Thanks Xuelei, I clearly missed the report somehow.

On Thu, Feb 14, 2019 at 2:26 PM Xuelei Fan <xuelei....@oracle.com> wrote:
> This bug will be addressed in JDK 11.0.3 and 12. See also:
> https://bugs.openjdk.java.net/browse/JDK-8210974
>
> Thanks,
> Xuelei
>
> On 2/13/2019 3:58 PM, Amir Khassaia wrote:
> >
> > Hi, I'd like to report a bug that may confuse others as they diagnose
> > TLS handshakes.
> >
> > The extension logging seems to be affected in JDK 11.0.2, these come up
> > as empty in client hello (see below) from Oracle JDK 11.0.2
> > ==========================
> > javax.net.ssl|DEBUG|01|main|2019-02-14 10:51:48.620
> > AEDT|SSLCipher.java:437|jdk.tls.keyLimits: entry = AES/GCM/NoPadding
> > KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472
> > javax.net.ssl|WARNING|01|main|2019-02-14 10:51:50.357
> > AEDT|ServerNameExtension.java:255|Unable to indicate server name
> > javax.net.ssl|DEBUG|01|main|2019-02-14 10:51:50.357
> > AEDT|SSLExtensions.java:256|Ignore, context unavailable extension:
> > server_name
> > javax.net.ssl|DEBUG|01|main|2019-02-14 10:51:50.358
> > AEDT|SSLExtensions.java:256|Ignore, context unavailable extension:
> > status_request
> > javax.net.ssl|DEBUG|01|main|2019-02-14 10:51:50.361
> > AEDT|SupportedGroupsExtension.java:841|Ignore inactive or disabled named
> > group: secp160k1
> > javax.net.ssl|WARNING|01|main|2019-02-14 10:51:50.486
> > AEDT|SignatureScheme.java:282|Signature algorithm, ed25519, is not
> > supported by the underlying providers
> > javax.net.ssl|WARNING|01|main|2019-02-14 10:51:50.486
> > AEDT|SignatureScheme.java:282|Signature algorithm, ed448, is not
> > supported by the underlying providers
> > javax.net.ssl|INFO|01|main|2019-02-14 10:51:50.513
> > AEDT|AlpnExtension.java:161|No available application protocols
> > javax.net.ssl|DEBUG|01|main|2019-02-14 10:51:50.514
> > AEDT|SSLExtensions.java:256|Ignore, context unavailable extension:
> > application_layer_protocol_negotiation
> > javax.net.ssl|DEBUG|01|main|2019-02-14 10:51:50.514
> > AEDT|SSLExtensions.java:256|Ignore, context unavailable extension:
> > status_request_v2
> > javax.net.ssl|DEBUG|01|main|2019-02-14 10:51:50.516
> > AEDT|ClientHello.java:651|Produced ClientHello handshake message (
> > "ClientHello": {
> > "client version" : "TLSv1.2",
> > "random" : "3E 3B 04 98 F4 65 C7 CF 2B B2 30 EA AE CE 7D
> > C5 51 45 C4 A9 CB D6 F2 39 3F 52 46 77 BE 28 EC 06",
> > "session id" : "",
> > "cipher suites" :
> > "[TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B),
> > TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F),
> > TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C),
> > TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D),
> > TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031),
> > TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E),
> > TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2),
> > TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023),
> > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027),
> > TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C),
> > TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025),
> > TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029),
> > TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067),
> > TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040),
> > TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009),
> > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013),
> > TLS_RSA_WITH_AES_128_CBC_SHA(0x002F),
> > TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004),
> > TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E),
> > TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033),
> > TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032)]",
> > "compression methods" : "00",
> > "extensions" : [
> > ]
> > }
> > )
> >
> > Notice empty extensions, these are actually there on the wire (checked
> > with wireshark).
> >
> > This previously appeared to work, just checked with OpenJDK 11.0.1 and I
> > get them:
> >
> > javax.net.ssl|DEBUG|01|main|2019-02-14 10:54:54.261
> > AEDT|SSLCipher.java:437|jdk.tls.keyLimits: entry = AES/GCM/NoPadding
> > KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472
> > javax.net.ssl|WARNING|01|main|2019-02-14 10:54:56.491
> > AEDT|ServerNameExtension.java:255|Unable to indicate server name
> > javax.net.ssl|DEBUG|01|main|2019-02-14 10:54:56.492
> > AEDT|SSLExtensions.java:235|Ignore, context unavailable extension:
> > server_name
> > javax.net.ssl|DEBUG|01|main|2019-02-14 10:54:56.492
> > AEDT|SSLExtensions.java:235|Ignore, context unavailable extension:
> > status_request
> > javax.net.ssl|DEBUG|01|main|2019-02-14 10:54:56.494
> > AEDT|SupportedGroupsExtension.java:841|Ignore inactive or disabled named
> > group: secp160k1
> > javax.net.ssl|WARNING|01|main|2019-02-14 10:54:56.546
> > AEDT|SignatureScheme.java:282|Signature algorithm, ed25519, is not
> > supported by the underlying providers
> > javax.net.ssl|WARNING|01|main|2019-02-14 10:54:56.546
> > AEDT|SignatureScheme.java:282|Signature algorithm, ed448, is not
> > supported by the underlying providers
> > javax.net.ssl|INFO|01|main|2019-02-14 10:54:56.575
> > AEDT|AlpnExtension.java:161|No available application protocols
> > javax.net.ssl|DEBUG|01|main|2019-02-14 10:54:56.576
> > AEDT|SSLExtensions.java:235|Ignore, context unavailable extension:
> > application_layer_protocol_negotiation
> > javax.net.ssl|DEBUG|01|main|2019-02-14 10:54:56.576
> > AEDT|SSLExtensions.java:235|Ignore, context unavailable extension:
> > status_request_v2
> > javax.net.ssl|DEBUG|01|main|2019-02-14 10:54:56.577
> > AEDT|SSLExtensions.java:235|Ignore, context unavailable extension:
> > renegotiation_info
> > javax.net.ssl|DEBUG|01|main|2019-02-14 10:54:56.582
> > AEDT|ClientHello.java:651|Produced ClientHello handshake message (
> > "ClientHello": {
> > "client version" : "TLSv1.2",
> > "random" : "4E 23 00 5E 22 D3 0D 78 D0 97 B5 E1 16 FB E3
> > 92 B5 90 B0 8E 30 89 BC 72 BA F1 B7 94 71 E7 E8 80",
> > "session id" : "",
> > "cipher suites" :
> > "[TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B),
> > TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F),
> > TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C),
> > TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D),
> > TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031),
> > TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E),
> > TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2),
> > TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023),
> > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027),
> > TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C),
> > TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025),
> > TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029),
> > TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067),
> > TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040),
> > TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009),
> > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013),
> > TLS_RSA_WITH_AES_128_CBC_SHA(0x002F),
> > TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004),
> > TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E),
> > TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033),
> > TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032),
> > TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
> > "compression methods" : "00",
> > "extensions" : [
> > "supported_groups (10)": {
> > "versions": [secp256r1, secp384r1, secp521r1]
> > },
> > "ec_point_formats (11)": {
> > "formats": [uncompressed]
> > },
> > "signature_algorithms (13)": {
> > "signature schemes": [ecdsa_secp256r1_sha256,
> > ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pkcs1_sha256,
> > rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1,
> > rsa_pkcs1_sha1, dsa_sha1]
> > },
> > "signature_algorithms_cert (50)": {
> > "signature schemes": [ecdsa_secp256r1_sha256,
> > ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pkcs1_sha256,
> > rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1,
> > rsa_pkcs1_sha1, dsa_sha1]
> > },
> > "extended_master_secret (23)": {
> > <empty>
> > },
> > "supported_versions (43)": {
> > "versions": [TLSv1.2, TLSv1.1, TLSv1]
> > }
> > ]
> > }
> > )
> >
> > Regards,
> > Amir
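
An added example, not part of the original thread or of the JDK: because the report says the extensions were on the wire while the 11.0.2 debug log printed an empty list, this Python sketch lists the extensions straight from a raw ClientHello record so a capture can be cross-checked against the log. The function names and the sample record are constructed for illustration, and the parser assumes the whole ClientHello sits in a single TLS record.

```python
import struct
# Extension code points as printed in the 11.0.1 log quoted above.
EXT_NAMES = {10: "supported_groups", 11: "ec_point_formats",
             13: "signature_algorithms", 23: "extended_master_secret",
             43: "supported_versions", 50: "signature_algorithms_cert"}

def client_hello_extensions(record):
    """List (type, name, body_length) for every extension in one TLS record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(hello):
            raise ValueError("field runs past end of ClientHello")
        chunk = hello[pos:pos + n]
        pos += n
        return chunk

    take(2 + 32)                                  # client_version, random
    take(take(1)[0])                              # session_id
    take(struct.unpack("!H", take(2))[0])         # cipher_suites
    take(take(1)[0])                              # compression_methods
    if pos == len(hello):
        return []                                 # no extensions block on the wire
    ext_block_len = struct.unpack("!H", take(2))[0]
    if pos + ext_block_len != len(hello):
        raise ValueError("extensions length does not match message length")
    found = []
    while pos < len(hello):
        ext_type, ext_len = struct.unpack("!HH", take(4))
        take(ext_len)                             # skip the extension body
        found.append((ext_type, EXT_NAMES.get(ext_type, "unknown"), ext_len))
    return found

def constructed_sample():
    """Constructed TLS 1.2 ClientHello record (not captured traffic)."""
    exts = struct.pack("!HHH3H", 10, 8, 6, 0x17, 0x18, 0x19)         # supported_groups
    exts += struct.pack("!HH", 23, 0)                                # extended_master_secret
    exts += struct.pack("!HHB3H", 43, 7, 6, 0x0303, 0x0302, 0x0301)  # supported_versions
    hello = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!HHH", 4, 0xC02B, 0xC02F)
             + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
```

A non-empty result for a record whose debug log shows `"extensions" : [ ]` points at the logging, not at the handshake itself.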