supported by the underlying providers
>>>
>>> javax.net.ssl|INFO|01|main|2019-01-08 13:40:14.449
>>> AEDT|AlpnExtension.java:161|No available application protocols
>>>
>>> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.449
>>> AEDT|SSLExtensions.java:235|Ignore, context unavailable
>>> extension: application_layer_protocol_negotiation
>>>
>>> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.450
>>> AEDT|SSLExtensions.java:235|Ignore, context unavailable
>>> extension: status_request_v2
>>>
>>> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.453
>>> AEDT|ClientHello.java:651|Produced ClientHello handshake
>>> message (
>>>
>>> "ClientHello": {
>>>
>>> "client version" : "TLSv1.2",
>>>
>>> "random" : "1A BA E8 FC 59 00 AB DF 9A 1A 07
>>> 94 24 7F 34 3D 0B D2 7D 10 72 52 54 CD 44 43 62 E8 8B 42 C6 68",
>>>
>>> "session id" : "",
>>>
>>> "cipher suites" :
>>> "[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023),
>>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027),
>>> TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C),
>>> TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029),
>>> TLS_RSA_WITH_AES_128_CBC_SHA(0x002F)]",
>>>
>>> "compression methods" : "00",
>>>
>>> "extensions" : [
>>>
>>> "supported_groups (10)": {
>>>
>>> "versions": [secp256r1, secp384r1, secp521r1, secp160k1]
>>>
>>> },
>>>
>>> "ec_point_formats (11)": {
>>>
>>> "formats": [uncompressed]
>>>
>>> },
>>>
>>> "signature_algorithms (13)": {
>>>
>>> "signature schemes": [ecdsa_secp256r1_sha256,
>>> ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512,
>>> rsa_pss_rsae_sha256, rsa_pss_rsae_sha384,
>>> rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384,
>>> rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384,
>>> rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224,
>>> dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1, rsa_md5]
>>>
>>> },
>>>
>>> "signature_algorithms_cert (50)": {
>>>
>>> "signature schemes": [ecdsa_secp256r1_sha256,
>>> ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512,
>>> rsa_pss_rsae_sha256, rsa_pss_rsae_sha384,
>>> rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384,
>>> rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384,
>>> rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224,
>>> dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1, rsa_md5]
>>>
>>> },
>>>
>>> "extended_master_secret (23)": {
>>>
>>> <empty>
>>>
>>> },
>>>
>>> "supported_versions (43)": {
>>>
>>> "versions": [TLSv1.2, TLSv1.1]
>>>
>>> },
>>>
>>> "renegotiation_info (65,281)": {
>>>
>>> "renegotiated connection": [<no renegotiated connection>]
>>>
>>> }
>>>
>>> ]
>>>
>>> }
>>>
>>> )
>>>
>>> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.455
>>> AEDT|Alert.java:232|Received alert message (
>>>
>>> "Alert": {
>>>
>>> "level" : "fatal",
>>>
>>> "description": "handshake_failure"
>>>
>>> }
>>>
>>> )
>>>
>>> javax.net.ssl|ERROR|01|main|2019-01-08 13:40:14.456
>>> AEDT|TransportContext.java:313|Fatal (HANDSHAKE_FAILURE):
>>> Received fatal alert: handshake_failure (
>>>
>>> "throwable" : {
>>>
>>> javax.net.ssl.SSLHandshakeException: Received fatal alert:
>>> handshake_failure
>>>
>>> at
>>> java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
>>>
>>> at
>>> java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
>>>
>>> at
>>> java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
>>>
>>> at
>>> java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:279)
>>>
>>> at
>>> java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:181)
>>>
>>> at
>>> java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
>>>
>>> at
>>> java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
>>>
>>> at
>>> java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
>>>
>>> at
>>> java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
>>>
>>> at SslSocketClient.main(SslSocketClient.kt:47)}
>>>
>>>
>>> )
>>>
>>> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.457
>>> AEDT|SSLSocketImpl.java:1361|close the underlying socket
>>>
>>> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.457
>>> AEDT|SSLSocketImpl.java:1380|close the SSL connection
>>> (initiative)
>>>
>>> Exception in thread "main"
>>> javax.net.ssl.SSLHandshakeException: Received fatal alert:
>>> handshake_failure
>>>
>>> at
>>> java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
>>>
>>> at
>>> java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
>>>
>>> at
>>> java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
>>>
>>> at
>>> java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:279)
>>>
>>> at
>>> java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:181)
>>>
>>> at
>>> java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
>>>
>>> at
>>> java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
>>>
>>> at
>>> java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
>>>
>>> at
>>> java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
>>>
>>> at SslSocketClient.main(SslSocketClient.kt:47)
>>>
>>>
>>>
>>>
>>> I've sent my reply earlier but neither got it posted nor
>>> denied notification so trying again.
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20190121/4e26688a/attachment.htm>
More information about the security-dev
mailing list