<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body>
<div dir="ltr">
<div></div>
<div data-ogsc="" style="">
<div>
<div style="direction: ltr;">Jamil, just a follow-up: I noticed in the bug comments that there are multiple conditions where BoringSSL fails; it seems like OpenJSSE somehow does not trigger the fingerprint match with and without status request.</div>
<div><br>
</div>
<div style="direction: ltr;">Regards</div>
<div style="direction: ltr;">Bernd</div>
</div>
<div><br>
</div>
<div class="ms-outlook-ios-signature">
<div><br>
</div>
<div style="direction: ltr;">-- </div>
<div style="direction: ltr;">http://bernd.eckenfels.net</div>
</div>
</div>
</div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Bernd Eckenfels &lt;ecki@zusammenkunft.net&gt;<br>
<b>Sent:</b> Tuesday, August 11, 2020 4:10:54 AM<br>
<b>To:</b> Jamil Nimeh &lt;jamil.j.nimeh@oracle.com&gt;; security-dev@openjdk.java.net &lt;security-dev@openjdk.java.net&gt;<br>
<b>Subject:</b> Re: [TLS-backport8] Does TLSv1.3 work with www.google.com</font>
<div> </div>
</div>
<div>
<div>
<div>
<div style="direction:ltr">Hello Jamil,</div>
<div><br>
</div>
<div style="direction:ltr">Thanks for responding, you are correct, this system property resolves my problem (on both the Oracle as well as Azure JRE).</div>
<div><br>
</div>
<div style="direction:ltr">There is, however, something fishy going on. With the OpenJSSE provider (as provided by Zulu) the default for this option seems to be =true, as the extension is sent in the ClientHello. I naturally disabled it and I can see in the debug log that the extension is no longer requested - HOWEVER, the handshake with google.com still succeeds with OpenJSSE. WAT? :)</div>
<div><br>
</div>
<div style="direction:ltr">Regards</div>
<div style="direction:ltr">Bernd</div>
</div>
<div><br>
</div>
<div class="x_ms-outlook-ios-signature">
<div><br>
</div>
<div style="direction:ltr">-- </div>
<div style="direction:ltr">http://bernd.eckenfels.net</div>
</div>
</div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> security-dev &lt;security-dev-retn@openjdk.java.net&gt; on behalf of Jamil Nimeh &lt;jamil.j.nimeh@oracle.com&gt;<br>
<b>Sent:</b> Tuesday, August 11, 2020 3:11:14 AM<br>
<b>To:</b> security-dev@openjdk.java.net &lt;security-dev@openjdk.java.net&gt;<br>
<b>Subject:</b> Re: [TLS-backport8] Does TLSv1.3 work with www.google.com</font>
<div> </div>
</div>
<div>
<p>Hmmm, looks a lot like this issue: <a class="x_x_moz-txt-link-freetext" href="https://bugs.openjdk.java.net/browse/JDK-8241360">
https://bugs.openjdk.java.net/browse/JDK-8241360</a>. What happens if you run it with -Djdk.tls.client.enableStatusRequestExtension=true? That should get you past it. This is mentioned in the release notes for 8u261:</p>
<p><a class="x_x_moz-txt-link-freetext" href="https://www.oracle.com/java/technologies/javase/8u261-relnotes.html">https://www.oracle.com/java/technologies/javase/8u261-relnotes.html</a></p>
<p>--Jamil<br>
</p>
<div class="x_x_moz-cite-prefix">On 8/10/2020 5:49 PM, Bernd wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">Hello,
<div><br>
</div>
<div>Is the upcoming Java 8u TLS backport supposed to work with "-Djdk.tls.client.protocols=TLSv1.3" when connecting to <a href="https://www.google.com">https://www.google.com</a>?</div>
<div><span style=""><br>
</span></div>
<div>I get an alert when I try to HttpsURLConnection.open to it. This happens with the Zulu port of this feature as well as the 8u261 GA from Oracle. When specifying TLSv1.3,TLSv1.2, it connects but uses a v2 cipher.</div>
<div><span style=""><br>
</span></div>
<div>The OpenJSSE (-XX:+UseOpenJSSE) backport of Zulu seems not affected; it does handshake correctly with Google (so the only difference I can see is an additional OCSP request and a ChaCha cipher which is not picked).</div>
<div><span style=""><br>
</span></div>
<div>
<pre style="font-size:14px; color:#2b2e2f">
javax.net.ssl|FINE|01|main|2020-08-11 01:45:23.268 CEST|Logger.java:765|Produced ClientHello handshake message (
"ClientHello": {
  "client version"      : "TLSv1.2",
  "random"              : "51 1A 14 21 CF BA 47 06 AB 26 67 4C 97 D9 12 77 BA 61 93 E3 DE 61 5C AC 30 10 9A 82 42 3D FC F1",
  "session id"          : "C7 34 0D C4 D4 14 43 12 32 80 CF 23 52 A5 44 7A 34 4D BF F6 F0 62 4D 1F AA 3D 73 85 EB 49 29 B8",
  "cipher suites"       : "[TLS_AES_128_GCM_SHA256(0x1301), TLS_AES_256_GCM_SHA384(0x1302)]",
  "compression methods" : "00",
  "extensions"          : [
    "server_name (0)": {
      type=host_name (0), value=www.google.com
    },
    "supported_groups (10)": {
      "versions": [secp256r1, secp384r1, secp521r1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
    },
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, ecdsa_sha1, rsa_pkcs1_sha1]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, ecdsa_sha1, rsa_pkcs1_sha1]
    },
    "supported_versions (43)": {
      "versions": [TLSv1.3]
    },
    "psk_key_exchange_modes (45)": {
      "ke_modes": [psk_dhe_ke]
    },
    "key_share (51)": {
      "client_shares": [
        {
          "named group": secp256r1
          "key_exchange": {
            0000: 04 A4 C2 58 EF 8B 62 3D 47 C4 21 FE 7D 4A 85 2B   ...X..b=G.!..J.+
            0010: AE 99 7D 3C 30 08 F4 00 F3 B0 A9 17 DE 0E B1 16   ...&lt;0...........
            0020: 0D 45 46 87 42 B0 83 68 FB 15 E9 79 D2 40 8C DA   .EF.B..h...y.@..
            0030: 38 FF 76 52 1D 40 10 A0 BE 39 75 8B 79 F0 CD A1   8.vR.@...9u.y...
            0040: E1
          }
        },
      ]
    }
  ]
}
)
...
javax.net.ssl|FINE|01|main|2020-08-11 01:45:23.288 CEST|Logger.java:765|Received alert message (
"Alert": {
  "level"      : "fatal",
  "description": "protocol_version"
}
)
</pre>
</div>
<div><br>
</div>
<div><span style=""><br>
</span></div>
<div>Regards</div>
<div><span style="">Bernd</span></div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
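<p>The thread turns on whether the ClientHello actually carries the status_request extension (type 5) once <code>jdk.tls.client.enableStatusRequestExtension</code> is flipped, and which versions it offers in supported_versions (type 43). The following is an added example, not code from the thread, from OpenJDK or from OpenJSSE: it builds a ClientHello shaped like the one in the debug log above (same suites, groups, signature schemes and extensions, with status_request optional) and parses it back into a summary. The extension and version codes are the IANA registry values; the random, session id and key share are placeholder bytes, not real key material; nothing is sent on the wire, and the server-side behaviour that rejects the hello is not modelled.</p>

```python
"""Build a TLS 1.3 ClientHello like the one in the JDK debug log and parse it back.

Constructed example: random, session id and key share are placeholders,
not real key material, and nothing here is sent on the wire."""
import os
import struct

# Extension type codes from the IANA TLS ExtensionType registry.
SERVER_NAME, STATUS_REQUEST, SUPPORTED_GROUPS = 0, 5, 10
SIGNATURE_ALGORITHMS, SIGNATURE_ALGORITHMS_CERT, SUPPORTED_VERSIONS = 13, 50, 43
PSK_KEY_EXCHANGE_MODES, KEY_SHARE = 45, 51

TLS12, TLS13 = 0x0303, 0x0304
VERSION_NAMES = {TLS12: "TLSv1.2", TLS13: "TLSv1.3"}
CIPHER_NAMES = {0x1301: "TLS_AES_128_GCM_SHA256", 0x1302: "TLS_AES_256_GCM_SHA384"}
# Groups and signature schemes in the order the logged ClientHello offered them.
GROUPS = [0x17, 0x18, 0x19, 0x100, 0x101, 0x102, 0x103, 0x104]
SIGALGS = [0x0403, 0x0503, 0x0603, 0x0804, 0x0805, 0x0806, 0x0809, 0x080a,
           0x080b, 0x0401, 0x0501, 0x0601, 0x0203, 0x0201]


def _ext(ext_type, body):
    """Encode one extension: type(2) + length(2) + body."""
    return struct.pack("!HH", ext_type, len(body)) + body


def _u16_list(values):
    """Encode a list of 2-byte values with a 2-byte length prefix."""
    return struct.pack("!H", 2 * len(values)) + b"".join(struct.pack("!H", v) for v in values)


def build_client_hello(host, versions=(TLS13,), status_request=False):
    """Return a ClientHello handshake message (type 1 + 3-byte length + body).

    status_request=True adds the OCSP status_request extension that
    -Djdk.tls.client.enableStatusRequestExtension=true turns on."""
    name = host.encode()
    exts = _ext(SERVER_NAME, struct.pack("!HBH", len(name) + 3, 0, len(name)) + name)
    if status_request:
        # status_type=ocsp(1), empty responder_id_list, empty request_extensions
        exts += _ext(STATUS_REQUEST, b"\x01\x00\x00\x00\x00")
    exts += _ext(SUPPORTED_GROUPS, _u16_list(GROUPS))
    exts += _ext(SIGNATURE_ALGORITHMS, _u16_list(SIGALGS))
    exts += _ext(SIGNATURE_ALGORITHMS_CERT, _u16_list(SIGALGS))
    exts += _ext(SUPPORTED_VERSIONS, bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions))
    exts += _ext(PSK_KEY_EXCHANGE_MODES, b"\x01\x01")  # one mode: psk_dhe_ke
    fake_point = b"\x04" + os.urandom(64)  # placeholder uncompressed P-256 point, not a key
    share = struct.pack("!HH", 0x17, len(fake_point)) + fake_point
    exts += _ext(KEY_SHARE, struct.pack("!H", len(share)) + share)

    body = struct.pack("!H", TLS12) + os.urandom(32)   # legacy_version, random
    body += b"\x20" + os.urandom(32)                    # 32-byte legacy session id
    body += _u16_list([0x1301, 0x1302]) + b"\x01\x00"   # cipher suites, null compression
    body += struct.pack("!H", len(exts)) + exts
    return b"\x01" + len(body).to_bytes(3, "big") + body


def parse_client_hello(msg):
    """Decode a ClientHello into a summary dict; raise ValueError on malformed input."""
    if len(msg) < 4 or msg[0] != 1 or int.from_bytes(msg[1:4], "big") != len(msg) - 4:
        raise ValueError("not a well-formed ClientHello handshake message")
    p = 4
    legacy_version = struct.unpack_from("!H", msg, p)[0]
    p += 2 + 32                                   # legacy_version, random
    p += 1 + msg[p]                               # session id
    cs_len = struct.unpack_from("!H", msg, p)[0]
    p += 2
    suites = [struct.unpack_from("!H", msg, p + i)[0] for i in range(0, cs_len, 2)]
    p += cs_len
    p += 1 + msg[p]                               # compression methods
    ext_len = struct.unpack_from("!H", msg, p)[0]
    p += 2
    end = p + ext_len
    if end != len(msg):
        raise ValueError("extensions length does not match message length")
    exts = {}
    while p < end:
        ext_type, length = struct.unpack_from("!HH", msg, p)
        p += 4
        if p + length > end or ext_type in exts:  # overrun or duplicate extension
            raise ValueError("bad extension %d" % ext_type)
        exts[ext_type] = msg[p:p + length]
        p += length
    versions = []
    if SUPPORTED_VERSIONS in exts:
        sv = exts[SUPPORTED_VERSIONS]
        versions = [struct.unpack_from("!H", sv, 1 + i)[0] for i in range(0, sv[0], 2)]
    return {
        "legacy_version": VERSION_NAMES.get(legacy_version, hex(legacy_version)),
        "cipher_suites": [CIPHER_NAMES.get(s, hex(s)) for s in suites],
        "extensions": sorted(exts),
        "supported_versions": [VERSION_NAMES.get(v, hex(v)) for v in versions],
        "status_request": STATUS_REQUEST in exts,
    }


if __name__ == "__main__":
    for sr in (False, True):
        print("status_request=%s:" % sr,
              parse_client_hello(build_client_hello("www.google.com", status_request=sr)))
```

<p>Feeding <code>parse_client_hello</code> the raw handshake bytes of a captured ClientHello (from a pcap, or from the hex dump that <code>-Djavax.net.debug=ssl:handshake:verbose</code> prints) gives a provider-independent check of what was really sent, so the JSSE and OpenJSSE hellos can be compared field by field rather than by reading two differently formatted debug logs.</p>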
</body>
</html>