-
Bug
-
Resolution: Won't Fix
-
P3
-
8u25, 9
-
generic
-
generic
FULL PRODUCT VERSION :
JRE 1.8u25 and all subsequent
ADDITIONAL OS VERSION INFORMATION :
Windows 32 bit
A DESCRIPTION OF THE PROBLEM :
The security enhancements described in the release notes for 1.8u25 here: http://www.oracle.com/technetwork/java/javase/8u25-relnotes-2296185.html include 'Unsafe Server Certificate Change in SSL/TLS Renegotiations Not Allowed.'
However, an effect of this is that certificates that contain critical extensions other than a restricted set of OIDs are rejected.
The white list appears to be:
2.5.29.15
2.5.29.37
2.5.29.19
2.5.29.17
2.16.840.1.113730.1.1
A certificate containing - for example - certificatepolicies (2.5.29.32) ir rejected and fails with the exception 'Certificate contains unsupported critical extensions' raised in sun.security.validator.EndEntityChecker.checkRemainingExtensions
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
It works in JRE 1.8 base, u5 u11 and u20
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
TLS 1.2 handshake shold complete
ERROR MESSAGES/STACK TRACES THAT OCCUR :
TLS1.2 handshake aborts with
'Certificate contains unsupported critical extensions' raised in sun.security.validator.EndEntityChecker.checkRemainingExtensions
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
Any JRE client negotiating TLS1.2 with a cert containing a critical extension of e.g. certificatepolicies
---------- END SOURCE ----------
JRE 1.8u25 and all subsequent
ADDITIONAL OS VERSION INFORMATION :
Windows 32 bit
A DESCRIPTION OF THE PROBLEM :
The security enhancements described in the release notes for 1.8u25 here: http://www.oracle.com/technetwork/java/javase/8u25-relnotes-2296185.html include 'Unsafe Server Certificate Change in SSL/TLS Renegotiations Not Allowed.'
However, an effect of this is that certificates that contain critical extensions other than a restricted set of OIDs are rejected.
The white list appears to be:
2.5.29.15
2.5.29.37
2.5.29.19
2.5.29.17
2.16.840.1.113730.1.1
A certificate containing - for example - certificatepolicies (2.5.29.32) ir rejected and fails with the exception 'Certificate contains unsupported critical extensions' raised in sun.security.validator.EndEntityChecker.checkRemainingExtensions
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
It works in JRE 1.8 base, u5 u11 and u20
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
TLS 1.2 handshake shold complete
ERROR MESSAGES/STACK TRACES THAT OCCUR :
TLS1.2 handshake aborts with
'Certificate contains unsupported critical extensions' raised in sun.security.validator.EndEntityChecker.checkRemainingExtensions
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
Any JRE client negotiating TLS1.2 with a cert containing a critical extension of e.g. certificatepolicies
---------- END SOURCE ----------
- relates to
-
-
- Resolved
-