Not possible to disable new TLS extensions for TLS 1.2 connections

Xuelei Fan xuelei.fan at oracle.com
Tue Jan 22 01:53:27 UTC 2019


On 1/21/2019 1:29 PM, Amir Khassaia wrote:
> Thanks Xuelei,
> Do you mean to create an RFE at openjdk https://bugs.openjdk.java.net/ ?
>
Yes, if you have an OpenJDK account.  Otherwise, please use 
bugreport.java.com

Thanks,

Xuelei

>
>
> On Tue, Jan 22, 2019 at 5:02 AM Xuelei Fan <xuelei.fan at oracle.com 
> <mailto:xuelei.fan at oracle.com>> wrote:
>
>     Hi Amir,
>
>     I can see the problem for incompatible impl.  Would you mind
>     submitting an OpenJDK enhancement for a workaround?
>
>     Thanks & Regards,
>
>     Xuelei
>
>     On 1/20/2019 4:10 PM, Amir Khassaia wrote:
>>     Xuelei,
>>
>>     I have a sample socket client for the device TLS issue, but it's
>>     not very helpful, as any socket client created on top of the JDK
>>     will do; the last problem was apparent only when talking to a
>>     specific hardware device which refused to negotiate a TLS session
>>     (I've seen several odd TLS implementations that were intolerant
>>     to Java changes in various ways over the years, and compatibility
>>     could always be assured through config changes; this time around,
>>     less so).
>>
>>     Some of the hardware TLS stacks can range from small oddities to
>>     being completely broken by small changes, as they can contain
>>     outdated and poorly implemented TLS stacks that are very
>>     sensitive, so even a small change can break them; that's why it's
>>     always important to have levers provided to control almost every
>>     aspect of the handshake.
>>
>>     I have a sample in my gist
>>     (https://gist.github.com/amir-khassaia/04347ca88526f4b958b3326968a905c0);
>>     apologies, it's in Kotlin. When run with Java 8, 9 and 10 there
>>     were no issues. With Java 11 this worked on most devices, but I've
>>     had a device at a remote location that was not in my control on
>>     which I've had to diagnose the handshake failure using Java 11: it
>>     was intolerant to the TLS 1.2 client hello from Java 11 but fine
>>     with TLS 1.1, as the new extensions are not present. It would be
>>     fine with the TLS 1.2 client hello from Java 10 and earlier, as I
>>     mentioned.
>>
>>     Javax.net.debug output
>>     -------------------------------
>>     javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.395
>>     AEDT|SSLCipher.java:437|jdk.tls.keyLimits:  entry =
>>     AES/GCM/NoPadding KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE =
>>     137438953472
>>     javax.net.ssl|WARNING|01|main|2019-01-08 13:40:14.433
>>     AEDT|ServerNameExtension.java:255|Unable to indicate server name
>>     javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.433
>>     AEDT|SSLExtensions.java:235|Ignore, context unavailable
>>     extension: server_name
>>     javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.433
>>     AEDT|SSLExtensions.java:235|Ignore, context unavailable
>>     extension: status_request
>>     javax.net.ssl|WARNING|01|main|2019-01-08 13:40:14.443
>>     AEDT|SignatureScheme.java:282|Signature algorithm, ed25519, is
>>     not supported by the underlying providers
>>     javax.net.ssl|WARNING|01|main|2019-01-08 13:40:14.444
>>     AEDT|SignatureScheme.java:282|Signature algorithm, ed448, is not
>>     supported by the underlying providers
>>     javax.net.ssl|INFO|01|main|2019-01-08 13:40:14.449
>>     AEDT|AlpnExtension.java:161|No available application protocols
>>     javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.449
>>     AEDT|SSLExtensions.java:235|Ignore, context unavailable
>>     extension: application_layer_protocol_negotiation
>>     javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.450
>>     AEDT|SSLExtensions.java:235|Ignore, context unavailable
>>     extension: status_request_v2
>>     javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.453
>>     AEDT|ClientHello.java:651|Produced ClientHello handshake message (
>>     "ClientHello": {
>>       "client version"      : "TLSv1.2",
>>       "random"              : "1A BA E8 FC 59 00 AB DF 9A 1A 07 94 24
>>     7F 34 3D 0B D2 7D 10 72 52 54 CD 44 43 62 E8 8B 42 C6 68",
>>       "session id"          : "",
>>       "cipher suites"       :
>>     "[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023),
>>     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027),
>>     TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C),
>>     TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029),
>>     TLS_RSA_WITH_AES_128_CBC_SHA(0x002F)]",
>>       "compression methods" : "00",
>>       "extensions"          : [
>>         "supported_groups (10)": {
>>           "versions": [secp256r1, secp384r1, secp521r1, secp160k1]
>>         },
>>         "ec_point_formats (11)": {
>>           "formats": [uncompressed]
>>         },
>>         "signature_algorithms (13)": {
>>           "signature schemes": [ecdsa_secp256r1_sha256,
>>     ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512,
>>     rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512,
>>     rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512,
>>     rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256,
>>     ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1,
>>     dsa_sha1, rsa_md5]
>>         },
>>         "signature_algorithms_cert (50)": {
>>           "signature schemes": [ecdsa_secp256r1_sha256,
>>     ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512,
>>     rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512,
>>     rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512,
>>     rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256,
>>     ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1,
>>     dsa_sha1, rsa_md5]
>>         },
>>         "extended_master_secret (23)": {
>>           <empty>
>>         },
>>         "supported_versions (43)": {
>>           "versions": [TLSv1.2, TLSv1.1]
>>         },
>>         "renegotiation_info (65,281)": {
>>           "renegotiated connection": [<no renegotiated connection>]
>>         }
>>       ]
>>     }
>>     )
>>     javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.455
>>     AEDT|Alert.java:232|Received alert message (
>>     "Alert": {
>>       "level"      : "fatal",
>>       "description": "handshake_failure"
>>     }
>>     )
>>     javax.net.ssl|ERROR|01|main|2019-01-08 13:40:14.456
>>     AEDT|TransportContext.java:313|Fatal (HANDSHAKE_FAILURE):
>>     Received fatal alert: handshake_failure (
>>     "throwable" : {
>>       javax.net.ssl.SSLHandshakeException: Received fatal alert:
>>     handshake_failure
>>       at
>>     java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
>>       at
>>     java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
>>       at
>>     java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
>>       at
>>     java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:279)
>>       at
>>     java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:181)
>>       at
>>     java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
>>       at
>>     java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
>>       at
>>     java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
>>       at
>>     java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
>>       at SslSocketClient.main(SslSocketClient.kt:47)}
>>
>>     )
>>     javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.457
>>     AEDT|SSLSocketImpl.java:1361|close the underlying socket
>>     javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.457
>>     AEDT|SSLSocketImpl.java:1380|close the SSL connection (initiative)
>>     Exception in thread "main" javax.net.ssl.SSLHandshakeException:
>>     Received fatal alert: handshake_failure
>>     at
>>     java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
>>     at
>>     java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
>>     at
>>     java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
>>     at
>>     java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:279)
>>     at
>>     java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:181)
>>     at
>>     java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
>>     at
>>     java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
>>     at
>>     java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
>>     at
>>     java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
>>     at SslSocketClient.main(SslSocketClient.kt:47)
>>
>>
>>
>>
>>     Wireshark TLS 1.2 Java 8 client hello
>>     -------------------------------------------------
>>     Secure Sockets Layer
>>         TLSv1.2 Record Layer: Handshake Protocol: Client Hello
>>             Content Type: Handshake (22)
>>             Version: TLS 1.2 (0x0303)
>>             Length: 157
>>             Handshake Protocol: Client Hello
>>                 Handshake Type: Client Hello (1)
>>                 Length: 153
>>                 Version: TLS 1.2 (0x0303)
>>                 Random:
>>     5c34044c709feae39585e4db8e41b0170fbf9fa428b38941...
>>                     GMT Unix Time: Jan 8, 2019 13:00:44.000000000 AUS
>>     Eastern Daylight Time
>>                     Random Bytes:
>>     709feae39585e4db8e41b0170fbf9fa428b38941983ddb53...
>>                 Session ID Length: 0
>>                 Cipher Suites Length: 44
>>                 Cipher Suites (22 suites)
>>                     Cipher Suite:
>>     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
>>                     Cipher Suite:
>>     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
>>                     Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256
>>     (0x003c)
>>                     Cipher Suite:
>>     TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025)
>>                     Cipher Suite:
>>     TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029)
>>                     Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
>>     (0x0067)
>>                     Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
>>     (0x0040)
>>                     Cipher Suite:
>>     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
>>                     Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>>     (0xc013)
>>                     Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
>>                     Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
>>     (0xc004)
>>                     Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
>>     (0xc00e)
>>                     Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
>>     (0x0033)
>>                     Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
>>     (0x0032)
>>                     Cipher Suite:
>>     TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
>>                     Cipher Suite:
>>     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
>>                     Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256
>>     (0x009c)
>>                     Cipher Suite:
>>     TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02d)
>>                     Cipher Suite:
>>     TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031)
>>                     Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
>>     (0x009e)
>>                     Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
>>     (0x00a2)
>>                     Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
>>     (0x00ff)
>>                 Compression Methods Length: 1
>>                 Compression Methods (1 method)
>>                     Compression Method: null (0)
>>                 Extensions Length: 68
>>                 Extension: supported_groups (len=22)
>>                     Type: supported_groups (10)
>>                     Length: 22
>>                     Supported Groups List Length: 20
>>                     Supported Groups (10 groups)
>>                         Supported Group: secp256r1 (0x0017)
>>                         Supported Group: secp384r1 (0x0018)
>>                         Supported Group: secp521r1 (0x0019)
>>                         Supported Group: sect283k1 (0x0009)
>>                         Supported Group: sect283r1 (0x000a)
>>                         Supported Group: sect409k1 (0x000b)
>>                         Supported Group: sect409r1 (0x000c)
>>                         Supported Group: sect571k1 (0x000d)
>>                         Supported Group: sect571r1 (0x000e)
>>                         Supported Group: secp256k1 (0x0016)
>>                 Extension: ec_point_formats (len=2)
>>                     Type: ec_point_formats (11)
>>                     Length: 2
>>                     EC point formats Length: 1
>>                     Elliptic curves point formats (1)
>>                         EC point format: uncompressed (0)
>>                 Extension: signature_algorithms (len=28)
>>                     Type: signature_algorithms (13)
>>                     Length: 28
>>                     Signature Hash Algorithms Length: 26
>>                     Signature Hash Algorithms (13 algorithms)
>>                         Signature Algorithm: ecdsa_secp521r1_sha512
>>     (0x0603)
>>                             Signature Hash Algorithm Hash: SHA512 (6)
>>                             Signature Hash Algorithm Signature: ECDSA (3)
>>                         Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
>>                             Signature Hash Algorithm Hash: SHA512 (6)
>>                             Signature Hash Algorithm Signature: RSA (1)
>>                         Signature Algorithm: ecdsa_secp384r1_sha384
>>     (0x0503)
>>                             Signature Hash Algorithm Hash: SHA384 (5)
>>                             Signature Hash Algorithm Signature: ECDSA (3)
>>                         Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
>>                             Signature Hash Algorithm Hash: SHA384 (5)
>>                             Signature Hash Algorithm Signature: RSA (1)
>>                         Signature Algorithm: ecdsa_secp256r1_sha256
>>     (0x0403)
>>                             Signature Hash Algorithm Hash: SHA256 (4)
>>                             Signature Hash Algorithm Signature: ECDSA (3)
>>                         Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
>>                             Signature Hash Algorithm Hash: SHA256 (4)
>>                             Signature Hash Algorithm Signature: RSA (1)
>>                         Signature Algorithm: SHA256 DSA (0x0402)
>>                             Signature Hash Algorithm Hash: SHA256 (4)
>>                             Signature Hash Algorithm Signature: DSA (2)
>>                         Signature Algorithm: SHA224 ECDSA (0x0303)
>>                             Signature Hash Algorithm Hash: SHA224 (3)
>>                             Signature Hash Algorithm Signature: ECDSA (3)
>>                         Signature Algorithm: SHA224 RSA (0x0301)
>>                             Signature Hash Algorithm Hash: SHA224 (3)
>>                             Signature Hash Algorithm Signature: RSA (1)
>>                         Signature Algorithm: SHA224 DSA (0x0302)
>>                             Signature Hash Algorithm Hash: SHA224 (3)
>>                             Signature Hash Algorithm Signature: DSA (2)
>>                         Signature Algorithm: ecdsa_sha1 (0x0203)
>>                             Signature Hash Algorithm Hash: SHA1 (2)
>>                             Signature Hash Algorithm Signature: ECDSA (3)
>>                         Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
>>                             Signature Hash Algorithm Hash: SHA1 (2)
>>                             Signature Hash Algorithm Signature: RSA (1)
>>                         Signature Algorithm: SHA1 DSA (0x0202)
>>                             Signature Hash Algorithm Hash: SHA1 (2)
>>                             Signature Hash Algorithm Signature: DSA (2)
>>                 Extension: extended_master_secret (len=0)
>>                     Type: extended_master_secret (23)
>>                     Length: 0
>>
>>
>>
>>     Wireshark Java 11 TLS 1.2 Client hello
>>     ----------------------------------------------------
>>     Secure Sockets Layer
>>         TLSv1.2 Record Layer: Handshake Protocol: Client Hello
>>             Content Type: Handshake (22)
>>             Version: TLS 1.2 (0x0303)
>>             Length: 185
>>             Handshake Protocol: Client Hello
>>                 Handshake Type: Client Hello (1)
>>                 Length: 181
>>                 Version: TLS 1.2 (0x0303)
>>                 Random:
>>     37f32691301b6b9d45bb62c6268915819881b8ebd95f152c...
>>                     GMT Unix Time: Sep 30, 1999 19:00:01.000000000
>>     AUS Eastern Standard Time
>>                     Random Bytes:
>>     301b6b9d45bb62c6268915819881b8ebd95f152c41c7e483...
>>                 Session ID Length: 0
>>                 Cipher Suites Length: 10
>>                 Cipher Suites (5 suites)
>>                     Cipher Suite:
>>     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
>>                     Cipher Suite:
>>     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
>>                     Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256
>>     (0x003c)
>>                     Cipher Suite:
>>     TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029)
>>                     Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
>>                 Compression Methods Length: 1
>>                 Compression Methods (1 method)
>>                     Compression Method: null (0)
>>                 Extensions Length: 130
>>                 Extension: supported_groups (len=10)
>>                     Type: supported_groups (10)
>>                     Length: 10
>>                     Supported Groups List Length: 8
>>                     Supported Groups (4 groups)
>>                         Supported Group: secp256r1 (0x0017)
>>                         Supported Group: secp384r1 (0x0018)
>>                         Supported Group: secp521r1 (0x0019)
>>                         Supported Group: secp160k1 (0x000f)
>>                 Extension: ec_point_formats (len=2)
>>                     Type: ec_point_formats (11)
>>                     Length: 2
>>                     EC point formats Length: 1
>>                     Elliptic curves point formats (1)
>>                         EC point format: uncompressed (0)
>>                 Extension: signature_algorithms (len=42)
>>                     Type: signature_algorithms (13)
>>                     Length: 42
>>                     Signature Hash Algorithms Length: 40
>>                     Signature Hash Algorithms (20 algorithms)
>>                         Signature Algorithm: ecdsa_secp256r1_sha256
>>     (0x0403)
>>                             Signature Hash Algorithm Hash: SHA256 (4)
>>                             Signature Hash Algorithm Signature: ECDSA (3)
>>                         Signature Algorithm: ecdsa_secp384r1_sha384
>>     (0x0503)
>>                             Signature Hash Algorithm Hash: SHA384 (5)
>>                             Signature Hash Algorithm Signature: ECDSA (3)
>>                         Signature Algorithm: ecdsa_secp521r1_sha512
>>     (0x0603)
>>                             Signature Hash Algorithm Hash: SHA512 (6)
>>                             Signature Hash Algorithm Signature: ECDSA (3)
>>                         Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
>>                             Signature Hash Algorithm Hash: Unknown (8)
>>                             Signature Hash Algorithm Signature:
>>     Unknown (4)
>>                         Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)
>>                             Signature Hash Algorithm Hash: Unknown (8)
>>                             Signature Hash Algorithm Signature:
>>     Unknown (5)
>>                         Signature Algorithm: rsa_pss_rsae_sha512 (0x0806)
>>                             Signature Hash Algorithm Hash: Unknown (8)
>>                             Signature Hash Algorithm Signature:
>>     Unknown (6)
>>                         Signature Algorithm: rsa_pss_pss_sha256 (0x0809)
>>                             Signature Hash Algorithm Hash: Unknown (8)
>>                             Signature Hash Algorithm Signature:
>>     Unknown (9)
>>                         Signature Algorithm: rsa_pss_pss_sha384 (0x080a)
>>                             Signature Hash Algorithm Hash: Unknown (8)
>>                             Signature Hash Algorithm Signature:
>>     Unknown (10)
>>                         Signature Algorithm: rsa_pss_pss_sha512 (0x080b)
>>                             Signature Hash Algorithm Hash: Unknown (8)
>>                             Signature Hash Algorithm Signature:
>>     Unknown (11)
>>                         Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
>>                             Signature Hash Algorithm Hash: SHA256 (4)
>>                             Signature Hash Algorithm Signature: RSA (1)
>>                         Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
>>                             Signature Hash Algorithm Hash: SHA384 (5)
>>                             Signature Hash Algorithm Signature: RSA (1)
>>                         Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
>>                             Signature Hash Algorithm Hash: SHA512 (6)
>>                             Signature Hash Algorithm Signature: RSA (1)
>>                         Signature Algorithm: SHA256 DSA (0x0402)
>>                             Signature Hash Algorithm Hash: SHA256 (4)
>>                             Signature Hash Algorithm Signature: DSA (2)
>>                         Signature Algorithm: SHA224 ECDSA (0x0303)
>>                             Signature Hash Algorithm Hash: SHA224 (3)
>>                             Signature Hash Algorithm Signature: ECDSA (3)
>>                         Signature Algorithm: SHA224 RSA (0x0301)
>>                             Signature Hash Algorithm Hash: SHA224 (3)
>>                             Signature Hash Algorithm Signature: RSA (1)
>>                         Signature Algorithm: SHA224 DSA (0x0302)
>>                             Signature Hash Algorithm Hash: SHA224 (3)
>>                             Signature Hash Algorithm Signature: DSA (2)
>>                         Signature Algorithm: ecdsa_sha1 (0x0203)
>>                             Signature Hash Algorithm Hash: SHA1 (2)
>>                             Signature Hash Algorithm Signature: ECDSA (3)
>>                         Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
>>                             Signature Hash Algorithm Hash: SHA1 (2)
>>                             Signature Hash Algorithm Signature: RSA (1)
>>                         Signature Algorithm: SHA1 DSA (0x0202)
>>                             Signature Hash Algorithm Hash: SHA1 (2)
>>                             Signature Hash Algorithm Signature: DSA (2)
>>                         Signature Algorithm: MD5 RSA (0x0101)
>>                             Signature Hash Algorithm Hash: MD5 (1)
>>                             Signature Hash Algorithm Signature: RSA (1)
>>                 Extension: signature_algorithms_cert (len=42)
>>                     Type: signature_algorithms_cert (50)
>>                     Length: 42
>>                     Signature Hash Algorithms Length: 40
>>                     Signature Hash Algorithms (20 algorithms)
>>                         Signature Algorithm: ecdsa_secp256r1_sha256
>>     (0x0403)
>>                             Signature Hash Algorithm Hash: SHA256 (4)
>>                             Signature Hash Algorithm Signature: ECDSA (3)
>>                         Signature Algorithm: ecdsa_secp384r1_sha384
>>     (0x0503)
>>                             Signature Hash Algorithm Hash: SHA384 (5)
>>                             Signature Hash Algorithm Signature: ECDSA (3)
>>                         Signature Algorithm: ecdsa_secp521r1_sha512
>>     (0x0603)
>>                             Signature Hash Algorithm Hash: SHA512 (6)
>>                             Signature Hash Algorithm Signature: ECDSA (3)
>>                         Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
>>                             Signature Hash Algorithm Hash: Unknown (8)
>>                             Signature Hash Algorithm Signature:
>>     Unknown (4)
>>                         Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)
>>                             Signature Hash Algorithm Hash: Unknown (8)
>>                             Signature Hash Algorithm Signature:
>>     Unknown (5)
>>                         Signature Algorithm: rsa_pss_rsae_sha512 (0x0806)
>>                             Signature Hash Algorithm Hash: Unknown (8)
>>                             Signature Hash Algorithm Signature:
>>     Unknown (6)
>>                         Signature Algorithm: rsa_pss_pss_sha256 (0x0809)
>>                             Signature Hash Algorithm Hash: Unknown (8)
>>                             Signature Hash Algorithm Signature:
>>     Unknown (9)
>>                         Signature Algorithm: rsa_pss_pss_sha384 (0x080a)
>>                             Signature Hash Algorithm Hash: Unknown (8)
>>                             Signature Hash Algorithm Signature:
>>     Unknown (10)
>>                         Signature Algorithm: rsa_pss_pss_sha512 (0x080b)
>>                             Signature Hash Algorithm Hash: Unknown (8)
>>                             Signature Hash Algorithm Signature:
>>     Unknown (11)
>>                         Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
>>                             Signature Hash Algorithm Hash: SHA256 (4)
>>                             Signature Hash Algorithm Signature: RSA (1)
>>                         Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
>>                             Signature Hash Algorithm Hash: SHA384 (5)
>>                             Signature Hash Algorithm Signature: RSA (1)
>>                         Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
>>                             Signature Hash Algorithm Hash: SHA512 (6)
>>                             Signature Hash Algorithm Signature: RSA (1)
>>                         Signature Algorithm: SHA256 DSA (0x0402)
>>                             Signature Hash Algorithm Hash: SHA256 (4)
>>                             Signature Hash Algorithm Signature: DSA (2)
>>                         Signature Algorithm: SHA224 ECDSA (0x0303)
>>                             Signature Hash Algorithm Hash: SHA224 (3)
>>                             Signature Hash Algorithm Signature: ECDSA (3)
>>                         Signature Algorithm: SHA224 RSA (0x0301)
>>                             Signature Hash Algorithm Hash: SHA224 (3)
>>                             Signature Hash Algorithm Signature: RSA (1)
>>                         Signature Algorithm: SHA224 DSA (0x0302)
>>                             Signature Hash Algorithm Hash: SHA224 (3)
>>                             Signature Hash Algorithm Signature: DSA (2)
>>                         Signature Algorithm: ecdsa_sha1 (0x0203)
>>                             Signature Hash Algorithm Hash: SHA1 (2)
>>                             Signature Hash Algorithm Signature: ECDSA (3)
>>                         Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
>>                             Signature Hash Algorithm Hash: SHA1 (2)
>>                             Signature Hash Algorithm Signature: RSA (1)
>>                         Signature Algorithm: SHA1 DSA (0x0202)
>>                             Signature Hash Algorithm Hash: SHA1 (2)
>>                             Signature Hash Algorithm Signature: DSA (2)
>>                         Signature Algorithm: MD5 RSA (0x0101)
>>                             Signature Hash Algorithm Hash: MD5 (1)
>>                             Signature Hash Algorithm Signature: RSA (1)
>>                 Extension: extended_master_secret (len=0)
>>                     Type: extended_master_secret (23)
>>                     Length: 0
>>                 Extension: supported_versions (len=5)
>>                     Type: supported_versions (43)
>>                     Length: 5
>>                     Supported Versions length: 4
>>                     Supported Version: TLS 1.2 (0x0303)
>>                     Supported Version: TLS 1.1 (0x0302)
>>                 Extension: renegotiation_info (len=1)
>>                     Type: renegotiation_info (65281)
>>                     Length: 1
>>                     Renegotiation Info extension
>>                         Renegotiation info extension length: 0
>>
>>
>>
>>
>>
>>
>>     On Mon, Jan 21, 2019 at 10:37 AM Xuelei Fan
>>     <xuelei.fan at oracle.com <mailto:xuelei.fan at oracle.com>> wrote:
>>
>>         Hi Amir,
>>
>>         Normally, the extension should have no impact if it cannot be
>>         recognized by the server.   It's good to be able to disable
>>         extensions if not needed. I need to evaluate the priority of
>>         it, though. Do you have simple test code with which I can
>>         reproduce the issue?
>>
>>         Thanks,
>>
>>         Xuelei
>>
>>         On 1/20/2019 3:03 PM, Amir Khassaia wrote:
>>>         Greetings Xuelei,
>>>         To follow up on this, the certificate in the connection is a
>>>         red herring and not important. It's actually very unusual
>>>         behaviour by the talk.google.com
>>>         <http://talk.google.com/> endpoint to encapsulate an error
>>>         message inside a certificate.
>>>
>>>         As per the output I included:
>>>         "certificate" : {
>>>           "version"            : "v3",
>>>           "serial number"      : "00 90 76 89 18 E9 33 93 A0",
>>>           "signature algorithm": "SHA256withRSA",
>>>           "issuer"             : "CN=invalid2.invalid, OU="No SNI provided; please fix your client."",
>>>           "not before"         : "2015-01-01 11:00:00.000 AEDT",
>>>           "not  after"         : "2030-01-01 11:00:00.000 AEDT",
>>>           "subject"            : "CN=invalid2.invalid, OU="No SNI provided; please fix your client."",
>>>
>>>         This certificate simply masks the TLS interoperability issue
>>>         as an untrusted certificate issue.
>>>         The fact is, some of the extensions sent by JSSE are changes
>>>         to TLS 1.2 to support TLS 1.3; this, however, affects some
>>>         clients adversely in practice, and usually the JDK provides
>>>         properties to turn new enhancements off and work around such
>>>         behaviour. For the extensions I mentioned this is not
>>>         provided, and hence they are always sent for client sockets
>>>         unless TLSv1.2 is not in use.
>>>
>>>         The impact to us is that upgrading to JDK 11 means that, for
>>>         some endpoints or devices that are not 100% compliant to the
>>>         spec, security is reduced, as we now have to work around it
>>>         by dropping connections to these to TLSv1.1 or TLSv1.0, or
>>>         not move to Java 11 at all.
>>>         My request is simply to have all of the new extensions
>>>         configurable on an individual basis so that they can be
>>>         turned off if needed for compatibility, just like most other
>>>         security enhancements that were delivered in the past.
>>>         It appears some of the issues can come from
>>>
>>>         - inclusion of the RSASSA-PSS algorithms in TLS 1.2
>>>         handshakes, but these can be disabled at least
>>>
>>>         - signature_algorithms_cert and supported_versions extensions,
>>>         which seem to be hardcoded for TLS 1.2 (I was not able to
>>>         conclusively identify which of these caused my troubles)
>>>
>>>         https://tools.ietf.org/html/rfc8446#section-1.3 does say
>>>         that TLS 1.2 clients are affected, but in an optional
>>>         manner.
>>>
>>>         Just today I've encountered another Java 11 interop
>>>         issue with TLS, but this time with a physical device which
>>>         can have a long shelf life. Running a simple client
>>>         socket handshake abruptly terminates the connection upon
>>>         client hello (no server_hello at all), and downgrading the
>>>         JRE below 11 works fine. I'm including a trace for that as
>>>         well:
>>>
>>>         javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.395 AEDT|SSLCipher.java:437|jdk.tls.keyLimits:  entry = AES/GCM/NoPadding KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472
>>>
>>>         javax.net.ssl|WARNING|01|main|2019-01-08 13:40:14.433 AEDT|ServerNameExtension.java:255|Unable to indicate server name
>>>         javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.433 AEDT|SSLExtensions.java:235|Ignore, context unavailable extension: server_name
>>>         javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.433 AEDT|SSLExtensions.java:235|Ignore, context unavailable extension: status_request
>>>         javax.net.ssl|WARNING|01|main|2019-01-08 13:40:14.443 AEDT|SignatureScheme.java:282|Signature algorithm, ed25519, is not supported by the underlying providers
>>>         javax.net.ssl|WARNING|01|main|2019-01-08 13:40:14.444 AEDT|SignatureScheme.java:282|Signature algorithm, ed448, is not supported by the underlying providers
>>>         javax.net.ssl|INFO|01|main|2019-01-08 13:40:14.449 AEDT|AlpnExtension.java:161|No available application protocols
>>>         javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.449 AEDT|SSLExtensions.java:235|Ignore, context unavailable extension: application_layer_protocol_negotiation
>>>         javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.450 AEDT|SSLExtensions.java:235|Ignore, context unavailable extension: status_request_v2
>>>         javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.453 AEDT|ClientHello.java:651|Produced ClientHello handshake message (
>>>         "ClientHello": {
>>>           "client version"      : "TLSv1.2",
>>>           "random"              : "1A BA E8 FC 59 00 AB DF 9A 1A 07 94 24 7F 34 3D 0B D2 7D 10 72 52 54 CD 44 43 62 E8 8B 42 C6 68",
>>>           "session id"          : "",
>>>           "cipher suites"       : "[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023),
>>>                                     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027),
>>>                                     TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C),
>>>                                     TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029),
>>>                                     TLS_RSA_WITH_AES_128_CBC_SHA(0x002F)]",
>>>           "compression methods" : "00",
>>>           "extensions"          : [
>>>             "supported_groups (10)": {
>>>               "versions": [secp256r1, secp384r1, secp521r1, secp160k1]
>>>             },
>>>             "ec_point_formats (11)": {
>>>               "formats": [uncompressed]
>>>             },
>>>             "signature_algorithms (13)": {
>>>               "signature schemes": [ecdsa_secp256r1_sha256,
>>>                 ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512,
>>>                 rsa_pss_rsae_sha256, rsa_pss_rsae_sha384,
>>>                 rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384,
>>>                 rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384,
>>>                 rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224,
>>>                 dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1, rsa_md5]
>>>             },
>>>             "signature_algorithms_cert (50)": {
>>>               "signature schemes": [ecdsa_secp256r1_sha256,
>>>                 ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512,
>>>                 rsa_pss_rsae_sha256, rsa_pss_rsae_sha384,
>>>                 rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384,
>>>                 rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384,
>>>                 rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224,
>>>                 dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1, rsa_md5]
>>>             },
>>>             "extended_master_secret (23)": {
>>>               <empty>
>>>             },
>>>             "supported_versions (43)": {
>>>               "versions": [TLSv1.2, TLSv1.1]
>>>             },
>>>             "renegotiation_info (65,281)": {
>>>               "renegotiated connection": [<no renegotiated connection>]
>>>             }
>>>           ]
>>>         }
>>>         )
>>>
>>>         javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.455 AEDT|Alert.java:232|Received alert message (
>>>         "Alert": {
>>>           "level"      : "fatal",
>>>           "description": "handshake_failure"
>>>         }
>>>         )
>>>         javax.net.ssl|ERROR|01|main|2019-01-08 13:40:14.456 AEDT|TransportContext.java:313|Fatal (HANDSHAKE_FAILURE): Received fatal alert: handshake_failure (
>>>         "throwable" : {
>>>           javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
>>>             at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
>>>             at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
>>>             at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
>>>             at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:279)
>>>             at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:181)
>>>             at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
>>>             at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
>>>             at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
>>>             at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
>>>             at SslSocketClient.main(SslSocketClient.kt:47)}
>>>         )
>>>         javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.457 AEDT|SSLSocketImpl.java:1361|close the underlying socket
>>>         javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.457 AEDT|SSLSocketImpl.java:1380|close the SSL connection (initiative)
>>>
>>>         Exception in thread "main" javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
>>>           at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
>>>           at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
>>>           at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
>>>           at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:279)
>>>           at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:181)
>>>           at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
>>>           at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
>>>           at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
>>>           at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
>>>           at SslSocketClient.main(SslSocketClient.kt:47)
>>>
>>>         I sent my reply earlier but neither got it posted nor
>>>         received a denial notification, so I'm trying again.
>>
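Amir writes above that he could not conclusively tell which of the new extensions the device chokes on, because JSSE offers no switch to drop them one at a time. The script below is an added example of how to do that bisection outside the JDK; it is not code from this thread, from the Kotlin gist, or from JSSE. It hand-builds a TLS 1.2 ClientHello with the same cipher suites and extension order as the JDK 11 trace quoted above, lets you drop the RSASSA-PSS signature schemes, supported_versions or signature_algorithms_cert individually, sends each variant to a server, and reports whether the first thing back is a ServerHello, an alert, or a closed connection. The variant names, the signature-scheme subset (the trace also lists dsa/sha224/sha1/md5 entries that are omitted here) and the caller-supplied host and port are this example's own assumptions; it deliberately never completes a handshake.

```python
"""Bisect which TLS 1.2 ClientHello extension an intolerant server rejects.

Added example, not code from this thread or from JSSE; no full handshake is done.
"""
import os
import socket
import struct

EXT_SUPPORTED_GROUPS = 10  # IANA extension type codes (RFC 6066, 7627, 8446, 5746)
EXT_EC_POINT_FORMATS = 11
EXT_SIGNATURE_ALGORITHMS = 13
EXT_EXTENDED_MASTER_SECRET = 23
EXT_SUPPORTED_VERSIONS = 43
EXT_SIGNATURE_ALGORITHMS_CERT = 50
EXT_RENEGOTIATION_INFO = 0xFF01
CIPHER_SUITES = [0xC023, 0xC027, 0x003C, 0xC029, 0x002F]  # as offered in the trace above
# SignatureScheme codes (RFC 8446 4.2.3), a subset of the trace; 0x08xx are RSASSA-PSS.
SIG_SCHEMES_CLASSIC = [0x0403, 0x0503, 0x0603, 0x0401, 0x0501, 0x0601, 0x0201]
SIG_SCHEMES_PSS = [0x0804, 0x0805, 0x0806, 0x0809, 0x080A, 0x080B]

def _vec(body: bytes, width: int) -> bytes:
    """TLS vector: body prefixed with a big-endian length of `width` bytes."""
    return len(body).to_bytes(width, "big") + body

def _ext(ext_type: int, body: bytes) -> bytes:
    return struct.pack("!HH", ext_type, len(body)) + body

def build_extensions(include_pss=True, include_supported_versions=True,
                     include_sig_algs_cert=True) -> bytes:
    """Extensions in the order JSSE sent them; the JDK 11 additions are optional."""
    schemes = SIG_SCHEMES_CLASSIC + (SIG_SCHEMES_PSS if include_pss else [])
    schemes_body = _vec(b"".join(struct.pack("!H", s) for s in schemes), 2)
    exts = [
        _ext(EXT_SUPPORTED_GROUPS, _vec(struct.pack("!HHH", 23, 24, 25), 2)),  # secp256/384/521r1
        _ext(EXT_EC_POINT_FORMATS, _vec(b"\x00", 1)),  # uncompressed only
        _ext(EXT_SIGNATURE_ALGORITHMS, schemes_body),
    ]
    if include_sig_algs_cert:
        exts.append(_ext(EXT_SIGNATURE_ALGORITHMS_CERT, schemes_body))
    exts.append(_ext(EXT_EXTENDED_MASTER_SECRET, b""))
    if include_supported_versions:  # [TLSv1.2, TLSv1.1] as in the trace
        exts.append(_ext(EXT_SUPPORTED_VERSIONS, _vec(struct.pack("!HH", 0x0303, 0x0302), 1)))
    exts.append(_ext(EXT_RENEGOTIATION_INFO, _vec(b"", 1)))  # empty renegotiated_connection
    return b"".join(exts)

def build_client_hello(extensions: bytes, client_random: bytes = None) -> bytes:
    """Full TLS record carrying a ClientHello with client_version TLS 1.2."""
    body = (struct.pack("!H", 0x0303) + (client_random or os.urandom(32))
            + _vec(b"", 1)  # empty session id
            + _vec(b"".join(struct.pack("!H", c) for c in CIPHER_SUITES), 2)
            + _vec(b"\x00", 1)  # null compression
            + _vec(extensions, 2))
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    # Record version 0x0301 is the usual compatibility choice (RFC 5246 appendix E).
    return struct.pack("!BHH", 0x16, 0x0301, len(handshake)) + handshake

def parse_client_hello_extensions(record: bytes) -> list:
    """Extension type codes of a ClientHello record in wire order (to check a capture)."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    hs = record[5:]
    pos = 4 + 2 + 32  # handshake header, client_version, random
    pos += 1 + hs[pos]  # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + hs[pos]  # compression_methods
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos, types = pos + 2, []
    while pos < end:
        ext_type, length = struct.unpack("!HH", hs[pos:pos + 4])
        types.append(ext_type)
        pos += 4 + length
    return types

def probe(host: str, port: int, extensions: bytes, timeout: float = 5.0) -> str:
    """Send one ClientHello variant and classify the server's first record."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(extensions))
        try:
            head = s.recv(5)
            if head and head[0] == 0x15:  # alert record: level and description follow
                return "alert %s" % s.recv(2).hex()
        except socket.timeout:
            return "timeout, no ServerHello"
    if not head:
        return "connection closed, no ServerHello"
    return "ServerHello" if head[0] == 0x16 else "unexpected record %s" % head.hex()

VARIANTS = {  # one change per variant, so a different reaction points at one extension
    "JDK 11 shape (all extensions)": {},
    "without RSASSA-PSS schemes": {"include_pss": False},
    "without supported_versions": {"include_supported_versions": False},
    "without signature_algorithms_cert": {"include_sig_algs_cert": False},
    "pre-JDK 11 shape": {"include_pss": False, "include_supported_versions": False,
                         "include_sig_algs_cert": False},
}

def bisect(host: str, port: int) -> dict:
    return {name: probe(host, port, build_extensions(**kw)) for name, kw in VARIANTS.items()}
```

Import the module and call bisect("device.example", 443) (host and port are whatever your device listens on) to get one result per variant. Read the results pairwise: a device that answers the "pre-JDK 11 shape" but drops the full JDK 11 shape, and flips between the two single-extension variants, has told you which extension it cannot parse. A device that only dislikes total ClientHello length or any unknown extension type looks the same from the outside as one that dislikes a particular extension's contents, so change one thing per probe and confirm on a second capture before filing the finding with the vendor. parse_client_hello_extensions() is there for the reverse check: feed it the bytes of a JSSE ClientHello from a pcap to confirm the extension set matches the trace.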
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20190121/4e26688a/attachment.htm>


More information about the security-dev mailing list