From gnu.andrew at redhat.com Thu Sep 2 03:07:00 2021 From: gnu.andrew at redhat.com (Andrew Hughes) Date: Thu, 2 Sep 2021 04:07:00 +0100 Subject: [IMPORTANT] 8u-dev now CLOSED FOR PUSHES for rampdown of 8u312 Message-ID: Hi all, We are now ramping down for the release of OpenJDK 8u312 in October. jdk8u/jdk8u-dev will be closed until hgupdater is switched over to use openjdk8u322. Please await further e-mail before pushing changes to 8u-dev. The promotion of 8u312-b05 is complete, so jdk8u/jdk8u is now open for requests for regression fixes for 8u312, which can be made using the jdk8u-critical-request label. Thanks, -- Andrew :) Pronouns: he / him or they / them Senior Free Java Software Engineer OpenJDK Package Owner Red Hat, Inc. (http://www.redhat.com) PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net) Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222 From gnu.andrew at redhat.com Thu Sep 2 03:51:28 2021 
From: gnu.andrew at redhat.com (Andrew Hughes) Date: Thu, 2 Sep 2021 04:51:28 +0100 Subject: OpenJDK 8u312-b04 EA Released Message-ID: I've made available an early access source bundle for 8u312, based on the tag jdk8u312-b04: https://openjdk-sources.osci.io/openjdk8/openjdk8u312-b04-ea.tar.xz The tarball is accompanied by a digital signature available at: https://openjdk-sources.osci.io/openjdk8/openjdk8u312-b04-ea.tar.xz.sig This is signed by our Red Hat OpenJDK key (openjdk at redhat.com): PGP Key: rsa4096/0x92EF8D39DC13168F (hkp://keys.gnupg.net) Fingerprint = CA5F 11C6 CE22 644D 42C6 AC44 92EF 8D39 DC13 168F SHA256 checksums: 982ed60cda65ce5640ca0d1c75dfab4b7a3fd3b88de7a2f8f2d0944c9a11ccd8 openjdk8u312-b04-ea.tar.xz 40d1ff1553ba2df8ca8dddd17e9ae54593fed6d8b45ecedb2c24b5e0d0f7eb69 openjdk8u312-b04-ea.tar.xz.sig They are listed at https://openjdk-sources.osci.io/openjdk8/openjdk8u312-b04-ea.sha256 The tarball was built on RHEL 6 (x86, x86_64) and RHEL 7 (aarch64, ppc, ppc64, ppc64le, s390x, x86, x86_64) Changes in 8u312-b04: - JDK-6847157: java.lang.NullPointerException: HDC for component at sun.java2d.loops.Blit.Blit - JDK-8161016: Strange behavior of URLConnection with proxy - JDK-8194246: JVM crashes when calling getStackTrace if stack contains a method that is a member of a very large class - JDK-8244154: Update SunPKCS11 provider with PKCS11 v3.0 header files - JDK-8263382: java/util/logging/ParentLoggersTest.java failed with "checkLoggers: getLoggerNames() returned unexpected loggers" - JDK-8268103: JNI functions incorrectly return a double after JDK-8265836 - JDK-8268965: TCP Connection Reset when connecting simple socket to SSL server - JDK-8269594: assert(_handle_mark_nesting > 1) failed: memory leak: allocating handle outside HandleMark - JDK-8269859: BacktraceBuilder._cprefs needs to be accessed as unsigned short - JDK-8269882: stack-use-after-scope in NewObjectA Thanks, -- Andrew :) Pronouns: he / him or they / them Senior Free Java Software 
Engineer OpenJDK Package Owner Red Hat, Inc. (http://www.redhat.com) PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net) Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222 From gnu.andrew at redhat.com Thu Sep 2 03:53:17 2021 
From: gnu.andrew at redhat.com (Andrew Hughes) Date: Thu, 2 Sep 2021 04:53:17 +0100 Subject: OpenJDK 8u312-b53 EA Released Message-ID: I've made available an early access source bundle for 8u312, based on the tag jdk8u312-b05: https://openjdk-sources.osci.io/openjdk8/openjdk8u312-b05-ea.tar.xz The tarball is accompanied by a digital signature available at: https://openjdk-sources.osci.io/openjdk8/openjdk8u312-b05-ea.tar.xz.sig This is signed by our Red Hat OpenJDK key (openjdk at redhat.com): PGP Key: rsa4096/0x92EF8D39DC13168F (hkp://keys.gnupg.net) Fingerprint = CA5F 11C6 CE22 644D 42C6 AC44 92EF 8D39 DC13 168F SHA256 checksums: dd0f2a8bb82b0dea6b8b1723f41295de93a424b55480d1355825dd8e6f9503ef openjdk8u312-b05-ea.tar.xz cb7e352724e27144adea86bc82ce023d071a681dd99a3440708b533617b56945 openjdk8u312-b05-ea.tar.xz.sig They are listed at https://openjdk-sources.osci.io/openjdk8/openjdk8u312-b05-ea.sha256 The tarball was built on RHEL 6 (x86, x86_64) and RHEL 7 (aarch64, ppc, ppc64, ppc64le, s390x, x86, x86_64) Changes in 8u312-b05: - JDK-7188942: Remove support of pbuffers in OGL Java2d pipeline - JDK-8022323: [JavaSecurityScanner] review package com.sun.management.* Native methods should be private - JDK-8131062: aarch64: add support for GHASH acceleration - JDK-8134869: AARCH64: GHASH intrinsic is not optimal - JDK-8269851: OperatingSystemMXBean getProcessCpuLoad reports incorrect process cpu usage in containers - JDK-8272124: Cgroup v1 initialization causes NullPointerException when cgroup path contains colon - JDK-8272714: [8u] Build failure after backport of JDK-8248901 with MSVC 2013 Thanks, -- Andrew :) Pronouns: he / him or they / them Senior Free Java Software Engineer OpenJDK Package Owner Red Hat, Inc. 
(http://www.redhat.com) PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net) Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222 From gnu.andrew at redhat.com Thu Sep 2 17:15:48 2021 From: gnu.andrew at redhat.com (Andrew Hughes) Date: Thu, 2 Sep 2021 18:15:48 +0100 Subject: [IMPORTANT] 8u-dev now OPEN for pushes for 8u322 Message-ID: Changes can now again be pushed to 8u-dev with jdk8u-fix-yes. These will be for the 8u322 release in January 2022. Thanks, -- Andrew :) Pronouns: he / him or they / them Senior Free Java Software Engineer OpenJDK Package Owner Red Hat, Inc. (http://www.redhat.com) PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net) Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222 From qingfeng.yy at alibaba-inc.com Wed Sep 8 02:58:31 2021 From: qingfeng.yy at alibaba-inc.com (Yi Yang) Date: Wed, 08 Sep 2021 10:58:31 +0800 Subject: Re: PING: RFR: 8u backport of JDK-8237499 JFR: Include stack trace in the ThreadStart event In-Reply-To: <642A1A9B-EE96-40B0-ABDE-7D6656C59133@amazon.com> References: <642A1A9B-EE96-40B0-ABDE-7D6656C59133@amazon.com> Message-ID: Hi Paul, Sorry for the late response, I missed this email inadvertently. > Lgtm. Do you need a sponsor? Sure! Can you help sponsor this patch? Thanks. Yang ------------------------------------------------------------------ From:Hohensee, Paul Send Time:2021 Apr. 28 (Wed.) 02:32 To:"YANG, Yi" ; Andrew Hughes Cc:jdk8u-dev at openjdk.java.net Subject:RE: PING: RFR: 8u backport of JDK-8237499 JFR: Include stack trace in the ThreadStart event Lgtm. Do you need a sponsor? Thanks, Paul -----Original Message----- 
From: jdk8u-dev on behalf of Yang Yi Date: Wednesday, February 17, 2021 at 9:27 PM To: Yang Yi , Andrew Hughes Cc: "jdk8u-dev at openjdk.java.net" Subject: RE: Re: PING: RFR: 8u backport of JDK-8237499 JFR: Include stack trace in the ThreadStart event Gentle Ping v2 :-) ------------------Original Mail ------------------ Sender:Yang Yi Send Date:Thu Feb 4 11:08:39 2021 Recipients:Andrew Hughes CC:jdk8u-dev at openjdk.java.net Subject:Re: PING: RFR: 8u backport of JDK-8237499 JFR: Include stack trace in the ThreadStart event Hi Andrew, Thanks to your explanation, it makes sense, I have updated my patch according to your change. Webrev: HotSpot Part: http://cr.openjdk.java.net/~ddong/yiyang/8237499/hotspot-webrev.01/ JDK Part: http://cr.openjdk.java.net/~ddong/yiyang/8237499/jdk-webrev/ Cheers, Yang Yi ------------------------------------------------------------------ From:Andrew Hughes Send Time:2021 Feb. 4 (Thu.) 01:45 To:"YANG, Yi" Cc:jdk8u-dev at openjdk.java.net Subject:Re: PING: RFR: 8u backport of JDK-8237499 JFR: Include stack trace in the ThreadStart event On 19:52 Tue 02 Feb , Yang Yi wrote: > Hi Andrew, > > Do you mean I should update my patch to add these three functions together so that they work as a whole rather than adding them one by one in the future? > > Please let me know if I misunderstand your reply. > > Thanks, > Yang Yi > Yes, that's correct. In other words, please add my patch to what you have and provide an updated webrev :-) Thanks, -- Andrew :) Senior Free Java Software Engineer OpenJDK Package Owner Red Hat, Inc. (http://www.redhat.com) PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net) Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222 From aostrouhhov at azul.com Wed Sep 8 13:50:58 2021 
From: aostrouhhov at azul.com (Anton Ostrouhhov) Date: Wed, 8 Sep 2021 13:50:58 +0000 Subject: Backport JDK-8066588 into 8u Message-ID: Hello! I see a letter (https://mail.openjdk.java.net/pipermail/jdk8u-dev/2021-July/014126.html) in which Andrew (gnu.andrew at redhat.com) wrote that JDK-8066588 will be backported into 8u for 8u312. It is already a 'rampdown' stage so as far as I understand this fix is not going to be included into 8u312. Can I take this task and do the fix for u322? -- Regards, Anton Ostrouhhov Software Engineer Azul (https://www.azul.com) From alexey at azul.com Wed Sep 8 17:54:06 2021 From: alexey at azul.com (Alexey Bakhtin) Date: Wed, 8 Sep 2021 17:54:06 +0000 Subject: [8u] RFR: 8076190: Customizing the generation of a PKCS12 keystore In-Reply-To: References: Message-ID: Hi Martin, Thank you a lot for review. I've simplified keytool code almost as you suggested but I still think PKCS12 probing is useful here. I agree, the first version of kstype detection was not correct, so I've implemented it via PKCS12KeyStore.probe as you suggested in the first mail. Without such probing the passwordless feature looks strange: "keytool -list" cmd prints PKCS12 store type and warning about password for the passwordless keystore (if storetype is not indicated explicitly). The same is for other commands. Also, I have removed changes in the test/lib/jdk/test/lib/SecurityTools.java and updated tests to use jdk/test/lib/jdk/test/lib/SecurityTools.java All sun/security/pkcs12 and sun/security/tools/keytool tests passed New version of the patch is available at: http://cr.openjdk.java.net/~abakhtin/8076190_8u/webrev.v1/ Regards Alexey > On 24 Aug 2021, at 18:50, Martin Balao wrote: > > Hi Alexey, > > Final comments for this first round: > > * src/share/classes/sun/security/tools/keytool/Main.java > * 
@@ -2025,7 +2058,14 @@ > * Seems to have an issue similar to the one before: > * 'srcstoretype' is changed based on probing (which was not a > JDK-8 behavior) > * the value set is based on the assumption that > '!"JKS".equalsIgnoreCase(realType)' is PKCS#12 and that may not be > correct on some cases > * there might be some redundancy in the checks 'srcksfile != null > && is != null && srcProviderName == null' > * I'd consider a similar approach to the one proposed earlier: take > the 'srcstoretype' value for certain, compare against 'pkcs12' and > handle the existing-keystore scenario. In this case, 'is' seems to be > the variable to decide whether there is an existing keystore or not. > > * test/lib/jdk/test/lib/SecurityTools.java > * For some reason, there are 2 SecurityTools files in JDK-8: > * jdk/test/lib/testlibrary/jdk/testlibrary/SecurityTools.java > * jdk/test/lib/jdk/test/lib/SecurityTools.java > * Can we avoid this change by making the test use the other one? > * Looks like > 'jdk/test/lib/testlibrary/jdk/testlibrary/SecurityTools.java' is the > one that you want for the test > * If we apply your proposed change, then the 2 libs will be equal > in regards to the affected method and I'm in general concerned about > the side-effects of modifying libraries; the set of regression tests > that you ran may not be enough to make sure that we don't introduce a > regression. > > Thanks, > Martin.- > From hohensee at amazon.com Wed Sep 8 19:16:08 2021 From: hohensee at amazon.com (Hohensee, Paul) Date: Wed, 8 Sep 2021 19:16:08 +0000 Subject: PING: RFR: 8u backport of JDK-8237499 JFR: Include stack trace in the ThreadStart event Message-ID: <1B9A63C0-AF9F-4496-9714-7CBCF0741DFD@amazon.com> Yes. I've added Fix Request comments to 8237499 and 8239886 and tagged both. Thanks, Paul 
From: Yi Yang Reply-To: Yi Yang Date: Tuesday, September 7, 2021 at 7:59 PM To: "Hohensee, Paul" , Andrew Hughes Cc: "jdk8u-dev at openjdk.java.net" Subject: RE: PING: RFR: 8u backport of JDK-8237499 JFR: Include stack trace in the ThreadStart event Hi Paul, Sorry for the late response, I missed this email inadvertently. > Lgtm. Do you need a sponsor? Sure! Can you help sponsor this patch? Thanks. Yang ------------------------------------------------------------------ From:Hohensee, Paul Send Time:2021 Apr. 28 (Wed.) 02:32 To:"YANG, Yi" ; Andrew Hughes Cc:jdk8u-dev at openjdk.java.net Subject:RE: PING: RFR: 8u backport of JDK-8237499 JFR: Include stack trace in the ThreadStart event Lgtm. Do you need a sponsor? Thanks, Paul -----Original Message----- 
From: jdk8u-dev on behalf of Yang Yi Date: Wednesday, February 17, 2021 at 9:27 PM To: Yang Yi , Andrew Hughes Cc: "jdk8u-dev at openjdk.java.net" Subject: RE: Re: PING: RFR: 8u backport of JDK-8237499 JFR: Include stack trace in the ThreadStart event Gentle Ping v2 :-) ------------------Original Mail ------------------ Sender:Yang Yi Send Date:Thu Feb 4 11:08:39 2021 Recipients:Andrew Hughes CC:jdk8u-dev at openjdk.java.net Subject:Re: PING: RFR: 8u backport of JDK-8237499 JFR: Include stack trace in the ThreadStart event Hi Andrew, Thanks to your explanation, it makes sense, I have updated my patch according to your change. Webrev: HotSpot Part: http://cr.openjdk.java.net/~ddong/yiyang/8237499/hotspot-webrev.01/ JDK Part: http://cr.openjdk.java.net/~ddong/yiyang/8237499/jdk-webrev/ Cheers, Yang Yi ------------------------------------------------------------------ From:Andrew Hughes Send Time:2021 Feb. 4 (Thu.) 01:45 To:"YANG, Yi" Cc:jdk8u-dev at openjdk.java.net Subject:Re: PING: RFR: 8u backport of JDK-8237499 JFR: Include stack trace in the ThreadStart event On 19:52 Tue 02 Feb , Yang Yi wrote: > Hi Andrew, > > Do you mean I should update my patch to add these three functions together so that they work as a whole rather than adding them one by one in the future? > > Please let me know if I misunderstand your reply. > > Thanks, > Yang Yi > Yes, that's correct. In other words, please add my patch to what you have and provide an updated webrev :-) Thanks, -- Andrew :) Senior Free Java Software Engineer OpenJDK Package Owner Red Hat, Inc. (http://www.redhat.com) PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net) Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222 From vkempik at azul.com Thu Sep 9 11:50:41 2021 
From: vkempik at azul.com (Vladimir Kempik) Date: Thu, 9 Sep 2021 11:50:41 +0000 Subject: [8u] RFR: 8226806: [macOS 10.14] Methods of Java Robot should be called from appropriate thread In-Reply-To: <414632cf-f434-7a54-13e7-bee0213a297d@amazon.com> References: <0C294011-9A6C-42A3-A810-A02F05AF2AEF@azul.com> <20210609171824.GD63768@rincewind> <2C560A7D-2456-4DEC-8094-4656722C35CC@azul.com> <414632cf-f434-7a54-13e7-bee0213a297d@amazon.com> Message-ID: <9BD416CB-B368-4D35-8839-3360756EC690@azul.com> Hello, thanks for looking into this. Sorry for late response. > On 26 Aug 2021, at 07:52, Sergey Bylokhov wrote: > > Hi, Vladimir. > > On 8/6/21 12:52 PM, Vladimir Kempik wrote: >>>> Since the support for xcode12 were approved ( see JDK-8267545 ), it becomes important to backport some of the bug fixes as well. >>>> This fix passed all the testing in zulu8 for past 3 releases ( since October 2020) > > Why did you remove the headful keyword from the test? That is by accident, restored that line in the test. Updated webrev: http://cr.openjdk.java.net/~vkempik/8226806/webrev.02/ Regards, Vladimir > >>> The test library additions seem odd, given those methods are >>> already in jdk/test/lib/jdk/test/lib/process/OutputAnalyzer.java. >>> I don't know why we have two OutputAnalyzer.java files, but that >>> also seems to be true in 11u! > > PS: The second OutputAnalyzer was removed in jdk12 by the JDK-8210112, and before that it was deprecated by the JDK-8141526 > > -- > Best regards, Sergey. From bylokhov at amazon.com Fri Sep 10 05:15:00 2021 
From: bylokhov at amazon.com (Sergey Bylokhov) Date: Thu, 9 Sep 2021 22:15:00 -0700 Subject: [8u] RFR: 8226806: [macOS 10.14] Methods of Java Robot should be called from appropriate thread In-Reply-To: <9BD416CB-B368-4D35-8839-3360756EC690@azul.com> References: <0C294011-9A6C-42A3-A810-A02F05AF2AEF@azul.com> <20210609171824.GD63768@rincewind> <2C560A7D-2456-4DEC-8094-4656722C35CC@azul.com> <414632cf-f434-7a54-13e7-bee0213a297d@amazon.com> <9BD416CB-B368-4D35-8839-3360756EC690@azul.com> Message-ID: <45de9c35-aa2f-9c8a-530c-a55711e339bc@amazon.com> On 9/9/21 4:50 AM, Vladimir Kempik wrote: > That is by accident, restored that line in the test . > Updated webrev: http://cr.openjdk.java.net/~vkempik/8226806/webrev.02/ Looks fine. -- Best regards, Sergey. From gnu.andrew at redhat.com Tue Sep 14 02:16:12 2021 
From: gnu.andrew at redhat.com (Andrew Hughes) Date: Tue, 14 Sep 2021 03:16:12 +0100 Subject: CFV: New OpenJDK 8 Updates Committer: Jonathan Dowland Message-ID: I hereby nominate Jonathan Dowland [0] for the role of an OpenJDK 8 Updates Committer. Jonathan is doing active backporting work for 8u, including both clean backports and those that require reviews and so register under his own commit handle [1] [2]. Making him a committer would aid this backporting work by avoiding the need for someone else to sponsor & push his fixes. He has already proven capable of following the appropriate processes and providing good quality patches. Clean backports: JDK-8249251: [dark_mode ubuntu 20.04] The selected menu is not highlighted in GTKLookAndFeel JDK-8161016: Strange behavior of URLConnection with proxy JDK-8152077: (cal) Calendar.roll does not always roll the hours during daylight savings changes JDK-8078614: WindowsClassicLookAndFeel : MetalComboBoxUI.getbaseLine fails with IllegalArgumentException JDK-8258043: [TEST BUG]: java/awt/print/PageFormat/PDialogTest.java needs update by removing a infinite loop JDK-8168517: java/lang/ProcessBuilder/Basic.java failed with "java.lang.AssertionError: Some tests failed" JDK-6574989: TEST_BUG: javax/sound/sampled/Clip/bug5070081.java fails sometimes JDK-8226697: Several tests which need the @key headful keyword are missing it. 
JDK-8262731: [macOS] Exception from "Printable.print" is swallowed during "PrinterJob.print" JDK-8177393: Result of RescaleOp for 4BYTE_ABGR images may be 25% black JDK-8080287: closed bug, pre-requisite for JDK-8177393, wrote RFA Unclean backports, requiring review: JDK-8244154: Update SunPKCS11 provider with PKCS11 v3.0 header files JDK-8252384: [TESTBUG] Some tests refer to COMPAT provider rather than JRE JDK-8038723: Open up some PrinterJob tests JDK-8227006: [linux] Runtime.availableProcessors execution time increased by factor of 100 JDK-8183369: RFC unconformity of HttpURLConnection with proxy JDK-8187450: JNI local refs exceeds capacity warning in NetworkInterface::getAll Votes are due by 19h00 UTC on Tuesday, 28th of September, 2021. Only current OpenJDK 8 Updates Committers (and above) [2] are eligible to vote on this nomination. Votes must be cast in the open by replying to this mailing list. For Lazy Consensus voting instructions, see [3]. [0] https://openjdk.java.net/census#jdowland [1] https://hg.openjdk.java.net/jdk8u/jdk8u-dev/jdk/log?revcount=200&rev=(author(jdowland)+or+desc(%22jdowland%40redhat.com%22))+and+not+merge() [2] https://hg.openjdk.java.net/jdk8u/jdk8u-dev/hotspot/log?revcount=200&rev=(author(jdowland)+or+desc(%22jdowland%40redhat.com%22))+and+not+merge() [2] http://openjdk.java.net/census#jdk8u [3] http://openjdk.java.net/projects/#committer-vote Thanks, -- Andrew :) Pronouns: he / him or they / them Senior Free Java Software Engineer OpenJDK Package Owner Red Hat, Inc. (http://www.redhat.com) PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net) Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222 From shade at redhat.com Tue Sep 14 07:30:03 2021 
From: shade at redhat.com (Aleksey Shipilev) Date: Tue, 14 Sep 2021 09:30:03 +0200 Subject: CFV: New OpenJDK 8 Updates Committer: Jonathan Dowland In-Reply-To: References: Message-ID: <21f15117-d3a8-bf1c-d3e8-a10466da925f@redhat.com> Vote: yes On 9/14/21 4:16 AM, Andrew Hughes wrote: > I hereby nominate Jonathan Dowland [0] for the role of an OpenJDK 8 > Updates Committer. -- Thanks, -Aleksey From adinn at redhat.com Tue Sep 14 08:57:50 2021 
From: adinn at redhat.com (Andrew Dinn) Date: Tue, 14 Sep 2021 09:57:50 +0100 Subject: CFV: New OpenJDK 8 Updates Committer: Jonathan Dowland In-Reply-To: References: Message-ID: <7279e7a3-c424-758c-30d3-6718e6d683b7@redhat.com> Vote: yes On 14/09/2021 03:16, Andrew Hughes wrote: > I hereby nominate Jonathan Dowland [0] for the role of an OpenJDK 8 > Updates Committer. > > Jonathan is doing active backporting work for 8u, including both clean > backports and those that require reviews and so register under his own > commit handle [1] [2]. Making him a committer would aid this > backporting work by avoiding the need for someone else to sponsor & > push his fixes. He has already proven capable of following the > appropriate processes and providing good quality patches. > > Clean backports: > JDK-8249251: [dark_mode ubuntu 20.04] The selected menu is not highlighted in GTKLookAndFeel > JDK-8161016: Strange behavior of URLConnection with proxy > JDK-8152077: (cal) Calendar.roll does not always roll the hours during daylight savings changes > JDK-8078614: WindowsClassicLookAndFeel : MetalComboBoxUI.getbaseLine fails with IllegalArgumentException > JDK-8258043: [TEST BUG]: java/awt/print/PageFormat/PDialogTest.java needs update by removing a infinite loop > JDK-8168517: java/lang/ProcessBuilder/Basic.java failed with "java.lang.AssertionError: Some tests failed" > JDK-6574989: TEST_BUG: javax/sound/sampled/Clip/bug5070081.java fails sometimes > JDK-8226697: Several tests which need the @key headful keyword are missing it. 
> JDK-8262731: [macOS] Exception from "Printable.print" is swallowed during "PrinterJob.print" > JDK-8177393: Result of RescaleOp for 4BYTE_ABGR images may be 25% black > JDK-8080287: closed bug, pre-requisite for JDK-8177393, wrote RFA > > Unclean backports, requiring review: > JDK-8244154: Update SunPKCS11 provider with PKCS11 v3.0 header files > JDK-8252384: [TESTBUG] Some tests refer to COMPAT provider rather than JRE > JDK-8038723: Open up some PrinterJob tests > JDK-8227006: [linux] Runtime.availableProcessors execution time increased by factor of 100 > JDK-8183369: RFC unconformity of HttpURLConnection with proxy > JDK-8187450: JNI local refs exceeds capacity warning in NetworkInterface::getAll > > Votes are due by 19h00 UTC on Tuesday, 28th of September, 2021. > > Only current OpenJDK 8 Updates Committers (and above) [2] are eligible > to vote on this nomination. > > Votes must be cast in the open by replying to this mailing list. > > For Lazy Consensus voting instructions, see [3]. > > [0] https://openjdk.java.net/census#jdowland > [1] https://hg.openjdk.java.net/jdk8u/jdk8u-dev/jdk/log?revcount=200&rev=(author(jdowland)+or+desc(%22jdowland%40redhat.com%22))+and+not+merge() > [2] https://hg.openjdk.java.net/jdk8u/jdk8u-dev/hotspot/log?revcount=200&rev=(author(jdowland)+or+desc(%22jdowland%40redhat.com%22))+and+not+merge() > [2] http://openjdk.java.net/census#jdk8u > [3] http://openjdk.java.net/projects/#committer-vote > > Thanks, > -- regards, Andrew Dinn ----------- Red Hat Distinguished Engineer Red Hat UK Ltd Registered in England and Wales under Company Registration No. 03798903 Directors: Michael Cunningham, Michael ("Mike") O'Neill From neugens at redhat.com Tue Sep 14 09:01:52 2021 
From: neugens at redhat.com (Mario Torre) Date: Tue, 14 Sep 2021 11:01:52 +0200 Subject: CFV: New OpenJDK 8 Updates Committer: Jonathan Dowland In-Reply-To: References: Message-ID: Vote: Yes, Cheers, Mario On Tue, Sep 14, 2021 at 4:17 AM Andrew Hughes wrote: > > I hereby nominate Jonathan Dowland [0] for the role of an OpenJDK 8 > Updates Committer. > > Jonathan is doing active backporting work for 8u, including both clean > backports and those that require reviews and so register under his own > commit handle [1] [2]. Making him a committer would aid this > backporting work by avoiding the need for someone else to sponsor & > push his fixes. He has already proven capable of following the > appropriate processes and providing good quality patches. > > Clean backports: > JDK-8249251: [dark_mode ubuntu 20.04] The selected menu is not highlighted in GTKLookAndFeel > JDK-8161016: Strange behavior of URLConnection with proxy > JDK-8152077: (cal) Calendar.roll does not always roll the hours during daylight savings changes > JDK-8078614: WindowsClassicLookAndFeel : MetalComboBoxUI.getbaseLine fails with IllegalArgumentException > JDK-8258043: [TEST BUG]: java/awt/print/PageFormat/PDialogTest.java needs update by removing a infinite loop > JDK-8168517: java/lang/ProcessBuilder/Basic.java failed with "java.lang.AssertionError: Some tests failed" > JDK-6574989: TEST_BUG: javax/sound/sampled/Clip/bug5070081.java fails sometimes > JDK-8226697: Several tests which need the @key headful keyword are missing it. 
> JDK-8262731: [macOS] Exception from "Printable.print" is swallowed during "PrinterJob.print" > JDK-8177393: Result of RescaleOp for 4BYTE_ABGR images may be 25% black > JDK-8080287: closed bug, pre-requisite for JDK-8177393, wrote RFA > > Unclean backports, requiring review: > JDK-8244154: Update SunPKCS11 provider with PKCS11 v3.0 header files > JDK-8252384: [TESTBUG] Some tests refer to COMPAT provider rather than JRE > JDK-8038723: Open up some PrinterJob tests > JDK-8227006: [linux] Runtime.availableProcessors execution time increased by factor of 100 > JDK-8183369: RFC unconformity of HttpURLConnection with proxy > JDK-8187450: JNI local refs exceeds capacity warning in NetworkInterface::getAll > > Votes are due by 19h00 UTC on Tuesday, 28th of September, 2021. > > Only current OpenJDK 8 Updates Committers (and above) [2] are eligible > to vote on this nomination. > > Votes must be cast in the open by replying to this mailing list. > > For Lazy Consensus voting instructions, see [3]. > > [0] https://openjdk.java.net/census#jdowland > [1] https://hg.openjdk.java.net/jdk8u/jdk8u-dev/jdk/log?revcount=200&rev=(author(jdowland)+or+desc(%22jdowland%40redhat.com%22))+and+not+merge() > [2] https://hg.openjdk.java.net/jdk8u/jdk8u-dev/hotspot/log?revcount=200&rev=(author(jdowland)+or+desc(%22jdowland%40redhat.com%22))+and+not+merge() > [2] http://openjdk.java.net/census#jdk8u > [3] http://openjdk.java.net/projects/#committer-vote > > Thanks, > -- > Andrew :) > Pronouns: he / him or they / them > Senior Free Java Software Engineer > OpenJDK Package Owner > Red Hat, Inc. (http://www.redhat.com) > > PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net) > Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222 -- Mario Torre Manager, Software Engineering, core OpenJDK Red Hat GmbH 9704 A60C B4BE A8B8 0F30 9205 5D7E 4952 3F65 7898 From sgehwolf at redhat.com Tue Sep 14 09:22:05 2021 
From: sgehwolf at redhat.com (Severin Gehwolf) Date: Tue, 14 Sep 2021 11:22:05 +0200 Subject: CFV: New OpenJDK 8 Updates Committer: Jonathan Dowland In-Reply-To: References: Message-ID: <7386222ee92840f08599238faae0a80fce9e7da1.camel@redhat.com> Vote: yes. On Tue, 2021-09-14 at 03:16 +0100, Andrew Hughes wrote: > I hereby nominate Jonathan Dowland [0] for the role of an OpenJDK 8 > Updates Committer. > > Jonathan is doing active backporting work for 8u, including both clean > backports and those that require reviews and so register under his own > commit handle [1] [2]. Making him a committer would aid this > backporting work by avoiding the need for someone else to sponsor & > push his fixes. He has already proven capable of following the > appropriate processes and providing good quality patches. > > Clean backports: > JDK-8249251: [dark_mode ubuntu 20.04] The selected menu is not highlighted in GTKLookAndFeel > JDK-8161016: Strange behavior of URLConnection with proxy > JDK-8152077: (cal) Calendar.roll does not always roll the hours during daylight savings changes > JDK-8078614: WindowsClassicLookAndFeel : MetalComboBoxUI.getbaseLine fails with IllegalArgumentException > JDK-8258043: [TEST BUG]: java/awt/print/PageFormat/PDialogTest.java needs update by removing a infinite loop > JDK-8168517: java/lang/ProcessBuilder/Basic.java failed with "java.lang.AssertionError: Some tests failed" > JDK-6574989: TEST_BUG: javax/sound/sampled/Clip/bug5070081.java fails sometimes > JDK-8226697: Several tests which need the @key headful keyword are missing it. > JDK-8262731: [macOS] Exception from "Printable.print" is swallowed during "PrinterJob.print" > JDK-8177393: Result of RescaleOp for 4BYTE_ABGR images may be 25% black > JDK-8080287: closed bug, pre-requisite for JDK-8177393, wrote RFA > > Unclean backports, requiring review: > 
JDK-8244154: Update SunPKCS11 provider with PKCS11 v3.0 header files > JDK-8252384: [TESTBUG] Some tests refer to COMPAT provider rather than JRE > JDK-8038723: Open up some PrinterJob tests > JDK-8227006: [linux] Runtime.availableProcessors execution time increased by factor of 100 > JDK-8183369: RFC unconformity of HttpURLConnection with proxy > JDK-8187450: JNI local refs exceeds capacity warning in NetworkInterface::getAll > > Votes are due by 19h00 UTC on Tuesday, 28th of September, 2021. > > Only current OpenJDK 8 Updates Committers (and above) [2] are eligible > to vote on this nomination. > > Votes must be cast in the open by replying to this mailing list. > > For Lazy Consensus voting instructions, see [3]. > > [0] https://openjdk.java.net/census#jdowland > [1] https://hg.openjdk.java.net/jdk8u/jdk8u-dev/jdk/log?revcount=200&rev=(author(jdowland)+or+desc(%22jdowland%40redhat.com%22))+and+not+merge() > [2] https://hg.openjdk.java.net/jdk8u/jdk8u-dev/hotspot/log?revcount=200&rev=(author(jdowland)+or+desc(%22jdowland%40redhat.com%22))+and+not+merge() > [2] http://openjdk.java.net/census#jdk8u > [3] http://openjdk.java.net/projects/#committer-vote > > Thanks, From vkempik at azul.com Tue Sep 14 10:28:28 2021 
From: vkempik at azul.com (Vladimir Kempik) Date: Tue, 14 Sep 2021 10:28:28 +0000 Subject: [8u] RFR: 8261397: Try Catch Method Failing to Work When Dividing An Integer By 0 Message-ID: Please review this backport of 8261397 to jdk8u. The fix didn't apply cleanly due to MACOS_ONLY macro missing in jdk8 and some context code difference. The fix is low-risk, affects only macos_x86 when running in rosetta2 translation mode on m1 mac. Checked the build with fix on m1 mac with testcase from the bug, testcase now works. The webrev - http://cr.openjdk.java.net/~vkempik/8261397/webrev.8u.01/ The Bug - https://bugs.openjdk.java.net/browse/JDK-8261397 Original changeset - https://github.com/openjdk/jdk/commit/0257caad Regards, Vladimir From akashche at redhat.com Tue Sep 14 13:05:19 2021 From: akashche at redhat.com (Alex Kashchenko) Date: Tue, 14 Sep 2021 14:05:19 +0100 Subject: [8u] RFR: 8151260: Mark URLPermission/URLTest.java and ipv6tests/TcpTest.java as intermittently failing Message-ID: Hi, Please review this trivial change to TcpTest.java: Bug: https://bugs.openjdk.java.net/browse/JDK-8151260 Original changeset: https://hg.openjdk.java.net/jdk9/jdk9/jdk/rev/55a1107a6092 8u webrev: https://cr.openjdk.java.net/~akasko/jdk8u/8151260/webrev.00/ This patch allows to apply cleanly related subsequent ipv6tests patches (up to JDK-8194260 [1] that is intended to be backported to 8u). Hunk with a change to TcpTest.java applies cleanly, change to URLTest.java is excluded because it is not directly related to ipv6tests and also contains a number of large changes (JDK-8055747 [2] and others) that are not backported to 8u. [1] https://bugs.openjdk.java.net/browse/JDK-8194260 [2] https://bugs.openjdk.java.net/browse/JDK-8055747 -- -Alex From hohensee at amazon.com Tue Sep 14 13:23:55 2021 
From: hohensee at amazon.com (Hohensee, Paul) Date: Tue, 14 Sep 2021 13:23:55 +0000 Subject: CFV: New OpenJDK 8 Updates Committer: Jonathan Dowland Message-ID: <3C92D3BF-4909-4ADF-81F7-6DE6759A7D5B@amazon.com> Vote: yes. -----Original Message-----
From: jdk8u-dev on behalf of Andrew Hughes Date: Monday, September 13, 2021 at 7:17 PM To: "jdk8u-dev at openjdk.java.net" Subject: CFV: New OpenJDK 8 Updates Committer: Jonathan Dowland I hereby nominate Jonathan Dowland [0] for the role of an OpenJDK 8 Updates Committer. Jonathan is doing active backporting work for 8u, including both clean backports and those that require reviews and so register under his own commit handle [1] [2]. Making him a committer would aid this backporting work by avoiding the need for someone else to sponsor & push his fixes. He has already proven capable of following the appropriate processes and providing good quality patches. Clean backports: JDK-8249251: [dark_mode ubuntu 20.04] The selected menu is not highlighted in GTKLookAndFeel JDK-8161016: Strange behavior of URLConnection with proxy JDK-8152077: (cal) Calendar.roll does not always roll the hours during daylight savings changes JDK-8078614: WindowsClassicLookAndFeel : MetalComboBoxUI.getbaseLine fails with IllegalArgumentException JDK-8258043: [TEST BUG]: java/awt/print/PageFormat/PDialogTest.java needs update by removing a infinite loop JDK-8168517: java/lang/ProcessBuilder/Basic.java failed with "java.lang.AssertionError: Some tests failed" JDK-6574989: TEST_BUG: javax/sound/sampled/Clip/bug5070081.java fails sometimes JDK-8226697: Several tests which need the @key headful keyword are missing it. 
JDK-8262731: [macOS] Exception from "Printable.print" is swallowed during "PrinterJob.print" JDK-8177393: Result of RescaleOp for 4BYTE_ABGR images may be 25% black JDK-8080287: closed bug, pre-requisite for JDK-8177393, wrote RFA Unclean backports, requiring review: JDK-8244154: Update SunPKCS11 provider with PKCS11 v3.0 header files JDK-8252384: [TESTBUG] Some tests refer to COMPAT provider rather than JRE JDK-8038723: Open up some PrinterJob tests JDK-8227006: [linux] Runtime.availableProcessors execution time increased by factor of 100 JDK-8183369: RFC unconformity of HttpURLConnection with proxy JDK-8187450: JNI local refs exceeds capacity warning in NetworkInterface::getAll Votes are due by 19h00 UTC on Tuesday, 28th of September, 2021. Only current OpenJDK 8 Updates Committers (and above) [2] are eligible to vote on this nomination. Votes must be cast in the open by replying to this mailing list. For Lazy Consensus voting instructions, see [3]. [0] https://openjdk.java.net/census#jdowland [1] https://hg.openjdk.java.net/jdk8u/jdk8u-dev/jdk/log?revcount=200&rev=(author(jdowland)+or+desc(%22jdowland%40redhat.com%22))+and+not+merge() [2] https://hg.openjdk.java.net/jdk8u/jdk8u-dev/hotspot/log?revcount=200&rev=(author(jdowland)+or+desc(%22jdowland%40redhat.com%22))+and+not+merge() [2] http://openjdk.java.net/census#jdk8u [3] http://openjdk.java.net/projects/#committer-vote Thanks, -- Andrew :) Pronouns: he / him or they / them Senior Free Java Software Engineer OpenJDK Package Owner Red Hat, Inc. (http://www.redhat.com) PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net) Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222 From erik.joelsson at oracle.com Tue Sep 14 13:57:46 2021 
From: erik.joelsson at oracle.com (erik.joelsson at oracle.com) Date: Tue, 14 Sep 2021 06:57:46 -0700 Subject: Switch jdk8u development to Git/Skara Message-ID: Hello, Back in February there was a discussion about moving the OpenJDK 8u development to Git/Skara together with the jdk11u move [1]. The conclusion then, as I understood it, was to wait until sometime after jdk11u was moved to give people a chance to get familiar with the new development process and iron out the details on how it should be applied. The jdk11u move took place over the summer, so I thought now would be a good time to revisit the discussion for jdk8u. The move for 8u is a bit trickier than 11u as a necessary pre step is to first consolidate the Mercurial repositories into one, like we did for JDK 10. I have already produced a prototype conversion during the previous discussion [2], but it's quite outdated at this time. Unfortunately, the consolidation process is not easily automated and only incremental to a point (basically on a per promotion tag level, but even that comes with some caveats in the update world where multiple releases are being developed in parallel). Because of this it's not feasible to set up a live mirror like we did for jdk11u. Instead, we will need to plan for up to a week (worst case) of downtime where I produce the final consolidated HG repository, and then let Skara convert and publish this to Github. Ideally it should only take 1-2 days, but these consolidations have been finicky in the past, so better plan for the worst. Another option would be to transition in 2 steps, first to a consolidated HG repo, then to Git. This certainly has other drawbacks, having to adjust to and support another development process for a short period of time. It would, however, make the final transition to Git much smoother and similar to the jdk11u transition.
I would like to hear from the maintainers of jdk8u what your preferred strategy would be and what timelines that would make sense to you. /Erik [1] https://mail.openjdk.java.net/pipermail/jdk8u-dev/2021-February/013402.html [2] https://github.com/openjdk/jdk8u From zgu at redhat.com Tue Sep 14 23:23:24 2021 
From: zgu at redhat.com (Zhengyu Gu) Date: Tue, 14 Sep 2021 19:23:24 -0400 Subject: CFV: New OpenJDK 8 Updates Committer: Jonathan Dowland In-Reply-To: References: Message-ID: Vote: yes -Zhengyu On 9/13/21 22:16, Andrew Hughes wrote: > I hereby nominate Jonathan Dowland [0] for the role of an OpenJDK 8 > Updates Committer. > > Jonathan is doing active backporting work for 8u, including both clean > backports and those that require reviews and so register under his own > commit handle [1] [2]. Making him a committer would aid this > backporting work by avoiding the need for someone else to sponsor & > push his fixes. He has already proven capable of following the > appropriate processes and providing good quality patches. > > Clean backports: > JDK-8249251: [dark_mode ubuntu 20.04] The selected menu is not highlighted in GTKLookAndFeel > JDK-8161016: Strange behavior of URLConnection with proxy > JDK-8152077: (cal) Calendar.roll does not always roll the hours during daylight savings changes > JDK-8078614: WindowsClassicLookAndFeel : MetalComboBoxUI.getbaseLine fails with IllegalArgumentException > JDK-8258043: [TEST BUG]: java/awt/print/PageFormat/PDialogTest.java needs update by removing a infinite loop > JDK-8168517: java/lang/ProcessBuilder/Basic.java failed with "java.lang.AssertionError: Some tests failed" > JDK-6574989: TEST_BUG: javax/sound/sampled/Clip/bug5070081.java fails sometimes > JDK-8226697: Several tests which need the @key headful keyword are missing it. 
> JDK-8262731: [macOS] Exception from "Printable.print" is swallowed during "PrinterJob.print" > JDK-8177393: Result of RescaleOp for 4BYTE_ABGR images may be 25% black > JDK-8080287: closed bug, pre-requisite for JDK-8177393, wrote RFA > > Unclean backports, requiring review: > JDK-8244154: Update SunPKCS11 provider with PKCS11 v3.0 header files > JDK-8252384: [TESTBUG] Some tests refer to COMPAT provider rather than JRE > JDK-8038723: Open up some PrinterJob tests > JDK-8227006: [linux] Runtime.availableProcessors execution time increased by factor of 100 > JDK-8183369: RFC unconformity of HttpURLConnection with proxy > JDK-8187450: JNI local refs exceeds capacity warning in NetworkInterface::getAll > > Votes are due by 19h00 UTC on Tuesday, 28th of September, 2021. > > Only current OpenJDK 8 Updates Committers (and above) [2] are eligible > to vote on this nomination. > > Votes must be cast in the open by replying to this mailing list. > > For Lazy Consensus voting instructions, see [3]. > > [0] https://openjdk.java.net/census#jdowland > [1] https://hg.openjdk.java.net/jdk8u/jdk8u-dev/jdk/log?revcount=200&rev=(author(jdowland)+or+desc(%22jdowland%40redhat.com%22))+and+not+merge() > [2] https://hg.openjdk.java.net/jdk8u/jdk8u-dev/hotspot/log?revcount=200&rev=(author(jdowland)+or+desc(%22jdowland%40redhat.com%22))+and+not+merge() > [2] http://openjdk.java.net/census#jdk8u > [3] http://openjdk.java.net/projects/#committer-vote > > Thanks, > From rwestrel at redhat.com Wed Sep 15 08:53:26 2021 
From: rwestrel at redhat.com (Roland Westrelin) Date: Wed, 15 Sep 2021 10:53:26 +0200 Subject: RFR: 8182036: Load from initializing arraycopy uses wrong memory state In-Reply-To: <41dfa34a91fb4bfcb495b513125ba19e@huawei.com> References: <61BDC9D1-0D1A-447F-9255-6C999005F47C@amazon.com> <41dfa34a91fb4bfcb495b513125ba19e@huawei.com> Message-ID: <87lf3yfce1.fsf@redhat.com> > Thanks for looking at this. > Could I have another review from some C2 experts please? Sorry I missed that one back then. The fix itself looks good but I'm surprised the change to memnode.cpp is not required. Do you understand why it's not? Roland. From akashche at redhat.com Wed Sep 15 09:55:23 2021 
From: akashche at redhat.com (Alex Kashchenko) Date: Wed, 15 Sep 2021 10:55:23 +0100 Subject: CFV: New OpenJDK 8 Updates Committer: Jonathan Dowland In-Reply-To: References: Message-ID: Vote: yes On 9/14/21, Andrew Hughes wrote: > I hereby nominate Jonathan Dowland [0] for the role of an OpenJDK 8 > Updates Committer. > > Jonathan is doing active backporting work for 8u, including both clean > backports and those that require reviews and so register under his own > commit handle [1] [2]. Making him a committer would aid this > backporting work by avoiding the need for someone else to sponsor & > push his fixes. He has already proven capable of following the > appropriate processes and providing good quality patches. > > Clean backports: > JDK-8249251: [dark_mode ubuntu 20.04] The selected menu is not > highlighted in GTKLookAndFeel > JDK-8161016: Strange behavior of URLConnection with proxy > JDK-8152077: (cal) Calendar.roll does not always roll the hours > during daylight savings changes > JDK-8078614: WindowsClassicLookAndFeel : MetalComboBoxUI.getbaseLine > fails with IllegalArgumentException > JDK-8258043: [TEST BUG]: java/awt/print/PageFormat/PDialogTest.java > needs update by removing a infinite loop > JDK-8168517: java/lang/ProcessBuilder/Basic.java failed with > "java.lang.AssertionError: Some tests failed" > JDK-6574989: TEST_BUG: javax/sound/sampled/Clip/bug5070081.java > fails sometimes > JDK-8226697: Several tests which need the @key headful keyword are > missing it. 
> JDK-8262731: [macOS] Exception from "Printable.print" is swallowed > during "PrinterJob.print" > JDK-8177393: Result of RescaleOp for 4BYTE_ABGR images may be 25% > black > JDK-8080287: closed bug, pre-requisite for JDK-8177393, wrote RFA > > Unclean backports, requiring review: > JDK-8244154: Update SunPKCS11 provider with PKCS11 v3.0 header > files > JDK-8252384: [TESTBUG] Some tests refer to COMPAT provider rather > than JRE > JDK-8038723: Open up some PrinterJob tests > JDK-8227006: [linux] Runtime.availableProcessors execution time > increased by factor of 100 > JDK-8183369: RFC unconformity of HttpURLConnection with proxy > JDK-8187450: JNI local refs exceeds capacity warning in > NetworkInterface::getAll > > Votes are due by 19h00 UTC on Tuesday, 28th of September, 2021. > > Only current OpenJDK 8 Updates Committers (and above) [2] are eligible > to vote on this nomination. > > Votes must be cast in the open by replying to this mailing list. > > For Lazy Consensus voting instructions, see [3]. > > [0] https://openjdk.java.net/census#jdowland > [1] > https://hg.openjdk.java.net/jdk8u/jdk8u-dev/jdk/log?revcount=200&rev=(author(jdowland)+or+desc(%22jdowland%40redhat.com%22))+and+not+merge() > [2] > https://hg.openjdk.java.net/jdk8u/jdk8u-dev/hotspot/log?revcount=200&rev=(author(jdowland)+or+desc(%22jdowland%40redhat.com%22))+and+not+merge() > [2] http://openjdk.java.net/census#jdk8u > [3] http://openjdk.java.net/projects/#committer-vote > > Thanks, > -- > Andrew :) > Pronouns: he / him or they / them > Senior Free Java Software Engineer > OpenJDK Package Owner > Red Hat, Inc. (http://www.redhat.com) > > PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net) > Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222 > -- -Alex From erik.joelsson at oracle.com Wed Sep 15 12:28:41 2021 
From: erik.joelsson at oracle.com (erik.joelsson at oracle.com) Date: Wed, 15 Sep 2021 05:28:41 -0700 Subject: Switch jdk8u development to Git/Skara In-Reply-To: References: Message-ID: <6189dd25-c696-21f2-9f69-fba54732811f@oracle.com> On 2021-09-14 06:57, erik.joelsson at oracle.com wrote: > [2] https://github.com/openjdk/jdk8u This has now been updated with everything including tag jdk8u312-b05. /Erik From volker.simonis at gmail.com Wed Sep 15 13:25:04 2021 From: volker.simonis at gmail.com (Volker Simonis) Date: Wed, 15 Sep 2021 15:25:04 +0200 Subject: Switch jdk8u development to Git/Skara In-Reply-To: <6189dd25-c696-21f2-9f69-fba54732811f@oracle.com> References: <6189dd25-c696-21f2-9f69-fba54732811f@oracle.com> Message-ID: Hi Erik, thanks for not having forgotten about this issue :) Taking into account that 8u will be supported for at least five more years until 2026 [1,2] and that all downports are meanwhile originating from Git repositories I'm still strongly in favour of this migration in general. Regarding the technical migration details I think I'd be slightly in favour of the big-bang, one-step variant but I'm happy to accept the decision of the current 8u maintainers, whatever that will be. Best regards, Volker [1] https://access.redhat.com/articles/1299013#OpenJDK_Update_Release [2] https://aws.amazon.com/de/about-aws/whats-new/2020/08/amazon-corretto-8-11-support-extended/ On Wed, Sep 15, 2021 at 2:28 PM wrote: > > > On 2021-09-14 06:57, erik.joelsson at oracle.com wrote: > > [2] https://github.com/openjdk/jdk8u > > This has now been updated with everything including tag jdk8u312-b05. > > /Erik > > From yan at azul.com Wed Sep 15 14:51:40 2021
From: yan at azul.com (Yuri Nesterenko) Date: Wed, 15 Sep 2021 17:51:40 +0300 Subject: CFV: New OpenJDK 8 Updates Committer: Jonathan Dowland In-Reply-To: References: Message-ID: Vote: yes --yan On 14.09.2021 05:16, Andrew Hughes wrote: > I hereby nominate Jonathan Dowland [0] for the role of an OpenJDK 8 > Updates Committer. > > Jonathan is doing active backporting work for 8u, including both clean > backports and those that require reviews and so register under his own > commit handle [1] [2]. Making him a committer would aid this > backporting work by avoiding the need for someone else to sponsor & > push his fixes. He has already proven capable of following the > appropriate processes and providing good quality patches. > > Clean backports: > JDK-8249251: [dark_mode ubuntu 20.04] The selected menu is not highlighted in GTKLookAndFeel > JDK-8161016: Strange behavior of URLConnection with proxy > JDK-8152077: (cal) Calendar.roll does not always roll the hours during daylight savings changes > JDK-8078614: WindowsClassicLookAndFeel : MetalComboBoxUI.getbaseLine fails with IllegalArgumentException > JDK-8258043: [TEST BUG]: java/awt/print/PageFormat/PDialogTest.java needs update by removing a infinite loop > JDK-8168517: java/lang/ProcessBuilder/Basic.java failed with "java.lang.AssertionError: Some tests failed" > JDK-6574989: TEST_BUG: javax/sound/sampled/Clip/bug5070081.java fails sometimes > JDK-8226697: Several tests which need the @key headful keyword are missing it. 
> JDK-8262731: [macOS] Exception from "Printable.print" is swallowed during "PrinterJob.print" > JDK-8177393: Result of RescaleOp for 4BYTE_ABGR images may be 25% black > JDK-8080287: closed bug, pre-requisite for JDK-8177393, wrote RFA > > Unclean backports, requiring review: > JDK-8244154: Update SunPKCS11 provider with PKCS11 v3.0 header files > JDK-8252384: [TESTBUG] Some tests refer to COMPAT provider rather than JRE > JDK-8038723: Open up some PrinterJob tests > JDK-8227006: [linux] Runtime.availableProcessors execution time increased by factor of 100 > JDK-8183369: RFC unconformity of HttpURLConnection with proxy > JDK-8187450: JNI local refs exceeds capacity warning in NetworkInterface::getAll > > Votes are due by 19h00 UTC on Tuesday, 28th of September, 2021. > > Only current OpenJDK 8 Updates Committers (and above) [2] are eligible > to vote on this nomination. > > Votes must be cast in the open by replying to this mailing list. > > For Lazy Consensus voting instructions, see [3]. > > [0] https://openjdk.java.net/census#jdowland > [1] https://hg.openjdk.java.net/jdk8u/jdk8u-dev/jdk/log?revcount=200&rev=(author(jdowland)+or+desc(%22jdowland%40redhat.com%22))+and+not+merge() > [2] https://hg.openjdk.java.net/jdk8u/jdk8u-dev/hotspot/log?revcount=200&rev=(author(jdowland)+or+desc(%22jdowland%40redhat.com%22))+and+not+merge() > [2] http://openjdk.java.net/census#jdk8u > [3] http://openjdk.java.net/projects/#committer-vote > > Thanks, > From felix.yang at huawei.com Thu Sep 16 06:58:55 2021 From: felix.yang at huawei.com (Yangfei (Felix)) Date: Thu, 16 Sep 2021 06:58:55 +0000 Subject: RFR: 8182036: Load from initializing arraycopy uses wrong memory state In-Reply-To: <87lf3yfce1.fsf@redhat.com> References: <61BDC9D1-0D1A-447F-9255-6C999005F47C@amazon.com> <41dfa34a91fb4bfcb495b513125ba19e@huawei.com> <87lf3yfce1.fsf@redhat.com> Message-ID: <5a6e82379f004c88b61f8367c64ebcb6@huawei.com> Hi, > -----Original Message----- 
> From: Roland Westrelin [mailto:rwestrel at redhat.com] > Sent: Wednesday, September 15, 2021 4:53 PM > To: Yangfei (Felix) ; Hohensee, Paul > ; jdk8u-dev > Subject: RE: RFR: 8182036: Load from initializing arraycopy uses wrong > memory state > > > > > Thanks for looking at this. > > Could I have another review from some C2 experts please? > > Sorry I missed that one back then. > > The fix itself looks good but I'm surprised the change to memnode.cpp is not > required. Do you understand why it's not? The change in memnode.cpp of the original patch modifies the condition of the assertion. For jdk10+, the assertion is located in a loop and the loop condition looks like [1]. For jdk8u, this loop is not there and the assertion is simply in an if statement like [2]. Also the condition for the loop and if statement is rather different: For jdk8u, we have this condition for the if statement: mem->in(MemNode::Address)->eqv_uncast(address). In this case, 'mem' is the StoreL node from the ClearArrayNode, as explained in [3]. And 'address' corresponds to the StoreI node. Since those two store nodes access different memory, the condition will be false and the assertion for jdk8u will not hit in this case. That's why I excluded the change for jdk8u. I should have mentioned this in my original email. Thanks, Felix [1] https://hg.openjdk.java.net/jdk10/jdk10/hotspot/file/5ab7a67bc155/src/share/vm/opto/memnode.cpp#l2424 [2] https://hg.openjdk.java.net/jdk8u/jdk8u-dev/hotspot/file/3ba3f0e3f6c5/src/share/vm/opto/memnode.cpp#l2482 [3] https://mail.openjdk.java.net/pipermail/hotspot-compiler-dev/2017-June/026479.html From zgu at redhat.com Thu Sep 16 14:28:29 2021 
From: zgu at redhat.com (Zhengyu Gu) Date: Thu, 16 Sep 2021 10:28:29 -0400 Subject: [8u] RFR 8186902: jcmd GC.run should not be blocked by DisableExplicitGC Message-ID: <32885a57-7d12-0b70-00ec-8965ebc86285@redhat.com> I would like to backport this parity bug to openjdk8u. Original bug: https://bugs.openjdk.java.net/browse/JDK-8186902 Original patch: http://hg.openjdk.java.net/jdk10/jdk10/hotspot/rev/3d1150c7899c 8u Webrev: http://cr.openjdk.java.net/~zgu/JDK-8186902-8u/webrev.00/ The original patch does not apply cleanly. Besides line shifts, 8u does not define GCCause::_dcmd_gc_run, but GCCause::_java_lang_system_gc instead. Thanks, -Zhengyu From kevin.walls at oracle.com Thu Sep 16 14:38:06 2021 From: kevin.walls at oracle.com (Kevin Walls) Date: Thu, 16 Sep 2021 14:38:06 +0000 Subject: [8u] RFR 8186902: jcmd GC.run should not be blocked by DisableExplicitGC In-Reply-To: <32885a57-7d12-0b70-00ec-8965ebc86285@redhat.com> References: <32885a57-7d12-0b70-00ec-8965ebc86285@redhat.com> Message-ID: Hi, Looks good to me, Thanks Kevin -----Original Message----- From: jdk8u-dev On Behalf Of Zhengyu Gu Sent: 16 September 2021 15:28 To: jdk8u-dev Subject: [8u] RFR 8186902: jcmd GC.run should not be blocked by DisableExplicitGC I would like to backport this parity bug to openjdk8u. Original bug: https://bugs.openjdk.java.net/browse/JDK-8186902 Original patch: http://hg.openjdk.java.net/jdk10/jdk10/hotspot/rev/3d1150c7899c 8u Webrev: http://cr.openjdk.java.net/~zgu/JDK-8186902-8u/webrev.00/ The original patch does not apply cleanly. Besides line shifts, 8u does not define GCCause::_dcmd_gc_run, but GCCause::_java_lang_system_gc instead. Thanks, -Zhengyu From rwestrel at redhat.com Thu Sep 16 14:59:13 2021 
From: rwestrel at redhat.com (Roland Westrelin) Date: Thu, 16 Sep 2021 16:59:13 +0200 Subject: RFR: 8182036: Load from initializing arraycopy uses wrong memory state In-Reply-To: <5a6e82379f004c88b61f8367c64ebcb6@huawei.com> References: <61BDC9D1-0D1A-447F-9255-6C999005F47C@amazon.com> <41dfa34a91fb4bfcb495b513125ba19e@huawei.com> <87lf3yfce1.fsf@redhat.com> <5a6e82379f004c88b61f8367c64ebcb6@huawei.com> Message-ID: <874kakva66.fsf@redhat.com> > The change in memnode.cpp of the original patch modifies the condition of the assertion. > For jdk10+, the assertion is located in a loop and the loop condition looks like [1]. > For jdk8u, this loop is not there and the assertion is simply in an if statement like [2]. > Also the condition for the loop and if statement is rather different: > For jdk8u, we have this condition for the if statement: mem->in(MemNode::Address)->eqv_uncast(address). > In this case, 'mem' is the StoreL node from the ClearArrayNode, as explained in [3]. And 'address' corresponds to the StoreI node. > Since those two store nodes access different memory, the condition will be false and the assertion for jdk8u will not hit in this case. > That's why I excluded the change for jdk8u. I should have mentioned this in my original email. Thanks for the details. That sounds reasonable to me. Roland. From zgu at redhat.com Thu Sep 16 17:16:16 2021 From: zgu at redhat.com (Zhengyu Gu) Date: Thu, 16 Sep 2021 13:16:16 -0400 Subject: [8u] RFR 8186902: jcmd GC.run should not be blocked by DisableExplicitGC In-Reply-To: References: <32885a57-7d12-0b70-00ec-8965ebc86285@redhat.com> Message-ID: <1a91414b-0dbf-1b1c-8b67-38006f1fbd37@redhat.com> Thanks, Kevin. -Zhengyu On 9/16/21 10:38, Kevin Walls wrote: > Hi, > Looks good to me, > Thanks > Kevin > > -----Original Message----- 
> From: jdk8u-dev On Behalf Of Zhengyu Gu > Sent: 16 September 2021 15:28 > To: jdk8u-dev > Subject: [8u] RFR 8186902: jcmd GC.run should not be blocked by DisableExplicitGC > > I would like to backport this parity bug to openjdk8u. > > Original bug: https://bugs.openjdk.java.net/browse/JDK-8186902 > Original patch: > http://hg.openjdk.java.net/jdk10/jdk10/hotspot/rev/3d1150c7899c > > > 8u Webrev: http://cr.openjdk.java.net/~zgu/JDK-8186902-8u/webrev.00/ > > The original patch does not apply cleanly. Besides line shifts, 8u does not define GCCause::_dcmd_gc_run, but GCCause::_java_lang_system_gc instead. > > > Thanks, > > -Zhengyu > From felix.yang at huawei.com Fri Sep 17 01:12:50 2021 From: felix.yang at huawei.com (Yangfei (Felix)) Date: Fri, 17 Sep 2021 01:12:50 +0000 Subject: RFR: 8182036: Load from initializing arraycopy uses wrong memory state In-Reply-To: <874kakva66.fsf@redhat.com> References: <61BDC9D1-0D1A-447F-9255-6C999005F47C@amazon.com> <41dfa34a91fb4bfcb495b513125ba19e@huawei.com> <87lf3yfce1.fsf@redhat.com> <5a6e82379f004c88b61f8367c64ebcb6@huawei.com> <874kakva66.fsf@redhat.com> Message-ID: <380a4ba2bd664ca3a2568a574ecaab40@huawei.com> Thanks for reviewing this. The issue has been tagged for approval. Felix. > -----Original Message----- 
> From: Roland Westrelin [mailto:rwestrel at redhat.com] > Sent: Thursday, September 16, 2021 10:59 PM > To: Yangfei (Felix) ; Hohensee, Paul > ; jdk8u-dev > Subject: RE: RFR: 8182036: Load from initializing arraycopy uses wrong > memory state > > > > The change in memnode.cpp of the original patch modifies the condition of > the assertion. > > For jdk10+, the assertion is located in a loop and the loop condition looks > like [1]. > > For jdk8u, this loop is not there and the assertion is simply in an if > statement like [2]. > > Also the condition for the loop and if statement is rather different: > > For jdk8u, we have this condition for the if statement: mem- > >in(MemNode::Address)->eqv_uncast(address). > > In this case, 'mem' is the StoreL node from the ClearArrayNode, as > explained in [3]. And 'address' corresponds to the StoreI node. > > Since those two store nodes access different memory, the condition will be > false and the assertion for jdk8u will not hit in this case. > > That's why I excluded the change for jdk8u. I should have mentioned this > in my original email. > > Thanks for the details. That sounds reasonable to me. > > Roland. From vkempik at azul.com Fri Sep 17 10:35:00 2021 
From: vkempik at azul.com (Vladimir Kempik) Date: Fri, 17 Sep 2021 10:35:00 +0000 Subject: Switch jdk8u development to Git/Skara In-Reply-To: References: <6189dd25-c696-21f2-9f69-fba54732811f@oracle.com> Message-ID: Hello If Skara's "/backport" command can be updated to do patch unshuffling then it will be a huge thing to ease backporting. Regards, Vladimir > On 15 Sep 2021, at 16:25, Volker Simonis wrote: > > Hi Erik, > > thanks for not having forgotten about this issue :) > > Taking into account that 8u will be supported for at least five more > years until 2026 [1,2] and that all downports are meanwhile > originating from Git repositories I'm still strongly in favour of this > migration in general. > > Regarding the technical migration details I think I'd be slightly in > favour of the big-bang, one-step variant but I'm happy to accept the > decision of the current 8u maintainers, whatever that will be. > > Best regards, > Volker > > [1] https://access.redhat.com/articles/1299013#OpenJDK_Update_Release > [2] https://aws.amazon.com/de/about-aws/whats-new/2020/08/amazon-corretto-8-11-support-extended/ > > On Wed, Sep 15, 2021 at 2:28 PM wrote: >> >> >> On 2021-09-14 06:57, erik.joelsson at oracle.com wrote: >>> [2] https://github.com/openjdk/jdk8u >> >> This has now been updated with everything including tag jdk8u312-b05. >> >> /Erik >> >> From xwan at mtb.com Tue Sep 21 11:02:05 2021
From: xwan at mtb.com (Wan, Thomas) Date: Tue, 21 Sep 2021 11:02:05 +0000 Subject: FW: Welcome to the "jdk8u-dev" mailing list (Digest mode) In-Reply-To: References: Message-ID: It seems jdk8u202 was working well with ldap ssl. Since then all other jdk 8 release has the same error as below, any idea what is wrong? I compared the source code, it seems sun.security package has been changed a lot since jdk8u202 javax.net.ssl|FINE|01|main|2021-09-21 07:00:24.874 EDT|SSLSocketImpl.java:1629|close the SSL connection (initiative) javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake at sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1570) at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1400) at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1300) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:435) at sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:813) at sun.security.ssl.SSLSocketImpl.access$200(SSLSocketImpl.java:73) at sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1175) at sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1147) at com.mtb.cwp.SSLPoke.main(SSLPoke.java:53) Caused by: java.io.EOFException: SSL peer shut down incorrectly at sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:167) at sun.security.ssl.SSLTransport.decode(SSLTransport.java:109) at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1392) ... 7 more -----Original Message----- 
From: jdk8u-dev On Behalf Of jdk8u-dev-request at openjdk.java.net Sent: Tuesday, September 21, 2021 6:59 AM To: Wan, Thomas Subject: Welcome to the "jdk8u-dev" mailing list (Digest mode) From ecki at zusammenkunft.net Tue Sep 21 11:07:08 2021
From: ecki at zusammenkunft.net (Bernd Eckenfels) Date: Tue, 21 Sep 2021 11:07:08 +0000 Subject: Welcome to the "jdk8u-dev" mailing list (Digest mode) In-Reply-To: References: Message-ID: It normally means the peer does not like your cipher or protocol selection or maybe the peer has a wrongly configured certificate. The actual reason why the peer shuts down the connection so unclear should be logged on the remote site. -- http://bernd.eckenfels.net ________________________________ From: jdk8u-dev on behalf of Wan, Thomas Sent: Tuesday, September 21, 2021 1:02:05 PM To: jdk8u-dev at openjdk.java.net Subject: FW: Welcome to the "jdk8u-dev" mailing list (Digest mode) It seems jdk8u202 was working well with ldap ssl. Since then all other jdk 8 release has the same error as below, any idea what is wrong? I compared the source code, it seems sun.security package has been changed a lot since jdk8u202 javax.net.ssl|FINE|01|main|2021-09-21 07:00:24.874 EDT|SSLSocketImpl.java:1629|close the SSL connection (initiative) javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake at sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1570) at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1400) at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1300) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:435) at sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:813) at sun.security.ssl.SSLSocketImpl.access$200(SSLSocketImpl.java:73) at sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1175) at sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1147) at com.mtb.cwp.SSLPoke.main(SSLPoke.java:53) Caused by: java.io.EOFException: SSL peer shut down incorrectly at sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:167) at sun.security.ssl.SSLTransport.decode(SSLTransport.java:109) at
sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1392) ... 7 more -----Original Message----- 
From: jdk8u-dev On Behalf Of jdk8u-dev-request at openjdk.java.net Sent: Tuesday, September 21, 2021 6:59 AM To: Wan, Thomas Subject: Welcome to the "jdk8u-dev" mailing list (Digest mode) External Email: Use caution & trust the source before clicking links or opening attachments. Welcome to the jdk8u-dev at openjdk.java.net mailing list! To post to this list, send your message to: jdk8u-dev at openjdk.java.net General information about the mailing list is at: https://urldefense.com/v3/__https://mail.openjdk.java.net/mailman/listinfo/jdk8u-dev__;!!BqwCqLE!ZIO_EEHQrFS7E_OnoJLCXeaPg3yGs34eHn1NDQe90P94kowG3GLURaDcAw$ If you ever want to unsubscribe or change your options (eg, switch to or from digest mode, change your password, etc.), visit your subscription page at: https://urldefense.com/v3/__https://mail.openjdk.java.net/mailman/options/jdk8u-dev/xwan*40mtb.com__;JQ!!BqwCqLE!ZIO_EEHQrFS7E_OnoJLCXeaPg3yGs34eHn1NDQe90P94kowG3GLAPC2SIg$ You can also make such adjustments via email by sending a message to: jdk8u-dev-request at openjdk.java.net with the word `help' in the subject or body (don't include the quotes), and you will get back a message with instructions. You must know your password to change your options (including changing the password, itself) or to unsubscribe without confirmation. It is: Grace0208 Normally, Mailman will remind you of your openjdk.java.net mailing list passwords once every month, although you can disable this if you prefer. This reminder will also include instructions on how to unsubscribe or change your account options. There is also a button on your options page that will email your current password to you. ********************************************************************** This email may contain privileged and/or confidential information that is intended solely for the use of the addressee. 
If you are not the intended recipient or entity, you are strictly prohibited from disclosing, copying, distributing or using any of the information contained in the transmission. If you received this communication in error, please contact the sender immediately and destroy the material in its entirety, whether electronic or hard copy. This communication may contain nonpublic personal information about consumers subject to the restrictions of the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act. You may not directly or indirectly reuse or disclose such information for any purpose other than to provide the services for which you are receiving the information. There are risks associated with the use of electronic transmission. The sender of this information does not control the method of transmittal or service providers and assumes no duty or obligation for the security, receipt, or third party interception of this transmission. From xwan at mtb.com Tue Sep 21 11:12:15 2021 From: xwan at mtb.com (Wan, Thomas) Date: Tue, 21 Sep 2021 11:12:15 +0000 Subject: Welcome to the "jdk8u-dev" mailing list (Digest mode) In-Reply-To: References: Message-ID: Hi Bernd, Thanks for quick response. Normally I would go to the server to figure out why. In this case, the server is at end of life situation, waiting to migrate to new directory product soon, there is nothing logging in the server side for now. Is there anything I can do in my side/client side to figure out why? I need release something quick to openshift while the directory migration might take another 6 months. So I am stuck now. 
From xwan at mtb.com Tue Sep 21 11:14:35 2021
From: xwan at mtb.com (Wan, Thomas)
Date: Tue, 21 Sep 2021 11:14:35 +0000
Subject: Welcome to the "jdk8u-dev" mailing list (Digest mode)
In-Reply-To:
References:
Message-ID:

Here is my debug log

javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|ClientHello.java:633|Produced ClientHello handshake message (
"ClientHello": {
  "client version" : "TLSv1.2",
  "random" : "B5 DF 63 90 04 66 83 D7 28 D2 8E 01 2B BB 91 26 EA EF DB B0 AC CF AE D8 3E 4E DF 1C 82 DB 01 D0",
  "session id" : "",
  "cipher suites" : "[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E), TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D), TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
  "compression methods" : "00",
  "extensions" : [
    "server_name (0)": {
      type=host_name (0), value=unbale.mandtbank.com
    },
    "status_request (5)": {
      "certificate status type": ocsp
      "OCSP status request": {
        "responder_id":
        "request extensions": {
        }
      }
    },
    "supported_groups (10)": {
      "versions": [secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
    },
    "ec_point_formats (11)": {
      "formats": [uncompressed]
    },
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "status_request_v2 (17)": {
      "cert status request": {
        "certificate status type": ocsp_multi
        "OCSP status request": {
          "responder_id":
          "request extensions": {
          }
        }
      }
    },
    "extended_master_secret (23)": {
    },
    "supported_versions (43)": {
      "versions": [TLSv1.2]
    }
  ]
}
)
javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketOutputRecord.java:241|WRITE: TLS12 handshake, length = 311
javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketOutputRecord.java:255|Raw write (
  0000: 16 03 03 01 37 01 00 01 33 03 03 B5 DF 63 90 04  ....7...3....c..
  0010: 66 83 D7 28 D2 8E 01 2B BB 91 26 EA EF DB B0 AC  f..(...+..&.....
  0020: CF AE D8 3E 4E DF 1C 82 DB 01 D0 00 00 56 C0 2C  ...>N........V.,
  0030: C0 2B C0 30 00 9D C0 2E C0 32 00 9F 00 A3 C0 2F  .+.0.....2...../
  0040: 00 9C C0 2D C0 31 00 9E 00 A2 C0 24 C0 28 00 3D  ...-.1.....$.(.=
  0050: C0 26 C0 2A 00 6B 00 6A C0 0A C0 14 00 35 C0 05  .&.*.k.j.....5..
  0060: C0 0F 00 39 00 38 C0 23 C0 27 00 3C C0 25 C0 29  ...9.8.#.'.<.%.)
  0070: 00 67 00 40 C0 09 C0 13 00 2F C0 04 C0 0E 00 33  .g.@...../.....3
  0080: 00 32 00 FF 01 00 00 B4 00 00 00 19 00 17 00 00  .2..............
  0090: 14 75 6E 62 61 6C 65 2E 6D 61 6E 64 74 62 61 6E  .unbale.mandtban
  00A0: 6B 2E 63 6F 6D 00 05 00 05 01 00 00 00 00 00 0A  k.com...........
  00B0: 00 20 00 1E 00 17 00 18 00 19 00 09 00 0A 00 0B  . ..............
  00C0: 00 0C 00 0D 00 0E 00 16 01 00 01 01 01 02 01 03  ................
  00D0: 01 04 00 0B 00 02 01 00 00 0D 00 22 00 20 04 03  ...........". ..
  00E0: 05 03 06 03 08 04 08 05 08 06 08 09 08 0A 08 0B  ................
  00F0: 04 01 05 01 06 01 04 02 02 03 02 01 02 02 00 32  ...............2
  0100: 00 22 00 20 04 03 05 03 06 03 08 04 08 05 08 06  .". ............
  0110: 08 09 08 0A 08 0B 04 01 05 01 06 01 04 02 02 03  ................
  0120: 02 01 02 02 00 11 00 09 00 07 02 00 04 00 00 00  ................
  0130: 00 00 17 00 00 00 2B 00 03 02 03 03              ......+.....
)
javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketInputRecord.java:451|Raw read: EOF
javax.net.ssl|ERROR|01|main|2021-09-21 07:12:50.960 EDT|TransportContext.java:313|Fatal (HANDSHAKE_FAILURE): Couldn't kickstart handshaking (
"throwable" : {
  javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
    at java.base/sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1321)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1160)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
    at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:716)
    at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:970)
    at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:942)
    at xxxx.main(SSLPoke.java:53)
  Caused by: java.io.EOFException: SSL peer shut down incorrectly
    at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:167)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:108)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
    ... 6 more}
)
javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketOutputRecord.java:71|WRITE: TLS12 alert(handshake_failure), length = 2
javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketOutputRecord.java:85|Raw write (
  0000: 15 03 03 00 02 02 28  ......(
)
javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketImpl.java:1361|close the underlying socket
javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketImpl.java:1380|close the SSL connection (initiative)
javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
    at java.base/sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1321)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1160)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
    at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:716)
    at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:970)
    at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:942)
    at xxx.main(SSLPoke.java:53)
Caused by: java.io.EOFException: SSL peer shut down incorrectly
    at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:167)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:108)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
    ... 6 more
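
The first "Raw write" block in the debug log above is the complete ClientHello record, so it can be decoded offline to confirm what the client actually put on the wire when the peer closes without sending an alert. The parser below is an added example, not code from this thread; the hex bytes are copied from the log, and the function and field names are illustrative.

```python
# Added example (not from the thread): decode the "Raw write" records of the
# javax.net.ssl debug log. Hex copied from the log; offsets/ASCII column dropped.
CLIENT_HELLO_HEX = """
16 03 03 01 37 01 00 01 33 03 03 B5 DF 63 90 04 66 83 D7 28 D2 8E 01 2B BB 91 26 EA EF DB B0 AC
CF AE D8 3E 4E DF 1C 82 DB 01 D0 00 00 56 C0 2C C0 2B C0 30 00 9D C0 2E C0 32 00 9F 00 A3 C0 2F
00 9C C0 2D C0 31 00 9E 00 A2 C0 24 C0 28 00 3D C0 26 C0 2A 00 6B 00 6A C0 0A C0 14 00 35 C0 05
C0 0F 00 39 00 38 C0 23 C0 27 00 3C C0 25 C0 29 00 67 00 40 C0 09 C0 13 00 2F C0 04 C0 0E 00 33
00 32 00 FF 01 00 00 B4 00 00 00 19 00 17 00 00 14 75 6E 62 61 6C 65 2E 6D 61 6E 64 74 62 61 6E
6B 2E 63 6F 6D 00 05 00 05 01 00 00 00 00 00 0A 00 20 00 1E 00 17 00 18 00 19 00 09 00 0A 00 0B
00 0C 00 0D 00 0E 00 16 01 00 01 01 01 02 01 03 01 04 00 0B 00 02 01 00 00 0D 00 22 00 20 04 03
05 03 06 03 08 04 08 05 08 06 08 09 08 0A 08 0B 04 01 05 01 06 01 04 02 02 03 02 01 02 02 00 32
00 22 00 20 04 03 05 03 06 03 08 04 08 05 08 06 08 09 08 0A 08 0B 04 01 05 01 06 01 04 02 02 03
02 01 02 02 00 11 00 09 00 07 02 00 04 00 00 00 00 00 17 00 00 00 2B 00 03 02 03 03
"""
ALERT_HEX = "15 03 03 00 02 02 28"  # written by the client after "Raw read: EOF"
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1",
            0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
ALERTS = {0: "close_notify", 40: "handshake_failure", 70: "protocol_version"}

def to_bytes(hex_text):
    return bytes.fromhex("".join(hex_text.split()))

def version_name(value):
    return VERSIONS.get(value, "0x%04X" % value)

class Reader:
    """Bounds-checked cursor over a byte string."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def remaining(self):
        return len(self.data) - self.pos

    def take(self, n):
        if n > self.remaining():
            raise ValueError("truncated: need %d bytes at offset %d" % (n, self.pos))
        self.pos += n
        return self.data[self.pos - n:self.pos]

    def uint(self, size):
        return int.from_bytes(self.take(size), "big")

    def vector(self, length_size):
        return Reader(self.take(self.uint(length_size)))  # length prefix, then payload

    def uint16_list(self):
        if self.remaining() % 2:
            raise ValueError("odd-length list of 16-bit values")
        return [self.uint(2) for _ in range(self.remaining() // 2)]

def parse_client_hello(record):
    rec = Reader(record)
    if rec.uint(1) != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version = rec.uint(2)
    handshake = rec.vector(2)
    if handshake.uint(1) != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    hello = handshake.vector(3)
    legacy_version = hello.uint(2)
    hello.take(32)                      # random
    hello.vector(1)                     # session id (empty in the log)
    cipher_suites = hello.vector(2).uint16_list()
    hello.vector(1)                     # compression methods
    result = {"record_version": version_name(record_version),
              "legacy_version": version_name(legacy_version),
              "cipher_suites": cipher_suites, "extensions": [],
              "server_name": None, "supported_versions": []}
    extensions = hello.vector(2) if hello.remaining() else Reader(b"")
    while extensions.remaining():
        ext_type = extensions.uint(2)
        ext = extensions.vector(2)
        result["extensions"].append(ext_type)
        if ext_type == 0:               # server_name
            names = ext.vector(2)
            while names.remaining():
                name_type, name = names.uint(1), names.vector(2)
                if name_type == 0:      # host_name
                    result["server_name"] = name.data.decode("ascii")
        elif ext_type == 43:            # supported_versions (absent: list stays empty)
            result["supported_versions"] = [
                version_name(v) for v in ext.vector(1).uint16_list()]
    return result

def parse_alert(record):
    rec = Reader(record)
    if rec.uint(1) != 0x15:
        raise ValueError("not a TLS alert record")
    rec.take(2)                         # record version
    body = rec.vector(2)
    level, description = body.uint(1), body.uint(1)
    return ({1: "warning", 2: "fatal"}.get(level, str(level)),
            ALERTS.get(description, str(description)))

if __name__ == "__main__":
    hello = parse_client_hello(to_bytes(CLIENT_HELLO_HEX))
    print({k: v for k, v in hello.items() if k != "cipher_suites"}, len(hello["cipher_suites"]))
    print("client alert:", parse_alert(to_bytes(ALERT_HEX)))
```

For this capture the supported_versions extension lists only TLSv1.2, so the handshake can only succeed if the peer accepts TLS 1.2. The alert record is the client's own, written after the EOF, so it carries no information about the server's reason for closing.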
From ecki at zusammenkunft.net Tue Sep 21 11:32:08 2021
From: ecki at zusammenkunft.net (Bernd Eckenfels) Date: Tue, 21 Sep 2021 11:32:08 +0000 Subject: Welcome to the "jdk8u-dev" mailing list (Digest mode) In-Reply-To: References: Message-ID: Hello, You cannot see the reason on your side. You need to check the other side. However seeing that your client only propose TLSv1.2 that's a likely candidate, maybe you need to re-enable TLS 1.1. that,,happened with 8u291 in Oracle according to this: https://java.com/en/jre-jdk-cryptoroadmap.html https://java.com/en/configure_crypto.html#DisableTLS Gruss Bernd -- http://bernd.eckenfels.net ________________________________ Von: Wan, Thomas Gesendet: Tuesday, September 21, 2021 1:14:35 PM An: Bernd Eckenfels ; jdk8u-dev at openjdk.java.net Betreff: RE: Welcome to the "jdk8u-dev" mailing list (Digest mode) Here is my debug log javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|ClientHello.java:633|Produced ClientHello handshake message ( "ClientHello": { "client version" : "TLSv1.2", "random" : "B5 DF 63 90 04 66 83 D7 28 D2 8E 01 2B BB 91 26 EA EF DB B0 AC CF AE D8 3E 4E DF 1C 82 DB 01 D0", "session id" : "", "cipher suites" : "[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E), TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D), TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026), 
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]", "compression methods" : "00", "extensions" : [ "server_name (0)": { type=host_name (0), value=unbale.mandtbank.com }, "status_request (5)": { "certificate status type": ocsp "OCSP status request": { "responder_id": "request extensions": { } } }, "supported_groups (10)": { "versions": [secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192] }, "ec_point_formats (11)": { "formats": [uncompressed] }, "signature_algorithms (13)": { "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1] }, "signature_algorithms_cert 
(50)": { "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1] }, "status_request_v2 (17)": { "cert status request": { "certificate status type": ocsp_multi "OCSP status request": { "responder_id": "request extensions": { } } } }, "extended_master_secret (23)": { }, "supported_versions (43)": { "versions": [TLSv1.2] } ] } ) javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketOutputRecord.java:241|WRITE: TLS12 handshake, length = 311 javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketOutputRecord.java:255|Raw write ( 0000: 16 03 03 01 37 01 00 01 33 03 03 B5 DF 63 90 04 ....7...3....c.. 0010: 66 83 D7 28 D2 8E 01 2B BB 91 26 EA EF DB B0 AC f..(...+..&..... 0020: CF AE D8 3E 4E DF 1C 82 DB 01 D0 00 00 56 C0 2C ...>N........V., 0030: C0 2B C0 30 00 9D C0 2E C0 32 00 9F 00 A3 C0 2F .+.0.....2...../ 0040: 00 9C C0 2D C0 31 00 9E 00 A2 C0 24 C0 28 00 3D ...-.1.....$.(.= 0050: C0 26 C0 2A 00 6B 00 6A C0 0A C0 14 00 35 C0 05 .&.*.k.j.....5.. 0060: C0 0F 00 39 00 38 C0 23 C0 27 00 3C C0 25 C0 29 ...9.8.#.'.<.%.) 0070: 00 67 00 40 C0 09 C0 13 00 2F C0 04 C0 0E 00 33 .g. at ...../.....3 0080: 00 32 00 FF 01 00 00 B4 00 00 00 19 00 17 00 00 .2.............. 0090: 14 75 6E 62 61 6C 65 2E 6D 61 6E 64 74 62 61 6E .unbale.mandtban 00A0: 6B 2E 63 6F 6D 00 05 00 05 01 00 00 00 00 00 0A k.com........... 00B0: 00 20 00 1E 00 17 00 18 00 19 00 09 00 0A 00 0B . .............. 00C0: 00 0C 00 0D 00 0E 00 16 01 00 01 01 01 02 01 03 ................ 00D0: 01 04 00 0B 00 02 01 00 00 0D 00 22 00 20 04 03 ...........". .. 00E0: 05 03 06 03 08 04 08 05 08 06 08 09 08 0A 08 0B ................ 
00F0: 04 01 05 01 06 01 04 02 02 03 02 01 02 02 00 32 ...............2 0100: 00 22 00 20 04 03 05 03 06 03 08 04 08 05 08 06 .". ............ 0110: 08 09 08 0A 08 0B 04 01 05 01 06 01 04 02 02 03 ................ 0120: 02 01 02 02 00 11 00 09 00 07 02 00 04 00 00 00 ................ 0130: 00 00 17 00 00 00 2B 00 03 02 03 03 ......+..... ) javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketInputRecord.java:451|Raw read: EOF javax.net.ssl|ERROR|01|main|2021-09-21 07:12:50.960 EDT|TransportContext.java:313|Fatal (HANDSHAKE_FAILURE): Couldn't kickstart handshaking ( "throwable" : { javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake at java.base/sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1321) at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1160) at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063) at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402) at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:716) at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:970) at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:942) at xxxx.main(SSLPoke.java:53) Caused by: java.io.EOFException: SSL peer shut down incorrectly at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:167) at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:108) at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152) ... 
6 more} ) javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketOutputRecord.java:71|WRITE: TLS12 alert(handshake_failure), length = 2 javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketOutputRecord.java:85|Raw write ( 0000: 15 03 03 00 02 02 28 ......( ) javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketImpl.java:1361|close the underlying socket javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketImpl.java:1380|close the SSL connection (initiative) javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake at java.base/sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1321) at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1160) at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063) at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402) at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:716) at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:970) at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:942) at xxx.main(SSLPoke.java:53) Caused by: java.io.EOFException: SSL peer shut down incorrectly at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:167) at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:108) at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152) ... 6 more 
From: Bernd Eckenfels Sent: Tuesday, September 21, 2021 7:07 AM To: Wan, Thomas ; jdk8u-dev at openjdk.java.net Subject: Re: Welcome to the "jdk8u-dev" mailing list (Digest mode) External Email: Use caution & trust the source before clicking links or opening attachments. It normally means the peer does not like your cipher or protocol selection or maybe the peer has a wrongly configured certificate. The actual reason why the peer shuts down the connection so unclear should be logged on the remote site. -- http://bernd.eckenfels.net ________________________________ Von: jdk8u-dev > im Auftrag von Wan, Thomas > Gesendet: Tuesday, September 21, 2021 1:02:05 PM An: jdk8u-dev at openjdk.java.net > Betreff: FW: Welcome to the "jdk8u-dev" mailing list (Digest mode) It seems jdk8u202 was working well with ldap ssl. Since then all other jdk 8 release has the same error as below, any idea what is wrong? I compared the source code, it seems sun.security package has been changed a lot since jdk8u202 javax.net.ssl|FINE|01|main|2021-09-21 07:00:24.874 EDT|SSLSocketImpl.java:1629|close the SSL connection (initiative) javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake at sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1570) at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1400) at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1300) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:435) at sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:813) at sun.security.ssl.SSLSocketImpl.access$200(SSLSocketImpl.java:73) at sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1175) at sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1147) at com.mtb.cwp.SSLPoke.main(SSLPoke.java:53) Caused by: java.io.EOFException: SSL peer shut down incorrectly at sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:167) at 
sun.security.ssl.SSLTransport.decode(SSLTransport.java:109) at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1392) ... 7 more 
From xwan at mtb.com Tue Sep 21 11:39:59 2021 From: xwan at mtb.com (Wan, Thomas) Date: Tue, 21 Sep 2021 11:39:59 +0000 Subject: jdk8u ssl connection issue Message-ID: Hi Bernd, It does work with TLS1.1. But in jdk8u202, it works with 1.2 as well. All newer jdk8s or jdk 11, it seems I can make it work with TLS 1.1, but that is not as secure as TLS1.2 any more. 
From: Bernd Eckenfels Sent: Tuesday, September 21, 2021 7:32 AM To: Wan, Thomas; jdk8u-dev at openjdk.java.net Subject: Re: Welcome to the "jdk8u-dev" mailing list (Digest mode) Hello, You cannot see the reason on your side. You need to check the other side. However, seeing that your client only proposes TLSv1.2, that's a likely candidate; maybe you need to re-enable TLS 1.1. That happened with 8u291 in Oracle according to this: https://java.com/en/jre-jdk-cryptoroadmap.html https://java.com/en/configure_crypto.html#DisableTLS Regards, Bernd -- http://bernd.eckenfels.net ________________________________ From: Wan, Thomas Sent: Tuesday, September 21, 2021 1:14:35 PM To: Bernd Eckenfels; jdk8u-dev at openjdk.java.net Subject: RE: Welcome to the "jdk8u-dev" mailing list (Digest mode) Here is my debug log javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|ClientHello.java:633|Produced ClientHello handshake message ( "ClientHello": { "client version" : "TLSv1.2", "random" : "B5 DF 63 90 04 66 83 D7 28 D2 8E 01 2B BB 91 26 EA EF DB B0 AC CF AE D8 3E 4E DF 1C 82 DB 01 D0", "session id" : "", "cipher suites" : "[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E), TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D), TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028), 
TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]", "compression methods" : "00", "extensions" : [ "server_name (0)": { type=host_name (0), value=unbale.mandtbank.com }, "status_request (5)": { "certificate status type": ocsp "OCSP status request": { "responder_id": "request extensions": { } } }, "supported_groups (10)": { "versions": [secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192] }, "ec_point_formats (11)": { "formats": [uncompressed] }, "signature_algorithms (13)": { "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, 
rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1] }, "signature_algorithms_cert (50)": { "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1] }, "status_request_v2 (17)": { "cert status request": { "certificate status type": ocsp_multi "OCSP status request": { "responder_id": "request extensions": { } } } }, "extended_master_secret (23)": { }, "supported_versions (43)": { "versions": [TLSv1.2] } ] } ) javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketOutputRecord.java:241|WRITE: TLS12 handshake, length = 311 javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketOutputRecord.java:255|Raw write ( 0000: 16 03 03 01 37 01 00 01 33 03 03 B5 DF 63 90 04 ....7...3....c.. 0010: 66 83 D7 28 D2 8E 01 2B BB 91 26 EA EF DB B0 AC f..(...+..&..... 0020: CF AE D8 3E 4E DF 1C 82 DB 01 D0 00 00 56 C0 2C ...>N........V., 0030: C0 2B C0 30 00 9D C0 2E C0 32 00 9F 00 A3 C0 2F .+.0.....2...../ 0040: 00 9C C0 2D C0 31 00 9E 00 A2 C0 24 C0 28 00 3D ...-.1.....$.(.= 0050: C0 26 C0 2A 00 6B 00 6A C0 0A C0 14 00 35 C0 05 .&.*.k.j.....5.. 0060: C0 0F 00 39 00 38 C0 23 C0 27 00 3C C0 25 C0 29 ...9.8.#.'.<.%.) 0070: 00 67 00 40 C0 09 C0 13 00 2F C0 04 C0 0E 00 33 .g. at ...../.....3 0080: 00 32 00 FF 01 00 00 B4 00 00 00 19 00 17 00 00 .2.............. 0090: 14 75 6E 62 61 6C 65 2E 6D 61 6E 64 74 62 61 6E .unbale.mandtban 00A0: 6B 2E 63 6F 6D 00 05 00 05 01 00 00 00 00 00 0A k.com........... 00B0: 00 20 00 1E 00 17 00 18 00 19 00 09 00 0A 00 0B . .............. 00C0: 00 0C 00 0D 00 0E 00 16 01 00 01 01 01 02 01 03 ................ 00D0: 01 04 00 0B 00 02 01 00 00 0D 00 22 00 20 04 03 ...........". .. 00E0: 05 03 06 03 08 04 08 05 08 06 08 09 08 0A 08 0B ................ 
00F0: 04 01 05 01 06 01 04 02 02 03 02 01 02 02 00 32 ...............2 0100: 00 22 00 20 04 03 05 03 06 03 08 04 08 05 08 06 .". ............ 0110: 08 09 08 0A 08 0B 04 01 05 01 06 01 04 02 02 03 ................ 0120: 02 01 02 02 00 11 00 09 00 07 02 00 04 00 00 00 ................ 0130: 00 00 17 00 00 00 2B 00 03 02 03 03 ......+..... ) javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketInputRecord.java:451|Raw read: EOF javax.net.ssl|ERROR|01|main|2021-09-21 07:12:50.960 EDT|TransportContext.java:313|Fatal (HANDSHAKE_FAILURE): Couldn't kickstart handshaking ( "throwable" : { javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake at java.base/sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1321) at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1160) at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063) at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402) at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:716) at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:970) at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:942) at xxxx.main(SSLPoke.java:53) Caused by: java.io.EOFException: SSL peer shut down incorrectly at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:167) at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:108) at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152) ... 
6 more} ) javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketOutputRecord.java:71|WRITE: TLS12 alert(handshake_failure), length = 2 javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketOutputRecord.java:85|Raw write ( 0000: 15 03 03 00 02 02 28 ......( ) javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketImpl.java:1361|close the underlying socket javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketImpl.java:1380|close the SSL connection (initiative) javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake at java.base/sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1321) at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1160) at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063) at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402) at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:716) at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:970) at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:942) at xxx.main(SSLPoke.java:53) Caused by: java.io.EOFException: SSL peer shut down incorrectly at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:167) at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:108) at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152) ... 6 more 
From ecki at zusammenkunft.net Tue Sep 21 11:51:35 2021 From: ecki at zusammenkunft.net (Bernd Eckenfels) Date: Tue, 21 Sep 2021 11:51:35 +0000 Subject: jdk8u ssl connection issue In-Reply-To: References: Message-ID: Hello, I don't see any other changes in 212 besides a PKCS11 change for TLS1.2 which should not be the case, also it looks like this version re-enabled the Renegotiation signaling cipher, that should not be a problem but you never know. Can you compare the client Hello of a working 1.2 and a failed 1.2 handshake to see which ciphers and extensions differ? Regards, Bernd -- http://bernd.eckenfels.net ________________________________ From: Wan, Thomas Sent: Tuesday, September 21, 2021 1:40 PM To: Bernd Eckenfels; jdk8u-dev at openjdk.java.net Subject: jdk8u ssl connection issue Hi Bernd, It does work with TLS1.1. But in jdk8u202, it works with 1.2 as well. All newer jdk8s or jdk 11, it seems I can make it work with TLS 1.1, but that is not as secure as TLS1.2 any more. 
From xwan at mtb.com Tue Sep 21 12:35:16 2021 
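The comparison Bernd asks for above (which ciphers and extensions differ between two ClientHello messages) can be done mechanically. The Python script below is an added example, not part of the thread: it parses ClientHello dumps in the debug-log layout shown in these messages and lists what each side offers that the other does not. Both sample logs are constructed (shortened suite lists, placeholder host name, and the comparison hello is not a capture from any JDK release), and the function names are this example's own.

```python
import re

HELLO_MARKER = "Produced ClientHello handshake message"
ENTRY_PREFIX = "javax.net.ssl|"          # every log entry starts with this
FIELD = r'"%s"\s*:\s*"([^"]*)"'          # matches  "name" : "value"
SUITE_RE = re.compile(r"([A-Z][A-Z0-9_]+)\(0x[0-9A-Fa-f]{4}\)")
EXT_RE = re.compile(r'"([a-z0-9_]+) \(\d+\)"\s*:')
VERSIONS_RE = re.compile(
    r'"supported_versions \(43\)"\s*:\s*\{\s*"versions"\s*:\s*\[([^\]]*)\]')


def parse_client_hellos(log_text):
    """Return one dict per decoded ClientHello found in the debug log."""
    hellos = []
    pos = log_text.find(HELLO_MARKER)
    while pos != -1:
        # The decoded message runs until the next log entry or end of input.
        end = log_text.find(ENTRY_PREFIX, pos)
        block = log_text[pos:end if end != -1 else len(log_text)]
        version = re.search(FIELD % "client version", block)
        suites = re.search(FIELD % "cipher suites", block)
        offered = VERSIONS_RE.search(block)
        hellos.append({
            "client_version": version.group(1) if version else None,
            "cipher_suites": SUITE_RE.findall(suites.group(1)) if suites else [],
            "extensions": EXT_RE.findall(block),
            "supported_versions":
                [v.strip() for v in offered.group(1).split(",")] if offered else [],
        })
        pos = log_text.find(HELLO_MARKER, pos + len(HELLO_MARKER))
    return hellos


def diff_hellos(a, b):
    """Report what hello `a` offers that `b` does not, and vice versa."""
    def only(x, y):
        return [item for item in x if item not in y]

    report = {"client_version": (a["client_version"], b["client_version"])}
    for key in ("cipher_suites", "extensions", "supported_versions"):
        report[key] = {"only_in_a": only(a[key], b[key]),
                       "only_in_b": only(b[key], a[key])}
    return report


# Constructed sample: shortened hello in the layout of the failing log above.
FAILING_LOG = '''javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|ClientHello.java:633|Produced ClientHello handshake message (
"ClientHello": {
  "client version"      : "TLSv1.2",
  "cipher suites"       : "[TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
  "extensions"          : [
    "server_name (0)": { type=host_name (0), value=ldap.example.test },
    "extended_master_secret (23)": { },
    "supported_versions (43)": { "versions": [TLSv1.2] }
  ]
}
)
javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketInputRecord.java:451|Raw read: EOF
'''

# Constructed sample: a hypothetical hello to compare against (not a capture).
COMPARISON_LOG = '''javax.net.ssl|DEBUG|01|main|2021-09-21 07:30:00.000 EDT|ClientHello.java:633|Produced ClientHello handshake message (
"ClientHello": {
  "client version"      : "TLSv1.2",
  "cipher suites"       : "[TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F)]",
  "extensions"          : [
    "server_name (0)": { type=host_name (0), value=ldap.example.test },
    "extended_master_secret (23)": { },
    "supported_versions (43)": { "versions": [TLSv1.2, TLSv1.1] },
    "renegotiation_info (65281)": { }
  ]
}
)
'''

if __name__ == "__main__":
    failing = parse_client_hellos(FAILING_LOG)[0]
    comparison = parse_client_hellos(COMPARISON_LOG)[0]
    for field, result in diff_hellos(failing, comparison).items():
        print(field, result)
```
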
From: xwan at mtb.com (Wan, Thomas)
Date: Tue, 21 Sep 2021 12:35:16 +0000
Subject: jdk8u ssl connection issue
In-Reply-To:
References:
Message-ID:

failed TLS1.2 log with jdk 11 or jdk 8u292

javax.net.ssl|ALL|01|main|2021-09-21 07:42:53.151 EDT|SSLContextImpl.java:115|trigger seeding of SecureRandom
javax.net.ssl|ALL|01|main|2021-09-21 07:42:53.464 EDT|SSLContextImpl.java:119|done seeding of SecureRandom
javax.net.ssl|WARNING|01|main|2021-09-21 07:42:53.558 EDT|SignatureScheme.java:282|Signature algorithm, ed25519, is not supported by the underlying providers
javax.net.ssl|WARNING|01|main|2021-09-21 07:42:53.558 EDT|SignatureScheme.java:282|Signature algorithm, ed448, is not supported by the underlying providers
javax.net.ssl|ALL|01|main|2021-09-21 07:42:53.558 EDT|SignatureScheme.java:358|Ignore disabled signature sheme: rsa_md5
javax.net.ssl|INFO|01|main|2021-09-21 07:42:53.558 EDT|AlpnExtension.java:161|No available application protocols
javax.net.ssl|DEBUG|01|main|2021-09-21 07:42:53.558 EDT|SSLExtensions.java:235|Ignore, context unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|01|main|2021-09-21 07:42:53.558 EDT|SSLExtensions.java:235|Ignore, context unavailable extension: renegotiation_info
javax.net.ssl|DEBUG|01|main|2021-09-21 07:42:53.558 EDT|ClientHello.java:633|Produced ClientHello handshake message (
"ClientHello": {
  "client version" : "TLSv1.2",
  "random" : "A9 5F 09 2E FE FD 71 C4 1A 06 E2 D2 DC 61 CD DE 9E B7 E6 64 C0 40 92 73 A2 E1 E3 EF E0 0B E2 85",
  "session id" : "",
  "cipher suites" : "[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E), TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D), TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
  "compression methods" : "00",
  "extensions" : [
    "server_name (0)": {
      type=host_name (0), value=unbale.xxxxx.com
    },
    "status_request (5)": {
      "certificate status type": ocsp
      "OCSP status request": {
        "responder_id":
        "request extensions": {
        }
      }
    },
    "supported_groups (10)": {
      "versions": [secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
    },
    "ec_point_formats (11)": {
      "formats": [uncompressed]
    },
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "status_request_v2 (17)": {
      "cert status request": {
        "certificate status type": ocsp_multi
        "OCSP status request": {
          "responder_id":
          "request extensions": {
          }
        }
      }
    },
    "extended_master_secret (23)": {
    },
    "supported_versions (43)": {
      "versions": [TLSv1.2]
    }
  ]
}
)
javax.net.ssl|DEBUG|01|main|2021-09-21 07:42:53.558 EDT|SSLSocketOutputRecord.java:241|WRITE: TLS12 handshake, length = 311
javax.net.ssl|DEBUG|01|main|2021-09-21 07:42:53.558 EDT|SSLSocketOutputRecord.java:255|Raw write (
)
javax.net.ssl|DEBUG|01|main|2021-09-21 07:42:53.558 EDT|SSLSocketInputRecord.java:451|Raw read: EOF
javax.net.ssl|ERROR|01|main|2021-09-21 07:42:53.573 EDT|TransportContext.java:313|Fatal (HANDSHAKE_FAILURE): Couldn't kickstart handshaking (
"throwable" : {
  javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
      at java.base/sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1321)
      at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1160)
      at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
      at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
      at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:716)
      at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:970)
      at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:942)
      at xxxx.xxxSSLPoke.Main(SSLPoke.java:53)
  Caused by: java.io.EOFException: SSL peer shut down incorrectly
      at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:167)
      at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:108)
      at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
      ... 6 more}
)
javax.net.ssl|DEBUG|01|main|2021-09-21 07:42:53.573 EDT|SSLSocketOutputRecord.java:71|WRITE: TLS12 alert(handshake_failure), length = 2
javax.net.ssl|DEBUG|01|main|2021-09-21 07:42:53.573 EDT|SSLSocketOutputRecord.java:85|Raw write (
  0000: 15 03 03 00 02 02 28   ......(
)
javax.net.ssl|DEBUG|01|main|2021-09-21 07:42:53.573 EDT|SSLSocketImpl.java:1361|close the underlying socket
javax.net.ssl|DEBUG|01|main|2021-09-21 07:42:53.573 EDT|SSLSocketImpl.java:1380|close the SSL connection (initiative)
javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
    at java.base/sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1321)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1160)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
    at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:716)
    at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:970)
    at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:942)
    at xxxSSLPoke.main(SSLPoke.java:53)
Caused by: java.io.EOFException: SSL peer shut down incorrectly
    at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:167)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:108)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
    ... 6 more

Process finished with exit code 0

From: Bernd Eckenfels
Sent: Tuesday, September 21, 2021 7:52 AM
To: Wan, Thomas; jdk8u-dev at openjdk.java.net
Subject: Re: jdk8u ssl connection issue

Hello,

I don't see any other changes in 212 besides a PKCS11 change for Tls1.2 which should not be the case, also it looks like this version re-enabled the Renegotiation signaling cipher, that should not be a problem but you never know.

Can you compare the client Hello of a working 1.2 and a failed 1.2 handshake to see which ciphers and extensions differ?

Regards
Bernd
--
http://bernd.eckenfels.net
________________________________
From: Wan, Thomas
Sent: Tuesday, September 21, 2021 1:40 PM
To: Bernd Eckenfels; jdk8u-dev at openjdk.java.net
Subject: jdk8u ssl connection issue

Hi Bernd,

It does work with TLS1.1. But in jdk8u202, it works with 1.2 as well. All newer jdk8s or jdk 11, it seems I can make it work with TLS 1.1, but that is not as secure as TLS1.2 any more.

From: Bernd Eckenfels
Sent: Tuesday, September 21, 2021 7:32 AM
To: Wan, Thomas; jdk8u-dev at openjdk.java.net
Subject: Re: Welcome to the "jdk8u-dev" mailing list (Digest mode)

Hello,

You cannot see the reason on your side. You need to check the other side. However, seeing that your client only proposes TLSv1.2, that's a likely candidate, maybe you need to re-enable TLS 1.1. That happened with 8u291 in Oracle according to this:

https://java.com/en/jre-jdk-cryptoroadmap.html
https://java.com/en/configure_crypto.html#DisableTLS

Regards
Bernd
--
http://bernd.eckenfels.net
________________________________
From: Wan, Thomas
Sent: Tuesday, September 21, 2021 1:14:35 PM
To: Bernd Eckenfels; jdk8u-dev at openjdk.java.net
Subject: RE: Welcome to the "jdk8u-dev" mailing list (Digest mode)

Here is my debug log

javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|ClientHello.java:633|Produced ClientHello handshake message (
"ClientHello": {
  "client version" : "TLSv1.2",
  "random" : "B5 DF 63 90 04 66 83 D7 28 D2 8E 01 2B BB 91 26 EA EF DB B0 AC CF AE D8 3E 4E DF 1C 82 DB 01 D0",
  "session id" : "",
  "cipher suites" : "[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E), TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D), TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
  "compression methods" : "00",
  "extensions" : [
    "server_name (0)": {
      type=host_name (0), value=unbale.mandtbank.com
    },
    "status_request (5)": {
      "certificate status type": ocsp
      "OCSP status request": {
        "responder_id":
        "request extensions": {
        }
      }
    },
    "supported_groups (10)": {
      "versions": [secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
    },
    "ec_point_formats (11)": {
      "formats": [uncompressed]
    },
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "status_request_v2 (17)": {
      "cert status request": {
        "certificate status type": ocsp_multi
        "OCSP status request": {
          "responder_id":
          "request extensions": {
          }
        }
      }
    },
    "extended_master_secret (23)": {
    },
    "supported_versions (43)": {
      "versions": [TLSv1.2]
    }
  ]
}
)
javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketOutputRecord.java:241|WRITE: TLS12 handshake, length = 311
javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketOutputRecord.java:255|Raw write (
)
javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketInputRecord.java:451|Raw read: EOF
javax.net.ssl|ERROR|01|main|2021-09-21 07:12:50.960 EDT|TransportContext.java:313|Fatal (HANDSHAKE_FAILURE): Couldn't kickstart handshaking (
"throwable" : {
  javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
      at java.base/sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1321)
      at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1160)
      at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
      at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
      at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:716)
      at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:970)
      at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:942)
      at xxxx.main(SSLPoke.java:53)
  Caused by: java.io.EOFException: SSL peer shut down incorrectly
      at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:167)
      at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:108)
      at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
      ... 6 more}
)
javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketOutputRecord.java:71|WRITE: TLS12 alert(handshake_failure), length = 2
javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketOutputRecord.java:85|Raw write (
  0000: 15 03 03 00 02 02 28   ......(
)
javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketImpl.java:1361|close the underlying socket
javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketImpl.java:1380|close the SSL connection (initiative)
javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
    at java.base/sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1321)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1160)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
    at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:716)
    at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:970)
    at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:942)
    at xxx.main(SSLPoke.java:53)
Caused by: java.io.EOFException: SSL peer shut down incorrectly
    at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:167)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:108)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
    ... 6 more

From: Bernd Eckenfels
Sent: Tuesday, September 21, 2021 7:07 AM
To: Wan, Thomas; jdk8u-dev at openjdk.java.net
Subject: Re: Welcome to the "jdk8u-dev" mailing list (Digest mode)

It normally means the peer does not like your cipher or protocol selection or maybe the peer has a wrongly configured certificate. The actual reason why the peer shuts down the connection so unclear should be logged on the remote site.

--
http://bernd.eckenfels.net
________________________________
From: jdk8u-dev On Behalf Of Wan, Thomas
Sent: Tuesday, September 21, 2021 1:02:05 PM
To: jdk8u-dev at openjdk.java.net
Subject: FW: Welcome to the "jdk8u-dev" mailing list (Digest mode)

It seems jdk8u202 was working well with ldap ssl. Since then all other jdk 8 releases have the same error as below, any idea what is wrong? I compared the source code, it seems sun.security package has been changed a lot since jdk8u202.

javax.net.ssl|FINE|01|main|2021-09-21 07:00:24.874 EDT|SSLSocketImpl.java:1629|close the SSL connection (initiative)
javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
    at sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1570)
    at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1400)
    at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1300)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:435)
    at sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:813)
    at sun.security.ssl.SSLSocketImpl.access$200(SSLSocketImpl.java:73)
    at sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1175)
    at sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1147)
    at com.mtb.cwp.SSLPoke.main(SSLPoke.java:53)
Caused by: java.io.EOFException: SSL peer shut down incorrectly
    at sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:167)
    at sun.security.ssl.SSLTransport.decode(SSLTransport.java:109)
    at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1392)
    ... 7 more

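The comparison Bernd asks for in this thread (which ciphers and extensions differ between a working and a failed ClientHello) can be scripted. The following is an added example, not part of any message in the thread and not OpenJDK code; it assumes both traces use the javax.net.debug layout quoted above, and the two embedded traces, the host name and all function names are constructed for illustration.

```python
import re

# Constructed, abbreviated traces in the javax.net.debug layout quoted in this
# thread. Host name, timestamps and list contents are made up, not captures.
FAILING_TRACE = '''javax.net.ssl|DEBUG|01|main|2021-01-01 00:00:00.000 UTC|ClientHello.java:633|Produced ClientHello handshake message (
"ClientHello": {
  "client version" : "TLSv1.2",
  "cipher suites" : "[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
  "extensions" : [
    "server_name (0)": { type=host_name (0), value=ldap.example.test },
    "supported_groups (10)": { "versions": [secp256r1, ffdhe2048] },
    "signature_algorithms (13)": { "signature schemes": [rsa_pss_rsae_sha256, rsa_pkcs1_sha256] },
    "signature_algorithms_cert (50)": { "signature schemes": [rsa_pss_rsae_sha256, rsa_pkcs1_sha256] },
    "status_request_v2 (17)": { },
    "extended_master_secret (23)": { },
    "supported_versions (43)": { "versions": [TLSv1.2] }
  ]
}
)
javax.net.ssl|DEBUG|01|main|2021-01-01 00:00:00.000 UTC|SSLSocketInputRecord.java:451|Raw read: EOF'''

WORKING_TRACE = '''"ClientHello": {
  "client version" : "TLSv1.2",
  "cipher suites" : "[TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
  "extensions" : [
    "server_name (0)": { type=host_name (0), value=ldap.example.test },
    "supported_groups (10)": { "versions": [secp256r1] },
    "signature_algorithms (13)": { "signature schemes": [rsa_pkcs1_sha256] },
    "extended_master_secret (23)": { }
  ]
}'''

_EXT_HEADER = re.compile(r'"([a-z0-9_]+) \((\d+)\)"\s*:\s*\{')
_SUITE = re.compile(r'([A-Z0-9_]+)\(0x[0-9A-Fa-f]{4}\)')


def _first_client_hello(trace):
    """Return the text of the first ClientHello record in a debug trace."""
    start = re.search(r'"ClientHello"\s*:\s*\{', trace)
    if start is None:
        raise ValueError("no ClientHello record found in trace")
    # The record ends where the next log line begins (or at end of input).
    end = trace.find("javax.net.ssl|", start.end())
    return trace[start.start():end if end != -1 else len(trace)]


def _quoted_field(hello, name):
    """Value of a top-level "name" : "value" field, or "" when absent."""
    m = re.search(r'"%s"\s*:\s*"([^"]*)"' % re.escape(name), hello)
    return m.group(1) if m else ""


def _extension_list(hello, ext_name):
    """Items of the [...] list directly inside the named extension's body."""
    pattern = r'"%s \(\d+\)"\s*:\s*\{[^\[\]{}]*\[([^\]]*)\]' % re.escape(ext_name)
    m = re.search(pattern, hello)
    if m is None:
        return []
    return [item.strip() for item in m.group(1).split(",") if item.strip()]


def parse_client_hello(trace):
    """Extract the negotiable parameters a server may reject a hello for."""
    hello = _first_client_hello(trace)
    return {
        "client_version": _quoted_field(hello, "client version"),
        "cipher_suites": _SUITE.findall(_quoted_field(hello, "cipher suites")),
        "extensions": [name for name, _ in _EXT_HEADER.findall(hello)],
        "signature_schemes": _extension_list(hello, "signature_algorithms"),
        "supported_groups": _extension_list(hello, "supported_groups"),
        "supported_versions": _extension_list(hello, "supported_versions"),
    }


def diff_ordered(first, second):
    """Compare two preference-ordered lists: membership and relative order."""
    return {
        "only_first": [x for x in first if x not in second],
        "only_second": [x for x in second if x not in first],
        "reordered": [x for x in first if x in second]
                     != [x for x in second if x in first],
    }


def compare_hellos(first_trace, second_trace):
    """Diff every list-valued parameter of two ClientHello traces."""
    a, b = parse_client_hello(first_trace), parse_client_hello(second_trace)
    report = {"client_version": (a["client_version"], b["client_version"])}
    for key in ("cipher_suites", "extensions", "signature_schemes",
                "supported_groups", "supported_versions"):
        report[key] = diff_ordered(a[key], b[key])
    return report


if __name__ == "__main__":
    for field, result in compare_hellos(WORKING_TRACE, FAILING_TRACE).items():
        print(field, result)
```

Cipher suites and signature schemes are reported separately because the ClientHello carries them as two distinct lists; a difference in either, or in the extension set, is a candidate for what the remote side rejects.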
From xwan at mtb.com Tue Sep 21 13:12:51 2021
From: xwan at mtb.com (Wan, Thomas)
Date: Tue, 21 Sep 2021 13:12:51 +0000
Subject: jdk8u ssl connection issue
In-Reply-To:
References:
Message-ID:

I did the comparison and found that jdk8u202 uses 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256' for TLS 1.2. I forced it in jdk.tls.client.SignatureSchemes in the system settings and I got the following error:

javax.net.ssl|ALL|01|main|2021-09-21 09:03:01.514 EDT|SSLContextImpl.java:115|trigger seeding of SecureRandom
javax.net.ssl|ALL|01|main|2021-09-21 09:03:01.814 EDT|SSLContextImpl.java:119|done seeding of SecureRandom
javax.net.ssl|FINE|01|main|2021-09-21 09:03:01.838 EDT|SSLConfiguration.java:450|System property jdk.tls.client.SignatureSchemes is set to 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
javax.net.ssl|WARNING|01|main|2021-09-21 09:03:01.867 EDT|SignatureScheme.java:297|Signature algorithm, ed25519, is not supported by the underlying providers
javax.net.ssl|WARNING|01|main|2021-09-21 09:03:01.867 EDT|SignatureScheme.java:297|Signature algorithm, ed448, is not supported by the underlying providers
javax.net.ssl|FINE|01|main|2021-09-21 09:03:01.875 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

From: Bernd Eckenfels
Sent: Tuesday, September 21, 2021 7:07 AM
To: Wan, Thomas; jdk8u-dev at openjdk.java.net
Subject: Re: Welcome to the "jdk8u-dev" mailing list (Digest mode)

It normally means the peer does not like your cipher or protocol selection or maybe the peer has a wrongly configured certificate. The actual reason why the peer shuts down the connection so unclearly should be logged on the remote site.

--
http://bernd.eckenfels.net
________________________________
From: jdk8u-dev on behalf of Wan, Thomas
Sent: Tuesday, September 21, 2021 1:02:05 PM
To: jdk8u-dev at openjdk.java.net
Subject: FW: Welcome to the "jdk8u-dev" mailing list (Digest mode)

It seems jdk8u202 was working well with ldap ssl. Since then all other jdk 8 releases have the same error as below, any idea what is wrong? I compared the source code, it seems sun.security package has been changed a lot since jdk8u202

javax.net.ssl|FINE|01|main|2021-09-21 07:00:24.874 EDT|SSLSocketImpl.java:1629|close the SSL connection (initiative) javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake at sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1570) at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1400) at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1300) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:435) at sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:813) at sun.security.ssl.SSLSocketImpl.access$200(SSLSocketImpl.java:73) at sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1175) at sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1147) at com.mtb.cwp.SSLPoke.main(SSLPoke.java:53) Caused by: java.io.EOFException: SSL peer shut down incorrectly at sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:167) at
sun.security.ssl.SSLTransport.decode(SSLTransport.java:109) at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1392) ... 7 more
From xwan at mtb.com Tue Sep 21 13:23:22 2021
From: xwan at mtb.com (Wan, Thomas) Date: Tue, 21 Sep 2021 13:23:22 +0000 Subject: jdk8u ssl connection issue In-Reply-To: References: Message-ID: One step further, I added all SignatureSchemes Supported in the server by running nmap, here is the error I got javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.933 EDT|SSLConfiguration.java:450|System property jdk.tls.client.SignatureSchemes is set to 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256' javax.net.ssl|WARNING|01|main|2021-09-21 09:21:53.965 EDT|SignatureScheme.java:297|Signature algorithm, ed25519, is not supported by the underlying providers javax.net.ssl|WARNING|01|main|2021-09-21 09:21:53.965 EDT|SignatureScheme.java:297|Signature algorithm, ed448, is not supported by the underlying providers javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_RSA_WITH_AES_128_GCM_SHA256 javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 
EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_RSA_WITH_AES_128_CBC_SHA javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_RSA_WITH_AES_128_CBC_SHA256 javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_RSA_WITH_AES_256_CBC_SHA javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_RSA_WITH_AES_256_CBC_SHA256

From: Bernd Eckenfels
Sent: Tuesday, September 21, 2021 7:52 AM
To: Wan, Thomas; jdk8u-dev at openjdk.java.net
Subject: Re: jdk8u ssl connection issue

Hello,

I don't see any other changes in 212 besides a PKCS11 change for Tls1.2 which should not be the case, also it looks like this version re-enabled the Renegotiation signaling cipher, that should not be a problem but you never know.

Can you compare the client Hello of a working 1.2 and a failed 1.2 handshake to see which ciphers and extensions differ?

Regards
Bernd
--
http://bernd.eckenfels.net
________________________________
From: Wan, Thomas
Sent: Tuesday, September 21, 2021 1:40 PM
To: Bernd Eckenfels; jdk8u-dev at openjdk.java.net
Subject: jdk8u ssl connection issue

Hi Bernd,

It does work with TLS1.1.

But in jdk8u202, it works with 1.2 as well.

All newer jdk8s or jdk 11, it seems I can make it work with TLS 1.1, but that is not as secure as TLS1.2 any more.

From: Bernd Eckenfels
Sent: Tuesday, September 21, 2021 7:32 AM
To: Wan, Thomas; jdk8u-dev at openjdk.java.net
Subject: Re: Welcome to the "jdk8u-dev" mailing list (Digest mode)

Hello,

You cannot see the reason on your side. You need to check the other side.

However seeing that your client only proposes TLSv1.2 that's a likely candidate, maybe you need to re-enable TLS 1.1. That happened with 8u291 in Oracle according to this: https://java.com/en/jre-jdk-cryptoroadmap.html

https://java.com/en/configure_crypto.html#DisableTLS

Regards
Bernd

--
http://bernd.eckenfels.net
________________________________
From: Wan, Thomas
Sent: Tuesday, September 21, 2021 1:14:35 PM
To: Bernd Eckenfels; jdk8u-dev at openjdk.java.net
Subject: RE: Welcome to the "jdk8u-dev" mailing list (Digest mode)

Here is my debug log

javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|ClientHello.java:633|Produced ClientHello handshake message ( "ClientHello": { "client version" : "TLSv1.2", "random" : "B5 DF 63 90 04 66 83 D7 28 D2 8E 01 2B BB 91 26 EA EF DB B0 AC CF AE D8 3E 4E DF 1C 82 DB 01 D0", "session id" : "", "cipher suites" : "[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E), TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D), TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028),
TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]", "compression methods" : "00", "extensions" : [ "server_name (0)": { type=host_name (0), value=unbale.mandtbank.com }, "status_request (5)": { "certificate status type": ocsp "OCSP status request": { "responder_id": "request extensions": { } } }, "supported_groups (10)": { "versions": [secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192] }, "ec_point_formats (11)": { "formats": [uncompressed] }, "signature_algorithms (13)": { "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, 
rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1] }, "signature_algorithms_cert (50)": { "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1] }, "status_request_v2 (17)": { "cert status request": { "certificate status type": ocsp_multi "OCSP status request": { "responder_id": "request extensions": { } } } }, "extended_master_secret (23)": { }, "supported_versions (43)": { "versions": [TLSv1.2] } ] } ) javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketOutputRecord.java:241|WRITE: TLS12 handshake, length = 311 javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketOutputRecord.java:255|Raw write ( 0000: 16 03 03 01 37 01 00 01 33 03 03 B5 DF 63 90 04 ....7...3....c.. 0010: 66 83 D7 28 D2 8E 01 2B BB 91 26 EA EF DB B0 AC f..(...+..&..... 0020: CF AE D8 3E 4E DF 1C 82 DB 01 D0 00 00 56 C0 2C ...>N........V., 0030: C0 2B C0 30 00 9D C0 2E C0 32 00 9F 00 A3 C0 2F .+.0.....2...../ 0040: 00 9C C0 2D C0 31 00 9E 00 A2 C0 24 C0 28 00 3D ...-.1.....$.(.= 0050: C0 26 C0 2A 00 6B 00 6A C0 0A C0 14 00 35 C0 05 .&.*.k.j.....5.. 0060: C0 0F 00 39 00 38 C0 23 C0 27 00 3C C0 25 C0 29 ...9.8.#.'.<.%.) 0070: 00 67 00 40 C0 09 C0 13 00 2F C0 04 C0 0E 00 33 .g. at ...../.....3 0080: 00 32 00 FF 01 00 00 B4 00 00 00 19 00 17 00 00 .2.............. 0090: 14 75 6E 62 61 6C 65 2E 6D 61 6E 64 74 62 61 6E .unbale.mandtban 00A0: 6B 2E 63 6F 6D 00 05 00 05 01 00 00 00 00 00 0A k.com........... 00B0: 00 20 00 1E 00 17 00 18 00 19 00 09 00 0A 00 0B . .............. 00C0: 00 0C 00 0D 00 0E 00 16 01 00 01 01 01 02 01 03 ................ 00D0: 01 04 00 0B 00 02 01 00 00 0D 00 22 00 20 04 03 ...........". .. 00E0: 05 03 06 03 08 04 08 05 08 06 08 09 08 0A 08 0B ................ 
00F0: 04 01 05 01 06 01 04 02 02 03 02 01 02 02 00 32 ...............2 0100: 00 22 00 20 04 03 05 03 06 03 08 04 08 05 08 06 .". ............ 0110: 08 09 08 0A 08 0B 04 01 05 01 06 01 04 02 02 03 ................ 0120: 02 01 02 02 00 11 00 09 00 07 02 00 04 00 00 00 ................ 0130: 00 00 17 00 00 00 2B 00 03 02 03 03 ......+..... ) javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketInputRecord.java:451|Raw read: EOF javax.net.ssl|ERROR|01|main|2021-09-21 07:12:50.960 EDT|TransportContext.java:313|Fatal (HANDSHAKE_FAILURE): Couldn't kickstart handshaking ( "throwable" : { javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake at java.base/sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1321) at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1160) at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063) at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402) at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:716) at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:970) at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:942) at xxxx.main(SSLPoke.java:53) Caused by: java.io.EOFException: SSL peer shut down incorrectly at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:167) at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:108) at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152) ... 
6 more} ) javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketOutputRecord.java:71|WRITE: TLS12 alert(handshake_failure), length = 2 javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketOutputRecord.java:85|Raw write ( 0000: 15 03 03 00 02 02 28 ......( ) javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketImpl.java:1361|close the underlying socket javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketImpl.java:1380|close the SSL connection (initiative) javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake at java.base/sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1321) at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1160) at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063) at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402) at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:716) at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:970) at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:942) at xxx.main(SSLPoke.java:53) Caused by: java.io.EOFException: SSL peer shut down incorrectly at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:167) at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:108) at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152) ... 6 more 
From: Bernd Eckenfels
Sent: Tuesday, September 21, 2021 7:07 AM
To: Wan, Thomas; jdk8u-dev at openjdk.java.net
Subject: Re: Welcome to the "jdk8u-dev" mailing list (Digest mode)

It normally means the peer does not like your cipher or protocol selection or maybe the peer has a wrongly configured certificate. The actual reason why the peer shuts down the connection so unclearly should be logged on the remote site.

--
http://bernd.eckenfels.net
________________________________
From: jdk8u-dev on behalf of Wan, Thomas
Sent: Tuesday, September 21, 2021 1:02:05 PM
To: jdk8u-dev at openjdk.java.net
Subject: FW: Welcome to the "jdk8u-dev" mailing list (Digest mode)

It seems jdk8u202 was working well with ldap ssl. Since then all other jdk 8 releases have the same error as below, any idea what is wrong? I compared the source code, it seems sun.security package has been changed a lot since jdk8u202

javax.net.ssl|FINE|01|main|2021-09-21 07:00:24.874 EDT|SSLSocketImpl.java:1629|close the SSL connection (initiative) javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake at sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1570) at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1400) at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1300) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:435) at sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:813) at sun.security.ssl.SSLSocketImpl.access$200(SSLSocketImpl.java:73) at sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1175) at sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1147) at com.mtb.cwp.SSLPoke.main(SSLPoke.java:53) Caused by: java.io.EOFException: SSL peer shut down incorrectly at sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:167) at
sun.security.ssl.SSLTransport.decode(SSLTransport.java:109) at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1392) ... 7 more
From prasadarao.koppula at oracle.com Tue Sep 21 13:58:45 2021
From: prasadarao.koppula at oracle.com (Prasadrao Koppula)
Date: Tue, 21 Sep 2021 13:58:45 +0000
Subject: jdk8u ssl connection issue
In-Reply-To: References: Message-ID:

>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.933
>EDT|SSLConfiguration.java:450|System property jdk.tls.client.SignatureSchemes
>is set to
>'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_
>128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RS
>A_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA
>_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_
>WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256'

These are Ciphersuites not signature schemes.

Thanks,
Prasad.K

>-----Original Message-----
>From: jdk8u-dev [mailto:jdk8u-dev-retn at openjdk.java.net] On Behalf Of Wan, >Thomas >Sent: Tuesday, September 21, 2021 6:53 PM >To: Bernd Eckenfels ; jdk8u-dev at openjdk.java.net >Subject: RE: jdk8u ssl connection issue > >One step further, I added all SignatureSchemes Supported in the server by >running nmap, here is the error I got > >javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.933 >EDT|SSLConfiguration.java:450|System property jdk.tls.client.SignatureSchemes >is set to >'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_ >128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RS >A_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA >_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_ >WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256' >javax.net.ssl|WARNING|01|main|2021-09-21 09:21:53.965 >EDT|SignatureScheme.java:297|Signature algorithm, ed25519, is not supported >by the underlying providers >javax.net.ssl|WARNING|01|main|2021-09-21 09:21:53.965 >EDT|SignatureScheme.java:297|Signature algorithm, ed448, is not supported by >the underlying providers >javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 >EDT|SSLConfiguration.java:478|The current installed providers do not support >signature scheme: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 >javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 >EDT|SSLConfiguration.java:478|The current installed providers do not support >signature scheme: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA >javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 >EDT|SSLConfiguration.java:478|The current installed providers do not support >signature scheme: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 >javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 >EDT|SSLConfiguration.java:478|The current installed providers do not support >signature scheme: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA >javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 >EDT|SSLConfiguration.java:478|The current installed providers do not support >signature 
scheme: TLS_RSA_WITH_AES_128_GCM_SHA256 >javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 >EDT|SSLConfiguration.java:478|The current installed providers do not support >signature scheme: TLS_RSA_WITH_AES_128_CBC_SHA >javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 >EDT|SSLConfiguration.java:478|The current installed providers do not support >signature scheme: TLS_RSA_WITH_AES_128_CBC_SHA256 >javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 >EDT|SSLConfiguration.java:478|The current installed providers do not support >signature scheme: TLS_RSA_WITH_AES_256_CBC_SHA >javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 >EDT|SSLConfiguration.java:478|The current installed providers do not support >signature scheme: TLS_RSA_WITH_AES_256_CBC_SHA256 > >From: Bernd Eckenfels >Sent: Tuesday, September 21, 2021 7:52 AM >To: Wan, Thomas; jdk8u-dev at openjdk.java.net >Subject: Re: jdk8u ssl connection issue > >Hello, > >I don't see any other changes in 212 besides a PKCS11 change for Tls1.2 which >should not be the case, also it looks like this version re-enabled the Renegotiation >signaling cipher, that should not be a problem but you never know. > >Can you compare the client Hello of a working 1.2 and a failed 1.2 handshake to >see which ciphers and extensions differ? > >Regards >Bernd >-- >http://bernd.eckenfels.net >________________________________ >From: Wan, Thomas >Sent: Tuesday, September 21, 2021 1:40 PM >To: Bernd Eckenfels; jdk8u-dev at openjdk.java.net >Subject: jdk8u ssl connection issue > >Hi Bernd, > >It does work with TLS1.1. > >But in jdk8u202, it works with 1.2 as well. > >All newer jdk8s or jdk 11, it seems I can make it work with TLS 1.1, but that is not >as secure as TLS1.2 any more.
> > >From: Bernd Eckenfels >Sent: Tuesday, September 21, 2021 7:32 AM >To: Wan, Thomas; jdk8u-dev at openjdk.java.net >Subject: Re: Welcome to the "jdk8u-dev" mailing list (Digest mode) > >Hello, > >You cannot see the reason on your side. You need to check the other side. > >However seeing that your client only proposes TLSv1.2 that's a likely candidate, >maybe you need to re-enable TLS 1.1. That happened with 8u291 in Oracle >according to this: https://java.com/en/jre-jdk-cryptoroadmap.html > >https://java.com/en/configure_crypto.html#DisableTLS > >Regards >Bernd > > >-- >http://bernd.eckenfels.net >________________________________ >From: Wan, Thomas >Sent: Tuesday, September 21, 2021 1:14:35 PM >To: Bernd Eckenfels; jdk8u-dev at openjdk.java.net >Subject: RE: Welcome to the "jdk8u-dev" mailing list (Digest mode) > > >Here is my debug log > >javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 >EDT|ClientHello.java:633|Produced ClientHello handshake message ( > >"ClientHello": { > > "client version" : "TLSv1.2", > > "random" : "B5 DF 63 90 04 66 83 D7 28 D2 8E 01 2B BB 91 26 EA EF DB >B0 AC CF AE D8 3E 4E DF 1C 82 DB 01 D0", > > "session id" : "", > > "cipher suites" : >"[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), >TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), >TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), >TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), >TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E), >TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032), >TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F),
>TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), >TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), >TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), >TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D), >TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031), >TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), >TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), >TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024), >TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028), >TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), >TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026), >TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A), >TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), >TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), >TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), >TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), >TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), >TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005), >TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F), >TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), >TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), >TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), >TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), >TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), >TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025), >TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029), >TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), >TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), >TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), >TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), >TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), >TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004), >TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), >TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), >TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), >TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]", > > "compression methods" : "00", > > "extensions" : [ > > "server_name (0)": { > > type=host_name (0), value=unbale.mandtbank.com > > }, > > "status_request (5)": { > > "certificate status type": ocsp > > "OCSP status request": { > > "responder_id": > > "request extensions": { > > > > } > > } > > }, > > "supported_groups (10)": { > > "versions": 
[secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, >sect409k1, sect409r1, sect571k1, sect571r1, secp256k1, ffdhe2048, ffdhe3072, >ffdhe4096, ffdhe6144, ffdhe8192] > > }, > > "ec_point_formats (11)": { > > "formats": [uncompressed] > > }, > > "signature_algorithms (13)": { > > "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, >ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, >rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, >rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, >dsa_sha256, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1] > > }, > > "signature_algorithms_cert (50)": { > > "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, >ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, >rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, >rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, >dsa_sha256, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1] > > }, > > "status_request_v2 (17)": { > > "cert status request": { > > "certificate status type": ocsp_multi > > "OCSP status request": { > > "responder_id": > > "request extensions": { > > > > } > > } > > } > > }, > > "extended_master_secret (23)": { > > > > }, > > "supported_versions (43)": { > > "versions": [TLSv1.2] > > } > > ] > >} > >) > >javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 >EDT|SSLSocketOutputRecord.java:241|WRITE: TLS12 handshake, length = 311 > >javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 >EDT|SSLSocketOutputRecord.java:255|Raw write ( > > 0000: 16 03 03 01 37 01 00 01 33 03 03 B5 DF 63 90 04 ....7...3....c.. > > 0010: 66 83 D7 28 D2 8E 01 2B BB 91 26 EA EF DB B0 AC f..(...+..&..... 
> > 0020: CF AE D8 3E 4E DF 1C 82 DB 01 D0 00 00 56 C0 2C ...>N........V., > > 0030: C0 2B C0 30 00 9D C0 2E C0 32 00 9F 00 A3 C0 2F .+.0.....2...../ > > 0040: 00 9C C0 2D C0 31 00 9E 00 A2 C0 24 C0 28 00 3D ...-.1.....$.(.= > > 0050: C0 26 C0 2A 00 6B 00 6A C0 0A C0 14 00 35 C0 05 .&.*.k.j.....5.. > > 0060: C0 0F 00 39 00 38 C0 23 C0 27 00 3C C0 25 C0 29 ...9.8.#.'.<.%.) > > 0070: 00 67 00 40 C0 09 C0 13 00 2F C0 04 C0 0E 00 33 >.g. at ...../.....3 > > 0080: 00 32 00 FF 01 00 00 B4 00 00 00 19 00 17 00 00 .2.............. > > 0090: 14 75 6E 62 61 6C 65 2E 6D 61 6E 64 74 62 61 6E .unbale.mandtban > > 00A0: 6B 2E 63 6F 6D 00 05 00 05 01 00 00 00 00 00 0A k.com........... > > 00B0: 00 20 00 1E 00 17 00 18 00 19 00 09 00 0A 00 0B . .............. > > 00C0: 00 0C 00 0D 00 0E 00 16 01 00 01 01 01 02 01 03 ................ > > 00D0: 01 04 00 0B 00 02 01 00 00 0D 00 22 00 20 04 03 ...........". .. > > 00E0: 05 03 06 03 08 04 08 05 08 06 08 09 08 0A 08 0B ................ > > 00F0: 04 01 05 01 06 01 04 02 02 03 02 01 02 02 00 32 ...............2 > > 0100: 00 22 00 20 04 03 05 03 06 03 08 04 08 05 08 06 .". ............ > > 0110: 08 09 08 0A 08 0B 04 01 05 01 06 01 04 02 02 03 ................ > > 0120: 02 01 02 02 00 11 00 09 00 07 02 00 04 00 00 00 ................ > > 0130: 00 00 17 00 00 00 2B 00 03 02 03 03 ......+..... 
> >) > >javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 >EDT|SSLSocketInputRecord.java:451|Raw read: EOF > >javax.net.ssl|ERROR|01|main|2021-09-21 07:12:50.960 >EDT|TransportContext.java:313|Fatal (HANDSHAKE_FAILURE): Couldn't >kickstart handshaking ( > >"throwable" : { > > javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake > > at >java.base/sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1321) > > at >java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1160) > > at >java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.j >ava:1063) > > at >java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:40 >2) > > at >java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:7 >16) > > at >java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImp >l.java:970) > > at >java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImp >l.java:942) > > at xxxx.main(SSLPoke.java:53) > > Caused by: java.io.EOFException: SSL peer shut down incorrectly > > at >java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.j >ava:167) > > at >java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:108) > > at >java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152) > > ... 
6 more} > > > >) > >javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 >EDT|SSLSocketOutputRecord.java:71|WRITE: TLS12 alert(handshake_failure), >length = 2 > >javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 >EDT|SSLSocketOutputRecord.java:85|Raw write ( > > 0000: 15 03 03 00 02 02 28 ......( > >) > >javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 >EDT|SSLSocketImpl.java:1361|close the underlying socket > >javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 >EDT|SSLSocketImpl.java:1380|close the SSL connection (initiative) > >javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake > > at >java.base/sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1321) > > at >java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1160) > > at >java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.j >ava:1063) > > at >java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:40 >2) > > at >java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:7 >16) > > at >java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImp >l.java:970) > > at >java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImp >l.java:942) > > at xxx.main(SSLPoke.java:53) > >Caused by: java.io.EOFException: SSL peer shut down incorrectly > > at >java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.j >ava:167) > > at >java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:108) > > at >java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152) > > ... 6 more 
> > > >From: Bernd Eckenfels >> >Sent: Tuesday, September 21, 2021 7:07 AM >To: Wan, Thomas >; jdk8u- >dev at openjdk.java.net >Subject: Re: Welcome to the "jdk8u-dev" mailing list (Digest mode) > > > >External Email: Use caution & trust the source before clicking links or opening >attachments. > > > >It normally means the peer does not like your cipher or protocol selection or >maybe the peer has a wrongly configured certificate. The actual reason why the >peer shuts down the connection so unclear should be logged on the remote site. > > > > > >-- > >http://bernd.eckenfels.netnet__;!!BqwCqLE!Y6RvFBCm67VJZMyI3xEFyrnkbVOMiME93Jmn5Uw9t- >vd7fVNT6ajpBkkdQ$> > >________________________________ > >Von: jdk8u-dev retn at openjdk.java.net>> im Auftrag von Wan, Thomas >> >Gesendet: Tuesday, September 21, 2021 1:02:05 PM >An: jdk8u-dev at openjdk.java.net dev at openjdk.java.net> >Betreff: FW: Welcome to the "jdk8u-dev" mailing list (Digest mode) > > > >It seems jdk8u202 was working well with ldap ssl. > >Since then all other jdk 8 release has the same error as below, any idea what is >wrong? 
>I compared the source code, it seems sun.security package has been changed a >lot since jdk8u202 > >javax.net.ssl|FINE|01|main|2021-09-21 07:00:24.874 >EDT|SSLSocketImpl.java:1629|close the SSL connection (initiative) >javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake > at sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1570) > at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1400) > at >sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1300) > at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:435) > at sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:813) > at sun.security.ssl.SSLSocketImpl.access$200(SSLSocketImpl.java:73) > at >sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:117 >5) > at >sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:114 >7) > at com.mtb.cwp.SSLPoke.main(SSLPoke.java:53) >Caused by: java.io.EOFException: SSL peer shut down incorrectly > at >sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:167) > at sun.security.ssl.SSLTransport.decode(SSLTransport.java:109) > at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1392) > ... 7 more > >-----Original Message----- 
>From: jdk8u-dev On Behalf Of jdk8u-dev-request at openjdk.java.net
>Sent: Tuesday, September 21, 2021 6:59 AM
>To: Wan, Thomas
>Subject: Welcome to the "jdk8u-dev" mailing list (Digest mode)

From prasadarao.koppula at oracle.com Tue Sep 21 14:09:00 2021
From: prasadarao.koppula at oracle.com (Prasadrao Koppula)
Date: Tue, 21 Sep 2021 14:09:00 +0000
Subject: jdk8u ssl connection issue
In-Reply-To:
References:
Message-ID:

To set the client side ciphersuites use: jdk.tls.client.ciphersuites
Server side: jdk.tls.server.ciphersuites

From the TLSv1.2 client debug logs, it looks like the server is not happy with the extensions present in the client's ClientHello. Which provider and version does the server have? To understand the issue further, if you are able to capture the server side logs, please share.

Thanks,
Prasad.K

>-----Original Message-----
>From: jdk8u-dev [mailto:jdk8u-dev-retn at openjdk.java.net] On Behalf Of Prasadrao Koppula
>Sent: Tuesday, September 21, 2021 7:29 PM
>To: Wan, Thomas; Bernd Eckenfels; jdk8u-dev at openjdk.java.net
>Subject: RE: jdk8u ssl connection issue
>
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.933 EDT|SSLConfiguration.java:450|System property jdk.tls.client.SignatureSchemes is set to 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256'
>
>These are Ciphersuites not signature schemes.
>
>Thanks,
>Prasad.K
>
>>-----Original Message-----
>>From: jdk8u-dev [mailto:jdk8u-dev-retn at openjdk.java.net] On Behalf Of Wan, Thomas
>>Sent: Tuesday, September 21, 2021 6:53 PM
>>To: Bernd Eckenfels; jdk8u-dev at openjdk.java.net
>>Subject: RE: jdk8u ssl connection issue
>>
>>One step further, I added all SignatureSchemes Supported in the server by running nmap, here is the error I got
>>
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.933 EDT|SSLConfiguration.java:450|System property jdk.tls.client.SignatureSchemes is set to 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256'
>>javax.net.ssl|WARNING|01|main|2021-09-21 09:21:53.965 EDT|SignatureScheme.java:297|Signature algorithm, ed25519, is not supported by the underlying providers
>>javax.net.ssl|WARNING|01|main|2021-09-21 09:21:53.965 EDT|SignatureScheme.java:297|Signature algorithm, ed448, is not supported by the underlying providers
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_RSA_WITH_AES_128_GCM_SHA256
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_RSA_WITH_AES_128_CBC_SHA
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_RSA_WITH_AES_128_CBC_SHA256
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_RSA_WITH_AES_256_CBC_SHA
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_RSA_WITH_AES_256_CBC_SHA256
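
The comparison requested in this thread (the ClientHello of a working handshake against a failing one, looking at ciphers and extensions) can be done mechanically on the raw record bytes. The following is an added example, not code from any poster or from OpenJDK; `WORKING` and `FAILING` are constructed samples, not captures from the systems discussed here, and all function names are hypothetical.

```python
import struct

# Names for the extension types listed in the ClientHello quoted in this thread.
EXT_NAMES = {0: "server_name", 5: "status_request", 10: "supported_groups",
             11: "ec_point_formats", 13: "signature_algorithms",
             17: "status_request_v2", 23: "extended_master_secret",
             43: "supported_versions", 50: "signature_algorithms_cert"}


class Reader:
    """Bounds-checked cursor, so a truncated capture fails loudly."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated at offset %d" % self.pos)
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self):
        return self.take(1)[0]

    def u16(self):
        return struct.unpack(">H", self.take(2))[0]

    def left(self):
        return len(self.data) - self.pos


def parse_client_hello(record):
    """Return the offered cipher suites and extensions of one TLS record."""
    rec = Reader(record)
    if rec.u8() != 0x16:
        raise ValueError("not a handshake record")
    rec.u16()                                   # record-layer version
    hs = Reader(rec.take(rec.u16()))
    if hs.u8() != 0x01:
        raise ValueError("not a ClientHello")
    hello = Reader(hs.take(int.from_bytes(hs.take(3), "big")))
    version = hello.u16()
    hello.take(32)                              # random
    hello.take(hello.u8())                      # session id
    suite_bytes = Reader(hello.take(hello.u16()))
    suites = []
    while suite_bytes.left():
        suites.append(suite_bytes.u16())
    hello.take(hello.u8())                      # compression methods
    extensions = {}
    if hello.left():                            # extensions block is optional
        ext_bytes = Reader(hello.take(hello.u16()))
        while ext_bytes.left():
            ext_type = ext_bytes.u16()
            extensions[ext_type] = ext_bytes.take(ext_bytes.u16())
    return {"version": version, "suites": suites, "extensions": extensions}


def diff_client_hellos(working, failing):
    """Report what the failing ClientHello offers that the working one does not."""
    ok, bad = parse_client_hello(working), parse_client_hello(failing)

    def name(ext_type):
        return EXT_NAMES.get(ext_type, "ext_%d" % ext_type)

    return {
        "suites_added": ["0x%04X" % s for s in bad["suites"] if s not in ok["suites"]],
        "suites_removed": ["0x%04X" % s for s in ok["suites"] if s not in bad["suites"]],
        "extensions_added": [name(t) for t in bad["extensions"] if t not in ok["extensions"]],
        "extensions_removed": [name(t) for t in ok["extensions"] if t not in bad["extensions"]],
        "extensions_changed": [name(t) for t in bad["extensions"]
                               if t in ok["extensions"]
                               and ok["extensions"][t] != bad["extensions"][t]],
    }


def build_client_hello(suites, extensions):
    """Assemble a TLS 1.2 ClientHello record (used only for the constructed samples)."""
    ext = b"".join(struct.pack(">HH", t, len(body)) + body for t, body in extensions)
    cs = b"".join(struct.pack(">H", s) for s in suites)
    hello = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack(">H", len(cs)) + cs
             + b"\x01\x00" + struct.pack(">H", len(ext)) + ext)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack(">H", len(handshake)) + handshake


# Constructed samples (not captures): a smaller ClientHello standing in for the
# working client, and one carrying extra extensions of the kind seen in the failing log.
WORKING = build_client_hello(
    [0xC02F, 0x009C, 0x002F],
    [(10, b"\x00\x02\x00\x17"), (11, b"\x01\x00"), (13, b"\x00\x02\x04\x01")])
FAILING = build_client_hello(
    [0xC02F, 0x009C, 0x002F, 0x00FF],
    [(10, b"\x00\x02\x00\x17"), (11, b"\x01\x00"),
     (13, b"\x00\x04\x08\x04\x04\x01"), (50, b"\x00\x02\x04\x01"),
     (23, b""), (43, b"\x02\x03\x03")])

if __name__ == "__main__":
    for key, value in diff_client_hellos(WORKING, FAILING).items():
        print("%-20s %s" % (key, value))
```

To use it on real traffic, pass the record bytes of each client's first handshake write (from a packet capture or the JSSE debug output) in place of the constructed samples.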
>> >>From: Bernd Eckenfels >>Sent: Tuesday, September 21, 2021 7:52 AM >>To: Wan, Thomas ; jdk8u-dev at openjdk.java.net >>Subject: Re: jdk8u ssl connection issue >> >>External Email: Use caution & trust the source before clicking links or >>opening attachments. >> >>Hello, >> >>I don't see any other changes in 212 besides a PKCS11 change for Tls1.2 >>which should not be the case, also it looks like this version >>re-enabled the Renegotiation signaling cipher, that should not be a problem but >you never know. >> >>Can you compare the client Hello of a working 1.2 and a failed 1.2 >>handshake to see which ciphers and extensions differ? >> >>Gruss >>Bernd >>-- >>http://bernd.eckenfels.net. >>net__;!!BqwCqLE!bf7MeZ9guvMDJw7EyXt8rMZQl3k3j6Usxq5vpoEbcwAOZWq >>wP6XhG5TqVg$> >>________________________________ >>Von: Wan, Thomas > >>Gesendet: Dienstag, September 21, 2021 1:40 PM >>An: Bernd Eckenfels; jdk8u-dev at openjdk.java.net>dev at openjdk.java.net> >>Betreff: jdk8u ssl connection issue >> >>Hi Bernd, >> >>It does work with TLS1.1. >> >>But in jdk8u202, it works with 1.2 as well. >> >>All newer jdk8s or jdk 11, it seems I can make it work with TLS 1.1, >>but that is not as secure as TLS1.2 any more. 
>> >> >>From: Bernd Eckenfels >>> >>Sent: Tuesday, September 21, 2021 7:32 AM >>To: Wan, Thomas >; jdk8u- >>dev at openjdk.java.net >>Subject: Re: Welcome to the "jdk8u-dev" mailing list (Digest mode) >> >>External Email: Use caution & trust the source before clicking links or >>opening attachments. >> >>Hello, >> >>You cannot see the reason on your side. You need to check the other side. >> >>However seeing that your client only propose TLSv1.2 that's a likely >>candidate, maybe you need to re-enable TLS 1.1. that,,happened with >>8u291 in Oracle according to this: https://java.com/en/jre-jdk- >>cryptoroadmap.html>dk- >>cryptoroadmap.html__;!!BqwCqLE!d- >>dTl_HcI0nyzMPCZv64BZsMVyqJ2KoLDnij_FJM_sh3iXEJB_wuZCetGA$> >> >>https://java.com/en/configure_crypto.html#DisableTLS>.com/ >>v3/__https:/java.com/en/configure_crypto.html*DisableTLS__;Iw!!BqwCqLE! >>d- dTl_HcI0nyzMPCZv64BZsMVyqJ2KoLDnij_FJM_sh3iXEJB_wqm3xAAQ$> >> >>Gruss >>Bernd >> >> >>-- >>http://bernd.eckenfels.net. >>net__;!!BqwCqLE!d- >>dTl_HcI0nyzMPCZv64BZsMVyqJ2KoLDnij_FJM_sh3iXEJB_zOzicwQw$> >>________________________________ >>Von: Wan, Thomas > >>Gesendet: Tuesday, September 21, 2021 1:14:35 PM >>An: Bernd Eckenfels >>>; jdk8u- >>dev at openjdk.java.net >dev at openjdk.java.net> >>Betreff: RE: Welcome to the "jdk8u-dev" mailing list (Digest mode) >> >> >>Here is my debug log >> >>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 >>EDT|ClientHello.java:633|Produced ClientHello handshake message ( >> >>"ClientHello": { >> >> "client version" : "TLSv1.2", >> >> "random" : "B5 DF 63 90 04 66 83 D7 28 D2 8E 01 2B BB 91 26 EA EF >DB >>B0 AC CF AE D8 3E 4E DF 1C 82 DB 01 D0", >> >> "session id" : "", >> >> "cipher suites" : >>"[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), >>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), >>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), >>TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), >>TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E), 
>>TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032), >>TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), >>TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), >>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), >>TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), >>TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D), >>TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031), >>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), >>TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), >>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024), >>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028), >>TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), >>TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026), >>TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A), >>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), >>TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), >>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), >>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), >>TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), >>TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005), >>TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F), >>TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), >>TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), >>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), >>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), >>TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), >>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025), >>TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029), >>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), >>TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), >>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), >>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), >>TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), >>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004), >>TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), >>TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), >>TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), >>TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]", >> >> "compression methods" : "00", >> >> "extensions" : [ >> >> "server_name (0)": { >> >> type=host_name (0), value=unbale.mandtbank.com >> >> }, >> >> "status_request (5)": { >> >> "certificate status type": ocsp >> >> "OCSP 
status request": { >> >> "responder_id": >> >> "request extensions": { >> >> >> >> } >> >> } >> >> }, >> >> "supported_groups (10)": { >> >> "versions": [secp256r1, secp384r1, secp521r1, sect283k1, >>sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1, >>ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192] >> >> }, >> >> "ec_point_formats (11)": { >> >> "formats": [uncompressed] >> >> }, >> >> "signature_algorithms (13)": { >> >> "signature schemes": [ecdsa_secp256r1_sha256, >>ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, >>rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, >>rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, >>rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1, >>rsa_pkcs1_sha1, dsa_sha1] >> >> }, >> >> "signature_algorithms_cert (50)": { >> >> "signature schemes": [ecdsa_secp256r1_sha256, >>ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, >>rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, >>rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, >>rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1, >>rsa_pkcs1_sha1, dsa_sha1] >> >> }, >> >> "status_request_v2 (17)": { >> >> "cert status request": { >> >> "certificate status type": ocsp_multi >> >> "OCSP status request": { >> >> "responder_id": >> >> "request extensions": { >> >> >> >> } >> >> } >> >> } >> >> }, >> >> "extended_master_secret (23)": { >> >> >> >> }, >> >> "supported_versions (43)": { >> >> "versions": [TLSv1.2] >> >> } >> >> ] >> >>} >> >>) >> >>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 >>EDT|SSLSocketOutputRecord.java:241|WRITE: TLS12 handshake, length = 311 >> >>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 >>EDT|SSLSocketOutputRecord.java:255|Raw write ( >> >> 0000: 16 03 03 01 37 01 00 01 33 03 03 B5 DF 63 90 04 ....7...3....c.. >> >> 0010: 66 83 D7 28 D2 8E 01 2B BB 91 26 EA EF DB B0 AC f..(...+..&..... 
>> >> 0020: CF AE D8 3E 4E DF 1C 82 DB 01 D0 00 00 56 C0 2C ...>N........V., >> >> 0030: C0 2B C0 30 00 9D C0 2E C0 32 00 9F 00 A3 C0 2F .+.0.....2...../ >> >> 0040: 00 9C C0 2D C0 31 00 9E 00 A2 C0 24 C0 28 00 3D ...-.1.....$.(.= >> >> 0050: C0 26 C0 2A 00 6B 00 6A C0 0A C0 14 00 35 C0 05 .&.*.k.j.....5.. >> >> 0060: C0 0F 00 39 00 38 C0 23 C0 27 00 3C C0 25 C0 29 ...9.8.#.'.<.%.) >> >> 0070: 00 67 00 40 C0 09 C0 13 00 2F C0 04 C0 0E 00 33 >>.g. at ...../.....3 >> >> 0080: 00 32 00 FF 01 00 00 B4 00 00 00 19 00 17 00 00 .2.............. >> >> 0090: 14 75 6E 62 61 6C 65 2E 6D 61 6E 64 74 62 61 6E .unbale.mandtban >> >> 00A0: 6B 2E 63 6F 6D 00 05 00 05 01 00 00 00 00 00 0A k.com........... >> >> 00B0: 00 20 00 1E 00 17 00 18 00 19 00 09 00 0A 00 0B . .............. >> >> 00C0: 00 0C 00 0D 00 0E 00 16 01 00 01 01 01 02 01 03 ................ >> >> 00D0: 01 04 00 0B 00 02 01 00 00 0D 00 22 00 20 04 03 ...........". .. >> >> 00E0: 05 03 06 03 08 04 08 05 08 06 08 09 08 0A 08 0B ................ >> >> 00F0: 04 01 05 01 06 01 04 02 02 03 02 01 02 02 00 32 ...............2 >> >> 0100: 00 22 00 20 04 03 05 03 06 03 08 04 08 05 08 06 .". ............ >> >> 0110: 08 09 08 0A 08 0B 04 01 05 01 06 01 04 02 02 03 ................ >> >> 0120: 02 01 02 02 00 11 00 09 00 07 02 00 04 00 00 00 ................ >> >> 0130: 00 00 17 00 00 00 2B 00 03 02 03 03 ......+..... 
>> >>) >> >>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 >>EDT|SSLSocketInputRecord.java:451|Raw read: EOF >> >>javax.net.ssl|ERROR|01|main|2021-09-21 07:12:50.960 >>EDT|TransportContext.java:313|Fatal (HANDSHAKE_FAILURE): Couldn't >>kickstart handshaking ( >> >>"throwable" : { >> >> javax.net.ssl.SSLHandshakeException: Remote host terminated the >> handshake >> >> at >>java.base/sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1 >>321) >> >> at >>java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1160 >>) >> >> at >>java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketI >>mpl.j >>ava:1063) >> >> at >>java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.j >>ava:40 >>2) >> >> at >>java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl >>.java:7 >>16) >> >> at >>java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocke >>tImp >>l.java:970) >> >> at >>java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocke >>tImp >>l.java:942) >> >> at xxxx.main(SSLPoke.java:53) >> >> Caused by: java.io.EOFException: SSL peer shut down incorrectly >> >> at >>java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRe >>cord.j >>ava:167) >> >> at >>java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:108) >> >> at >>java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152 >>) >> >> ... 
6 more} >> >> >> >>) >> >>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 >>EDT|SSLSocketOutputRecord.java:71|WRITE: TLS12 >>EDT|alert(handshake_failure), >>length = 2 >> >>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 >>EDT|SSLSocketOutputRecord.java:85|Raw write ( >> >> 0000: 15 03 03 00 02 02 28 ......( >> >>) >> >>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 >>EDT|SSLSocketImpl.java:1361|close the underlying socket >> >>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 >>EDT|SSLSocketImpl.java:1380|close the SSL connection (initiative) >> >>javax.net.ssl.SSLHandshakeException: Remote host terminated the >>handshake >> >> at >>java.base/sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1 >>321) >> >> at >>java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1160 >>) >> >> at >>java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketI >>mpl.j >>ava:1063) >> >> at >>java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.j >>ava:40 >>2) >> >> at >>java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl >>.java:7 >>16) >> >> at >>java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocke >>tImp >>l.java:970) >> >> at >>java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocke >>tImp >>l.java:942) >> >> at xxx.main(SSLPoke.java:53) >> >>Caused by: java.io.EOFException: SSL peer shut down incorrectly >> >> at >>java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRe >>cord.j >>ava:167) >> >> at >>java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:108) >> >> at >>java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152 >>) >> >> ... 6 more 
>> >> >> >>From: Bernd Eckenfels >>> >>Sent: Tuesday, September 21, 2021 7:07 AM >>To: Wan, Thomas >; jdk8u- >>dev at openjdk.java.net >>Subject: Re: Welcome to the "jdk8u-dev" mailing list (Digest mode) >> >> >> >>External Email: Use caution & trust the source before clicking links or >>opening attachments. >> >> >> >>It normally means the peer does not like your cipher or protocol >>selection or maybe the peer has a wrongly configured certificate. The >>actual reason why the peer shuts down the connection so unclear should be >logged on the remote site. >> >> >> >> >> >>-- >> >>http://bernd.eckenfels.net. >>net__;!!BqwCqLE!Y6RvFBCm67VJZMyI3xEFyrnkbVOMiME93Jmn5Uw9t- >>vd7fVNT6ajpBkkdQ$> >> >>________________________________ >> >>Von: jdk8u-dev >retn at openjdk.java.net>> im Auftrag von Wan, Thomas >>> >>Gesendet: Tuesday, September 21, 2021 1:02:05 PM >>An: jdk8u-dev at openjdk.java.net >>> >>Betreff: FW: Welcome to the "jdk8u-dev" mailing list (Digest mode) >> >> >> >>It seems jdk8u202 was working well with ldap ssl. >> >>Since then all other jdk 8 release has the same error as below, any >>idea what is wrong? 
>>I compared the source code, it seems sun.security package has been >>changed a lot since jdk8u202 >> >>javax.net.ssl|FINE|01|main|2021-09-21 07:00:24.874 >>EDT|SSLSocketImpl.java:1629|close the SSL connection (initiative) >>javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake >> at sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1570) >> at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1400) >> at >>sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1300 >) >> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:435) >> at >sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:813) >> at sun.security.ssl.SSLSocketImpl.access$200(SSLSocketImpl.java:73) >> at >>sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java >>:117 >>5) >> at >>sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java >>:114 >>7) >> at com.mtb.cwp.SSLPoke.main(SSLPoke.java:53) >>Caused by: java.io.EOFException: SSL peer shut down incorrectly >> at >>sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:167) >> at sun.security.ssl.SSLTransport.decode(SSLTransport.java:109) >> at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1392) >> ... 7 more >> >>-----Original Message----- 
From xwan at mtb.com Tue Sep 21 14:42:09 2021
From: xwan at mtb.com (Wan, Thomas)
Date: Tue, 21 Sep 2021 14:42:09 +0000
Subject: jdk8u ssl connection issue
In-Reply-To:
References:
Message-ID:

Hi Prasad,

Thanks for helping.
The main issue is that I have a demising server with end of life. I cannot see anything in server side.

Thanks for pointing out that I set ciphers as SignatureScheme.
I corrected it, still have issues

javax.net.ssl|FINE|01|main|2021-09-21 10:39:21.331 EDT|SSLConfiguration.java:450|System property jdk.tls.client.SignatureSchemes is set to 'SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA'
javax.net.ssl|WARNING|01|main|2021-09-21 10:39:21.362 EDT|SignatureScheme.java:297|Signature algorithm, ed25519, is not supported by the underlying providers
javax.net.ssl|WARNING|01|main|2021-09-21 10:39:21.362 EDT|SignatureScheme.java:297|Signature algorithm, ed448, is not supported by the underlying providers
javax.net.ssl|FINE|01|main|2021-09-21 10:39:21.362 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: SHA512withECDSA
javax.net.ssl|FINE|01|main|2021-09-21 10:39:21.362 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: SHA512withRSA
javax.net.ssl|FINE|01|main|2021-09-21 10:39:21.362 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: SHA384withECDSA
javax.net.ssl|FINE|01|main|2021-09-21 10:39:21.362 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: SHA384withRSA
javax.net.ssl|FINE|01|main|2021-09-21 10:39:21.362 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: SHA256withECDSA
javax.net.ssl|FINE|01|main|2021-09-21 10:39:21.362 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: SHA256withRSA
javax.net.ssl|FINE|01|main|2021-09-21 10:39:21.362 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: SHA256withDSA
javax.net.ssl|FINE|01|main|2021-09-21 10:39:21.362 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: SHA1withECDSA
javax.net.ssl|FINE|01|main|2021-09-21 10:39:21.362 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: SHA1withRSA
javax.net.ssl|FINE|01|main|2021-09-21 10:39:21.362 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: SHA1withDSA
javax.net.ssl|FINE|01|main|2021-09-21 10:39:21.565 EDT|SSLExtensions.java:260|Ignore, context unavailable extension: status_request
javax.net.ssl|ALL|01|main|2021-09-21 10:39:21.565 EDT|SignatureScheme.java:373|Ignore unsupported signature scheme: ed25519
javax.net.ssl|ALL|01|main|2021-09-21 10:39:21.565 EDT|SignatureScheme.java:373|Ignore unsupported signature scheme: ed448
javax.net.ssl|ALL|01|main|2021-09-21 10:39:21.565 EDT|SignatureScheme.java:373|Ignore unsupported signature scheme: ecdsa_sha224
javax.net.ssl|ALL|01|main|2021-09-21 10:39:21.565 EDT|SignatureScheme.java:373|Ignore unsupported signature scheme: rsa_sha224
javax.net.ssl|ALL|01|main|2021-09-21 10:39:21.565 EDT|SignatureScheme.java:373|Ignore unsupported signature scheme: dsa_sha224
javax.net.ssl|ALL|01|main|2021-09-21 10:39:21.565 EDT|SignatureScheme.java:393|Ignore disabled signature scheme: rsa_md5
javax.net.ssl|INFO|01|main|2021-09-21 10:39:21.565 EDT|AlpnExtension.java:178|No available application protocols
javax.net.ssl|FINE|01|main|2021-09-21 10:39:21.565 EDT|SSLExtensions.java:260|Ignore, context unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|FINE|01|main|2021-09-21 10:39:21.565 EDT|SSLExtensions.java:260|Ignore, context unavailable extension: status_request_v2
javax.net.ssl|FINE|01|main|2021-09-21 10:39:21.565 EDT|SSLExtensions.java:260|Ignore, context unavailable extension: renegotiation_info
javax.net.ssl|FINE|01|main|2021-09-21 10:39:21.581 EDT|ClientHello.java:575|Produced ClientHello handshake message (

-----Original Message-----
From: Prasadrao Koppula
Sent: Tuesday, September 21, 2021 10:09 AM
To: Prasadrao Koppula; Wan, Thomas; Bernd Eckenfels; jdk8u-dev at openjdk.java.net
Subject: RE: jdk8u ssl connection issue

External Email: Use caution & trust the source before clicking links or opening attachments.

To set the client side ciphersuites use: jdk.tls.client.ciphersuites
Server side: jdk.tls.server.ciphersuites

From the TLSv1.2 client debug logs, looks like server not happy with the extensions present in the Client's ClientHello. Which provider and version server has? To understand issue further, if you are able to capture the server side logs, please share.

Thanks,
Prasad.K

>-----Original Message-----
>From: jdk8u-dev [mailto:jdk8u-dev-retn at openjdk.java.net] On Behalf Of Prasadrao Koppula
>Sent: Tuesday, September 21, 2021 7:29 PM
>To: Wan, Thomas; Bernd Eckenfels; jdk8u-dev at openjdk.java.net
>Subject: RE: jdk8u ssl connection issue
>
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.933 EDT|SSLConfiguration.java:450|System property jdk.tls.client.SignatureSchemes is set to 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256'
>
>These are Ciphersuites not signature schemes.
>
>Thanks,
>Prasad.K
>
>>-----Original Message-----
>>From: jdk8u-dev [mailto:jdk8u-dev-retn at openjdk.java.net] On Behalf Of Wan, Thomas
>>Sent: Tuesday, September 21, 2021 6:53 PM
>>To: Bernd Eckenfels; jdk8u-dev at openjdk.java.net
>>Subject: RE: jdk8u ssl connection issue
>>
>>One step further, I added all SignatureSchemes Supported in the server
>>by running nmap, here is the error I got
>>
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.933 EDT|SSLConfiguration.java:450|System property jdk.tls.client.SignatureSchemes is set to 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256'
>>javax.net.ssl|WARNING|01|main|2021-09-21 09:21:53.965 EDT|SignatureScheme.java:297|Signature algorithm, ed25519, is not supported by the underlying providers
>>javax.net.ssl|WARNING|01|main|2021-09-21 09:21:53.965 EDT|SignatureScheme.java:297|Signature algorithm, ed448, is not supported by the underlying providers
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_RSA_WITH_AES_128_GCM_SHA256
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_RSA_WITH_AES_128_CBC_SHA
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_RSA_WITH_AES_128_CBC_SHA256
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_RSA_WITH_AES_256_CBC_SHA
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_RSA_WITH_AES_256_CBC_SHA256
>>
>>From: Bernd Eckenfels
>>Sent: Tuesday, September 21, 2021 7:52 AM
>>To: Wan, Thomas; jdk8u-dev at openjdk.java.net
>>Subject: Re: jdk8u ssl connection issue
>>
>>External Email: Use caution & trust the source before clicking links
>>or opening attachments.
>>
>>Hello,
>>
>>I don't see any other changes in 212 besides a PKCS11 change for
>>Tls1.2 which should not be the case, also it looks like this version
>>re-enabled the Renegotiation signaling cipher, that should not be a
>>problem but you never know.
>>
>>Can you compare the client Hello of a working 1.2 and a failed 1.2
>>handshake to see which ciphers and extensions differ?
>>
>>Regards
>>Bernd
>>--
>>http://bernd.eckenfels.net
>>________________________________
>>From: Wan, Thomas
>>Sent: Tuesday, September 21, 2021 1:40 PM
>>To: Bernd Eckenfels; jdk8u-dev at openjdk.java.net
>>Subject: jdk8u ssl connection issue
>>
>>Hi Bernd,
>>
>>It does work with TLS1.1.
>>
>>But in jdk8u202, it works with 1.2 as well.
>>
>>All newer jdk8s or jdk 11, it seems I can make it work with TLS 1.1,
>>but that is not as secure as TLS1.2 any more.
>>
>>
>>From: Bernd Eckenfels
>>Sent: Tuesday, September 21, 2021 7:32 AM
>>To: Wan, Thomas; jdk8u-dev at openjdk.java.net
>>Subject: Re: Welcome to the "jdk8u-dev" mailing list (Digest mode)
>>
>>External Email: Use caution & trust the source before clicking links
>>or opening attachments.
>>
>>Hello,
>>
>>You cannot see the reason on your side. You need to check the other side.
>>
>>However seeing that your client only propose TLSv1.2 that's a likely
>>candidate, maybe you need to re-enable TLS 1.1. That happened with
>>8u291 in Oracle according to this:
>>https://java.com/en/jre-jdk-cryptoroadmap.html
>>
>>https://java.com/en/configure_crypto.html#DisableTLS
>>
>>Regards
>>Bernd
>>
>>
>>--
>>http://bernd.eckenfels.net
>>________________________________
>>From: Wan, Thomas
>>Sent: Tuesday, September 21, 2021 1:14:35 PM
>>To: Bernd Eckenfels; jdk8u-dev at openjdk.java.net
>>Subject: RE: Welcome to the "jdk8u-dev" mailing list (Digest mode)
>>
>>
>>Here is my debug log
>>
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|ClientHello.java:633|Produced ClientHello handshake message (
>>"ClientHello": {
>>  "client version" : "TLSv1.2",
>>  "random" : "B5 DF 63 90 04 66 83 D7 28 D2 8E 01 2B BB 91 26 EA EF DB B0 AC CF AE D8 3E 4E DF 1C 82 DB 01 D0",
>>  "session id" : "",
>>  "cipher suites" : "[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C),
>>    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B),
>>    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030),
>>    TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D),
>>    TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E),
>>    TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032),
>>    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F),
>>    TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3),
>>    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F),
>>    TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C),
>>    TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D),
>>    TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031),
>>    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E),
>>    TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2),
>>    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024),
>>    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028),
>>    TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D),
>>    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026),
>>    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A),
>>    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B),
>>    TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A),
>>    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A),
>>    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014),
>>    TLS_RSA_WITH_AES_256_CBC_SHA(0x0035),
>>    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005),
>>    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F),
>>    TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039),
>>    TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038),
>>    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023),
>>    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027),
>>    TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C),
>>    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025),
>>    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029),
>>    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067),
>>    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040),
>>    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009),
>>    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013),
>>    TLS_RSA_WITH_AES_128_CBC_SHA(0x002F),
>>    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004),
>>    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E),
>>    TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033),
>>    TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032),
>>    TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
>>  "compression methods" : "00",
>>  "extensions" : [
>>    "server_name (0)": {
>>      type=host_name (0), value=unbale.mandtbank.com
>>    },
>>    "status_request (5)": {
>>      "certificate status type": ocsp
>>      "OCSP status request": {
>>        "responder_id":
>>        "request extensions": {
>>
>>        }
>>      }
>>    },
>>    "supported_groups (10)": {
>>      "versions": [secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
>>    },
>>    "ec_point_formats (11)": {
>>      "formats": [uncompressed]
>>    },
>>    "signature_algorithms (13)": {
>>      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
>>    },
>>    "signature_algorithms_cert (50)": {
>>      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
>>    },
>>    "status_request_v2 (17)": {
>>      "cert status request": {
>>        "certificate status type": ocsp_multi
>>        "OCSP status request": {
>>          "responder_id":
>>          "request extensions": {
>>
>>          }
>>        }
>>      }
>>    },
>>    "extended_master_secret (23)": {
>>
>>    },
>>    "supported_versions (43)": {
>>      "versions": [TLSv1.2]
>>    }
>>  ]
>>}
>>)
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketOutputRecord.java:241|WRITE: TLS12 handshake, length = 311
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketOutputRecord.java:255|Raw write (
>>  0000: 16 03 03 01 37 01 00 01 33 03 03 B5 DF 63 90 04  ....7...3....c..
>>  0010: 66 83 D7 28 D2 8E 01 2B BB 91 26 EA EF DB B0 AC  f..(...+..&.....
>>  0020: CF AE D8 3E 4E DF 1C 82 DB 01 D0 00 00 56 C0 2C  ...>N........V.,
>>  0030: C0 2B C0 30 00 9D C0 2E C0 32 00 9F 00 A3 C0 2F  .+.0.....2...../
>>  0040: 00 9C C0 2D C0 31 00 9E 00 A2 C0 24 C0 28 00 3D  ...-.1.....$.(.=
>>  0050: C0 26 C0 2A 00 6B 00 6A C0 0A C0 14 00 35 C0 05  .&.*.k.j.....5..
>>  0060: C0 0F 00 39 00 38 C0 23 C0 27 00 3C C0 25 C0 29  ...9.8.#.'.<.%.)
>>  0070: 00 67 00 40 C0 09 C0 13 00 2F C0 04 C0 0E 00 33  .g.@...../.....3
>>  0080: 00 32 00 FF 01 00 00 B4 00 00 00 19 00 17 00 00  .2..............
>>  0090: 14 75 6E 62 61 6C 65 2E 6D 61 6E 64 74 62 61 6E  .unbale.mandtban
>>  00A0: 6B 2E 63 6F 6D 00 05 00 05 01 00 00 00 00 00 0A  k.com...........
>>  00B0: 00 20 00 1E 00 17 00 18 00 19 00 09 00 0A 00 0B  . ..............
>>  00C0: 00 0C 00 0D 00 0E 00 16 01 00 01 01 01 02 01 03  ................
>>  00D0: 01 04 00 0B 00 02 01 00 00 0D 00 22 00 20 04 03  ...........". ..
>>  00E0: 05 03 06 03 08 04 08 05 08 06 08 09 08 0A 08 0B  ................
>>  00F0: 04 01 05 01 06 01 04 02 02 03 02 01 02 02 00 32  ...............2
>>  0100: 00 22 00 20 04 03 05 03 06 03 08 04 08 05 08 06  .". ............
>>  0110: 08 09 08 0A 08 0B 04 01 05 01 06 01 04 02 02 03  ................
>>  0120: 02 01 02 02 00 11 00 09 00 07 02 00 04 00 00 00  ................
>>  0130: 00 00 17 00 00 00 2B 00 03 02 03 03              ......+.....
>>)
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketInputRecord.java:451|Raw read: EOF
>>javax.net.ssl|ERROR|01|main|2021-09-21 07:12:50.960 EDT|TransportContext.java:313|Fatal (HANDSHAKE_FAILURE): Couldn't kickstart handshaking (
>>"throwable" : {
>>  javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
>>    at java.base/sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1321)
>>    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1160)
>>    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
>>    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
>>    at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:716)
>>    at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:970)
>>    at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:942)
>>    at xxxx.main(SSLPoke.java:53)
>>  Caused by: java.io.EOFException: SSL peer shut down incorrectly
>>    at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:167)
>>    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:108)
>>    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
>>    ... 6 more}
>>
>>)
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketOutputRecord.java:71|WRITE: TLS12 alert(handshake_failure), length = 2
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketOutputRecord.java:85|Raw write (
>>  0000: 15 03 03 00 02 02 28  ......(
>>)
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketImpl.java:1361|close the underlying socket
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketImpl.java:1380|close the SSL connection (initiative)
>>javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
>>    at java.base/sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1321)
>>    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1160)
>>    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
>>    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
>>    at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:716)
>>    at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:970)
>>    at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:942)
>>    at xxx.main(SSLPoke.java:53)
>>Caused by: java.io.EOFException: SSL peer shut down incorrectly
>>    at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:167)
>>    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:108)
>>    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
>>    ... 6 more
From xwan at mtb.com Tue Sep 21 19:56:20 2021
From: xwan at mtb.com (Wan, Thomas)
Date: Tue, 21 Sep 2021 19:56:20 +0000
Subject: jdk8u ssl connection issue
In-Reply-To:
References:
Message-ID:

Hi Prasad/Bernd,

Any other suggestion?

My test code is very simple, same ssl key certificate, connect to the same host and port where there is no logging.
Jdk 8u202 works fine, openjdk-1.8.0.292 and openjdk-1.8.0.302 do not.

With jdk8u202, I can tell Algorithm: [SHA256withRSA] is used.

    // Imports this fragment needs:
    import java.io.FileInputStream;
    import java.io.InputStream;
    import java.io.OutputStream;
    import java.security.KeyStore;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSocket;
    import javax.net.ssl.SSLSocketFactory;

    // Fragment of the test program's main method; keyFilename and passwd
    // are defined outside this excerpt, args[0]/args[1] are host and port.
    System.setProperty("javax.net.ssl.keyStore", keyFilename);
    System.setProperty("javax.net.ssl.keyStorePassword", passwd);
    SSLSocketFactory ssf = null;
    // set up key manager to do server authentication
    SSLContext ctx;
    KeyManagerFactory kmf;
    KeyStore ks;
    char[] passphrase = passwd.toCharArray();

    ctx = SSLContext.getInstance("TLS");
    kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    ks = KeyStore.getInstance("JKS");

    // Load the client key store and hand its keys to the SSLContext
    ks.load(new FileInputStream(System.getProperty(
            "javax.net.ssl.keyStore")), passphrase);
    kmf.init(ks, passphrase);
    ctx.init(kmf.getKeyManagers(), null, null);

    ssf = ctx.getSocketFactory();
    //SSLSocketFactory sslsocketfactory = (SSLSocketFactory) ssf.
    SSLSocket sslsocket = (SSLSocket) ssf.createSocket(args[0], Integer.parseInt(args[1]));

    InputStream in = sslsocket.getInputStream();
    OutputStream out = sslsocket.getOutputStream();

    // Write a test byte to get a reaction :)
    // (the first write triggers the TLS handshake)
    out.write(1);

    while (in.available() > 0) {
        System.out.print(in.read());
    }

Tom

-----Original Message-----
From: Prasadrao Koppula
Sent: Tuesday, September 21, 2021 10:09 AM
To: Prasadrao Koppula; Wan, Thomas; Bernd Eckenfels; jdk8u-dev at openjdk.java.net
Subject: RE: jdk8u ssl connection issue

External Email: Use caution & trust the source before clicking links or opening attachments.

To set the client side ciphersuites use: jdk.tls.client.ciphersuites
Server side: jdk.tls.server.ciphersuites

From the TLSv1.2 client debug logs, looks like server not happy with the extensions present in the Client's ClientHello. Which provider and version server has? To understand issue further, if you are able to capture the server side logs, please share.

Thanks,
Prasad.K

>-----Original Message-----
>From: jdk8u-dev [mailto:jdk8u-dev-retn at openjdk.java.net] On Behalf Of Prasadrao Koppula
>Sent: Tuesday, September 21, 2021 7:29 PM
>To: Wan, Thomas; Bernd Eckenfels; jdk8u-dev at openjdk.java.net
>Subject: RE: jdk8u ssl connection issue
>
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.933 EDT|SSLConfiguration.java:450|System property jdk.tls.client.SignatureSchemes is set to 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256'
>
>These are Ciphersuites not signature schemes.
>
>Thanks,
>Prasad.K
>
>>-----Original Message-----
>>From: jdk8u-dev [mailto:jdk8u-dev-retn at openjdk.java.net] On Behalf Of Wan, Thomas
>>Sent: Tuesday, September 21, 2021 6:53 PM
>>To: Bernd Eckenfels; jdk8u-dev at openjdk.java.net
>>Subject: RE: jdk8u ssl connection issue
>>
>>One step further, I added all SignatureSchemes Supported in the server by running nmap, here is the error I got
>>
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.933 EDT|SSLConfiguration.java:450|System property jdk.tls.client.SignatureSchemes is set to 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256'
>>javax.net.ssl|WARNING|01|main|2021-09-21 09:21:53.965 EDT|SignatureScheme.java:297|Signature algorithm, ed25519, is not supported by the underlying providers
>>javax.net.ssl|WARNING|01|main|2021-09-21 09:21:53.965 EDT|SignatureScheme.java:297|Signature algorithm, ed448, is not supported by the underlying providers
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_RSA_WITH_AES_128_GCM_SHA256
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_RSA_WITH_AES_128_CBC_SHA
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_RSA_WITH_AES_128_CBC_SHA256
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_RSA_WITH_AES_256_CBC_SHA
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_RSA_WITH_AES_256_CBC_SHA256
>>
>>From: Bernd Eckenfels
>>Sent: Tuesday, September 21, 2021 7:52 AM
>>To: Wan, Thomas; jdk8u-dev at openjdk.java.net
>>Subject: Re: jdk8u ssl connection issue
>>
>>Hello,
>>
>>I don't see any other changes in 212 besides a PKCS11 change for Tls1.2 which should not be the case, also it looks like this version re-enabled the Renegotiation signaling cipher, that should not be a problem but you never know.
>>
>>Can you compare the client Hello of a working 1.2 and a failed 1.2 handshake to see which ciphers and extensions differ?
>>
>>Regards
>>Bernd
>>--
>>http://bernd.eckenfels.net
>>________________________________
>>From: Wan, Thomas
>>Sent: Tuesday, September 21, 2021 1:40 PM
>>To: Bernd Eckenfels; jdk8u-dev at openjdk.java.net
>>Subject: jdk8u ssl connection issue
>>
>>Hi Bernd,
>>
>>It does work with TLS1.1.
>>
>>But in jdk8u202, it works with 1.2 as well.
>>
>>All newer jdk8s or jdk 11, it seems I can make it work with TLS 1.1, but that is not as secure as TLS1.2 any more.
>>
>>From: Bernd Eckenfels
>>Sent: Tuesday, September 21, 2021 7:32 AM
>>To: Wan, Thomas; jdk8u-dev at openjdk.java.net
>>Subject: Re: Welcome to the "jdk8u-dev" mailing list (Digest mode)
>>
>>Hello,
>>
>>You cannot see the reason on your side. You need to check the other side.
>>
>>However seeing that your client only proposes TLSv1.2 that's a likely candidate, maybe you need to re-enable TLS 1.1. That happened with 8u291 in Oracle according to this:
>>https://java.com/en/jre-jdk-cryptoroadmap.html
>>
>>https://java.com/en/configure_crypto.html#DisableTLS
>>
>>Regards
>>Bernd
>>
>>--
>>http://bernd.eckenfels.net
>>________________________________
>>From: Wan, Thomas
>>Sent: Tuesday, September 21, 2021 1:14:35 PM
>>To: Bernd Eckenfels; jdk8u-dev at openjdk.java.net
>>Subject: RE: Welcome to the "jdk8u-dev" mailing list (Digest mode)
>>
>>Here is my debug log
>>
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|ClientHello.java:633|Produced ClientHello handshake message (
>>"ClientHello": {
>>  "client version" : "TLSv1.2",
>>  "random" : "B5 DF 63 90 04 66 83 D7 28 D2 8E 01 2B BB 91 26 EA EF DB B0 AC CF AE D8 3E 4E DF 1C 82 DB 01 D0",
>>  "session id" : "",
>>  "cipher suites" : "[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C),
>>    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B),
>>    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030),
>>    TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D),
>>    TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E),
>>    TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032),
>>    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F),
>>    TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3),
>>    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F),
>>    TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C),
>>    TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D),
>>    TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031),
>>    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E),
>>    TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2),
>>    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024),
>>    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028),
>>    TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D),
>>    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026),
>>    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A),
>>    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B),
>>    TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A),
>>    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A),
>>    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014),
>>    TLS_RSA_WITH_AES_256_CBC_SHA(0x0035),
>>    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005),
>>    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F),
>>    TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039),
>>    TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038),
>>    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023),
>>    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027),
>>    TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C),
>>    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025),
>>    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029),
>>    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067),
>>    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040),
>>    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009),
>>    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013),
>>    TLS_RSA_WITH_AES_128_CBC_SHA(0x002F),
>>    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004),
>>    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E),
>>    TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033),
>>    TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032),
>>    TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
>>  "compression methods" : "00",
>>  "extensions" : [
>>    "server_name (0)": {
>>      type=host_name (0), value=unbale.mandtbank.com
>>    },
>>    "status_request (5)": {
>>      "certificate status type": ocsp
>>      "OCSP status request": {
>>        "responder_id":
>>        "request extensions": {
>>        }
>>      }
>>    },
>>    "supported_groups (10)": {
>>      "versions": [secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
>>    },
>>    "ec_point_formats (11)": {
>>      "formats": [uncompressed]
>>    },
>>    "signature_algorithms (13)": {
>>      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
>>    },
>>    "signature_algorithms_cert (50)": {
>>      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
>>    },
>>    "status_request_v2 (17)": {
>>      "cert status request": {
>>        "certificate status type": ocsp_multi
>>        "OCSP status request": {
>>          "responder_id":
>>          "request extensions": {
>>          }
>>        }
>>      }
>>    },
>>    "extended_master_secret (23)": {
>>    },
>>    "supported_versions (43)": {
>>      "versions": [TLSv1.2]
>>    }
>>  ]
>>}
>>)
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketOutputRecord.java:241|WRITE: TLS12 handshake, length = 311
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketOutputRecord.java:255|Raw write (
>>  0000: 16 03 03 01 37 01 00 01 33 03 03 B5 DF 63 90 04  ....7...3....c..
>>  0010: 66 83 D7 28 D2 8E 01 2B BB 91 26 EA EF DB B0 AC  f..(...+..&.....
>>  0020: CF AE D8 3E 4E DF 1C 82 DB 01 D0 00 00 56 C0 2C  ...>N........V.,
>>  0030: C0 2B C0 30 00 9D C0 2E C0 32 00 9F 00 A3 C0 2F  .+.0.....2...../
>>  0040: 00 9C C0 2D C0 31 00 9E 00 A2 C0 24 C0 28 00 3D  ...-.1.....$.(.=
>>  0050: C0 26 C0 2A 00 6B 00 6A C0 0A C0 14 00 35 C0 05  .&.*.k.j.....5..
>>  0060: C0 0F 00 39 00 38 C0 23 C0 27 00 3C C0 25 C0 29  ...9.8.#.'.<.%.)
>>  0070: 00 67 00 40 C0 09 C0 13 00 2F C0 04 C0 0E 00 33  .g.@...../.....3
>>  0080: 00 32 00 FF 01 00 00 B4 00 00 00 19 00 17 00 00  .2..............
>>  0090: 14 75 6E 62 61 6C 65 2E 6D 61 6E 64 74 62 61 6E  .unbale.mandtban
>>  00A0: 6B 2E 63 6F 6D 00 05 00 05 01 00 00 00 00 00 0A  k.com...........
>>  00B0: 00 20 00 1E 00 17 00 18 00 19 00 09 00 0A 00 0B  . ..............
>>  00C0: 00 0C 00 0D 00 0E 00 16 01 00 01 01 01 02 01 03  ................
>>  00D0: 01 04 00 0B 00 02 01 00 00 0D 00 22 00 20 04 03  ...........". ..
>>  00E0: 05 03 06 03 08 04 08 05 08 06 08 09 08 0A 08 0B  ................
>>  00F0: 04 01 05 01 06 01 04 02 02 03 02 01 02 02 00 32  ...............2
>>  0100: 00 22 00 20 04 03 05 03 06 03 08 04 08 05 08 06  .". ............
>>  0110: 08 09 08 0A 08 0B 04 01 05 01 06 01 04 02 02 03  ................
>>  0120: 02 01 02 02 00 11 00 09 00 07 02 00 04 00 00 00  ................
>>  0130: 00 00 17 00 00 00 2B 00 03 02 03 03              ......+.....
>>)
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketInputRecord.java:451|Raw read: EOF
>>javax.net.ssl|ERROR|01|main|2021-09-21 07:12:50.960 EDT|TransportContext.java:313|Fatal (HANDSHAKE_FAILURE): Couldn't kickstart handshaking (
>>"throwable" : {
>>  javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
>>    at java.base/sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1321)
>>    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1160)
>>    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
>>    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
>>    at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:716)
>>    at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:970)
>>    at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:942)
>>    at xxxx.main(SSLPoke.java:53)
>>  Caused by: java.io.EOFException: SSL peer shut down incorrectly
>>    at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:167)
>>    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:108)
>>    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
>>    ... 6 more}
>>
>>)
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketOutputRecord.java:71|WRITE: TLS12 alert(handshake_failure), length = 2
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketOutputRecord.java:85|Raw write (
>>  0000: 15 03 03 00 02 02 28  ......(
>>)
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketImpl.java:1361|close the underlying socket
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketImpl.java:1380|close the SSL connection (initiative)
>>javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
>>    at java.base/sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1321)
>>    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1160)
>>    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
>>    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
>>    at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:716)
>>    at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:970)
>>    at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:942)
>>    at xxx.main(SSLPoke.java:53)
>>Caused by: java.io.EOFException: SSL peer shut down incorrectly
>>    at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:167)
>>    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:108)
>>    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
>>    ... 6 more
>>
>>From: Bernd Eckenfels
>>Sent: Tuesday, September 21, 2021 7:07 AM
>>To: Wan, Thomas; jdk8u-dev at openjdk.java.net
>>Subject: Re: Welcome to the "jdk8u-dev" mailing list (Digest mode)
>>
>>It normally means the peer does not like your cipher or protocol selection or maybe the peer has a wrongly configured certificate. The actual reason why the peer shuts down the connection so unclear should be logged on the remote site.
>>
>>--
>>http://bernd.eckenfels.net
>>________________________________
>>From: jdk8u-dev on behalf of Wan, Thomas
>>Sent: Tuesday, September 21, 2021 1:02:05 PM
>>To: jdk8u-dev at openjdk.java.net
>>Subject: FW: Welcome to the "jdk8u-dev" mailing list (Digest mode)
>>
>>It seems jdk8u202 was working well with ldap ssl.
>>
>>Since then all other jdk 8 releases have the same error as below, any idea what is wrong?
>>I compared the source code, it seems sun.security package has been changed a lot since jdk8u202
>>
>>javax.net.ssl|FINE|01|main|2021-09-21 07:00:24.874 EDT|SSLSocketImpl.java:1629|close the SSL connection (initiative)
>>javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
>>    at sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1570)
>>    at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1400)
>>    at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1300)
>>    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:435)
>>    at sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:813)
>>    at sun.security.ssl.SSLSocketImpl.access$200(SSLSocketImpl.java:73)
>>    at sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1175)
>>    at sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1147)
>>    at com.mtb.cwp.SSLPoke.main(SSLPoke.java:53)
>>Caused by: java.io.EOFException: SSL peer shut down incorrectly
>>    at sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:167)
>>    at sun.security.ssl.SSLTransport.decode(SSLTransport.java:109)
>>    at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1392)
>>    ... 7 more
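The comparison Bernd asks for in the quoted thread (which ciphers and extensions differ between a working and a failing ClientHello) can be done mechanically from the "Raw write" hex dumps in the javax.net.debug output. The following is an added example, not code from the thread or from OpenJDK; the two sample hellos are constructed, and all function names are hypothetical.

```python
import re
import struct

# Names for the extension types listed in the ClientHello quoted in this thread.
EXT_NAMES = {0: "server_name", 5: "status_request", 10: "supported_groups",
             11: "ec_point_formats", 13: "signature_algorithms",
             17: "status_request_v2", 23: "extended_master_secret",
             43: "supported_versions", 50: "signature_algorithms_cert"}
# One dump line: optional quote marks, 4-digit offset, up to 16 hex bytes, ASCII.
DUMP_LINE = re.compile(
    r"^[>\s]*[0-9A-Fa-f]{4}:((?:\s+[0-9A-Fa-f]{2}(?=\s|$)){1,16})")

def bytes_from_debug_dump(text):
    """Rebuild record bytes from a javax.net.debug 'Raw write' hex dump."""
    out = bytearray()
    for line in text.splitlines():
        match = DUMP_LINE.match(line)
        if match:
            out += bytes.fromhex(match.group(1))
    return bytes(out)

def parse_client_hello(record):
    """Return (cipher_suites, {extension_type: data}) for a ClientHello record."""
    ctype, _version, rec_len = struct.unpack_from("!BHH", record, 0)
    body = record[5:5 + rec_len]            # ignore bytes after the record
    if ctype != 22 or rec_len < 4 or len(body) != rec_len or body[0] != 1:
        raise ValueError("not a complete ClientHello handshake record")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                            # client_version + random
    pos += 1 + hello[pos]                   # session_id
    (suites_len,) = struct.unpack_from("!H", hello, pos)
    suites = [v for (v,) in
              struct.iter_unpack("!H", hello[pos + 2:pos + 2 + suites_len])]
    pos += 2 + suites_len
    pos += 1 + hello[pos]                   # compression_methods
    extensions = {}
    if pos < len(hello):                    # the extensions block is optional
        (ext_total,) = struct.unpack_from("!H", hello, pos)
        pos, end = pos + 2, pos + 2 + ext_total
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", hello, pos)
            extensions[etype] = hello[pos + 4:pos + 4 + elen]
            pos += 4 + elen
    return suites, extensions

def signature_schemes(extensions):
    """Decode the 16-bit scheme codes carried in signature_algorithms (13)."""
    data = extensions.get(13, b"")
    if len(data) < 2:
        return []
    (length,) = struct.unpack_from("!H", data, 0)
    return [v for (v,) in struct.iter_unpack("!H", data[2:2 + length])]

def diff_hellos(working, failing):
    """List what the failing ClientHello offers that the working one does not."""
    w_suites, w_ext = parse_client_hello(working)
    f_suites, f_ext = parse_client_hello(failing)
    w_sig, f_sig = signature_schemes(w_ext), signature_schemes(f_ext)
    return {
        "extensions": [EXT_NAMES.get(t, str(t)) for t in f_ext if t not in w_ext],
        "cipher_suites": ["0x%04X" % s for s in f_suites if s not in w_suites],
        "signature_schemes": ["0x%04X" % s for s in f_sig if s not in w_sig],
    }

# --- Constructed sample input (not taken from the thread) ---
def u16_vector(values):
    """Encode 16-bit values as a TLS vector with a 16-bit byte-length prefix."""
    return struct.pack("!%dH" % (len(values) + 1), 2 * len(values), *values)

def build_hello(suites, extensions):
    """Build a minimal TLS 1.2 ClientHello record with an all-zero random."""
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    hello = (b"\x03\x03" + bytes(32) + b"\x00" + u16_vector(suites)
             + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

def as_debug_dump(data):
    """Render bytes as quoted offset / hex / ASCII rows like the debug log."""
    rows = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        text = "".join(chr(b) if 32 < b < 127 else "." for b in chunk)
        rows.append(">>  %04X: %s  %s"
                    % (off, " ".join("%02X" % b for b in chunk), text))
    return "\n".join(rows)

SUITES = [0xC02F, 0x009C, 0x00FF]
OLD_SIGS = [0x0401, 0x0501, 0x0201]         # rsa_pkcs1_sha256/384, rsa_pkcs1_sha1
NEW_SIGS = [0x0804] + OLD_SIGS              # adds rsa_pss_rsae_sha256
WORKING_DUMP = as_debug_dump(build_hello(
    SUITES, [(13, u16_vector(OLD_SIGS)), (23, b"")]))
FAILING_DUMP = as_debug_dump(build_hello(
    SUITES, [(13, u16_vector(NEW_SIGS)), (50, u16_vector(NEW_SIGS)),
             (23, b""), (43, b"\x02\x03\x03")]))

def compare_samples():
    """Diff the two constructed dumps."""
    return diff_hellos(bytes_from_debug_dump(WORKING_DUMP),
                       bytes_from_debug_dump(FAILING_DUMP))
```

To use it on real logs, pass the text of each "Raw write (" section that follows a "Produced ClientHello" entry to bytes_from_debug_dump() and feed the two results to diff_hellos().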
From ecki at zusammenkunft.net Tue Sep 21 20:34:33 2021
From: ecki at zusammenkunft.net (Bernd Eckenfels) Date: Tue, 21 Sep 2021 20:34:33 +0000 Subject: jdk8u ssl connection issue In-Reply-To: References: Message-ID: I had no time to compare your handshakes, you really should do that. However as an additional point - I noticed you actually test with 8-versions which have the new tlsv1.3 backport code (with new extensions). I suspect one of them is the reason, did you try 8u252, which is the last version with the old code (you will see a difference in debug logging format). If that still works we know it's not caused by 212 but by the backport. BTW it's much easier if you contact your commercial java support provider, that's why we pay them. We are kind of abusing the development list with this. -- http://bernd.eckenfels.net ________________________________ Von: Wan, Thomas Gesendet: Tuesday, September 21, 2021 9:56:20 PM An: Prasadrao Koppula ; Bernd Eckenfels ; jdk8u-dev at openjdk.java.net Betreff: RE: jdk8u ssl connection issue Hi Prasad/Bernd, Any other suggestion? My test code is very simple, same ssl key certificate, connect to the same host and port where there is no logging. Jdk 8u202 works fine, openjdk-1.8.0.292 And openjdk-1.8.0.302 does not. With jdk8u202, I can tell Algorithm: [SHA256withRSA] is used. System.setProperty("javax.net.ssl.keyStore", keyFilename); System.setProperty("javax.net.ssl.keyStorePassword", passwd); SSLSocketFactory ssf = null; // set up key manager to do server authentication SSLContext ctx; KeyManagerFactory kmf; KeyStore ks; char[] passphrase = passwd.toCharArray(); ctx = SSLContext.getInstance("TLS"); kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); ks = KeyStore.getInstance("JKS"); ks.load(new FileInputStream(System.getProperty( "javax.net.ssl.keyStore")), passphrase); kmf.init(ks, passphrase); ctx.init(kmf.getKeyManagers(), null, null); ssf = ctx.getSocketFactory(); //SSLSocketFactory sslsocketfactory = (SSLSocketFactory) ssf. 
SSLSocket sslsocket = (SSLSocket) ssf.createSocket(args[0], Integer.parseInt(args[1])); InputStream in = sslsocket.getInputStream(); OutputStream out = sslsocket.getOutputStream(); // Write a test byte to get a reaction :) out.write(1); while (in.available() > 0) { System.out.print(in.read()); } Tom -----Original Message----- From: Prasadrao Koppula Sent: Tuesday, September 21, 2021 10:09 AM To: Prasadrao Koppula ; Wan, Thomas ; Bernd Eckenfels ; jdk8u-dev at openjdk.java.net Subject: RE: jdk8u ssl connection issue External Email: Use caution & trust the source before clicking links or opening attachments. To set the client side ciphersuites use: jdk.tls.client.ciphersuites Server side: jdk.tls.server.ciphersuites >From the TLSv1.2 client debug logs, looks like server not happy with the extensions present in the Client's ClientHello. Which provider and version server has? To understand issue further, If you are able capture the server side logs, please share. Thanks, Prasad.K >-----Original Message----- >From: jdk8u-dev [mailto:jdk8u-dev-retn at openjdk.java.net] On Behalf Of >Prasadrao Koppula >Sent: Tuesday, September 21, 2021 7:29 PM >To: Wan, Thomas ; Bernd Eckenfels >; jdk8u-dev at openjdk.java.net >Subject: RE: jdk8u ssl connection issue > >>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.933 >>EDT|SSLConfiguration.java:450|System property >>EDT|jdk.tls.client.SignatureSchemes >>is set to >>'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES >_ >>128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_R >S >>A_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RS >A >>_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_ >>WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256' > >These are Ciphersuites not signature schemes. > >Thanks, >Prasad.K > >>-----Original Message----- 
>>From: jdk8u-dev [mailto:jdk8u-dev-retn at openjdk.java.net] On Behalf Of >>Wan, Thomas >>Sent: Tuesday, September 21, 2021 6:53 PM >>To: Bernd Eckenfels ; >>jdk8u-dev at openjdk.java.net >>Subject: RE: jdk8u ssl connection issue >> >>One step further, I added all SignatureSchemes Supported in the server >>by running nmap, here is the error I got >> >>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.933 >>EDT|SSLConfiguration.java:450|System property >>EDT|jdk.tls.client.SignatureSchemes >>is set to >>'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES >_ >>128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_R >S >>A_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RS >A >>_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_ >>WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256' >>javax.net.ssl|WARNING|01|main|2021-09-21 09:21:53.965 >>EDT|SignatureScheme.java:297|Signature algorithm, ed25519, is not >>EDT|supported >>by the underlying providers >>javax.net.ssl|WARNING|01|main|2021-09-21 09:21:53.965 >>EDT|SignatureScheme.java:297|Signature algorithm, ed448, is not >>EDT|supported by >>the underlying providers >>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 >>EDT|SSLConfiguration.java:478|The current installed providers do not >>EDT|support >>signature scheme: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 >>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 >>EDT|SSLConfiguration.java:478|The current installed providers do not >>EDT|support >>signature scheme: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA >>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 >>EDT|SSLConfiguration.java:478|The current installed providers do not >>EDT|support >>signature scheme: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 >>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 >>EDT|SSLConfiguration.java:478|The current installed providers do not >>EDT|support >>signature scheme: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA >>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 
>>EDT|SSLConfiguration.java:478|The current installed providers do not >>EDT|support >>signature scheme: TLS_RSA_WITH_AES_128_GCM_SHA256 >>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 >>EDT|SSLConfiguration.java:478|The current installed providers do not >>EDT|support >>signature scheme: TLS_RSA_WITH_AES_128_CBC_SHA >>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 >>EDT|SSLConfiguration.java:478|The current installed providers do not >>EDT|support >>signature scheme: TLS_RSA_WITH_AES_128_CBC_SHA256 >>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 >>EDT|SSLConfiguration.java:478|The current installed providers do not >>EDT|support >>signature scheme: TLS_RSA_WITH_AES_256_CBC_SHA >>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 >>EDT|SSLConfiguration.java:478|The current installed providers do not >>EDT|support >>signature scheme: TLS_RSA_WITH_AES_256_CBC_SHA256 
>> >>From: Bernd Eckenfels >>Sent: Tuesday, September 21, 2021 7:52 AM >>To: Wan, Thomas ; jdk8u-dev at openjdk.java.net >>Subject: Re: jdk8u ssl connection issue >> >>External Email: Use caution & trust the source before clicking links >>or opening attachments. >> >>Hello, >> >>I don't see any other changes in 212 besides a PKCS11 change for >>Tls1.2 which should not be the case, also it looks like this version >>re-enabled the Renegotiation signaling cipher, that should not be a >>problem but >you never know. >> >>Can you compare the client Hello of a working 1.2 and a failed 1.2 >>handshake to see which ciphers and extensions differ? >> >>Gruss >>Bernd >>-- >>https://urldefense.com/v3/__http://bernd.eckenfels.net__;!!BqwCqLE!b34 >>kJiJErpO5iSf1KYuNQbBgk89qZDdMaJK7p6W0lZFpnIa6h7Hm3jNXfg$ >>. >>net__;!!BqwCqLE!bf7MeZ9guvMDJw7EyXt8rMZQl3k3j6Usxq5vpoEbcwAOZWq >>wP6XhG5TqVg$> >>________________________________ >>Von: Wan, Thomas > >>Gesendet: Dienstag, September 21, 2021 1:40 PM >>An: Bernd Eckenfels; jdk8u-dev at openjdk.java.net>dev at openjdk.java.net> >>Betreff: jdk8u ssl connection issue >> >>Hi Bernd, >> >>It does work with TLS1.1. >> >>But in jdk8u202, it works with 1.2 as well. >> >>All newer jdk8s or jdk 11, it seems I can make it work with TLS 1.1, >>but that is not as secure as TLS1.2 any more. 
>> >> >>From: Bernd Eckenfels >>> >>Sent: Tuesday, September 21, 2021 7:32 AM >>To: Wan, Thomas >; jdk8u- >>dev at openjdk.java.net >>Subject: Re: Welcome to the "jdk8u-dev" mailing list (Digest mode) >> >>External Email: Use caution & trust the source before clicking links >>or opening attachments. >> >>Hello, >> >>You cannot see the reason on your side. You need to check the other side. >> >>However seeing that your client only propose TLSv1.2 that's a likely >>candidate, maybe you need to re-enable TLS 1.1. that,,happened with >>8u291 in Oracle according to this: >>https://urldefense.com/v3/__https://java.com/en/jre-jdk-__;!!BqwCqLE!b >>34kJiJErpO5iSf1KYuNQbBgk89qZDdMaJK7p6W0lZFpnIa6h7EEMiCyHw$ >>cryptoroadmap.html>j >>dk- >>cryptoroadmap.html__;!!BqwCqLE!d- >>dTl_HcI0nyzMPCZv64BZsMVyqJ2KoLDnij_FJM_sh3iXEJB_wuZCetGA$> >> >>https://urldefense.com/v3/__https://java.com/en/configure_crypto.html* >>DisableTLS__;Iw!!BqwCqLE!b34kJiJErpO5iSf1KYuNQbBgk89qZDdMaJK7p6W0lZFpn >>Ia6h7FCRFj2Eg$ >>>O5iSf1KYuNQbBgk89qZDdMaJK7p6W0lZFpnIa6h7Ff98ppRg$ >>.com/ >>v3/__https://urldefense.com/v3/__https://java.com/en/configure_crypto. >>html*DisableTLS__;Iw!!BqwCqLE!__;Kg!!BqwCqLE!b34kJiJErpO5iSf1KYuNQbBgk >>89qZDdMaJK7p6W0lZFpnIa6h7Elp5RtnA$ >>d- dTl_HcI0nyzMPCZv64BZsMVyqJ2KoLDnij_FJM_sh3iXEJB_wqm3xAAQ$> >> >>Gruss >>Bernd >> >> >>-- >>https://urldefense.com/v3/__http://bernd.eckenfels.net__;!!BqwCqLE!b34 >>kJiJErpO5iSf1KYuNQbBgk89qZDdMaJK7p6W0lZFpnIa6h7Hm3jNXfg$ >>. 
>>________________________________
>>From: Wan, Thomas
>>Sent: Tuesday, September 21, 2021 1:14:35 PM
>>To: Bernd Eckenfels; jdk8u-dev at openjdk.java.net
>>Subject: RE: Welcome to the "jdk8u-dev" mailing list (Digest mode)
>>
>>Here is my debug log
>>
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|ClientHello.java:633|Produced ClientHello handshake message (
>>"ClientHello": {
>>  "client version" : "TLSv1.2",
>>  "random" : "B5 DF 63 90 04 66 83 D7 28 D2 8E 01 2B BB 91 26 EA EF DB B0 AC CF AE D8 3E 4E DF 1C 82 DB 01 D0",
>>  "session id" : "",
>>  "cipher suites" : "[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C),
>>    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B),
>>    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030),
>>    TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D),
>>    TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E),
>>    TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032),
>>    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F),
>>    TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3),
>>    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F),
>>    TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C),
>>    TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D),
>>    TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031),
>>    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E),
>>    TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2),
>>    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024),
>>    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028),
>>    TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D),
>>    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026),
>>    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A),
>>    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B),
>>    TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A),
>>    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A),
>>    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014),
>>    TLS_RSA_WITH_AES_256_CBC_SHA(0x0035),
>>    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005),
>>    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F),
>>    TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039),
>>    TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038),
>>    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023),
>>    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027),
>>    TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C),
>>    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025),
>>    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029),
>>    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067),
>>    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040),
>>    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009),
>>    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013),
>>    TLS_RSA_WITH_AES_128_CBC_SHA(0x002F),
>>    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004),
>>    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E),
>>    TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033),
>>    TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032),
>>    TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
>>  "compression methods" : "00",
>>  "extensions" : [
>>    "server_name (0)": {
>>      type=host_name (0), value=unbale.mandtbank.com
>>    },
>>    "status_request (5)": {
>>      "certificate status type": ocsp
>>      "OCSP status request": {
>>        "responder_id":
>>        "request extensions": {
>>
>>        }
>>      }
>>    },
>>    "supported_groups (10)": {
>>      "versions": [secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
>>    },
>>    "ec_point_formats (11)": {
>>      "formats": [uncompressed]
>>    },
>>    "signature_algorithms (13)": {
>>      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
>>    },
>>    "signature_algorithms_cert (50)": {
>>      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
>>    },
>>    "status_request_v2 (17)": {
>>      "cert status request": {
>>        "certificate status type": ocsp_multi
>>        "OCSP status request": {
>>          "responder_id":
>>          "request extensions": {
>>
>>          }
>>        }
>>      }
>>    },
>>    "extended_master_secret (23)": {
>>
>>    },
>>    "supported_versions (43)": {
>>      "versions": [TLSv1.2]
>>    }
>>  ]
>>}
>>)
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketOutputRecord.java:241|WRITE: TLS12 handshake, length = 311
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketOutputRecord.java:255|Raw write (
>>  0000: 16 03 03 01 37 01 00 01 33 03 03 B5 DF 63 90 04  ....7...3....c..
>>  0010: 66 83 D7 28 D2 8E 01 2B BB 91 26 EA EF DB B0 AC  f..(...+..&.....
>>  0020: CF AE D8 3E 4E DF 1C 82 DB 01 D0 00 00 56 C0 2C  ...>N........V.,
>>  0030: C0 2B C0 30 00 9D C0 2E C0 32 00 9F 00 A3 C0 2F  .+.0.....2...../
>>  0040: 00 9C C0 2D C0 31 00 9E 00 A2 C0 24 C0 28 00 3D  ...-.1.....$.(.=
>>  0050: C0 26 C0 2A 00 6B 00 6A C0 0A C0 14 00 35 C0 05  .&.*.k.j.....5..
>>  0060: C0 0F 00 39 00 38 C0 23 C0 27 00 3C C0 25 C0 29  ...9.8.#.'.<.%.)
>>  0070: 00 67 00 40 C0 09 C0 13 00 2F C0 04 C0 0E 00 33  .g.@...../.....3
>>  0080: 00 32 00 FF 01 00 00 B4 00 00 00 19 00 17 00 00  .2..............
>>  0090: 14 75 6E 62 61 6C 65 2E 6D 61 6E 64 74 62 61 6E  .unbale.mandtban
>>  00A0: 6B 2E 63 6F 6D 00 05 00 05 01 00 00 00 00 00 0A  k.com...........
>>  00B0: 00 20 00 1E 00 17 00 18 00 19 00 09 00 0A 00 0B  . ..............
>>  00C0: 00 0C 00 0D 00 0E 00 16 01 00 01 01 01 02 01 03  ................
>>  00D0: 01 04 00 0B 00 02 01 00 00 0D 00 22 00 20 04 03  ...........". ..
>>  00E0: 05 03 06 03 08 04 08 05 08 06 08 09 08 0A 08 0B  ................
>>  00F0: 04 01 05 01 06 01 04 02 02 03 02 01 02 02 00 32  ...............2
>>  0100: 00 22 00 20 04 03 05 03 06 03 08 04 08 05 08 06  .". ............
>>  0110: 08 09 08 0A 08 0B 04 01 05 01 06 01 04 02 02 03  ................
>>  0120: 02 01 02 02 00 11 00 09 00 07 02 00 04 00 00 00  ................
>>  0130: 00 00 17 00 00 00 2B 00 03 02 03 03              ......+.....
>>)
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketInputRecord.java:451|Raw read: EOF
>>javax.net.ssl|ERROR|01|main|2021-09-21 07:12:50.960 EDT|TransportContext.java:313|Fatal (HANDSHAKE_FAILURE): Couldn't kickstart handshaking (
>>"throwable" : {
>>  javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
>>    at java.base/sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1321)
>>    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1160)
>>    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
>>    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
>>    at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:716)
>>    at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:970)
>>    at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:942)
>>    at xxxx.main(SSLPoke.java:53)
>>  Caused by: java.io.EOFException: SSL peer shut down incorrectly
>>    at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:167)
>>    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:108)
>>    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
>>    ... 6 more}
>>
>>)
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketOutputRecord.java:71|WRITE: TLS12 alert(handshake_failure), length = 2
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketOutputRecord.java:85|Raw write (
>>  0000: 15 03 03 00 02 02 28                               ......(
>>)
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketImpl.java:1361|close the underlying socket
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketImpl.java:1380|close the SSL connection (initiative)
>>javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
>>    at java.base/sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1321)
>>    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1160)
>>    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
>>    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
>>    at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:716)
>>    at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:970)
>>    at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:942)
>>    at xxx.main(SSLPoke.java:53)
>>Caused by: java.io.EOFException: SSL peer shut down incorrectly
>>    at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:167)
>>    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:108)
>>    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
>>    ... 6 more
>>
>>From: Bernd Eckenfels
>>Sent: Tuesday, September 21, 2021 7:07 AM
>>To: Wan, Thomas; jdk8u-dev at openjdk.java.net
>>Subject: Re: Welcome to the "jdk8u-dev" mailing list (Digest mode)
>>
>>It normally means the peer does not like your cipher or protocol
>>selection or maybe the peer has a wrongly configured certificate. The
>>actual reason why the peer shuts down the connection so unclear should
>>be logged on the remote site.
>>
>>--
>>http://bernd.eckenfels.net
>>
>>________________________________
>>From: jdk8u-dev on behalf of Wan, Thomas
>>Sent: Tuesday, September 21, 2021 1:02:05 PM
>>To: jdk8u-dev at openjdk.java.net
>>Subject: FW: Welcome to the "jdk8u-dev" mailing list (Digest mode)
>>
>>It seems jdk8u202 was working well with ldap ssl.
>>
>>Since then all other jdk 8 release has the same error as below, any
>>idea what is wrong?
>>I compared the source code, it seems sun.security package has been
>>changed a lot since jdk8u202
>>
>>javax.net.ssl|FINE|01|main|2021-09-21 07:00:24.874 EDT|SSLSocketImpl.java:1629|close the SSL connection (initiative)
>>javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
>>    at sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1570)
>>    at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1400)
>>    at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1300)
>>    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:435)
>>    at sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:813)
>>    at sun.security.ssl.SSLSocketImpl.access$200(SSLSocketImpl.java:73)
>>    at sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1175)
>>    at sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1147)
>>    at com.mtb.cwp.SSLPoke.main(SSLPoke.java:53)
>>Caused by: java.io.EOFException: SSL peer shut down incorrectly
>>    at sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:167)
>>    at sun.security.ssl.SSLTransport.decode(SSLTransport.java:109)
>>    at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1392)
>>    ... 7 more
>>
>>-----Original Message-----
>>From: jdk8u-dev On Behalf Of jdk8u-dev-request at openjdk.java.net
>>Sent: Tuesday, September 21, 2021 6:59 AM
>>To: Wan, Thomas
>>Subject: Welcome to the "jdk8u-dev" mailing list (Digest mode)
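
Bernd's request in this thread, to compare the ClientHello of a working and a failing TLS 1.2 handshake, can be carried out on the "Raw write" bytes that the javax.net.ssl debug log prints. The Python below is an added example, not code from any message in the thread: it parses the failing ClientHello record copied from the quoted dump and diffs it against a second hello that is constructed here as a stand-in for a capture from a working JDK. The names parse_client_hello, build_client_hello and diff_hellos are chosen for this example, and it assumes the ClientHello fits in a single TLS record.

```python
import struct

# ClientHello record copied from the "Raw write" hex dump quoted in this thread.
FAILING_HEX = """
16 03 03 01 37 01 00 01 33 03 03 B5 DF 63 90 04 66 83 D7 28 D2 8E 01 2B BB 91 26 EA EF DB B0 AC
CF AE D8 3E 4E DF 1C 82 DB 01 D0 00 00 56 C0 2C C0 2B C0 30 00 9D C0 2E C0 32 00 9F 00 A3 C0 2F
00 9C C0 2D C0 31 00 9E 00 A2 C0 24 C0 28 00 3D C0 26 C0 2A 00 6B 00 6A C0 0A C0 14 00 35 C0 05
C0 0F 00 39 00 38 C0 23 C0 27 00 3C C0 25 C0 29 00 67 00 40 C0 09 C0 13 00 2F C0 04 C0 0E 00 33
00 32 00 FF 01 00 00 B4 00 00 00 19 00 17 00 00 14 75 6E 62 61 6C 65 2E 6D 61 6E 64 74 62 61 6E
6B 2E 63 6F 6D 00 05 00 05 01 00 00 00 00 00 0A 00 20 00 1E 00 17 00 18 00 19 00 09 00 0A 00 0B
00 0C 00 0D 00 0E 00 16 01 00 01 01 01 02 01 03 01 04 00 0B 00 02 01 00 00 0D 00 22 00 20 04 03
05 03 06 03 08 04 08 05 08 06 08 09 08 0A 08 0B 04 01 05 01 06 01 04 02 02 03 02 01 02 02 00 32
00 22 00 20 04 03 05 03 06 03 08 04 08 05 08 06 08 09 08 0A 08 0B 04 01 05 01 06 01 04 02 02 03
02 01 02 02 00 11 00 09 00 07 02 00 04 00 00 00 00 00 17 00 00 00 2B 00 03 02 03 03
"""

EXT_NAMES = {0: "server_name", 5: "status_request", 10: "supported_groups",
             11: "ec_point_formats", 13: "signature_algorithms",
             17: "status_request_v2", 23: "extended_master_secret",
             43: "supported_versions", 50: "signature_algorithms_cert"}


class Reader:
    """Cursor over bytes that raises on truncated input instead of misparsing."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated input at offset %d" % self.pos)
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def uint(self, n):
        return int.from_bytes(self.take(n), "big")
    def vec(self, len_bytes):
        return self.take(self.uint(len_bytes))  # length-prefixed vector


def u16_list(raw):
    return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, len(raw), 2)]


def parse_client_hello(record):
    """Parse one TLS record that holds a complete (unfragmented) ClientHello."""
    rec = Reader(record)
    if rec.uint(1) != 0x16:
        raise ValueError("not a handshake record")
    rec.uint(2)                      # record-layer version
    msg = Reader(rec.vec(2))
    if msg.uint(1) != 0x01:
        raise ValueError("not a ClientHello")
    hello = Reader(msg.vec(3))
    legacy_version = hello.uint(2)
    hello.take(32)                   # random
    hello.vec(1)                     # session id
    suites = u16_list(hello.vec(2))
    hello.vec(1)                     # compression methods
    extensions = {}
    if hello.pos < len(hello.data):  # the extensions block is optional
        exts = Reader(hello.vec(2))
        while exts.pos < len(exts.data):
            ext_type = exts.uint(2)
            extensions[ext_type] = exts.vec(2)
    # supported_versions (43), when present, lists the versions really offered
    versions = u16_list(extensions[43][1:]) if 43 in extensions else [legacy_version]
    return {"versions": versions, "cipher_suites": suites, "extensions": extensions}


def build_client_hello(suites, extensions):
    """Serialize a ClientHello; used here only to build the constructed sample."""
    ext_raw = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions.items())
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack(">H", 2 * len(suites))
            + b"".join(struct.pack(">H", s) for s in suites)
            + b"\x01\x00" + struct.pack(">H", len(ext_raw)) + ext_raw)
    msg = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack(">H", len(msg)) + msg


def diff_hellos(working, failing):
    """List what each ClientHello offers that the other does not."""
    def only(a, b, key, fmt):
        return [fmt(x) for x in a[key] if x not in b[key]]
    ext = lambda t: "%s (%d)" % (EXT_NAMES.get(t, "unknown"), t)
    suite = lambda s: "0x%04X" % s
    return {"suites_only_in_failing": only(failing, working, "cipher_suites", suite),
            "suites_only_in_working": only(working, failing, "cipher_suites", suite),
            "extensions_only_in_failing": only(failing, working, "extensions", ext),
            "extensions_only_in_working": only(working, failing, "extensions", ext)}


FAILING = parse_client_hello(bytes.fromhex(FAILING_HEX))
# CONSTRUCTED stand-in for a working capture: same hello minus SCSV and ext 17/43/50.
WORKING = parse_client_hello(build_client_hello(
    [s for s in FAILING["cipher_suites"] if s != 0x00FF],
    {t: d for t, d in FAILING["extensions"].items() if t not in (17, 43, 50)}))

if __name__ == "__main__":
    for key, values in diff_hellos(WORKING, FAILING).items():
        print(key, values)
```

For a real comparison, replace the constructed WORKING value with the parsed hex column of the first "Raw write" block logged by the JDK build that still connects.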

From xwan at mtb.com Tue Sep 21 21:24:58 2021
From: xwan at mtb.com (Wan, Thomas)
Date: Tue, 21 Sep 2021 21:24:58 +0000
Subject: jdk8u ssl connection issue
In-Reply-To:
References:
Message-ID:

If I do have to go with versions with backport which has tls1.3, anything can I do about it?

________________________________
From: Bernd Eckenfels
Sent: Tuesday, September 21, 2021 4:34:33 PM
To: Wan, Thomas; jdk8u-dev at openjdk.java.net
Subject: Re: jdk8u ssl connection issue

I had no time to compare your handshakes, you really should do that.

However as an additional point - I noticed you actually test with 8-versions which have the new tlsv1.3 backport code (with new extensions). I suspect one of them is the reason, did you try 8u252, which is the last version with the old code (you will see a difference in debug logging format). If that still works we know it's not caused by 212 but by the backport.

BTW it's much easier if you contact your commercial java support provider, that's why we pay them. We are kind of abusing the development list with this.

--
http://bernd.eckenfels.net
________________________________
From: Wan, Thomas
Sent: Tuesday, September 21, 2021 9:56:20 PM
To: Prasadrao Koppula; Bernd Eckenfels; jdk8u-dev at openjdk.java.net
Subject: RE: jdk8u ssl connection issue

Hi Prasad/Bernd,

Any other suggestion?

My test code is very simple, same ssl key certificate, connect to the same host and port where there is no logging.

Jdk 8u202 works fine, openjdk-1.8.0.292 and openjdk-1.8.0.302 does not.

With jdk8u202, I can tell Algorithm: [SHA256withRSA] is used.

    // Imports needed by this excerpt
    import java.io.FileInputStream;
    import java.io.InputStream;
    import java.io.OutputStream;
    import java.security.KeyStore;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSocket;
    import javax.net.ssl.SSLSocketFactory;

    System.setProperty("javax.net.ssl.keyStore", keyFilename);
    System.setProperty("javax.net.ssl.keyStorePassword", passwd);

    SSLSocketFactory ssf = null;
    // set up key manager to do server authentication
    SSLContext ctx;
    KeyManagerFactory kmf;
    KeyStore ks;
    char[] passphrase = passwd.toCharArray();

    ctx = SSLContext.getInstance("TLS");
    kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    ks = KeyStore.getInstance("JKS");
    ks.load(new FileInputStream(System.getProperty("javax.net.ssl.keyStore")), passphrase);
    kmf.init(ks, passphrase);
    // key managers come from the keystore; trust managers and randomness are the defaults
    ctx.init(kmf.getKeyManagers(), null, null);

    ssf = ctx.getSocketFactory();
    //SSLSocketFactory sslsocketfactory = (SSLSocketFactory) ssf.
    SSLSocket sslsocket = (SSLSocket) ssf.createSocket(args[0], Integer.parseInt(args[1]));

    InputStream in = sslsocket.getInputStream();
    OutputStream out = sslsocket.getOutputStream();

    // Write a test byte to get a reaction :)
    out.write(1);

    while (in.available() > 0) {
        System.out.print(in.read());
    }

Tom

-----Original Message-----
From: Prasadrao Koppula
Sent: Tuesday, September 21, 2021 10:09 AM
To: Prasadrao Koppula; Wan, Thomas; Bernd Eckenfels; jdk8u-dev at openjdk.java.net
Subject: RE: jdk8u ssl connection issue

To set the client side ciphersuites use: jdk.tls.client.ciphersuites
Server side: jdk.tls.server.ciphersuites

From the TLSv1.2 client debug logs, looks like server not happy with the extensions present in the Client's ClientHello. Which provider and version server has? To understand issue further, if you are able to capture the server side logs, please share.

Thanks,
Prasad.K

>-----Original Message-----
>From: jdk8u-dev [mailto:jdk8u-dev-retn at openjdk.java.net] On Behalf Of Prasadrao Koppula
>Sent: Tuesday, September 21, 2021 7:29 PM
>To: Wan, Thomas; Bernd Eckenfels; jdk8u-dev at openjdk.java.net
>Subject: RE: jdk8u ssl connection issue
>
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.933 EDT|SSLConfiguration.java:450|System property jdk.tls.client.SignatureSchemes is set to 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256'
>
>These are Ciphersuites not signature schemes.
>
>Thanks,
>Prasad.K
>
>>-----Original Message-----
>>From: jdk8u-dev [mailto:jdk8u-dev-retn at openjdk.java.net] On Behalf Of Wan, Thomas
>>Sent: Tuesday, September 21, 2021 6:53 PM
>>To: Bernd Eckenfels; jdk8u-dev at openjdk.java.net
>>Subject: RE: jdk8u ssl connection issue
>>
>>One step further, I added all SignatureSchemes Supported in the server
>>by running nmap, here is the error I got
>>
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.933 EDT|SSLConfiguration.java:450|System property jdk.tls.client.SignatureSchemes is set to 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256'
>>javax.net.ssl|WARNING|01|main|2021-09-21 09:21:53.965 EDT|SignatureScheme.java:297|Signature algorithm, ed25519, is not supported by the underlying providers
>>javax.net.ssl|WARNING|01|main|2021-09-21 09:21:53.965 EDT|SignatureScheme.java:297|Signature algorithm, ed448, is not supported by the underlying providers
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_RSA_WITH_AES_128_GCM_SHA256
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_RSA_WITH_AES_128_CBC_SHA
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_RSA_WITH_AES_128_CBC_SHA256
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_RSA_WITH_AES_256_CBC_SHA
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_RSA_WITH_AES_256_CBC_SHA256
>>From: Bernd Eckenfels
>>Sent: Tuesday, September 21, 2021 7:07 AM
>>To: Wan, Thomas; jdk8u-dev at openjdk.java.net
>>Subject: Re: Welcome to the "jdk8u-dev" mailing list (Digest mode)
>>
>>It normally means the peer does not like your cipher or protocol
>>selection or maybe the peer has a wrongly configured certificate. The
>>actual reason why the peer shuts down the connection so unclear should
>>be logged on the remote site.
>>
>>--
>>http://bernd.eckenfels.net
>>________________________________
>>From: jdk8u-dev <jdk8u-dev-retn at openjdk.java.net> on behalf of Wan, Thomas
>>Sent: Tuesday, September 21, 2021 1:02:05 PM
>>To: jdk8u-dev at openjdk.java.net
>>Subject: FW: Welcome to the "jdk8u-dev" mailing list (Digest mode)
>>
>>It seems jdk8u202 was working well with ldap ssl.
>>
>>Since then all other jdk 8 releases have the same error as below, any
>>idea what is wrong?
>>I compared the source code, it seems sun.security package has been
>>changed a lot since jdk8u202
>>
>>javax.net.ssl|FINE|01|main|2021-09-21 07:00:24.874 EDT|SSLSocketImpl.java:1629|close the SSL connection (initiative)
>>javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
>>    at sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1570)
>>    at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1400)
>>    at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1300)
>>    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:435)
>>    at sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:813)
>>    at sun.security.ssl.SSLSocketImpl.access$200(SSLSocketImpl.java:73)
>>    at sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1175)
>>    at sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1147)
>>    at com.mtb.cwp.SSLPoke.main(SSLPoke.java:53)
>>Caused by: java.io.EOFException: SSL peer shut down incorrectly
>>    at sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:167)
>>    at sun.security.ssl.SSLTransport.decode(SSLTransport.java:109)
>>    at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1392)
>>    ... 7 more
>>
>>-----Original Message-----
From ecki at zusammenkunft.net Wed Sep 22 03:50:17 2021
From: ecki at zusammenkunft.net (Bernd Eckenfels)
Date: Wed, 22 Sep 2021 03:50:17 +0000
Subject: jdk8u ssl connection issue

Find out which extension is the problem, some can be disabled. (I think for example OCSP requests might be new).

Alternatively you might try out the commercial Azul Java, until January it provides an OpenJSSE compatibility provider if I remember correctly.

--
http://bernd.eckenfels.net
________________________________
From: Wan, Thomas
Sent: Tuesday, September 21, 2021 11:24:58 PM
To: Bernd Eckenfels; jdk8u-dev at openjdk.java.net
Subject: Re: jdk8u ssl connection issue

If I do have to go with versions with backport which has tls1.3, anything I can do about it?

________________________________
From: Bernd Eckenfels
Sent: Tuesday, September 21, 2021 4:34:33 PM
To: Wan, Thomas; jdk8u-dev at openjdk.java.net
Subject: Re: jdk8u ssl connection issue

I had no time to compare your handshakes, you really should do that.

However as an additional point - I noticed you actually test with 8-versions which have the new tlsv1.3 backport code (with new extensions). I suspect one of them is the reason, did you try 8u252, which is the last version with the old code (you will see a difference in debug logging format). If that still works we know it's not caused by 212 but by the backport.

BTW it's much easier if you contact your commercial java support provider, that's why we pay them. We are kind of abusing the development list with this.

--
http://bernd.eckenfels.net
________________________________
From: Wan, Thomas
Sent: Tuesday, September 21, 2021 9:56:20 PM
To: Prasadrao Koppula; Bernd Eckenfels; jdk8u-dev at openjdk.java.net
Subject: RE: jdk8u ssl connection issue

Hi Prasad/Bernd,

Any other suggestion?

My test code is very simple, same ssl key certificate, connect to the same host and port where there is no logging.

Jdk 8u202 works fine, openjdk-1.8.0.292 and openjdk-1.8.0.302 do not.

With jdk8u202, I can tell Algorithm: [SHA256withRSA] is used.

import java.io.FileInputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class SSLPoke {
    public static void main(String[] args) throws Exception {
        // keyFilename and passwd are not defined in the posted fragment;
        // reading them from args[2] and args[3] is an assumption.
        String keyFilename = args[2];
        String passwd = args[3];
        System.setProperty("javax.net.ssl.keyStore", keyFilename);
        System.setProperty("javax.net.ssl.keyStorePassword", passwd);

        // set up key manager from the JKS key store
        char[] passphrase = passwd.toCharArray();
        SSLContext ctx = SSLContext.getInstance("TLS");
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream fis = new FileInputStream(System.getProperty("javax.net.ssl.keyStore"))) {
            ks.load(fis, passphrase);
        }
        kmf.init(ks, passphrase);
        // null trust managers and SecureRandom select the platform defaults
        ctx.init(kmf.getKeyManagers(), null, null);
        SSLSocketFactory ssf = ctx.getSocketFactory();

        try (SSLSocket sslsocket = (SSLSocket) ssf.createSocket(args[0], Integer.parseInt(args[1]))) {
            InputStream in = sslsocket.getInputStream();
            OutputStream out = sslsocket.getOutputStream();
            // Write a test byte to get a reaction :) (the first write starts the handshake)
            out.write(1);
            while (in.available() > 0) {
                System.out.print(in.read());
            }
        }
    }
}

Tom

-----Original Message-----
From: Prasadrao Koppula
Sent: Tuesday, September 21, 2021 10:09 AM
To: Prasadrao Koppula; Wan, Thomas; Bernd Eckenfels; jdk8u-dev at openjdk.java.net
Subject: RE: jdk8u ssl connection issue

To set the client side ciphersuites use: jdk.tls.client.ciphersuites
Server side: jdk.tls.server.ciphersuites

From the TLSv1.2 client debug logs, looks like server not happy with the extensions present in the Client's ClientHello. Which provider and version server has? To understand issue further, if you are able to capture the server side logs, please share.

Thanks,
Prasad.K

>-----Original Message-----
>From: jdk8u-dev [mailto:jdk8u-dev-retn at openjdk.java.net] On Behalf Of Prasadrao Koppula
>Sent: Tuesday, September 21, 2021 7:29 PM
>To: Wan, Thomas; Bernd Eckenfels; jdk8u-dev at openjdk.java.net
>Subject: RE: jdk8u ssl connection issue
>
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.933 EDT|SSLConfiguration.java:450|System property jdk.tls.client.SignatureSchemes is set to 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256'
>
>These are Ciphersuites not signature schemes.
>
>Thanks,
>Prasad.K
>
>>-----Original Message-----
>>From: jdk8u-dev [mailto:jdk8u-dev-retn at openjdk.java.net] On Behalf Of Wan, Thomas
>>Sent: Tuesday, September 21, 2021 6:53 PM
>>To: Bernd Eckenfels; jdk8u-dev at openjdk.java.net
>>Subject: RE: jdk8u ssl connection issue
>>
>>One step further, I added all SignatureSchemes Supported in the server
>>by running nmap, here is the error I got
>>
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.933 EDT|SSLConfiguration.java:450|System property jdk.tls.client.SignatureSchemes is set to 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256'
>>javax.net.ssl|WARNING|01|main|2021-09-21 09:21:53.965 EDT|SignatureScheme.java:297|Signature algorithm, ed25519, is not supported by the underlying providers
>>javax.net.ssl|WARNING|01|main|2021-09-21 09:21:53.965 EDT|SignatureScheme.java:297|Signature algorithm, ed448, is not supported by the underlying providers
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_RSA_WITH_AES_128_GCM_SHA256
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_RSA_WITH_AES_128_CBC_SHA
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_RSA_WITH_AES_128_CBC_SHA256
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_RSA_WITH_AES_256_CBC_SHA
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_RSA_WITH_AES_256_CBC_SHA256
>>
>>From: Bernd Eckenfels
>>Sent: Tuesday, September 21, 2021 7:52 AM
>>To: Wan, Thomas; jdk8u-dev at openjdk.java.net
>>Subject: Re: jdk8u ssl connection issue
>>
>>Hello,
>>
>>I don't see any other changes in 212 besides a PKCS11 change for
>>Tls1.2 which should not be the case, also it looks like this version
>>re-enabled the Renegotiation signaling cipher, that should not be a
>>problem but you never know.
>>
>>Can you compare the client Hello of a working 1.2 and a failed 1.2
>>handshake to see which ciphers and extensions differ?
>>
>>Regards
>>Bernd
>>--
>>http://bernd.eckenfels.net
>>________________________________
>>From: Wan, Thomas
>>Sent: Tuesday, September 21, 2021 1:40 PM
>>To: Bernd Eckenfels; jdk8u-dev at openjdk.java.net
>>Subject: jdk8u ssl connection issue
>>
>>Hi Bernd,
>>
>>It does work with TLS1.1.
>>
>>But in jdk8u202, it works with 1.2 as well.
>>
>>All newer jdk8s or jdk 11, it seems I can make it work with TLS 1.1,
>>but that is not as secure as TLS1.2 any more.
>>
>>From: Bernd Eckenfels
>>Sent: Tuesday, September 21, 2021 7:32 AM
>>To: Wan, Thomas; jdk8u-dev at openjdk.java.net
>>Subject: Re: Welcome to the "jdk8u-dev" mailing list (Digest mode)
>>
>>Hello,
>>
>>You cannot see the reason on your side. You need to check the other side.
>>
>>However seeing that your client only propose TLSv1.2 that's a likely
>>candidate, maybe you need to re-enable TLS 1.1. That happened with
>>8u291 in Oracle according to this:
>>https://java.com/en/jre-jdk-cryptoroadmap.html
>>
>>https://java.com/en/configure_crypto.html#DisableTLS
>>
>>Regards
>>Bernd
>>
>>--
>>http://bernd.eckenfels.net
>>________________________________
>>From: Wan, Thomas
>>Sent: Tuesday, September 21, 2021 1:14:35 PM
>>To: Bernd Eckenfels; jdk8u-dev at openjdk.java.net
>>Subject: RE: Welcome to the "jdk8u-dev" mailing list (Digest mode)
>>
>>Here is my debug log
>>
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|ClientHello.java:633|Produced ClientHello handshake message (
>>"ClientHello": {
>>  "client version" : "TLSv1.2",
>>  "random" : "B5 DF 63 90 04 66 83 D7 28 D2 8E 01 2B BB 91 26 EA EF DB B0 AC CF AE D8 3E 4E DF 1C 82 DB 01 D0",
>>  "session id" : "",
>>  "cipher suites" : "[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C),
>>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B),
>>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030),
>>TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D),
>>TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E),
>>TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032),
>>TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F),
>>TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3),
>>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F),
>>TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C),
>>TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D),
>>TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031),
>>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E),
>>TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2),
>>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024),
>>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028),
>>TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D),
>>TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026),
>>TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A),
>>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B),
>>TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A),
>>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A),
>>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014),
>>TLS_RSA_WITH_AES_256_CBC_SHA(0x0035),
>>TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005),
>>TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F),
>>TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), >>TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), >>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), >>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), >>TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), >>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025), >>TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029), >>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), >>TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), >>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), >>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), >>TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), >>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004), >>TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), >>TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), >>TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), >>TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]", >> >> "compression methods" : "00", >> >> "extensions" : [ >> >> "server_name (0)": { >> >> type=host_name (0), value=unbale.mandtbank.com >> >> }, >> >> "status_request (5)": { >> >> "certificate status type": ocsp >> >> "OCSP status request": { >> >> "responder_id": >> >> "request extensions": { >> >> >> >> } >> >> } >> >> }, >> >> "supported_groups (10)": { >> >> "versions": [secp256r1, secp384r1, secp521r1, sect283k1, >>sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1, >>ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192] >> >> }, >> >> "ec_point_formats (11)": { >> >> "formats": [uncompressed] >> >> }, >> >> "signature_algorithms (13)": { >> >> "signature schemes": [ecdsa_secp256r1_sha256, >>ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, >>rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, >>rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, >>rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1, >>rsa_pkcs1_sha1, dsa_sha1] >> >> }, >> >> "signature_algorithms_cert (50)": { >> >> "signature schemes": [ecdsa_secp256r1_sha256, >>ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, >>rsa_pss_rsae_sha384, 
rsa_pss_rsae_sha512, rsa_pss_pss_sha256, >>rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, >>rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1, >>rsa_pkcs1_sha1, dsa_sha1] >> >> }, >> >> "status_request_v2 (17)": { >> >> "cert status request": { >> >> "certificate status type": ocsp_multi >> >> "OCSP status request": { >> >> "responder_id": >> >> "request extensions": { >> >> >> >> } >> >> } >> >> } >> >> }, >> >> "extended_master_secret (23)": { >> >> >> >> }, >> >> "supported_versions (43)": { >> >> "versions": [TLSv1.2] >> >> } >> >> ] >> >>} >> >>) >> >>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 >>EDT|SSLSocketOutputRecord.java:241|WRITE: TLS12 handshake, length = >>EDT|311 >> >>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 >>EDT|SSLSocketOutputRecord.java:255|Raw write ( >> >> 0000: 16 03 03 01 37 01 00 01 33 03 03 B5 DF 63 90 04 ....7...3....c.. >> >> 0010: 66 83 D7 28 D2 8E 01 2B BB 91 26 EA EF DB B0 AC f..(...+..&..... >> >> 0020: CF AE D8 3E 4E DF 1C 82 DB 01 D0 00 00 56 C0 2C ...>N........V., >> >> 0030: C0 2B C0 30 00 9D C0 2E C0 32 00 9F 00 A3 C0 2F .+.0.....2...../ >> >> 0040: 00 9C C0 2D C0 31 00 9E 00 A2 C0 24 C0 28 00 3D ...-.1.....$.(.= >> >> 0050: C0 26 C0 2A 00 6B 00 6A C0 0A C0 14 00 35 C0 05 .&.*.k.j.....5.. >> >> 0060: C0 0F 00 39 00 38 C0 23 C0 27 00 3C C0 25 C0 29 ...9.8.#.'.<.%.) >> >> 0070: 00 67 00 40 C0 09 C0 13 00 2F C0 04 C0 0E 00 33 >>.g. at ...../.....3 >> >> 0080: 00 32 00 FF 01 00 00 B4 00 00 00 19 00 17 00 00 .2.............. >> >> 0090: 14 75 6E 62 61 6C 65 2E 6D 61 6E 64 74 62 61 6E .unbale.mandtban >> >> 00A0: 6B 2E 63 6F 6D 00 05 00 05 01 00 00 00 00 00 0A k.com........... >> >> 00B0: 00 20 00 1E 00 17 00 18 00 19 00 09 00 0A 00 0B . .............. >> >> 00C0: 00 0C 00 0D 00 0E 00 16 01 00 01 01 01 02 01 03 ................ >> >> 00D0: 01 04 00 0B 00 02 01 00 00 0D 00 22 00 20 04 03 ...........". .. >> >> 00E0: 05 03 06 03 08 04 08 05 08 06 08 09 08 0A 08 0B ................ 
>> >> 00F0: 04 01 05 01 06 01 04 02 02 03 02 01 02 02 00 32 ...............2 >> >> 0100: 00 22 00 20 04 03 05 03 06 03 08 04 08 05 08 06 .". ............ >> >> 0110: 08 09 08 0A 08 0B 04 01 05 01 06 01 04 02 02 03 ................ >> >> 0120: 02 01 02 02 00 11 00 09 00 07 02 00 04 00 00 00 ................ >> >> 0130: 00 00 17 00 00 00 2B 00 03 02 03 03 ......+..... >> >>) >> >>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 >>EDT|SSLSocketInputRecord.java:451|Raw read: EOF >> >>javax.net.ssl|ERROR|01|main|2021-09-21 07:12:50.960 >>EDT|TransportContext.java:313|Fatal (HANDSHAKE_FAILURE): Couldn't >>kickstart handshaking ( >> >>"throwable" : { >> >> javax.net.ssl.SSLHandshakeException: Remote host terminated the >> handshake >> >> at >>java.base/sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java: >>1 >>321) >> >> at >>java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:116 >>0 >>) >> >> at >>java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocket >>I >>mpl.j >>ava:1063) >> >> at >>java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl. >>j >>ava:40 >>2) >> >> at >>java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImp >>l >>.java:7 >>16) >> >> at >>java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSock >>e >>tImp >>l.java:970) >> >> at >>java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSock >>e >>tImp >>l.java:942) >> >> at xxxx.main(SSLPoke.java:53) >> >> Caused by: java.io.EOFException: SSL peer shut down incorrectly >> >> at >>java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputR >>e >>cord.j >>ava:167) >> >> at >>java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:108) >> >> at >>java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:115 >>2 >>) >> >> ... 
6 more} >> >> >> >>) >> >>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 >>EDT|SSLSocketOutputRecord.java:71|WRITE: TLS12 >>EDT|alert(handshake_failure), >>length = 2 >> >>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 >>EDT|SSLSocketOutputRecord.java:85|Raw write ( >> >> 0000: 15 03 03 00 02 02 28 ......( >> >>) >> >>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 >>EDT|SSLSocketImpl.java:1361|close the underlying socket >> >>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 >>EDT|SSLSocketImpl.java:1380|close the SSL connection (initiative) >> >>javax.net.ssl.SSLHandshakeException: Remote host terminated the >>handshake >> >> at >>java.base/sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java: >>1 >>321) >> >> at >>java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:116 >>0 >>) >> >> at >>java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocket >>I >>mpl.j >>ava:1063) >> >> at >>java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl. >>j >>ava:40 >>2) >> >> at >>java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImp >>l >>.java:7 >>16) >> >> at >>java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSock >>e >>tImp >>l.java:970) >> >> at >>java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSock >>e >>tImp >>l.java:942) >> >> at xxx.main(SSLPoke.java:53) >> >>Caused by: java.io.EOFException: SSL peer shut down incorrectly >> >> at >>java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputR >>e >>cord.j >>ava:167) >> >> at >>java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:108) >> >> at >>java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:115 >>2 >>) >> >> ... 6 more 
>>From: Bernd Eckenfels
>>Sent: Tuesday, September 21, 2021 7:07 AM
>>To: Wan, Thomas; jdk8u-dev at openjdk.java.net
>>Subject: Re: Welcome to the "jdk8u-dev" mailing list (Digest mode)
>>
>>It normally means the peer does not like your cipher or protocol
>>selection or maybe the peer has a wrongly configured certificate. The
>>actual reason why the peer shuts down the connection so unclear should
>>be logged on the remote site.
>>
>>--
>>http://bernd.eckenfels.net
>>________________________________
>>From: jdk8u-dev <jdk8u-dev-retn at openjdk.java.net> on behalf of Wan, Thomas
>>Sent: Tuesday, September 21, 2021 1:02:05 PM
>>To: jdk8u-dev at openjdk.java.net
>>Subject: FW: Welcome to the "jdk8u-dev" mailing list (Digest mode)
>>
>>It seems jdk8u202 was working well with ldap ssl.
>>
>>Since then all other jdk 8 releases have the same error as below, any
>>idea what is wrong?
>>I compared the source code, it seems sun.security package has been
>>changed a lot since jdk8u202
>>
>>javax.net.ssl|FINE|01|main|2021-09-21 07:00:24.874 EDT|SSLSocketImpl.java:1629|close the SSL connection (initiative)
>>javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
>>    at sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1570)
>>    at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1400)
>>    at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1300)
>>    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:435)
>>    at sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:813)
>>    at sun.security.ssl.SSLSocketImpl.access$200(SSLSocketImpl.java:73)
>>    at sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1175)
>>    at sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1147)
>>    at com.mtb.cwp.SSLPoke.main(SSLPoke.java:53)
>>Caused by: java.io.EOFException: SSL peer shut down incorrectly
>>    at sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:167)
>>    at sun.security.ssl.SSLTransport.decode(SSLTransport.java:109)
>>    at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1392)
>>    ... 7 more
>>
>>-----Original Message-----

From xwan at mtb.com  Wed Sep 22 11:03:08 2021
From: xwan at mtb.com (Wan, Thomas)
Date: Wed, 22 Sep 2021 11:03:08 +0000
Subject: jdk8u ssl connection issue
In-Reply-To:
References:
Message-ID:

I tried 8u252, it works well. Unfortunately we need to run this in OpenShift, and we don't have the older JDK 8 available. Anything I can do to deal with the backport?

From: Bernd Eckenfels
Sent: Tuesday, September 21, 2021 4:35 PM
To: Wan, Thomas; jdk8u-dev at openjdk.java.net
Subject: Re: jdk8u ssl connection issue

I had no time to compare your handshakes, you really should do that. However as an additional point - I noticed you actually test with 8-versions which have the new tlsv1.3 backport code (with new extensions). I suspect one of them is the reason. Did you try 8u252, which is the last version with the old code (you will see a difference in debug logging format)? If that still works we know it's not caused by 212 but by the backport.

BTW it's much easier if you contact your commercial java support provider, that's why we pay them. We are kind of abusing the development list with this.

--
http://bernd.eckenfels.net
________________________________
From: Wan, Thomas
Sent: Tuesday, September 21, 2021 9:56:20 PM
To: Prasadrao Koppula; Bernd Eckenfels; jdk8u-dev at openjdk.java.net
Subject: RE: jdk8u ssl connection issue

Hi Prasad/Bernd,

Any other suggestion?

My test code is very simple, same ssl key certificate, connect to the same host and port where there is no logging.

Jdk 8u202 works fine, openjdk-1.8.0.292 and openjdk-1.8.0.302 do not.

With jdk8u202, I can tell Algorithm: [SHA256withRSA] is used.

    import java.io.FileInputStream;
    import java.io.InputStream;
    import java.io.OutputStream;
    import java.security.KeyStore;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSocket;
    import javax.net.ssl.SSLSocketFactory;

    public class SSLPoke {
        public static void main(String[] args) throws Exception {
            // args[0] = host, args[1] = port. The post does not show where keyFilename
            // and passwd come from; reading them from args[2] and args[3] is assumed.
            String keyFilename = args[2];
            String passwd = args[3];
            System.setProperty("javax.net.ssl.keyStore", keyFilename);
            System.setProperty("javax.net.ssl.keyStorePassword", passwd);

            // set up a key manager so the client can present its certificate
            char[] passphrase = passwd.toCharArray();
            SSLContext ctx = SSLContext.getInstance("TLS");
            KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            KeyStore ks = KeyStore.getInstance("JKS");
            try (FileInputStream fis =
                     new FileInputStream(System.getProperty("javax.net.ssl.keyStore"))) {
                ks.load(fis, passphrase);
            }
            kmf.init(ks, passphrase);
            ctx.init(kmf.getKeyManagers(), null, null);
            SSLSocketFactory ssf = ctx.getSocketFactory();

            SSLSocket sslsocket =
                (SSLSocket) ssf.createSocket(args[0], Integer.parseInt(args[1]));
            InputStream in = sslsocket.getInputStream();
            OutputStream out = sslsocket.getOutputStream();

            // Write a test byte to get a reaction :)
            out.write(1);
            while (in.available() > 0) {
                System.out.print(in.read());
            }
        }
    }

Tom

-----Original Message-----
From: Prasadrao Koppula
Sent: Tuesday, September 21, 2021 10:09 AM
To: Prasadrao Koppula; Wan, Thomas; Bernd Eckenfels; jdk8u-dev at openjdk.java.net
Subject: RE: jdk8u ssl connection issue

To set the client side ciphersuites use: jdk.tls.client.ciphersuites
Server side: jdk.tls.server.ciphersuites

From the TLSv1.2 client debug logs, it looks like the server is not happy with the extensions present in the client's ClientHello. Which provider and version does the server have? To understand the issue further, if you are able to capture the server side logs, please share.

Thanks,
Prasad.K

>-----Original Message-----
>From: jdk8u-dev [mailto:jdk8u-dev-retn at openjdk.java.net] On Behalf Of Prasadrao Koppula
>Sent: Tuesday, September 21, 2021 7:29 PM
>To: Wan, Thomas; Bernd Eckenfels; jdk8u-dev at openjdk.java.net
>Subject: RE: jdk8u ssl connection issue
>
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.933 EDT|SSLConfiguration.java:450|System property jdk.tls.client.SignatureSchemes is set to 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256'
>
>These are Ciphersuites not signature schemes.
>
>Thanks,
>Prasad.K
>
>>-----Original Message-----
>>From: jdk8u-dev [mailto:jdk8u-dev-retn at openjdk.java.net] On Behalf Of Wan, Thomas
>>Sent: Tuesday, September 21, 2021 6:53 PM
>>To: Bernd Eckenfels; jdk8u-dev at openjdk.java.net
>>Subject: RE: jdk8u ssl connection issue
>>
>>One step further, I added all SignatureSchemes supported in the server
>>by running nmap, here is the error I got
>>
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.933 EDT|SSLConfiguration.java:450|System property jdk.tls.client.SignatureSchemes is set to 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256'
>>javax.net.ssl|WARNING|01|main|2021-09-21 09:21:53.965 EDT|SignatureScheme.java:297|Signature algorithm, ed25519, is not supported by the underlying providers
>>javax.net.ssl|WARNING|01|main|2021-09-21 09:21:53.965 EDT|SignatureScheme.java:297|Signature algorithm, ed448, is not supported by the underlying providers
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_RSA_WITH_AES_128_GCM_SHA256
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_RSA_WITH_AES_128_CBC_SHA
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_RSA_WITH_AES_128_CBC_SHA256
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_RSA_WITH_AES_256_CBC_SHA
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_RSA_WITH_AES_256_CBC_SHA256
>>
>>From: Bernd Eckenfels
>>Sent: Tuesday, September 21, 2021 7:52 AM
>>To: Wan, Thomas; jdk8u-dev at openjdk.java.net
>>Subject: Re: jdk8u ssl connection issue
>>
>>Hello,
>>
>>I don't see any other changes in 212 besides a PKCS11 change for
>>Tls1.2 which should not be the case, also it looks like this version
>>re-enabled the Renegotiation signaling cipher, that should not be a
>>problem but you never know.
>>
>>Can you compare the client Hello of a working 1.2 and a failed 1.2
>>handshake to see which ciphers and extensions differ?
>>
>>Regards
>>Bernd
>>--
>>http://bernd.eckenfels.net
>>________________________________
>>From: Wan, Thomas
>>Sent: Tuesday, September 21, 2021 1:40 PM
>>To: Bernd Eckenfels; jdk8u-dev at openjdk.java.net
>>Subject: jdk8u ssl connection issue
>>
>>Hi Bernd,
>>
>>It does work with TLS1.1.
>>
>>But in jdk8u202, it works with 1.2 as well.
>>
>>All newer jdk8s or jdk 11, it seems I can make it work with TLS 1.1,
>>but that is not as secure as TLS1.2 any more.
>>
>>From: Bernd Eckenfels
>>Sent: Tuesday, September 21, 2021 7:32 AM
>>To: Wan, Thomas; jdk8u-dev at openjdk.java.net
>>Subject: Re: Welcome to the "jdk8u-dev" mailing list (Digest mode)
>>
>>Hello,
>>
>>You cannot see the reason on your side. You need to check the other side.
>>
>>However seeing that your client only proposes TLSv1.2 that's a likely
>>candidate, maybe you need to re-enable TLS 1.1. That happened with
>>8u291 in Oracle according to this:
>>https://java.com/en/jre-jdk-cryptoroadmap.html
>>
>>https://java.com/en/configure_crypto.html#DisableTLS
>>
>>Regards
>>Bernd
>>
>>--
>>http://bernd.eckenfels.net
>>________________________________
>>From: Wan, Thomas
>>Sent: Tuesday, September 21, 2021 1:14:35 PM
>>To: Bernd Eckenfels; jdk8u-dev at openjdk.java.net
>>Subject: RE: Welcome to the "jdk8u-dev" mailing list (Digest mode)
>>
>>Here is my debug log
>>
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|ClientHello.java:633|Produced ClientHello handshake message (
>>"ClientHello": {
>>  "client version" : "TLSv1.2",
>>  "random" : "B5 DF 63 90 04 66 83 D7 28 D2 8E 01 2B BB 91 26 EA EF DB B0 AC CF AE D8 3E 4E DF 1C 82 DB 01 D0",
>>  "session id" : "",
>>  "cipher suites" : "[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C),
>>    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B),
>>    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030),
>>    TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D),
>>    TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E),
>>    TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032),
>>    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F),
>>    TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3),
>>    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F),
>>    TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C),
>>    TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D),
>>    TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031),
>>    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E),
>>    TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2),
>>    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024),
>>    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028),
>>    TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D),
>>    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026),
>>    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A),
>>    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B),
>>    TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A),
>>    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A),
>>    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014),
>>    TLS_RSA_WITH_AES_256_CBC_SHA(0x0035),
>>    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005),
>>    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F),
>>    TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039),
>>    TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038),
>>    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023),
>>    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027),
>>    TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C),
>>    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025),
>>    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029),
>>    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067),
>>    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040),
>>    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009),
>>    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013),
>>    TLS_RSA_WITH_AES_128_CBC_SHA(0x002F),
>>    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004),
>>    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E),
>>    TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033),
>>    TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032),
>>    TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
>>  "compression methods" : "00",
>>  "extensions" : [
>>    "server_name (0)": {
>>      type=host_name (0), value=unbale.mandtbank.com
>>    },
>>    "status_request (5)": {
>>      "certificate status type": ocsp
>>      "OCSP status request": {
>>        "responder_id":
>>        "request extensions": {
>>        }
>>      }
>>    },
>>    "supported_groups (10)": {
>>      "versions": [secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
>>    },
>>    "ec_point_formats (11)": {
>>      "formats": [uncompressed]
>>    },
>>    "signature_algorithms (13)": {
>>      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
>>    },
>>    "signature_algorithms_cert (50)": {
>>      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
>>    },
>>    "status_request_v2 (17)": {
>>      "cert status request": {
>>        "certificate status type": ocsp_multi
>>        "OCSP status request": {
>>          "responder_id":
>>          "request extensions": {
>>          }
>>        }
>>      }
>>    },
>>    "extended_master_secret (23)": {
>>    },
>>    "supported_versions (43)": {
>>      "versions": [TLSv1.2]
>>    }
>>  ]
>>}
>>)
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketOutputRecord.java:241|WRITE: TLS12 handshake, length = 311
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketOutputRecord.java:255|Raw write (
>>  0000: 16 03 03 01 37 01 00 01 33 03 03 B5 DF 63 90 04  ....7...3....c..
>>  0010: 66 83 D7 28 D2 8E 01 2B BB 91 26 EA EF DB B0 AC  f..(...+..&.....
>>  0020: CF AE D8 3E 4E DF 1C 82 DB 01 D0 00 00 56 C0 2C  ...>N........V.,
>>  0030: C0 2B C0 30 00 9D C0 2E C0 32 00 9F 00 A3 C0 2F  .+.0.....2...../
>>  0040: 00 9C C0 2D C0 31 00 9E 00 A2 C0 24 C0 28 00 3D  ...-.1.....$.(.=
>>  0050: C0 26 C0 2A 00 6B 00 6A C0 0A C0 14 00 35 C0 05  .&.*.k.j.....5..
>>  0060: C0 0F 00 39 00 38 C0 23 C0 27 00 3C C0 25 C0 29  ...9.8.#.'.<.%.)
>>  0070: 00 67 00 40 C0 09 C0 13 00 2F C0 04 C0 0E 00 33  .g.@...../.....3
>>  0080: 00 32 00 FF 01 00 00 B4 00 00 00 19 00 17 00 00  .2..............
>>  0090: 14 75 6E 62 61 6C 65 2E 6D 61 6E 64 74 62 61 6E  .unbale.mandtban
>>  00A0: 6B 2E 63 6F 6D 00 05 00 05 01 00 00 00 00 00 0A  k.com...........
>>  00B0: 00 20 00 1E 00 17 00 18 00 19 00 09 00 0A 00 0B  . ..............
>>  00C0: 00 0C 00 0D 00 0E 00 16 01 00 01 01 01 02 01 03  ................
>>  00D0: 01 04 00 0B 00 02 01 00 00 0D 00 22 00 20 04 03  ...........". ..
>>  00E0: 05 03 06 03 08 04 08 05 08 06 08 09 08 0A 08 0B  ................
>>  00F0: 04 01 05 01 06 01 04 02 02 03 02 01 02 02 00 32  ...............2
>>  0100: 00 22 00 20 04 03 05 03 06 03 08 04 08 05 08 06  .". ............
>>  0110: 08 09 08 0A 08 0B 04 01 05 01 06 01 04 02 02 03  ................
>>  0120: 02 01 02 02 00 11 00 09 00 07 02 00 04 00 00 00  ................
>>  0130: 00 00 17 00 00 00 2B 00 03 02 03 03              ......+.....
>>)
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketInputRecord.java:451|Raw read: EOF
>>javax.net.ssl|ERROR|01|main|2021-09-21 07:12:50.960 EDT|TransportContext.java:313|Fatal (HANDSHAKE_FAILURE): Couldn't kickstart handshaking (
>>"throwable" : {
>>  javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
>>    at java.base/sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1321)
>>    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1160)
>>    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
>>    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
>>    at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:716)
>>    at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:970)
>>    at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:942)
>>    at xxxx.main(SSLPoke.java:53)
>>  Caused by: java.io.EOFException: SSL peer shut down incorrectly
>>    at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:167)
>>    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:108)
>>    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
>>    ... 6 more}
>>)
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketOutputRecord.java:71|WRITE: TLS12 alert(handshake_failure), length = 2
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketOutputRecord.java:85|Raw write (
>>  0000: 15 03 03 00 02 02 28                               ......(
>>)
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketImpl.java:1361|close the underlying socket
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketImpl.java:1380|close the SSL connection (initiative)
>>javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
>>    at java.base/sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1321)
>>    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1160)
>>    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
>>    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
>>    at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:716)
>>    at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:970)
>>    at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:942)
>>    at xxx.main(SSLPoke.java:53)
>>Caused by: java.io.EOFException: SSL peer shut down incorrectly
>>    at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:167)
>>    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:108)
>>    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
>>    ... 6 more

From mbalao at redhat.com  Tue Sep 28 15:27:42 2021
From: mbalao at redhat.com (Martin Balao)
Date: Tue, 28 Sep 2021 11:27:42 -0400
Subject: CFV: New OpenJDK 8 Updates Committer: Jonathan Dowland
In-Reply-To:
References:
Message-ID:

On Mon, Sep 13, 2021 at 10:17 PM Andrew Hughes wrote:
>
> I hereby nominate Jonathan Dowland [0] for the role of an OpenJDK 8
> Updates Committer.

Vote: yes

From stooke at redhat.com  Tue Sep 28 19:54:20 2021
From: stooke at redhat.com (Simon Tooke)
Date: Tue, 28 Sep 2021 15:54:20 -0400
Subject: CFV: New OpenJDK 8 Updates Committer: Jonathan Dowland
In-Reply-To:
References:
Message-ID: <278371fa-033e-ff64-fb63-22634b6e250a@redhat.com>

Vote: yes

On 2021-09-13 10:16 p.m., Andrew Hughes wrote:
> I hereby nominate Jonathan Dowland [0] for the role of an OpenJDK 8
> Updates Committer.
>

--
Simon Tooke
Principal Software Engineer - Java Platform
Red Hat Canada, Inc.
stooke at redhat.com

From alexey at azul.com  Thu Sep 30 14:16:41 2021
From: alexey at azul.com (Alexey Bakhtin)
Date: Thu, 30 Sep 2021 14:16:41 +0000
Subject: [8u] RFR: 8274595: DisableRMIOverHTTPTest failed: connection refused
Message-ID: <9FDAA82F-57CE-4C19-9B2F-2F68F7EDA480@azul.com>

Hi,

Please review the trivial change to sun/rmi/transport/tcp/DisableRMIOverHttp/DisableRMIOverHTTPTest.java:

Bug: https://bugs.openjdk.java.net/browse/JDK-8274595
Webrev: http://cr.openjdk.java.net/~abakhtin/8274595/webrev.v0/

The test fails because of URLConnection behaviour changes caused by JDK-8161016 [1].
Initially, the test was created on the basis of BlockAcceptTest.java. Unlike BlockAcceptTest, DisableRMIOverHTTPTest does not use HTTP proxy functionality but sets a proxy via the "http.proxyHost" system property.
HttpURLConnection in JDK8u302 falls back to a direct connection if the connection via the proxy fails. As a result, this test passed using a direct connection.
JDK-8161016 changes the behavior of HttpURLConnection: no fallback to the direct connection. As a result, DisableRMIOverHTTPTest fails because it cannot connect via the dummy proxy.

Regards
Alexey

[1] - https://bugs.openjdk.java.net/browse/JDK-8161016