P4
FULL PRODUCT VERSION :
java version "1.4.2_09"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_09-b05)
Java HotSpot(TM) Client VM (build 1.4.2_09-b05, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows XP [Version 5.1.2600]
Red Hat 9
EXTRA RELEVANT SYSTEM CONFIGURATION :
SSL Accelerator set to only accept connections using TLSv1 and drop connections for SSLv3 and SSL2
A DESCRIPTION OF THE PROBLEM :
An SSL Accelerator is set up in front of our web servers to only accept connections coming in through TLSv1. We are able to connect to the server and get the login page by enabling TLSv1 in the browser. When the applet on the client side attempts to connect to the server through the JRE, the connection is being reset since the JRE is not using TLSv1.
We have attempted to enable TLSv1 by adding the following to the Advanced JRE Runtime Parameters setting in the Control Panel:
-Dhttps.protocols=TLSv1,SSLv3,SSLv2Hello
We see that the setting is partially accepted when looking at the following variable from a dump of the system properties:
javaplugin.jre.params = -Dhttps.protocols=TLSv1,SSLv3,SSLv2Hello
javaplugin.vm.options = -Djava.class.path=C:\PROGRA~1\Java\J2RE14~1.2_0\classes -Xbootclasspath/a:C:\PROGRA~1\Java\J2RE14~1.2_0\lib\plugin.jar -Xmx96m -Djavaplugin.maxHeapSize=96m -Xverify:remote -Djavaplugin.version=1.4.2_09 -Djavaplugin.nodotversion=142_09 -Dbrowser=sun.plugin -DtrustProxy=true -Dapplication.home=C:\PROGRA~1\Java\J2RE14~1.2_0 -Dhttps.protocols=TLSv1,SSLv3,SSLv2Hello -Djava.protocol.handler.pkgs=sun.plugin.net.protocol
line.separator = \r\n
The setting is not implemented in the actual https.protocols variable, as it is still set to the default:
https.protocols = SSLv3,SSLv2Hello
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Set up a server to only accept TLSv1 connections
Set the Advanced JRE Runtime Parameters to the following:
-Dhttps.protocols=TLSv1,SSLv3,SSLv2Hello
Attempt to interact with the server through client side using the JRE
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Expecting a successful connection as is the case in JRE 1.5.0 by enabling TLSv1
We expected to at least see the https.protocols variable updated to include the TLSv1 protocol. It, however, only lists the default:
https.protocols = SSLv3,SSLv2Hello
ACTUAL -
We observed an error in the status bar of the browser indicating that the applet was notinited.
ERROR MESSAGES/STACK TRACES THAT OCCUR :
java.net.SocketException: Connection reset
at java.net.SocketInputStream.read(Unknown Source)
at com.sun.net.ssl.internal.ssl.InputRecord.a(Unknown Source)
at com.sun.net.ssl.internal.ssl.InputRecord.read(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.setNewClient(Unknown Source)
at sun.net.www.protocol.https.PluginDelegateHttpsURLConnection.superConnect(Unknown Source)
at sun.net.www.protocol.https.PluginDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.https.PluginDelegateHttpsURLConnection.getInputStream(Unknown Source)
at java.net.HttpURLConnection.getResponseCode(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(Unknown Source)
at sun.plugin.cache.CachedFileLoader.load(Unknown Source)
at sun.plugin.cache.FileCache.get(Unknown Source)
at sun.net.www.protocol.https.PluginDelegateHttpsURLConnection.connectWithCache(Unknown Source)
at sun.net.www.protocol.https.PluginDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.https.PluginDelegateHttpsURLConnection.getInputStream(Unknown Source)
at java.net.HttpURLConnection.getResponseCode(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(Unknown Source)
at sun.applet.AppletClassLoader.getBytes(Unknown Source)
at sun.applet.AppletClassLoader.access$100(Unknown Source)
at sun.applet.AppletClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.applet.AppletClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.applet.AppletClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.applet.AppletClassLoader.loadCode(Unknown Source)
at sun.applet.AppletPanel.createApplet(Unknown Source)
at sun.plugin.AppletViewer.createApplet(Unknown Source)
at sun.applet.AppletPanel.runLoader(Unknown Source)
at sun.applet.AppletPanel.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
java.net.SocketException: Connection reset
at java.net.SocketInputStream.read(Unknown Source)
at com.sun.net.ssl.internal.ssl.InputRecord.a(Unknown Source)
at com.sun.net.ssl.internal.ssl.InputRecord.read(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.setNewClient(Unknown Source)
at sun.net.www.protocol.https.PluginDelegateHttpsURLConnection.superConnect(Unknown Source)
at sun.net.www.protocol.https.PluginDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.https.PluginDelegateHttpsURLConnection.getInputStream(Unknown Source)
at java.net.HttpURLConnection.getResponseCode(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(Unknown Source)
at sun.plugin.cache.CachedFileLoader.load(Unknown Source)
at sun.plugin.cache.FileCache.get(Unknown Source)
at sun.net.www.protocol.https.PluginDelegateHttpsURLConnection.connectWithCache(Unknown Source)
at sun.net.www.protocol.https.PluginDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.https.PluginDelegateHttpsURLConnection.getInputStream(Unknown Source)
at java.net.HttpURLConnection.getResponseCode(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(Unknown Source)
at sun.applet.AppletClassLoader.getBytes(Unknown Source)
at sun.applet.AppletClassLoader.access$100(Unknown Source)
at sun.applet.AppletClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.applet.AppletClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.applet.AppletClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.applet.AppletClassLoader.loadCode(Unknown Source)
at sun.applet.AppletPanel.createApplet(Unknown Source)
at sun.plugin.AppletViewer.createApplet(Unknown Source)
at sun.applet.AppletPanel.runLoader(Unknown Source)
at sun.applet.AppletPanel.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
load: class xxxApplet.class not found.
