<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
</head>
<body lang="DE" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US">Hi,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">We previously posted the following questions at
<a href="mailto:jdk8-dev@openjdk.java.net">jdk8-dev@openjdk.java.net</a> in a slightly different version – we have some further insights since we last posted the questions.
</span><span class="hps"><span lang="EN">A member of </span></span><span lang="EN-US"><a href="mailto:jdk8-dev@openjdk.java.net">jdk8-dev@openjdk.java.net</a></span><span lang="EN-US">
</span><span class="hps"><span lang="EN">advised us</span></span><span lang="EN">
<span class="hps">to post</span> <span class="hps">the questions</span> <span class="hps">
here again…<o:p></o:p></span></span></p>
<p class="MsoNormal"><span lang="EN"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">We did not find anything regarding our questions in the archive or on the Web. We have some questions regarding the renegotiation of SSLSockets (JSSE).<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Preconditions:<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><![if !supportLists]><span lang="EN-US"><span style="mso-list:Ignore">-<span style="font:7.0pt 'Times New Roman'">
</span></span></span><![endif]><span lang="EN-US">We installed the OpenJDK 8 update 40 (+ JCE unlimited strength policies) to run a distributed system that replicates its state over SSL-based socket connections<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><![if !supportLists]><span lang="EN-US"><span style="mso-list:Ignore">-<span style="font:7.0pt 'Times New Roman'">
</span></span></span><![endif]><span lang="EN-US">It is a peer-to-peer system. So, there is a set of socket connections between the various nodes of the distributed system<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-bottom:12.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo1">
<![if !supportLists]><span lang="EN-US"><span style="mso-list:Ignore">-<span style="font:7.0pt 'Times New Roman'">
</span></span></span><![endif]><span lang="EN-US">We only allow TLS 1.2 connections, so we get the SSLContext within the application by invoking:<br>
<br>
SSLContext ctx = SSLContext.getInstance("TLSv1.2");<br>
KeyManager[] kms = KeyManagerFactory.getInstance("SunX509").getKeyManagers();<br>
TrustManager[] tms = TrustManagerFactory.getInstance("SunX509").getTrustManagers();<br>
ctx.init(kms, tms, null);<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><![if !supportLists]><span lang="EN-US"><span style="mso-list:Ignore">-<span style="font:7.0pt 'Times New Roman'">
</span></span></span><![endif]><span lang="EN-US">Furthermore, we enable a list of cipher suites for the socket, i.e., we invoke socket.setEnabledCipherSuites(new String[]{"TLS_RSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_AES_256_CBC_SHA","TLS_DHE_RSA_WITH_AES_128_CBC_SHA",…});<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Goal:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">After the connection is established and used by the nodes to communicate their states within the cluster, we need to renegotiate the SSL connection after a while. Additionally, we want to change the negotiated cipher
suite. For example, if the negotiated cipher suite is “TLS_RSA_WITH_AES_256_CBC_SHA” we want to change the cipher suite to “TLS_RSA_WITH_AES_128_CBC_SHA”. So, we invoke:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><br>
socket.setEnabledCipherSuites(new String[]{"TLS_RSA_WITH_AES_128_CBC_SHA"});<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">if(!resume)<o:p></o:p></span></p>
<p class="MsoNormal" style="text-indent:35.4pt"><span lang="EN-US">socket.getSession().invalidate();<br>
socket.startHandshake();<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Problem:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">However, the cipher suite does not change (neither with resume = true nor with resume = false). Even the renegotiation is not always performed. A previously registered HandshakeCompletedListener is not invoked anyway. And if the
debug log indicates that the handshake has been performed, the previously negotiated cipher suite (“TLS_RSA_WITH_AES_256_CBC_SHA”) is used again. The debug log does not give us any hint as to what could be wrong.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">We tested the renegotiation procedure on an adjusted JDK test case (RejectClientRenego)… It works. However, in the test case (RejectClientRenego) the application layer does not send any application data to the SSLSocket
while the renegotiation is being done… Furthermore, the test case is a single-threaded case. In our system multiple worker threads communicate over one socket connection and the renegotiation is invoked by a JMX MBean.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">So, our questions are: Are we doing something wrong? Is it possible/allowed to renegotiate the cipher suite for a connected socket which is used continuously by the application layer while the renegotiation is performed?
According to the Javadoc of javax.net.ssl.SSLSocket.startHandshake() this should be possible (“If data has already been sent on the connection, it continues to flow during this handshake. When the handshake completes, this will be signaled with an event.”). Do
you have any other hints to solve our problems/to implement the desired behavior? …<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Thanks<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Steffen Mueller<o:p></o:p></span></p>
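<p class="MsoNormal"><span lang="EN-US">Added example, not part of the original message and not JDK code: one way to make the outcome of the renegotiation described above observable is to wait for the HandshakeCompletedListener event and compare the suite it reports with the requested list. The class RenegotiationCheck, the method renegotiate and the timeoutMillis parameter are hypothetical names; the code assumes TLS 1.2 or earlier and that a worker thread keeps reading from the socket, as in the system described, so incoming handshake records get processed.</span></p>
<pre>
```java
import java.io.IOException;
import java.util.Arrays;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.HandshakeCompletedListener;
import javax.net.ssl.SSLSocket;

/** Added example: observe whether a renegotiation finished and which suite it chose. */
public final class RenegotiationCheck {

    /**
     * Restricts the enabled suites, triggers a new handshake and waits for the
     * completion event. Returns the suite reported by that event.
     * Hypothetical helper; assumes TLS 1.2 or earlier and that another thread
     * keeps reading from the socket so incoming handshake records are processed.
     */
    public static String renegotiate(SSLSocket socket, String[] suites,
                                     boolean resume, long timeoutMillis)
            throws IOException, InterruptedException {
        final CountDownLatch done = new CountDownLatch(1);
        final String[] negotiated = new String[1];
        HandshakeCompletedListener listener = event -> {
            negotiated[0] = event.getCipherSuite();
            done.countDown();
        };
        // Register before startHandshake() so the completion event cannot be missed.
        socket.addHandshakeCompletedListener(listener);
        try {
            socket.setEnabledCipherSuites(suites);
            if (!resume) {
                socket.getSession().invalidate(); // force a full handshake
            }
            socket.startHandshake();
            if (!done.await(timeoutMillis, TimeUnit.MILLISECONDS)) {
                throw new IOException("no handshake completion event within "
                        + timeoutMillis + " ms");
            }
        } finally {
            socket.removeHandshakeCompletedListener(listener);
        }
        // Fail loudly if the peers settled on a suite outside the requested list.
        if (!Arrays.asList(suites).contains(negotiated[0])) {
            throw new IOException("handshake completed with unexpected suite "
                    + negotiated[0]);
        }
        return negotiated[0];
    }
}
```
</pre>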
</div>
</body>
</html>