Bad exception message in SSLHandshakeException ?

Simon Bernard contact at simonbernard.eu
Wed Apr 24 13:51:17 UTC 2024


Hi,

I think that maybe I found a bad message for SSLHandshakeException in 
sun.security.ssl.CertificateMessage.

At server side configured with *CLIENT_AUTH_REQUIRED*, I get this 
SSLHandshakeException when trying to connect with a client sending an 
empty cert chain:

Caused by: javax.net.ssl.SSLHandshakeException: Empty server certificate chain
    at sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at sun.security.ssl.Alert.createSSLException(Alert.java:117)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:318)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:274)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:265)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:390)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:375)
    at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
    at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
    at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:981)
    at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:968)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:915)
    at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1651)
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1497)
    at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1338)
    at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1387)
    at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:530)
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:469)

In that case, I think it should be "Empty client certificate chain"?

Looking at the *sun.security.ssl.CertificateMessage* code, it seems that 
the same error message is used for client and server, and for both "empty 
cert chain when one is required" and "Certificate message received when 
not required or requested".
We should probably have 3 different messages:

  * "Empty server certificate chain"
  * "Client authentication required but empty client certificate chain
    received"
  * "Unexpected client Certificate message received because client
    authentication is not requested or required"

(some more details at: 
https://github.com/netty/netty/issues/13993#issuecomment-2074966726)

Tested with OpenJDK 8 and 17.

HTH

Simon
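A stand-alone reproducer for the situation described in the message above, added here as an example and not part of Simon's mail or of the JDK: a server that requires client authentication on TLS 1.2 (the T12CertificateConsumer path in the trace), and a client that trusts the server but has no key manager and therefore answers the CertificateRequest with an empty certificate chain. The server side then surfaces the "Empty server certificate chain" message on JDK 8 and 17, even though it is the client chain that is empty. It assumes a keystore `server.p12` with alias `server` and password `changeit`, created with the keytool command in the comment; both are assumptions, not values from the original post.

```java
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;

public class EmptyClientChainDemo {
    // Assumed keystore (not from the original post); create it with:
    //   keytool -genkeypair -alias server -keyalg RSA -keysize 2048 -dname CN=localhost \
    //     -keystore server.p12 -storetype PKCS12 -storepass changeit -validity 365
    static final String KEYSTORE = "server.p12";
    static final String ALIAS = "server";
    static final char[] PASSWORD = "changeit".toCharArray();

    public static void main(String[] args) throws Exception {
        KeyStore serverKs = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(KEYSTORE)) {
            serverKs.load(in, PASSWORD);
        }

        // Server side: owns a key pair and will require client authentication.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(serverKs, PASSWORD);
        SSLContext serverCtx = SSLContext.getInstance("TLS");
        serverCtx.init(kmf.getKeyManagers(), null, null);

        // Client side: trusts the server certificate but has NO key manager,
        // so it answers the server's CertificateRequest with an empty chain.
        KeyStore trust = KeyStore.getInstance("PKCS12");
        trust.load(null, null);
        Certificate serverCert = serverKs.getCertificate(ALIAS);
        trust.setCertificateEntry(ALIAS, serverCert);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext clientCtx = SSLContext.getInstance("TLS");
        clientCtx.init(null, tmf.getTrustManagers(), null);

        try (SSLServerSocket server =
                     (SSLServerSocket) serverCtx.getServerSocketFactory().createServerSocket(0)) {
            server.setEnabledProtocols(new String[] {"TLSv1.2"}); // T12CertificateConsumer path
            server.setNeedClientAuth(true);                       // CLIENT_AUTH_REQUIRED
            int port = server.getLocalPort();

            Thread client = new Thread(() -> {
                try (SSLSocket s = (SSLSocket) clientCtx.getSocketFactory().createSocket("localhost", port)) {
                    s.startHandshake();
                } catch (Exception e) {
                    // The client only sees the fatal alert the server sent back.
                    System.out.println("client: " + e);
                }
            });
            client.start();

            try (SSLSocket accepted = (SSLSocket) server.accept()) {
                accepted.startHandshake();
                System.out.println("handshake succeeded (unexpected for this setup)");
            } catch (SSLHandshakeException e) {
                // On JDK 8 and 17 this prints "Empty server certificate chain",
                // although it is the client's chain that arrived empty.
                System.out.println("server: " + e.getMessage());
            }
            client.join();
        }
    }
}
```

Run it with `javac EmptyClientChainDemo.java && java EmptyClientChainDemo` after creating the keystore. Pinning the server to TLSv1.2 matters: the TLS 1.3 handshake goes through a different consumer class and the message wording there is not what the trace above shows.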