Thanks Xuelei. Do you mean to create an RFE at OpenJDK (https://bugs.openjdk.java.net/)?
On Tue, Jan 22, 2019 at 5:02 AM Xuelei Fan <xuelei....@oracle.com> wrote:

> Hi Amir,
>
> I can see the problem for incompatible impl. Would you mind submitting an OpenJDK enhancement for a workaround?
>
> Thanks & Regards,
>
> Xuelei
> On 1/20/2019 4:10 PM, Amir Khassaia wrote:
>
> Xuelei,
>
> I have a sample socket client for the device TLS issue but it's not very helpful, as any socket client created on top of the JDK will do; the last problem was apparent only when talking to a specific hardware device which refused to negotiate a TLS session (I've seen several odd TLS implementations that were intolerant to Java changes in various ways over the years, and compatibility could always be assured through config changes, this time around less so).
>
> Some of the hardware TLS stacks can range from small oddities to being completely broken by small changes, as they can contain outdated and poorly implemented TLS stacks that are very sensitive, so even a small change can break them, and that's why it's always important to have levers provided to control almost every aspect of the handshake.
>
> I have a sample in my gist (https://gist.github.com/amir-khassaia/04347ca88526f4b958b3326968a905c0), apologies, it's in Kotlin. When run with Java 8, 9, 10 there were no issues. With Java 11 this worked on most devices, but I've had a device at a remote location that was not in my control that I've had to diagnose the handshake failure on; using Java 11 it was intolerant to the TLS 1.2 client hello from Java 11 but fine with TLS 1.1, as the new extensions are not present. It would be fine with the TLS 1.2 client hello from Java 10 and earlier as I mentioned.
>
> Javax.net.debug output
> -------------------------------
> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.395 AEDT|SSLCipher.java:437|jdk.tls.keyLimits: entry = AES/GCM/NoPadding KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472
> javax.net.ssl|WARNING|01|main|2019-01-08 13:40:14.433 AEDT|ServerNameExtension.java:255|Unable to indicate server name
> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.433 AEDT|SSLExtensions.java:235|Ignore, context unavailable extension: server_name
> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.433 AEDT|SSLExtensions.java:235|Ignore, context unavailable extension: status_request
> javax.net.ssl|WARNING|01|main|2019-01-08 13:40:14.443 AEDT|SignatureScheme.java:282|Signature algorithm, ed25519, is not supported by the underlying providers
> javax.net.ssl|WARNING|01|main|2019-01-08 13:40:14.444 AEDT|SignatureScheme.java:282|Signature algorithm, ed448, is not supported by the underlying providers
> javax.net.ssl|INFO|01|main|2019-01-08 13:40:14.449 AEDT|AlpnExtension.java:161|No available application protocols
> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.449 AEDT|SSLExtensions.java:235|Ignore, context unavailable extension: application_layer_protocol_negotiation
> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.450 AEDT|SSLExtensions.java:235|Ignore, context unavailable extension: status_request_v2
> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.453 AEDT|ClientHello.java:651|Produced ClientHello handshake message (
> "ClientHello": {
>   "client version"      : "TLSv1.2",
>   "random"              : "1A BA E8 FC 59 00 AB DF 9A 1A 07 94 24 7F 34 3D 0B D2 7D 10 72 52 54 CD 44 43 62 E8 8B 42 C6 68",
>   "session id"          : "",
>   "cipher suites"       : "[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F)]",
>   "compression methods" : "00",
>   "extensions"          : [
>     "supported_groups (10)": {
>       "versions": [secp256r1, secp384r1, secp521r1, secp160k1]
>     },
>     "ec_point_formats (11)": {
>       "formats": [uncompressed]
>     },
>     "signature_algorithms (13)": {
>       "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1, rsa_md5]
>     },
>     "signature_algorithms_cert (50)": {
>       "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1, rsa_md5]
>     },
>     "extended_master_secret (23)": {
>       <empty>
>     },
>     "supported_versions (43)": {
>       "versions": [TLSv1.2, TLSv1.1]
>     },
>     "renegotiation_info (65,281)": {
>       "renegotiated connection": [<no renegotiated connection>]
>     }
>   ]
> }
> )
> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.455 AEDT|Alert.java:232|Received alert message (
> "Alert": {
>   "level"      : "fatal",
>   "description": "handshake_failure"
> }
> )
> javax.net.ssl|ERROR|01|main|2019-01-08 13:40:14.456 AEDT|TransportContext.java:313|Fatal (HANDSHAKE_FAILURE): Received fatal alert: handshake_failure (
> "throwable" : {
>   javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
>     at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
>     at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
>     at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
>     at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:279)
>     at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:181)
>     at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
>     at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
>     at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
>     at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
>     at SslSocketClient.main(SslSocketClient.kt:47)}
>
> )
> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.457 AEDT|SSLSocketImpl.java:1361|close the underlying socket
> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.457 AEDT|SSLSocketImpl.java:1380|close the SSL connection (initiative)
> Exception in thread "main" javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
>     at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
>     at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
>     at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
>     at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:279)
>     at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:181)
>     at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
>     at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
>     at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
>     at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
>     at SslSocketClient.main(SslSocketClient.kt:47)
>
>
> Wireshark TLS 1.2 Java 8 client hello
> -------------------------------------------------
> Secure Sockets Layer
>     TLSv1.2 Record Layer: Handshake Protocol: Client Hello
>         Content Type: Handshake (22)
>         Version: TLS 1.2 (0x0303)
>         Length: 157
>         Handshake Protocol: Client Hello
>             Handshake Type: Client Hello (1)
>             Length: 153
>             Version: TLS 1.2 (0x0303)
>             Random: 5c34044c709feae39585e4db8e41b0170fbf9fa428b38941...
>                 GMT Unix Time: Jan 8, 2019 13:00:44.000000000 AUS Eastern Daylight Time
>                 Random Bytes: 709feae39585e4db8e41b0170fbf9fa428b38941983ddb53...
>             Session ID Length: 0
>             Cipher Suites Length: 44
>             Cipher Suites (22 suites)
>                 Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
>                 Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
>                 Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
>                 Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025)
>                 Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029)
>                 Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
>                 Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
>                 Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
>                 Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
>                 Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
>                 Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)
>                 Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)
>                 Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
>                 Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
>                 Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
>                 Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
>                 Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
>                 Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02d)
>                 Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031)
>                 Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
>                 Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2)
>                 Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
>             Compression Methods Length: 1
>             Compression Methods (1 method)
>                 Compression Method: null (0)
>             Extensions Length: 68
>             Extension: supported_groups (len=22)
>                 Type: supported_groups (10)
>                 Length: 22
>                 Supported Groups List Length: 20
>                 Supported Groups (10 groups)
>                     Supported Group: secp256r1 (0x0017)
>                     Supported Group: secp384r1 (0x0018)
>                     Supported Group: secp521r1 (0x0019)
>                     Supported Group: sect283k1 (0x0009)
>                     Supported Group: sect283r1 (0x000a)
>                     Supported Group: sect409k1 (0x000b)
>                     Supported Group: sect409r1 (0x000c)
>                     Supported Group: sect571k1 (0x000d)
>                     Supported Group: sect571r1 (0x000e)
>                     Supported Group: secp256k1 (0x0016)
>             Extension: ec_point_formats (len=2)
>                 Type: ec_point_formats (11)
>                 Length: 2
>                 EC point formats Length: 1
>                 Elliptic curves point formats (1)
>                     EC point format: uncompressed (0)
>             Extension: signature_algorithms (len=28)
>                 Type: signature_algorithms (13)
>                 Length: 28
>                 Signature Hash Algorithms Length: 26
>                 Signature Hash Algorithms (13 algorithms)
>                     Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
>                         Signature Hash Algorithm Hash: SHA512 (6)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
>                         Signature Hash Algorithm Hash: SHA512 (6)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
>                         Signature Hash Algorithm Hash: SHA384 (5)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
>                         Signature Hash Algorithm Hash: SHA384 (5)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
>                         Signature Hash Algorithm Hash: SHA256 (4)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
>                         Signature Hash Algorithm Hash: SHA256 (4)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Algorithm: SHA256 DSA (0x0402)
>                         Signature Hash Algorithm Hash: SHA256 (4)
>                         Signature Hash Algorithm Signature: DSA (2)
>                     Signature Algorithm: SHA224 ECDSA (0x0303)
>                         Signature Hash Algorithm Hash: SHA224 (3)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Algorithm: SHA224 RSA (0x0301)
>                         Signature Hash Algorithm Hash: SHA224 (3)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Algorithm: SHA224 DSA (0x0302)
>                         Signature Hash Algorithm Hash: SHA224 (3)
>                         Signature Hash Algorithm Signature: DSA (2)
>                     Signature Algorithm: ecdsa_sha1 (0x0203)
>                         Signature Hash Algorithm Hash: SHA1 (2)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
>                         Signature Hash Algorithm Hash: SHA1 (2)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Algorithm: SHA1 DSA (0x0202)
>                         Signature Hash Algorithm Hash: SHA1 (2)
>                         Signature Hash Algorithm Signature: DSA (2)
>             Extension: extended_master_secret (len=0)
>                 Type: extended_master_secret (23)
>                 Length: 0
>
>
> Wireshark Java 11 TLS 1.2 Client hello
> ----------------------------------------------------
> Secure Sockets Layer
>     TLSv1.2 Record Layer: Handshake Protocol: Client Hello
>         Content Type: Handshake (22)
>         Version: TLS 1.2 (0x0303)
>         Length: 185
>         Handshake Protocol: Client Hello
>             Handshake Type: Client Hello (1)
>             Length: 181
>             Version: TLS 1.2 (0x0303)
>             Random: 37f32691301b6b9d45bb62c6268915819881b8ebd95f152c...
>                 GMT Unix Time: Sep 30, 1999 19:00:01.000000000 AUS Eastern Standard Time
>                 Random Bytes: 301b6b9d45bb62c6268915819881b8ebd95f152c41c7e483...
>             Session ID Length: 0
>             Cipher Suites Length: 10
>             Cipher Suites (5 suites)
>                 Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
>                 Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
>                 Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
>                 Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029)
>                 Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
>             Compression Methods Length: 1
>             Compression Methods (1 method)
>                 Compression Method: null (0)
>             Extensions Length: 130
>             Extension: supported_groups (len=10)
>                 Type: supported_groups (10)
>                 Length: 10
>                 Supported Groups List Length: 8
>                 Supported Groups (4 groups)
>                     Supported Group: secp256r1 (0x0017)
>                     Supported Group: secp384r1 (0x0018)
>                     Supported Group: secp521r1 (0x0019)
>                     Supported Group: secp160k1 (0x000f)
>             Extension: ec_point_formats (len=2)
>                 Type: ec_point_formats (11)
>                 Length: 2
>                 EC point formats Length: 1
>                 Elliptic curves point formats (1)
>                     EC point format: uncompressed (0)
>             Extension: signature_algorithms (len=42)
>                 Type: signature_algorithms (13)
>                 Length: 42
>                 Signature Hash Algorithms Length: 40
>                 Signature Hash Algorithms (20 algorithms)
>                     Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
>                         Signature Hash Algorithm Hash: SHA256 (4)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
>                         Signature Hash Algorithm Hash: SHA384 (5)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
>                         Signature Hash Algorithm Hash: SHA512 (6)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
>                         Signature Hash Algorithm Hash: Unknown (8)
>                         Signature Hash Algorithm Signature: Unknown (4)
>                     Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)
>                         Signature Hash Algorithm Hash: Unknown (8)
>                         Signature Hash Algorithm Signature: Unknown (5)
>                     Signature Algorithm: rsa_pss_rsae_sha512 (0x0806)
>                         Signature Hash Algorithm Hash: Unknown (8)
>                         Signature Hash Algorithm Signature: Unknown (6)
>                     Signature Algorithm: rsa_pss_pss_sha256 (0x0809)
>                         Signature Hash Algorithm Hash: Unknown (8)
>                         Signature Hash Algorithm Signature: Unknown (9)
>                     Signature Algorithm: rsa_pss_pss_sha384 (0x080a)
>                         Signature Hash Algorithm Hash: Unknown (8)
>                         Signature Hash Algorithm Signature: Unknown (10)
>                     Signature Algorithm: rsa_pss_pss_sha512 (0x080b)
>                         Signature Hash Algorithm Hash: Unknown (8)
>                         Signature Hash Algorithm Signature: Unknown (11)
>                     Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
>                         Signature Hash Algorithm Hash: SHA256 (4)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
>                         Signature Hash Algorithm Hash: SHA384 (5)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
>                         Signature Hash Algorithm Hash: SHA512 (6)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Algorithm: SHA256 DSA (0x0402)
>                         Signature Hash Algorithm Hash: SHA256 (4)
>                         Signature Hash Algorithm Signature: DSA (2)
>                     Signature Algorithm: SHA224 ECDSA (0x0303)
>                         Signature Hash Algorithm Hash: SHA224 (3)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Algorithm: SHA224 RSA (0x0301)
>                         Signature Hash Algorithm Hash: SHA224 (3)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Algorithm: SHA224 DSA (0x0302)
>                         Signature Hash Algorithm Hash: SHA224 (3)
>                         Signature Hash Algorithm Signature: DSA (2)
>                     Signature Algorithm: ecdsa_sha1 (0x0203)
>                         Signature Hash Algorithm Hash: SHA1 (2)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
>                         Signature Hash Algorithm Hash: SHA1 (2)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Algorithm: SHA1 DSA (0x0202)
>                         Signature Hash Algorithm Hash: SHA1 (2)
>                         Signature Hash Algorithm Signature: DSA (2)
>                     Signature Algorithm: MD5 RSA (0x0101)
>                         Signature Hash Algorithm Hash: MD5 (1)
>                         Signature Hash Algorithm Signature: RSA (1)
>             Extension: signature_algorithms_cert (len=42)
>                 Type: signature_algorithms_cert (50)
>                 Length: 42
>                 Signature Hash Algorithms Length: 40
>                 Signature Hash Algorithms (20 algorithms)
>                     Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
>                         Signature Hash Algorithm Hash: SHA256 (4)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
>                         Signature Hash Algorithm Hash: SHA384 (5)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
>                         Signature Hash Algorithm Hash: SHA512 (6)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
>                         Signature Hash Algorithm Hash: Unknown (8)
>                         Signature Hash Algorithm Signature: Unknown (4)
>                     Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)
>                         Signature Hash Algorithm Hash: Unknown (8)
>                         Signature Hash Algorithm Signature: Unknown (5)
>                     Signature Algorithm: rsa_pss_rsae_sha512 (0x0806)
>                         Signature Hash Algorithm Hash: Unknown (8)
>                         Signature Hash Algorithm Signature: Unknown (6)
>                     Signature Algorithm: rsa_pss_pss_sha256 (0x0809)
>                         Signature Hash Algorithm Hash: Unknown (8)
>                         Signature Hash Algorithm Signature: Unknown (9)
>                     Signature Algorithm: rsa_pss_pss_sha384 (0x080a)
>                         Signature Hash Algorithm Hash: Unknown (8)
>                         Signature Hash Algorithm Signature: Unknown (10)
>                     Signature Algorithm: rsa_pss_pss_sha512 (0x080b)
>                         Signature Hash Algorithm Hash: Unknown (8)
>                         Signature Hash Algorithm Signature: Unknown (11)
>                     Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
>                         Signature Hash Algorithm Hash: SHA256 (4)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
>                         Signature Hash Algorithm Hash: SHA384 (5)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
>                         Signature Hash Algorithm Hash: SHA512 (6)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Algorithm: SHA256 DSA (0x0402)
>                         Signature Hash Algorithm Hash: SHA256 (4)
>                         Signature Hash Algorithm Signature: DSA (2)
>                     Signature Algorithm: SHA224 ECDSA (0x0303)
>                         Signature Hash Algorithm Hash: SHA224 (3)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Algorithm: SHA224 RSA (0x0301)
>                         Signature Hash Algorithm Hash: SHA224 (3)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Algorithm: SHA224 DSA (0x0302)
>                         Signature Hash Algorithm Hash: SHA224 (3)
>                         Signature Hash Algorithm Signature: DSA (2)
>                     Signature Algorithm: ecdsa_sha1 (0x0203)
>                         Signature Hash Algorithm Hash: SHA1 (2)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
>                         Signature Hash Algorithm Hash: SHA1 (2)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Algorithm: SHA1 DSA (0x0202)
>                         Signature Hash Algorithm Hash: SHA1 (2)
>                         Signature Hash Algorithm Signature: DSA (2)
>                     Signature Algorithm: MD5 RSA (0x0101)
>                         Signature Hash Algorithm Hash: MD5 (1)
>                         Signature Hash Algorithm Signature: RSA (1)
>             Extension: extended_master_secret (len=0)
>                 Type: extended_master_secret (23)
>                 Length: 0
>             Extension: supported_versions (len=5)
>                 Type: supported_versions (43)
>                 Length: 5
>                 Supported Versions length: 4
>                 Supported Version: TLS 1.2 (0x0303)
>                 Supported Version: TLS 1.1 (0x0302)
>             Extension: renegotiation_info (len=1)
>                 Type: renegotiation_info (65281)
>                 Length: 1
>                 Renegotiation Info extension
>                     Renegotiation info extension length: 0
>
>
> On Mon, Jan 21, 2019 at 10:37 AM Xuelei Fan <xuelei....@oracle.com> wrote:
>
>> Hi Amir,
>>
>> Normally, the extension should have no impact if it cannot be recognized by the server. It's good to be able to disable extensions if not needed. I need to evaluate the priority of it though. Did you have a simple test code that I can reproduce the issue?
>>
>> Thanks,
>>
>> Xuelei
>> On 1/20/2019 3:03 PM, Amir Khassaia wrote:
>>
>> Greetings Xuelei,
>> To follow up on this, the certificate in the connection is a red herring and not important. It's actually a very unusual behaviour by the talk.google.com endpoint to encapsulate an error message inside a certificate.
>>
>> As per the output I included:
>>
>> "certificate" : {
>>   "version"            : "v3",
>>   "serial number"      : "00 90 76 89 18 E9 33 93 A0",
>>   "signature algorithm": "SHA256withRSA",
>>   "issuer"             : "CN=invalid2.invalid, OU="No SNI provided; please fix your client."",
>>   "not before"         : "2015-01-01 11:00:00.000 AEDT",
>>   "not after"          : "2030-01-01 11:00:00.000 AEDT",
>>   "subject"            : "CN=invalid2.invalid, OU="No SNI provided; please fix your client."",
>>
>> This certificate simply masks the TLS interoperability issue as an untrusted certificate issue.
>>
>> The fact is, some of the extensions sent by JSSE are changes to TLS 1.2 to support TLS 1.3; this however affects some clients adversely in practice, and usually the JDK provides properties to turn new enhancements off and work around such behaviour. For the extensions I mentioned this is not provided, and hence they are always sent for client sockets unless TLSv1.2 is not in use.
>>
>> The impact to us is that upgrading to JDK11 means that for some endpoints or devices that are not 100% compliant to the spec the security is reduced, as we now have to work around this by dropping connections to these to TLSv1.1 or TLS1.0, or not move to Java 11 at all.
>>
>> My request is simply to have all of the new extensions configurable on an individual basis so that they can be turned off if needed for compatibility, just like most other security enhancements that were delivered in the past.
>>
>> It appears some of the issues can come from
>>
>> - inclusion of the RSASSA-PSS alg in TLS 1.2 handshakes, but these can be disabled at least
>>
>> - signature_algorithms_cert and supported_versions extensions, which seem to be hardcoded for TLS 1.2 (I was not able to conclusively identify which of these caused my troubles)
>>
>> https://tools.ietf.org/html/rfc8446#section-1.3 does say that TLS 1.2 clients are affected, but in an optional manner. Just today I've encountered another Java 11 interop issue with TLS, but this time with a physical device which can have a long shelf life, yet running a simple client socket handshake abruptly terminates the connection upon client hello (no server_hello at all), and downgrading the JRE below 11 works fine. I'm including a trace for that as well:
>>
>> [trace snipped; identical to the javax.net.debug output quoted above]
>>
>> I've sent my reply earlier but neither got it posted nor denied notification, so trying again.
>>
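As an added example (not code from the thread, the gist, or OpenJDK), the script below rebuilds the two ClientHellos from the Wireshark dumps quoted above, parses them, and reports which TLS 1.3-era extensions and RSASSA-PSS signature schemes the JDK 11 hello carries that the JDK 8 hello does not; all function names are my own, and the 32 random bytes are constructed zeros rather than the captured values.

```python
"""Parse TLS 1.2 ClientHello messages and flag the TLS 1.3-era additions."""
import struct

# Extension types and signature schemes present in the JDK 11 hello quoted in
# the thread but absent from the JDK 8 one (IANA code points).
NEW_EXTENSIONS = {43: "supported_versions", 50: "signature_algorithms_cert",
                  65281: "renegotiation_info"}
NEW_SIG_SCHEMES = {0x0804: "rsa_pss_rsae_sha256", 0x0805: "rsa_pss_rsae_sha384",
                   0x0806: "rsa_pss_rsae_sha512", 0x0809: "rsa_pss_pss_sha256",
                   0x080A: "rsa_pss_pss_sha384", 0x080B: "rsa_pss_pss_sha512"}

def _u16_vector(items):
    """TLS vector of 16-bit values with a 2-byte length prefix."""
    body = b"".join(struct.pack("!H", i) for i in items)
    return struct.pack("!H", len(body)) + body

def _extension(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body

def build_client_hello(ciphers, groups, sig_schemes, extra_extensions):
    """Assemble a TLS 1.2 ClientHello handshake message (type 1, 3-byte length).
    Extensions go out in the order seen in the dumps: supported_groups,
    ec_point_formats, signature_algorithms, then the caller's extras."""
    exts = (_extension(10, _u16_vector(groups))
            + _extension(11, b"\x01\x00")            # one format: uncompressed
            + _extension(13, _u16_vector(sig_schemes)))
    for ext_type, body in extra_extensions:
        exts += _extension(ext_type, body)
    body = (b"\x03\x03" + bytes(32)                   # version, random (zeros)
            + b"\x00"                                 # empty session id
            + _u16_vector(ciphers)
            + b"\x01\x00"                             # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    return b"\x01" + len(body).to_bytes(3, "big") + body

def parse_client_hello(msg):
    """Walk a ClientHello and return its fields plus a {type: body} map of
    extensions. Raises ValueError on a truncated or inconsistent message."""
    if not msg or msg[0] != 1:
        raise ValueError("not a ClientHello")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake message")
    version = struct.unpack("!H", body[:2])[0]
    pos = 34                                          # after version + random
    pos += 1 + body[pos]                              # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", body[i:i + 2])[0]
               for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                              # compression methods
    extensions = {}
    if pos < len(body):                               # extensions are optional
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        if pos + ext_total != len(body):
            raise ValueError("extensions length does not match message length")
        while pos < len(body):
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            extensions[ext_type] = body[pos:pos + ext_len]
            pos += ext_len
    return {"version": version, "length": length, "ciphers": ciphers,
            "extensions": extensions}

def signature_schemes(ext_body):
    """Decode the SignatureScheme list carried by extension 13 or 50."""
    n = struct.unpack("!H", ext_body[:2])[0]
    return [struct.unpack("!H", ext_body[i:i + 2])[0] for i in range(2, 2 + n, 2)]

def tls13_era_additions(hello):
    """Names of the new extensions and RSASSA-PSS schemes a parsed hello carries."""
    found = [n for code, n in NEW_EXTENSIONS.items() if code in hello["extensions"]]
    sig_ext = hello["extensions"].get(13, b"")
    if sig_ext:
        found += [NEW_SIG_SCHEMES[s] for s in signature_schemes(sig_ext)
                  if s in NEW_SIG_SCHEMES]
    return found

# Constructed from the two Wireshark dumps in the thread (random bytes zeroed).
JDK8_HELLO = build_client_hello(
    [0xC023, 0xC027, 0x003C, 0xC025, 0xC029, 0x0067, 0x0040, 0xC009, 0xC013,
     0x002F, 0xC004, 0xC00E, 0x0033, 0x0032, 0xC02B, 0xC02F, 0x009C, 0xC02D,
     0xC031, 0x009E, 0x00A2, 0x00FF],
    [0x17, 0x18, 0x19, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x16],
    [0x0603, 0x0601, 0x0503, 0x0501, 0x0403, 0x0401, 0x0402, 0x0303, 0x0301,
     0x0302, 0x0203, 0x0201, 0x0202],
    [(23, b"")])                                      # extended_master_secret
JDK11_SIGS = [0x0403, 0x0503, 0x0603, 0x0804, 0x0805, 0x0806, 0x0809, 0x080A,
              0x080B, 0x0401, 0x0501, 0x0601, 0x0402, 0x0303, 0x0301, 0x0302,
              0x0203, 0x0201, 0x0202, 0x0101]
JDK11_HELLO = build_client_hello(
    [0xC023, 0xC027, 0x003C, 0xC029, 0x002F], [0x17, 0x18, 0x19, 0x0F], JDK11_SIGS,
    [(50, _u16_vector(JDK11_SIGS)),                   # signature_algorithms_cert
     (23, b""),                                       # extended_master_secret
     (43, b"\x04\x03\x03\x03\x02"),                   # supported_versions: 1.2, 1.1
     (65281, b"\x00")])                               # renegotiation_info (empty)

if __name__ == "__main__":
    for label, hello in (("JDK 8", JDK8_HELLO), ("JDK 11", JDK11_HELLO)):
        parsed = parse_client_hello(hello)
        print(label, "handshake length", parsed["length"], "extensions",
              sorted(parsed["extensions"]), "new:", tls13_era_additions(parsed))
```

The handshake lengths the parser reports (153 and 181) match the two Wireshark dumps, which is a quick check that the reconstruction is byte-accurate before pointing the parser at a real capture.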