<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div><div><br></div><div>Hi, I'd like to report a bug that may confuse others as they diagnose TLS handshakes.</div><div><br></div><div>The extension logging seems to be affected in JDK 11.0.2, these come up as empty in client hello (see below) from Oracle JDK 11.0.2</div><div>==========================</div><div>javax.net.ssl|DEBUG|01|main|2019-02-14 10:51:48.620 AEDT|SSLCipher.java:437|jdk.tls.keyLimits:  entry = AES/GCM/NoPadding KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472<br></div><div>javax.net.ssl|WARNING|01|main|2019-02-14 10:51:50.357 AEDT|ServerNameExtension.java:255|Unable to indicate server name</div><div>javax.net.ssl|DEBUG|01|main|2019-02-14 10:51:50.357 AEDT|SSLExtensions.java:256|Ignore, context unavailable extension: server_name</div><div>javax.net.ssl|DEBUG|01|main|2019-02-14 10:51:50.358 AEDT|SSLExtensions.java:256|Ignore, context unavailable extension: status_request</div><div>javax.net.ssl|DEBUG|01|main|2019-02-14 10:51:50.361 AEDT|SupportedGroupsExtension.java:841|Ignore inactive or disabled named group: secp160k1</div><div>javax.net.ssl|WARNING|01|main|2019-02-14 10:51:50.486 AEDT|SignatureScheme.java:282|Signature algorithm, ed25519, is not supported by the underlying providers</div><div>javax.net.ssl|WARNING|01|main|2019-02-14 10:51:50.486 AEDT|SignatureScheme.java:282|Signature algorithm, ed448, is not supported by the underlying providers</div><div>javax.net.ssl|INFO|01|main|2019-02-14 10:51:50.513 AEDT|AlpnExtension.java:161|No available application protocols</div><div>javax.net.ssl|DEBUG|01|main|2019-02-14 10:51:50.514 AEDT|SSLExtensions.java:256|Ignore, context unavailable extension: application_layer_protocol_negotiation</div><div>javax.net.ssl|DEBUG|01|main|2019-02-14 10:51:50.514 AEDT|SSLExtensions.java:256|Ignore, context unavailable extension: status_request_v2</div><div>javax.net.ssl|DEBUG|01|main|2019-02-14 10:51:50.516 AEDT|ClientHello.java:651|Produced ClientHello handshake message (</div><div>"ClientHello": {</div><div>  "client version"      : "TLSv1.2",</div><div>  "random"              : "3E 3B 04 98 F4 65 C7 CF 2B B2 30 EA AE CE 7D C5 51 45 C4 A9 CB D6 F2 39 3F 52 46 77 BE 28 EC 06",</div><div>  "session id"          : "",</div><div>  "cipher suites"       : "[TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D), TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032)]",</div><div>  "compression methods" : "00",</div><div>  "extensions"          : [</div><div>    </div><div>  ]</div><div>}</div><div>)</div><div><br></div><div>Notice empty extensions, these are actually there on the wire (checked with wireshark).</div><div><br></div><div>This previously appeared to work, just checked with OpenJDK 11.0.1 and I get them:</div><div><br></div><div><div>javax.net.ssl|DEBUG|01|main|2019-02-14 10:54:54.261 AEDT|SSLCipher.java:437|jdk.tls.keyLimits:  entry = AES/GCM/NoPadding KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472</div><div>javax.net.ssl|WARNING|01|main|2019-02-14 10:54:56.491 AEDT|ServerNameExtension.java:255|Unable to indicate server name</div><div>javax.net.ssl|DEBUG|01|main|2019-02-14 10:54:56.492 AEDT|SSLExtensions.java:235|Ignore, context unavailable extension: server_name</div><div>javax.net.ssl|DEBUG|01|main|2019-02-14 10:54:56.492 AEDT|SSLExtensions.java:235|Ignore, context unavailable extension: status_request</div><div>javax.net.ssl|DEBUG|01|main|2019-02-14 10:54:56.494 AEDT|SupportedGroupsExtension.java:841|Ignore inactive or disabled named group: secp160k1</div><div>javax.net.ssl|WARNING|01|main|2019-02-14 10:54:56.546 AEDT|SignatureScheme.java:282|Signature algorithm, ed25519, is not supported by the underlying providers</div><div>javax.net.ssl|WARNING|01|main|2019-02-14 10:54:56.546 AEDT|SignatureScheme.java:282|Signature algorithm, ed448, is not supported by the underlying providers</div><div>javax.net.ssl|INFO|01|main|2019-02-14 10:54:56.575 AEDT|AlpnExtension.java:161|No available application protocols</div><div>javax.net.ssl|DEBUG|01|main|2019-02-14 10:54:56.576 AEDT|SSLExtensions.java:235|Ignore, context unavailable extension: application_layer_protocol_negotiation</div><div>javax.net.ssl|DEBUG|01|main|2019-02-14 10:54:56.576 AEDT|SSLExtensions.java:235|Ignore, context unavailable extension: status_request_v2</div><div>javax.net.ssl|DEBUG|01|main|2019-02-14 10:54:56.577 AEDT|SSLExtensions.java:235|Ignore, context unavailable extension: renegotiation_info</div><div>javax.net.ssl|DEBUG|01|main|2019-02-14 10:54:56.582 AEDT|ClientHello.java:651|Produced ClientHello handshake message (</div><div>"ClientHello": {</div><div>  "client version"      : "TLSv1.2",</div><div>  "random"              : "4E 23 00 5E 22 D3 0D 78 D0 97 B5 E1 16 FB E3 92 B5 90 B0 8E 30 89 BC 72 BA F1 B7 94 71 E7 E8 80",</div><div>  "session id"          : "",</div><div>  "cipher suites"       : "[TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D), TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",</div><div>  "compression methods" : "00",</div><div>  "extensions"          : [</div><div>    "supported_groups (10)": {</div><div>      "versions": [secp256r1, secp384r1, secp521r1]</div><div>    },</div><div>    "ec_point_formats (11)": {</div><div>      "formats": [uncompressed]</div><div>    },</div><div>    "signature_algorithms (13)": {</div><div>      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]</div><div>    },</div><div>    "signature_algorithms_cert (50)": {</div><div>      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]</div><div>    },</div><div>    "extended_master_secret (23)": {</div><div>      <empty></div><div>    },</div><div>    "supported_versions (43)": {</div><div>      "versions": [TLSv1.2, TLSv1.1, TLSv1]</div><div>    }</div><div>  ]</div><div>}</div><div>)</div></div><div><br></div><div>Regards,</div><div>Amir</div><div><br></div><div><br></div><div><br></div></div></div></div></div></div>