- Bug
- Resolution: Duplicate
- P3
- None
- 1.0.2
- x86
- windows_2000
Name: nt126004 Date: 05/17/2002
FULL PRODUCT VERSION :
java version "1.3.1_02"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.3.1_02-b02)
Java HotSpot(TM) Client VM (build 1.3.1_02-b02, mixed mode)
FULL OPERATING SYSTEM VERSION : Microsoft Windows 2000 [Version 5.00.2195]
A DESCRIPTION OF THE PROBLEM :
JSSE reports the signature length exactly 0x3000 bytes too
long. I came across this bug while doing interoperability
testing between JacORB (Java ORB) as server and TAO (C++ ORB)
as client using SSLIOP. The SSL negotiation is failing
because of JSSE reporting the wrong signature length.
I have created a simple server, SimpleSSLServer.java, which
uses SSLServerSocket. The simple client is "openssl
s_client". Both client and server use certificates
signed by a common CA certificate.
This bug is discussed on the openssl mailing list; here is the link:
http://www.mail-archive.com/###@###.###/msg08342.html
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Create CA certificate using openssl (ca.pem)
$ openssl req -out ca.pem -new -x509
generates CA certificate (ca.pem) and CA key (privkey.pem)
2. Create client certificate and sign it by CA certificate using openssl
3. Create server_key_store and certificate request using keytool
$ keytool -genkey -alias server_alias -keystore server_key_store
$ keytool -certreq -alias server_alias -keystore server_key_store -file server_cert_req.pem
4. Sign the server certificate request with CA certificate using openssl
$ openssl x509 -req -in server_cert_req.pem -CA ca.pem -CAkey privkey.pem -CAserial ca.srl -out server_signed_cert.pem
5. Import the CA certificate into server_key_store using keytool
$ keytool -import -keystore server_key_store -alias server_ca_alias -file ca.pem
6. Import the CA signed server certificate into the server_key_store using keytool
$ keytool -import -keystore server_key_store -alias server_alias -file server_signed_cert.pem
7. Run the simple ssl server
$ java -Djavax.net.ssl.keyStore=server_key_store -Djavax.net.ssl.keyStorePassword=testserver -Djavax.net.ssl.trustStore=server_key_store SimpleSSLServer
8. Run the openssl simple client
$ openssl s_client -cert client_cert.pem -key client_key.pem -CAfile ca.pem -debug -host <host> -port <port>
EXPECTED VERSUS ACTUAL BEHAVIOR :
I would expect a successful SSL handshake process. But
instead I got the following results.
ERROR MESSAGES/STACK TRACES THAT OCCUR :
Client is throwing the following output. Error message is at the end of the
client output.
Server output:
$ java -Xbootclasspath/p:%JAVA_HOME%\jre\lib\ext\jcert.jar;%JAVA_HOME%\jre\lib\ext\jnet.jar;%JAVA_HOME%\jre\lib\ext\jsse.jar;%JAVA_HOME%\jre\lib\rt.jar;%CLASSPATH% -Djavax.net.ssl.keyStore=server_key_store -Djavax.net.ssl.keyStorePassword=testserver -Djavax.net.ssl.trustStore=server_key_store SimpleSSLServer
Client added count 0
Client output:
$ openssl s_client -cert client_cert.pem -key client_key.pem -CAfile ca.pem -debug -host <host> -port 9991
CONNECTED(00000003)
depth=1 /C=US/ST=MO/O=OCI/OU=Macho CA/Email=###@###.###
verify return:1
depth=0 /C=US/ST=MO/L=STL/O=OCI/OU=IS/CN=Tari Pra
verify return:1
write to 0814E7F8 [0815EB78] (7 bytes => 7 (0x7))
0000 - 15 03 01 00 02 02 32 ......2
18911:error:1408D108:SSL routines:SSL3_GET_KEY_EXCHANGE:wrong signature length:s3_clnt.c:1053:
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
import java.io.*;
import java.net.*;
import javax.net.ssl.*;

public class SimpleSSLServer {
    public static void main(String[] args) throws IOException {
        // Default factory: key store and trust store come from the
        // javax.net.ssl.* system properties given on the command line.
        SSLServerSocketFactory ssf =
            (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        ServerSocket ss = ssf.createServerSocket(9991);
        int count = 0;
        while (true) {
            try {
                Socket s = ss.accept();
                System.out.println("Client added count " + (count++));
                OutputStream out = s.getOutputStream();
                BufferedReader in =
                    new BufferedReader(new InputStreamReader(s.getInputStream()));
                String line = null;
                // The first read triggers the SSL handshake; echo lines
                // until an empty line or end of stream.
                while (((line = in.readLine()) != null)
                        && (!("".equals(line)))) {
                    System.out.println(line);
                }
                out.close();
                in.close();
                s.close();
            } catch (Exception e) {
                System.out.println("Error:----");
                e.printStackTrace();
            }
        }
    }
}
---------- END SOURCE ----------
CUSTOMER WORKAROUND :
This link describes the workaround for this problem.
http://groups.google.com/groups?q=%22wrong+signature+length%22&hl=en&selm=40373dc3.0108131639.3b69c55d%40posting.google.com&rnum=1
(Review ID: 146247)
======================================================================
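An added example, not part of the original report and not JSSE or OpenSSL code: a Python check of how the DSA signature at the end of a DHE_DSS ServerKeyExchange body is framed. It assumes the 0x3000 excess comes from the DER signature being sent without its two-byte length prefix, so that a strict peer reads the DER header 30 2d as the length 0x302d; the function names and all sample bytes are constructed for illustration.

```python
import struct

def read_vec16(buf, off):
    """Read one TLS opaque<0..2^16-1> vector: 2-byte length, then data."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">H", buf, off)
    if off + 2 + n > len(buf):
        raise ValueError("vector overruns message")
    return buf[off + 2:off + 2 + n], off + 2 + n

def classify_dhe_dss_signature(body):
    """Walk dh_p, dh_g, dh_Ys in a DHE_DSS ServerKeyExchange body, then
    report how the trailing DSA signature is framed."""
    off = 0
    for _ in range(3):
        _, off = read_vec16(body, off)
    rest = body[off:]
    if len(rest) < 2:
        raise ValueError("no signature present")
    (claimed,) = struct.unpack_from(">H", rest, 0)  # what a strict peer reads
    available = len(rest) - 2                       # bytes actually left
    if claimed == available:
        framing = "length-prefixed"
    elif rest[0] == 0x30 and rest[1] == available and rest[1] < 0x80:
        framing = "bare-der"   # DER SEQUENCE header sits where the length belongs
    else:
        framing = "malformed"
    return {"framing": framing, "claimed": claimed, "excess": claimed - available}

def vec16(data):
    """Encode data as a 2-byte-length-prefixed vector."""
    return struct.pack(">H", len(data)) + data

# Constructed sample values (assumption: shapes only, not the report's capture).
R = bytes(range(1, 21))                  # 20-byte r
S = b"\x00\x8a" + bytes(19)              # 21-byte s with DER sign padding
DER_SIG = b"\x30\x2d\x02\x14" + R + b"\x02\x15" + S   # 47 bytes in total
PARAMS = vec16(b"\x00\xf4" + bytes(15)) + vec16(b"\x02") + vec16(b"\x4d" + bytes(15))
BARE = PARAMS + DER_SIG                  # signature without length prefix
FRAMED = PARAMS + vec16(DER_SIG)         # signature with length prefix

if __name__ == "__main__":
    for name, msg in (("bare", BARE), ("framed", FRAMED)):
        print(name, classify_dhe_dss_signature(msg))
```
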
- duplicates
  - JDK-4348279 DH ServerKeyExchange DSA signature encoding bug
  - Resolved