java.lang.ClassNotFoundException: xxxApplet.class
at sun.applet.AppletClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.applet.AppletClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.applet.AppletClassLoader.loadCode(Unknown Source)
at sun.applet.AppletPanel.createApplet(Unknown Source)
at sun.plugin.AppletViewer.createApplet(Unknown Source)
at sun.applet.AppletPanel.runLoader(Unknown Source)
at sun.applet.AppletPanel.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.net.SocketException: Connection reset
at java.net.SocketInputStream.read(Unknown Source)
at com.sun.net.ssl.internal.ssl.InputRecord.a(Unknown Source)
at com.sun.net.ssl.internal.ssl.InputRecord.read(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.setNewClient(Unknown Source)
at sun.net.www.protocol.https.PluginDelegateHttpsURLConnection.superConnect(Unknown Source)
at sun.net.www.protocol.https.PluginDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.https.PluginDelegateHttpsURLConnection.getInputStream(Unknown Source)
at java.net.HttpURLConnection.getResponseCode(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(Unknown Source)
at sun.applet.AppletClassLoader.getBytes(Unknown Source)
at sun.applet.AppletClassLoader.access$100(Unknown Source)
at sun.applet.AppletClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
... 10 more
REPRODUCIBILITY :
This bug can be reproduced always.
CUSTOMER SUBMITTED WORKAROUND :
There is no workaround with this version that we have found. The only option is to use JRE 1.5.0. This option drops support for any and all clients using Mac systems as no 1.5.0 is availble for that platform.
java version "1.4.2_09"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_09-b05)
Java HotSpot(TM) Client VM (build 1.4.2_09-b05, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows XP [Version 5.1.2600]
Red Hat 9
EXTRA RELEVANT SYSTEM CONFIGURATION :
SSL Accelerator set to only accept connections using TLSv1 and drop connections for SSLv3 and SSL2
A DESCRIPTION OF THE PROBLEM :
An SSL Accelerator is set up in front of our web servers to only accept connections coming in through TLSv1. We are able to connect to the server and get the login page by enabling TLSv1 in the browser. When the applet on the client side attempts to connect to the server through the JRE, the connection is being reset since the JRE is not using TLSv1.
We have attempted to enable TLSv1 by adding the following to the Advanced JRE Runtime Parameters setting in the Control Panel:
-Dhttps.protocols=TLSv1,SSLv3,SSLv2Hello
We see that the setting is partially accepted when looking at the following variable from a dump of the system properties:
javaplugin.jre.params = -Dhttps.protocols=TLSv1,SSLv3,SSLv2Hello
javaplugin.vm.options = -Djava.class.path=C:\PROGRA~1\Java\J2RE14~1.2_0\classes -Xbootclasspath/a:C:\PROGRA~1\Java\J2RE14~1.2_0\lib\plugin.jar -Xmx96m -Djavaplugin.maxHeapSize=96m -Xverify:remote -Djavaplugin.version=1.4.2_09 -Djavaplugin.nodotversion=142_09 -Dbrowser=sun.plugin -DtrustProxy=true -Dapplication.home=C:\PROGRA~1\Java\J2RE14~1.2_0 -Dhttps.protocols=TLSv1,SSLv3,SSLv2Hello -Djava.protocol.handler.pkgs=sun.plugin.net.protocol
line.separator = \r\n
The setting is not implemented in the actual https.protocols variable, as it is still set to the default:
https.protocols = SSLv3,SSLv2Hello
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Set up a server to only accept TLSv1 connections
Set the Advanced JRE Runtime Parameters to the following:
-Dhttps.protocols=TLSv1,SSLv3,SSLv2Hello
Attempt to interact with the server through client side using the JRE
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Expecting a successful connection as is the case in JRE 1.5.0 by enabling TLSv1
We expected to at least see the https.protocols variable updated to include the TLSv1 protocol. It, however, only lists the default:
https.protocols = SSLv3,SSLv2Hello
ACTUAL -
We observed an error in the status bar of the browser indicating that the applet was notinited.
