<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Just FTW I think they still enable the TLS1.3 detection logic via their BoringSSL usage just like others noted:<div class=""><br class=""></div><div class=""><a href="https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#SSL_set_jdk11_workaround" class="">https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#SSL_set_jdk11_workaround</a></div><div class=""><br class=""></div><div class="">Bye</div><div class="">Norman</div><div class=""><br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On 11. Aug 2020, at 04:23, Jamil Nimeh <<a href="mailto:jamil.j.nimeh@oracle.com" class="">jamil.j.nimeh@oracle.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
<div class=""><p class="">Hi Bernd,</p><p class="">Without seeing the respective traces it is hard to know for
certain, but I can tell you that BoringSSL looks for a specific
"fingerprint" in the client hello which it attributes to the
original JDK 11 client hello. They did this to work around
specific bugs in the initial TLS 1.3 implementation released with
JDK 11.</p><p class="">If the client hello is structured such that it doesn't match the
fingerprint then things proceed with no issues. There are many
ways to change the fingerprint. It can even be accomplished by
using the identical set of extensions that cause the failure, but
ordering them differently. I had more than a few "WAT?" moments
getting my head around that when we were characterizing this issue
back in April. :)</p><p class="">If we were to look at the client hellos from that Zulu OpenJSSE
provider, I'm sure we could identify the element that changes the
fingerprint such that it works.</p><p class="">--Jamil<br class="">
</p>
<div class="moz-cite-prefix">On 8/10/2020 7:10 PM, Bernd Eckenfels
wrote:<br class="">
</div>
<blockquote type="cite" cite="mid:AM6PR03MB438930C14D4EB1ED22C20273FF450@AM6PR03MB4389.eurprd03.prod.outlook.com" class="">
<div class="">
<div class="">
<div style="direction: ltr;" class="">Hello Jamil,</div>
<div class=""><br class="">
</div>
<div style="direction: ltr;" class="">Thanks for responding, you are
correct, this system property resolves my problem (on both
the Oracle as well as Azure JRE).</div>
<div class=""><br class="">
</div>
<div style="direction: ltr;" class="">There is however something fishy
going on. With the OpenJSSE provider (as provided by Zulu)
the default for this option seems to be =true, as the
extension is sent in ClientHello. I naturally disabled it
and I can see in the debug log that the extension is no
longer requested - HOWEVER the handshake with <a href="http://google.com" class="">google.com</a>
still succeeds with OpenJSSE. WAT?
:)</div>
<div class=""><br class="">
</div>
<div style="direction: ltr;" class="">Regards</div>
<div style="direction: ltr;" class="">Bernd</div>
</div>
<div class=""><br class="">
</div>
<div class="ms-outlook-ios-signature">
<div class=""><br class="">
</div>
<div style="direction: ltr;" class="">-- </div>
<div style="direction: ltr;" class=""><a class="moz-txt-link-freetext" href="http://bernd.eckenfels.net/">http://bernd.eckenfels.net</a></div>
</div>
</div>
<hr style="display:inline-block;width:98%" tabindex="-1" class="">
<div id="divRplyFwdMsg" dir="ltr" class=""><font style="font-size:11pt" face="Calibri, sans-serif" class=""><b class="">From:</b>
security-dev <a class="moz-txt-link-rfc2396E" href="mailto:security-dev-retn@openjdk.java.net"><security-dev-retn@openjdk.java.net></a> on
behalf of Jamil Nimeh <a class="moz-txt-link-rfc2396E" href="mailto:jamil.j.nimeh@oracle.com"><jamil.j.nimeh@oracle.com></a><br class="">
<b class="">Sent:</b> Tuesday, August 11, 2020 3:11:14 AM<br class="">
<b class="">To:</b> <a class="moz-txt-link-abbreviated" href="mailto:security-dev@openjdk.java.net">security-dev@openjdk.java.net</a>
<a class="moz-txt-link-rfc2396E" href="mailto:security-dev@openjdk.java.net"><security-dev@openjdk.java.net></a><br class="">
<b class="">Subject:</b> Re: [TLS-backport8] Does TLSv1.3 work with
<a class="moz-txt-link-abbreviated" href="http://www.google.com/">www.google.com</a></font>
<div class=""> </div>
</div>
<div class=""><p class="">Hmmm, looks a lot like this issue: <a class="x_moz-txt-link-freetext" href="https://bugs.openjdk.java.net/browse/JDK-8241360" moz-do-not-send="true">
https://bugs.openjdk.java.net/browse/JDK-8241360</a>. What
happens if you run it with
-Djdk.tls.client.enableStatusRequestExtension=true? That
should get you past it. This is mentioned in the release
notes for 8u261:</p><p class=""><a class="x_moz-txt-link-freetext" href="https://www.oracle.com/java/technologies/javase/8u261-relnotes.html" moz-do-not-send="true">https://www.oracle.com/java/technologies/javase/8u261-relnotes.html</a></p><p class="">--Jamil<br class="">
</p>
<div class="x_moz-cite-prefix">On 8/10/2020 5:49 PM, Bernd
wrote:<br class="">
</div>
<blockquote type="cite" class="">
<div dir="ltr" class="">
<div dir="ltr" class="">
<div dir="ltr" class="">
<div dir="ltr" class="">Hello,
<div class=""><br class="">
</div>
<div class="">is the upcoming Java8u TLS backport supposed to
work with "-<span style="" class="">Djdk.tls.client.protocols=TLSv1.3"
when connecting to
<a href="https://www.google.com/" moz-do-not-send="true" class="">https://www.google.com</a>?</span></div>
<div class=""><span style="" class=""><br class="">
</span></div>
<div class=""><span style="" class="">I get an alert when I try to
HttpsURLConnection.open to it. This happens with
the Zulu port of this feature as well as the
8u261GA from Oracle. When specifying
TLSv1.3,TLSv1.2 it connects but uses a v2 cipher.</span></div>
<div class=""><span style="" class=""><br class="">
</span></div>
<div class=""><span style="" class="">The OpenJSSE (-XX:+UseOpenJSSE)
backport of Zulu seems not affected, it does
handshake correctly with Google (so the only
difference I can see is an additional OCSP request
and chacha cipher which is not picked).</span></div>
<div class=""><span style="" class=""><br class="">
</span></div>
<div class="">
<div class=""><font face="Lucida Sans Unicode, Lucida Grande,
Tahoma, Verdana, sans-serif" color="#2b2e2f" class=""><span style="font-size:14px" class="">javax.net.ssl|FINE|01|main|2020-08-11
01:45:23.268 CEST|Logger.java:765|Produced
ClientHello handshake message (</span></font></div>
<div class=""><font face="Lucida Sans Unicode, Lucida Grande,
Tahoma, Verdana, sans-serif" color="#2b2e2f" class=""><span style="font-size:14px" class="">"ClientHello": {</span></font></div>
<div class=""><font face="Lucida Sans Unicode, Lucida Grande,
Tahoma, Verdana, sans-serif" color="#2b2e2f" class=""><span style="font-size:14px" class=""> "client version"
: "TLSv1.2",</span></font></div>
<div class=""><font face="Lucida Sans Unicode, Lucida Grande,
Tahoma, Verdana, sans-serif" color="#2b2e2f" class=""><span style="font-size:14px" class=""> "random"
: "51 1A 14 21 CF BA 47 06 AB 26 67 4C 97 D9
12 77 BA 61 93 E3 DE 61 5C AC 30 10 9A 82 42
3D FC F1",</span></font></div>
<div class=""><font face="Lucida Sans Unicode, Lucida Grande,
Tahoma, Verdana, sans-serif" color="#2b2e2f" class=""><span style="font-size:14px" class=""> "session id"
: "C7 34 0D C4 D4 14 43 12 32 80 CF 23 52 A5
44 7A 34 4D BF F6 F0 62 4D 1F AA 3D 73 85 EB
49 29 B8",</span></font></div>
<div class=""><font face="Lucida Sans Unicode, Lucida Grande,
Tahoma, Verdana, sans-serif" color="#2b2e2f" class=""><span style="font-size:14px" class=""> "cipher suites"
: "[TLS_AES_128_GCM_SHA256(0x1301),
TLS_AES_256_GCM_SHA384(0x1302)]",</span></font></div>
<div class=""><font face="Lucida Sans Unicode, Lucida Grande,
Tahoma, Verdana, sans-serif" color="#2b2e2f" class=""><span style="font-size:14px" class=""> "compression methods"
: "00",</span></font></div>
<div class=""><font face="Lucida Sans Unicode, Lucida Grande,
Tahoma, Verdana, sans-serif" color="#2b2e2f" class=""><span style="font-size:14px" class=""> "extensions"
: [</span></font></div>
<div class=""><font face="Lucida Sans Unicode, Lucida Grande,
Tahoma, Verdana, sans-serif" color="#2b2e2f" class=""><span style="font-size:14px" class=""> "server_name (0)":
{</span></font></div>
<div class=""><font face="Lucida Sans Unicode, Lucida Grande,
Tahoma, Verdana, sans-serif" color="#2b2e2f" class=""><span style="font-size:14px" class=""> type=host_name
(0), value=<a href="http://www.google.com/" moz-do-not-send="true" class="">www.google.com</a></span></font></div>
<div class=""><font face="Lucida Sans Unicode, Lucida Grande,
Tahoma, Verdana, sans-serif" color="#2b2e2f" class=""><span style="font-size:14px" class=""> },</span></font></div>
<div class=""><font face="Lucida Sans Unicode, Lucida Grande,
Tahoma, Verdana, sans-serif" color="#2b2e2f" class=""><span style="font-size:14px" class=""> "supported_groups
(10)": {</span></font></div>
<div class=""><font face="Lucida Sans Unicode, Lucida Grande,
Tahoma, Verdana, sans-serif" color="#2b2e2f" class=""><span style="font-size:14px" class=""> "versions":
[secp256r1, secp384r1, secp521r1, ffdhe2048,
ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]</span></font></div>
<div class=""><font face="Lucida Sans Unicode, Lucida Grande,
Tahoma, Verdana, sans-serif" color="#2b2e2f" class=""><span style="font-size:14px" class=""> },</span></font></div>
<div class=""><font face="Lucida Sans Unicode, Lucida Grande,
Tahoma, Verdana, sans-serif" color="#2b2e2f" class=""><span style="font-size:14px" class="">
"signature_algorithms (13)": {</span></font></div>
<div class=""><font face="Lucida Sans Unicode, Lucida Grande,
Tahoma, Verdana, sans-serif" color="#2b2e2f" class=""><span style="font-size:14px" class=""> "signature
schemes": [ecdsa_secp256r1_sha256,
ecdsa_secp384r1_sha384,
ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256,
rsa_pss_rsae_sha384, rsa_pss_rsae_sha512,
rsa_pss_pss_sha256, rsa_pss_pss_sha384,
rsa_pss_pss_sha512, rsa_pkcs1_sha256,
rsa_pkcs1_sha384, rsa_pkcs1_sha512,
ecdsa_sha1, rsa_pkcs1_sha1]</span></font></div>
<div class=""><font face="Lucida Sans Unicode, Lucida Grande,
Tahoma, Verdana, sans-serif" color="#2b2e2f" class=""><span style="font-size:14px" class=""> },</span></font></div>
<div class=""><font face="Lucida Sans Unicode, Lucida Grande,
Tahoma, Verdana, sans-serif" color="#2b2e2f" class=""><span style="font-size:14px" class="">
"signature_algorithms_cert (50)": {</span></font></div>
<div class=""><font face="Lucida Sans Unicode, Lucida Grande,
Tahoma, Verdana, sans-serif" color="#2b2e2f" class=""><span style="font-size:14px" class=""> "signature
schemes": [ecdsa_secp256r1_sha256,
ecdsa_secp384r1_sha384,
ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256,
rsa_pss_rsae_sha384, rsa_pss_rsae_sha512,
rsa_pss_pss_sha256, rsa_pss_pss_sha384,
rsa_pss_pss_sha512, rsa_pkcs1_sha256,
rsa_pkcs1_sha384, rsa_pkcs1_sha512,
ecdsa_sha1, rsa_pkcs1_sha1]</span></font></div>
<div class=""><font face="Lucida Sans Unicode, Lucida Grande,
Tahoma, Verdana, sans-serif" color="#2b2e2f" class=""><span style="font-size:14px" class=""> },</span></font></div>
<div class=""><font face="Lucida Sans Unicode, Lucida Grande,
Tahoma, Verdana, sans-serif" color="#2b2e2f" class=""><span style="font-size:14px" class=""> "supported_versions
(43)": {</span></font></div>
<div class=""><font face="Lucida Sans Unicode, Lucida Grande,
Tahoma, Verdana, sans-serif" color="#2b2e2f" class=""><span style="font-size:14px" class=""> "versions":
[TLSv1.3]</span></font></div>
<div class=""><font face="Lucida Sans Unicode, Lucida Grande,
Tahoma, Verdana, sans-serif" color="#2b2e2f" class=""><span style="font-size:14px" class=""> },</span></font></div>
<div class=""><font face="Lucida Sans Unicode, Lucida Grande,
Tahoma, Verdana, sans-serif" color="#2b2e2f" class=""><span style="font-size:14px" class="">
"psk_key_exchange_modes (45)": {</span></font></div>
<div class=""><font face="Lucida Sans Unicode, Lucida Grande,
Tahoma, Verdana, sans-serif" color="#2b2e2f" class=""><span style="font-size:14px" class=""> "ke_modes":
[psk_dhe_ke]</span></font></div>
<div class=""><font face="Lucida Sans Unicode, Lucida Grande,
Tahoma, Verdana, sans-serif" color="#2b2e2f" class=""><span style="font-size:14px" class=""> },</span></font></div>
<div class=""><font face="Lucida Sans Unicode, Lucida Grande,
Tahoma, Verdana, sans-serif" color="#2b2e2f" class=""><span style="font-size:14px" class=""> "key_share (51)": {</span></font></div>
<div class=""><font face="Lucida Sans Unicode, Lucida Grande,
Tahoma, Verdana, sans-serif" color="#2b2e2f" class=""><span style="font-size:14px" class=""> "client_shares":
[ </span></font></div>
<div class=""><font face="Lucida Sans Unicode, Lucida Grande,
Tahoma, Verdana, sans-serif" color="#2b2e2f" class=""><span style="font-size:14px" class=""> {</span></font></div>
<div class=""><font face="Lucida Sans Unicode, Lucida Grande,
Tahoma, Verdana, sans-serif" color="#2b2e2f" class=""><span style="font-size:14px" class=""> "named
group": secp256r1</span></font></div>
<div class=""><font face="Lucida Sans Unicode, Lucida Grande,
Tahoma, Verdana, sans-serif" color="#2b2e2f" class=""><span style="font-size:14px" class="">
"key_exchange": {</span></font></div>
<div class=""><font face="Lucida Sans Unicode, Lucida Grande,
Tahoma, Verdana, sans-serif" color="#2b2e2f" class=""><span style="font-size:14px" class=""> 0000: 04 A4
C2 58 EF 8B 62 3D 47 C4 21 FE 7D 4A 85 2B
...X..b=G.!..J.+</span></font></div>
<div class=""><font face="Lucida Sans Unicode, Lucida Grande,
Tahoma, Verdana, sans-serif" color="#2b2e2f" class=""><span style="font-size:14px" class=""> 0010: AE 99
7D 3C 30 08 F4 00 F3 B0 A9 17 DE 0E B1 16
...<0...........</span></font></div>
<div class=""><font face="Lucida Sans Unicode, Lucida Grande,
Tahoma, Verdana, sans-serif" color="#2b2e2f" class=""><span style="font-size:14px" class=""> 0020: 0D 45
46 87 42 B0 83 68 FB 15 E9 79 D2 40 8C DA
.EF.B..h...y.@..</span></font></div>
<div class=""><font face="Lucida Sans Unicode, Lucida Grande,
Tahoma, Verdana, sans-serif" color="#2b2e2f" class=""><span style="font-size:14px" class=""> 0030: 38 FF
76 52 1D 40 10 A0 BE 39 75 8B 79 F0 CD A1
<a class="x_moz-txt-link-abbreviated" href="mailto:8.vR.@...9u.y" moz-do-not-send="true">8.vR.@...9u.y</a>...</span></font></div>
<div class=""><font face="Lucida Sans Unicode, Lucida Grande,
Tahoma, Verdana, sans-serif" color="#2b2e2f" class=""><span style="font-size:14px" class=""> 0040: E1 </span></font></div>
<div class=""><font face="Lucida Sans Unicode, Lucida Grande,
Tahoma, Verdana, sans-serif" color="#2b2e2f" class=""><span style="font-size:14px" class=""> }</span></font></div>
<div class=""><font face="Lucida Sans Unicode, Lucida Grande,
Tahoma, Verdana, sans-serif" color="#2b2e2f" class=""><span style="font-size:14px" class=""> },</span></font></div>
<div class=""><font face="Lucida Sans Unicode, Lucida Grande,
Tahoma, Verdana, sans-serif" color="#2b2e2f" class=""><span style="font-size:14px" class=""> ]</span></font></div>
<div class=""><font face="Lucida Sans Unicode, Lucida Grande,
Tahoma, Verdana, sans-serif" color="#2b2e2f" class=""><span style="font-size:14px" class=""> }</span></font></div>
<div class=""><font face="Lucida Sans Unicode, Lucida Grande,
Tahoma, Verdana, sans-serif" color="#2b2e2f" class=""><span style="font-size:14px" class=""> ]</span></font></div>
<div class=""><font face="Lucida Sans Unicode, Lucida Grande,
Tahoma, Verdana, sans-serif" color="#2b2e2f" class=""><span style="font-size:14px" class="">}</span></font></div>
<div class=""><font face="Lucida Sans Unicode, Lucida Grande,
Tahoma, Verdana, sans-serif" color="#2b2e2f" class=""><span style="font-size:14px" class="">)</span></font></div>
</div>
<div class=""><font face="Lucida Sans Unicode, Lucida Grande,
Tahoma, Verdana, sans-serif" color="#2b2e2f" class=""><span style="font-size:14px" class="">...</span></font></div>
<div class=""><font face="Lucida Sans Unicode, Lucida Grande,
Tahoma, Verdana, sans-serif" color="#2b2e2f" class="">
<div class=""><span style="font-size:14px" class="">javax.net.ssl|FINE|01|main|2020-08-11
01:45:23.288 CEST|Logger.java:765|Received
alert message (</span></div>
<div class=""><span style="font-size:14px" class="">"Alert": {</span></div>
<div class=""><span style="font-size:14px" class=""> "level" :
"fatal",</span></div>
<div class=""><span style="font-size:14px" class=""> "description":
"protocol_version"</span></div>
<div class=""><span style="font-size:14px" class="">}</span></div>
<div class=""><span style="font-size:14px" class="">)</span></div>
<div style="font-size:14px" class=""><br class="">
</div>
</font></div>
<div class=""><font face="Lucida Sans Unicode, Lucida Grande,
Tahoma, Verdana, sans-serif" color="#2b2e2f" class=""><span style="font-size:14px" class=""><br class="">
</span></font></div>
<div class=""><span style="" class=""><br class="">
</span></div>
<div class=""><span style="" class="">Regards</span></div>
<div class=""><span style="" class="">Bernd</span></div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
</div></blockquote></div><br class=""></div></body></html>
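Added example, not from the thread or from any of its participants: a small Python ClientHello inspector that does what Jamil proposes, parsing two raw ClientHello handshake messages and reporting which of the fingerprint-relevant fields differ (legacy version, cipher suite list, extension order, and the supported_versions list). Both sample hellos are constructed here. The first mirrors the cipher suites and extension order of the 8u261 debug log above; the second is an assumed approximation of the OpenJSSE hello, adding a status_request extension and TLS_CHACHA20_POLY1305_SHA256, since Bernd reports an additional OCSP request and a ChaCha suite as the visible differences. The extension bodies other than supported_versions are placeholders, the position of status_request in the list is an assumption, and nothing here reproduces BoringSSL's actual heuristic (see the SSL_set_jdk11_workaround link above).

```python
import struct

# IANA TLS extension type numbers used below (RFC 6066, RFC 8446).
EXT_NAMES = {
    0: "server_name", 5: "status_request", 10: "supported_groups",
    13: "signature_algorithms", 43: "supported_versions",
    45: "psk_key_exchange_modes", 50: "signature_algorithms_cert",
    51: "key_share",
}
SUITE_NAMES = {0x1301: "TLS_AES_128_GCM_SHA256", 0x1302: "TLS_AES_256_GCM_SHA384",
               0x1303: "TLS_CHACHA20_POLY1305_SHA256"}


def build_client_hello(cipher_suites, extensions, legacy_version=0x0303):
    """Encode a ClientHello handshake message (RFC 8446 section 4.1.2).
    Random and session id are fixed, constructed values; extension bodies are
    passed in as opaque bytes (placeholders except supported_versions)."""
    body = struct.pack(">H", legacy_version)
    body += bytes(range(32))                        # client random (constructed)
    body += b"\x20" + bytes(32)                     # legacy_session_id (constructed)
    suites = b"".join(struct.pack(">H", s) for s in cipher_suites)
    body += struct.pack(">H", len(suites)) + suites
    body += b"\x01\x00"                             # compression_methods: null only
    exts = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack(">H", len(exts)) + exts
    return b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello


def parse_client_hello(msg):
    """Return the fingerprint-relevant fields of a raw ClientHello message."""
    if not msg or msg[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated ClientHello")
    pos = 0
    version = struct.unpack_from(">H", body, pos)[0]
    pos += 2 + 32                                   # legacy_version, random
    pos += 1 + body[pos]                            # legacy_session_id
    cs_len = struct.unpack_from(">H", body, pos)[0]
    pos += 2
    suites = [struct.unpack_from(">H", body, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                            # compression_methods
    ext_order, supported_versions = [], []
    if pos < len(body):
        total = struct.unpack_from(">H", body, pos)[0]
        pos += 2
        end = pos + total
        while pos < end:
            ext_type, ext_len = struct.unpack_from(">HH", body, pos)
            pos += 4
            data = body[pos:pos + ext_len]
            pos += ext_len
            ext_order.append(ext_type)
            if ext_type == 43:                      # supported_versions: u8 length, u16 list
                supported_versions = [struct.unpack_from(">H", data, 1 + i)[0]
                                      for i in range(0, data[0], 2)]
    return {"version": version, "cipher_suites": suites,
            "extensions": ext_order, "supported_versions": supported_versions}


def fingerprint_diff(a, b):
    """Names of the fields in which two parsed hellos differ."""
    return [k for k in ("version", "cipher_suites", "extensions", "supported_versions")
            if a[k] != b[k]]


def describe(parsed):
    """One-line summary for comparing two captures side by side."""
    exts = ", ".join(f"{EXT_NAMES.get(t, '?')} ({t})" for t in parsed["extensions"])
    suites = ", ".join(SUITE_NAMES.get(s, hex(s)) for s in parsed["cipher_suites"])
    return f"ciphers=[{suites}] extensions=[{exts}]"


# Constructed extension bodies; only supported_versions is parsed above.
_SNI = (0, b"\x00\x11\x00\x00\x0ewww.google.com")       # host_name www.google.com
_STATUS_REQUEST = (5, b"\x01\x00\x00\x00\x00")           # OCSP, empty responder list
_COMMON_TAIL = [
    (10, b"\x00\x02\x00\x17"),                           # supported_groups: secp256r1
    (13, b"\x00\x02\x04\x03"),                           # signature_algorithms (placeholder)
    (50, b"\x00\x02\x04\x03"),                           # signature_algorithms_cert (placeholder)
    (43, b"\x02\x03\x04"),                               # supported_versions: [TLSv1.3]
    (45, b"\x01\x01"),                                   # psk_key_exchange_modes: psk_dhe_ke
    (51, b"\x00\x00"),                                   # key_share (placeholder, no shares)
]
# Sample 1: shape of the 8u261 hello from the thread's debug log.
JDK8_HELLO = build_client_hello([0x1301, 0x1302], [_SNI] + _COMMON_TAIL)
# Sample 2: assumed OpenJSSE shape (status_request position is a guess).
OPENJSSE_HELLO = build_client_hello([0x1301, 0x1302, 0x1303],
                                    [_SNI, _STATUS_REQUEST] + _COMMON_TAIL)

if __name__ == "__main__":
    a, b = parse_client_hello(JDK8_HELLO), parse_client_hello(OPENJSSE_HELLO)
    print("8u261   :", describe(a))
    print("OpenJSSE:", describe(b))
    print("differs in:", fingerprint_diff(a, b))
```

To use it on real traffic, hand parse_client_hello the handshake message bytes from a capture (starting at the 0x01 HandshakeType byte, record header stripped) for the client that fails and the one that succeeds; the diff then names the fields to look at first, which is the comparison the thread concludes would pin down the element that changes the fingerprint.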