Bad exception message in SSLHandshakeException ?

Daniel Jeliński djelinski1 at gmail.com
Wed Apr 24 16:02:08 UTC 2024


Hi Simon,
Thanks for reporting. The problem is already tracked under
https://bugs.openjdk.org/browse/JDK-8325022.
Cheers,
Daniel

Wed, 24 Apr 2024 at 15:52 Simon Bernard <contact at simonbernard.eu> wrote:
>
> Hi,
>
> I think that maybe I found a bad message for SSLHandshakeException in sun.security.ssl.CertificateMessage.
>
> At server side configured with CLIENT_AUTH_REQUIRED, I get this SSLHandshakeException when trying to connect with a client sending an empty cert chain:
>
> Caused by: javax.net.ssl.SSLHandshakeException: Empty server certificate chain
> at sun.security.ssl.Alert.createSSLException(Alert.java:131)
> at sun.security.ssl.Alert.createSSLException(Alert.java:117)
> at sun.security.ssl.TransportContext.fatal(TransportContext.java:318)
> at sun.security.ssl.TransportContext.fatal(TransportContext.java:274)
> at sun.security.ssl.TransportContext.fatal(TransportContext.java:265)
> at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:390)
> at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:375)
> at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
> at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
> at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:981)
> at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:968)
> at java.security.AccessController.doPrivileged(Native Method)
> at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:915)
> at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1651)
> at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1497)
> at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1338)
> at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1387)
> at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:530)
> at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:469)
>
> In that case, I think it should be "Empty client certificate chain" ?
>
> Looking at the sun.security.ssl.CertificateMessage code it seems that the same error message is used for client/server and for "empty when required cert chain" and "certificate message received when not required or requested".
> We should probably have three different messages:
>
> "Empty server certificate chain"
> "Client authentication required but empty client certificate chain received"
> "Unexpected client Certificate message received because client authentication is not requested or required"
>
> (some more details at : https://github.com/netty/netty/issues/13993#issuecomment-2074966726)
>
> Tested with OpenJDK 8 and 17.
>
> HTH
>
> Simon
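The three cases Simon lists above are easy to confuse because the same handshake message (TLS 1.2 Certificate, handshake type 11) carries all of them. The following is an added example written for this page; it is not JDK or Netty code and does not reproduce the JDK's actual dispatch logic. It parses a Certificate handshake message per RFC 5246 section 7.4.2 (uint24 certificate_list length, each entry a uint24-prefixed DER blob), distinguishes a legitimately empty list (RFC 5246 section 7.4.6: a client with no suitable certificate sends an empty list) from a malformed one, and then maps the sender role and the server's client-auth mode onto the three message texts Simon proposed. It goes slightly beyond the thread by also covering a "wanted" (optional) client-auth mode, where an empty chain is acceptable. The mode names, function names and the placeholder DER blob are this example's own assumptions; the blob is not a real certificate.

```python
"""Parse a TLS 1.2 Certificate handshake message and classify the empty-chain cases.

Added example, not JDK or Netty code. Wire format from RFC 5246 section 7.4.2:
  HandshakeType msg_type = certificate(11); uint24 length;
  ASN.1Cert certificate_list<0..2^24-1>, each entry a uint24-prefixed DER blob.
"""

HANDSHAKE_CERTIFICATE = 11

# Client-auth modes as configured on the server. Names are this example's own,
# modelled on SSLEngine.setNeedClientAuth(true) / setWantClientAuth(true) / neither.
CLIENT_AUTH_NONE = "none"
CLIENT_AUTH_WANTED = "wanted"
CLIENT_AUTH_REQUIRED = "required"


def encode_certificate_message(chain):
    """Build a Certificate handshake message from a list of DER blobs (may be empty)."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in chain)
    body = len(entries).to_bytes(3, "big") + entries
    return bytes([HANDSHAKE_CERTIFICATE]) + len(body).to_bytes(3, "big") + body


def parse_certificate_message(msg):
    """Return the list of DER blobs carried by a Certificate handshake message.

    Raises ValueError on a malformed message. An empty list is a valid result:
    RFC 5246 7.4.6 says a client with no suitable certificate sends an empty list.
    """
    if len(msg) < 4:
        raise ValueError("truncated handshake header")
    if msg[0] != HANDSHAKE_CERTIFICATE:
        raise ValueError(f"not a Certificate message (type {msg[0]})")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length or len(msg) != 4 + length:
        raise ValueError("handshake length does not match message size")
    if len(body) < 3:
        raise ValueError("missing certificate_list length")
    list_len = int.from_bytes(body[0:3], "big")
    entries = body[3:]
    if len(entries) != list_len:
        raise ValueError("certificate_list length does not match body")
    chain = []
    pos = 0
    while pos < len(entries):
        if pos + 3 > len(entries):
            raise ValueError("truncated certificate entry length")
        cert_len = int.from_bytes(entries[pos:pos + 3], "big")
        pos += 3
        if cert_len == 0 or pos + cert_len > len(entries):
            raise ValueError("bad certificate entry length")
        chain.append(entries[pos:pos + cert_len])
        pos += cert_len
    return chain


def classify_certificate_message(received_by, client_auth, chain):
    """Pick one of the three messages proposed in the thread, or None if acceptable.

    received_by: "client" (the peer is the server) or "server" (the peer is the client).
    client_auth: the server's configured mode; ignored when received_by == "client".
    """
    if received_by == "client":
        # A server must always present a certificate for certificate-based key exchange.
        return "Empty server certificate chain" if not chain else None
    if client_auth == CLIENT_AUTH_NONE:
        # No CertificateRequest was sent, so any client Certificate message is unexpected.
        return ("Unexpected client Certificate message received because "
                "client authentication is not requested or required")
    if not chain and client_auth == CLIENT_AUTH_REQUIRED:
        return "Client authentication required but empty client certificate chain received"
    # "wanted" with an empty chain: anonymous client is acceptable.
    # Non-empty chain: proceeds to certificate verification, not handled here.
    return None


def demo():
    """Run the scenarios from the thread on constructed inputs and return the verdicts."""
    empty_msg = encode_certificate_message([])
    # Constructed placeholder: a DER SEQUENCE containing INTEGER 1, not a real X.509 certificate.
    fake_cert = b"\x30\x03\x02\x01\x01"
    one_cert_msg = encode_certificate_message([fake_cert])
    return {
        "server_required_empty": classify_certificate_message(
            "server", CLIENT_AUTH_REQUIRED, parse_certificate_message(empty_msg)),
        "server_wanted_empty": classify_certificate_message(
            "server", CLIENT_AUTH_WANTED, parse_certificate_message(empty_msg)),
        "server_none_cert": classify_certificate_message(
            "server", CLIENT_AUTH_NONE, parse_certificate_message(one_cert_msg)),
        "client_empty": classify_certificate_message(
            "client", None, parse_certificate_message(empty_msg)),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The `server_required_empty` case is the one from Simon's stack trace: the server, configured to require client authentication, receives a Certificate message whose certificate_list has length zero, and the verdict names the client chain rather than the server chain.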