ERROR MESSAGES/STACK TRACES THAT OCCUR :
java.net.SocketException: Connection reset
at java.net.SocketInputStream.read(Unknown Source)
at com.sun.net.ssl.internal.ssl.InputRecord.a(Unknown Source)
at com.sun.net.ssl.internal.ssl.InputRecord.read(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.setNewClient(Unknown Source)
at sun.net.www.protocol.https.PluginDelegateHttpsURLConnection.superConnect(Unknown Source)
at sun.net.www.protocol.https.PluginDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.https.PluginDelegateHttpsURLConnection.getInputStream(Unknown Source)
at java.net.HttpURLConnection.getResponseCode(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(Unknown Source)
at sun.plugin.cache.CachedFileLoader.load(Unknown Source)
at sun.plugin.cache.FileCache.get(Unknown Source)
at sun.net.www.protocol.https.PluginDelegateHttpsURLConnection.connectWithCache(Unknown Source)
at sun.net.www.protocol.https.PluginDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.https.PluginDelegateHttpsURLConnection.getInputStream(Unknown Source)
at java.net.HttpURLConnection.getResponseCode(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(Unknown Source)
at sun.applet.AppletClassLoader.getBytes(Unknown Source)
at sun.applet.AppletClassLoader.access$100(Unknown Source)
at sun.applet.AppletClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.applet.AppletClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.applet.AppletClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.applet.AppletClassLoader.loadCode(Unknown Source)
at sun.applet.AppletPanel.createApplet(Unknown Source)
at sun.plugin.AppletViewer.createApplet(Unknown Source)
at sun.applet.AppletPanel.runLoader(Unknown Source)
at sun.applet.AppletPanel.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
java.net.SocketException: Connection reset
at java.net.SocketInputStream.read(Unknown Source)
at com.sun.net.ssl.internal.ssl.InputRecord.a(Unknown Source)
at com.sun.net.ssl.internal.ssl.InputRecord.read(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.setNewClient(Unknown Source)
at sun.net.www.protocol.https.PluginDelegateHttpsURLConnection.superConnect(Unknown Source)
at sun.net.www.protocol.https.PluginDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.https.PluginDelegateHttpsURLConnection.getInputStream(Unknown Source)
at java.net.HttpURLConnection.getResponseCode(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(Unknown Source)
at sun.plugin.cache.CachedFileLoader.load(Unknown Source)
at sun.plugin.cache.FileCache.get(Unknown Source)
at sun.net.www.protocol.https.PluginDelegateHttpsURLConnection.connectWithCache(Unknown Source)
at sun.net.www.protocol.https.PluginDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.https.PluginDelegateHttpsURLConnection.getInputStream(Unknown Source)
at java.net.HttpURLConnection.getResponseCode(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(Unknown Source)
at sun.applet.AppletClassLoader.getBytes(Unknown Source)
at sun.applet.AppletClassLoader.access$100(Unknown Source)
at sun.applet.AppletClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.applet.AppletClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.applet.AppletClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.applet.AppletClassLoader.loadCode(Unknown Source)
at sun.applet.AppletPanel.createApplet(Unknown Source)
at sun.plugin.AppletViewer.createApplet(Unknown Source)
at sun.applet.AppletPanel.runLoader(Unknown Source)
at sun.applet.AppletPanel.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
load: class xxxApplet.class not found.
java.lang.ClassNotFoundException: xxxApplet.class
at sun.applet.AppletClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.applet.AppletClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.applet.AppletClassLoader.loadCode(Unknown Source)
at sun.applet.AppletPanel.createApplet(Unknown Source)
at sun.plugin.AppletViewer.createApplet(Unknown Source)
at sun.applet.AppletPanel.runLoader(Unknown Source)
at sun.applet.AppletPanel.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.net.SocketException: Connection reset
at java.net.SocketInputStream.read(Unknown Source)
at com.sun.net.ssl.internal.ssl.InputRecord.a(Unknown Source)
at com.sun.net.ssl.internal.ssl.InputRecord.read(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.setNewClient(Unknown Source)
at sun.net.www.protocol.https.PluginDelegateHttpsURLConnection.superConnect(Unknown Source)
at sun.net.www.protocol.https.PluginDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.https.PluginDelegateHttpsURLConnection.getInputStream(Unknown Source)
at java.net.HttpURLConnection.getResponseCode(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(Unknown Source)
at sun.applet.AppletClassLoader.getBytes(Unknown Source)
at sun.applet.AppletClassLoader.access$100(Unknown Source)
at sun.applet.AppletClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
... 10 more
REPRODUCIBILITY :
This bug can be reproduced always.
CUSTOMER SUBMITTED WORKAROUND :
There is no workaround with this version that we have found. The only option is to use JRE 1.5.0. This option drops support for any and all clients using Mac systems as no 1.5.0 is availble for that platform.