Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8209965

The "supported_groups" extension in ServerHellos

    XMLWordPrintable

Details

    • b20
    • b09

    Backports

      Description

        Reported in OpenJDK:
        http://mail.openjdk.java.net/pipermail/security-dev/2018-August/018005.html
        ----------
        While testing the recently released RC of JDK11 against the Apache Ant
        project, I happened to run into an odd error. I have now been able to
        reproduce this using the following, pretty trivial code:

        import java.net.URL;
        import java.io.InputStream;

        public class Fetch {
             public static void main(final String[] args) throws Exception {
                 final URL targetURL = new
        URL("https://repository.jboss.org/nexus/content/groups/public/javax/media/jai-core/1.1.3/jai-core-1.1.3.pom");
                 try (final InputStream is =
        targetURL.openConnection().getInputStream()) {
                     is.read();
                 }
                 System.out.println("Done");
             }
        }

        All it does is opens a (HTTPS) connection against an endpoint to read
        some content. This code works fine in Java 8 and even Java 10. I'm
        pretty sure this was working fine even in Java 11 early access builds,
        but I don't have any such build/binary at hand to be certain.

        However, using the latest (OpenJDK) RC of Java 11 (both on Mac OS and
        Linux) downloaded from[1]:

        openjdk version "11" 2018-09-25
        OpenJDK Runtime Environment 18.9 (build 11+28)
        OpenJDK 64-Bit Server VM 18.9 (build 11+28, mixed mode)

        it fails with:


        Exception in thread "main" javax.net.ssl.SSLHandshakeException:
        extension (10) should not be presented in server_hello
            at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
            at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
            at
        java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
            at
        java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
            at
        java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:255)
            at
        java.base/sun.security.ssl.SSLExtensions.<init>(SSLExtensions.java:71)
            at
        java.base/sun.security.ssl.ServerHello$ServerHelloMessage.<init>(ServerHello.java:173)
            at
        java.base/sun.security.ssl.ServerHello$ServerHelloConsumer.consume(ServerHello.java:864)
            at
        java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
            at
        java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
            at
        java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
            at
        java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:178)
            at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
            at
        java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
            at
        java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
            at
        java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
            at
        java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
            at
        java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
            at
        java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1581)
            at
        java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1509)
            at
        java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:245)
            at Fetch.main(Fetch.java:7)


        [1] http://jdk.java.net/11/

        -Jaikiran


        http://mail.openjdk.java.net/pipermail/security-dev/2018-August/018006.html
        -------------
        As noted in that exception message, it appears that the server is
        sending a "supported_groups" extension in its ServerHello message
        (TLSv1.2). Reading about it, this seems to be a common issue with
        certain servers and certain SSL implementations have added support to be
        lenient with such servers https://github.com/openssl/openssl/pull/4463/files

        Attachments

          Issue Links

            backported by

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8210005 The "supported_groups" extension in ServerHellos

            • P3 - Major loss of function.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8214320 The "supported_groups" extension in ServerHellos

            • P3 - Major loss of function.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8217139 The "supported_groups" extension in ServerHellos

            • P3 - Major loss of function.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8243722 The "supported_groups" extension in ServerHellos

            • P3 - Major loss of function.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8247056 The "supported_groups" extension in ServerHellos

            • P3 - Major loss of function.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8256881 The "supported_groups" extension in ServerHellos

            • P3 - Major loss of function.
            • Closed
            duplicates

            Bug - A problem which impairs or prevents the functions of the product. JDK-8209982 SSL handshake fails on an (apparently) correct certificate, working in jdk10

            • P3 - Major loss of function.
            • Closed
            relates to

            Bug - A problem which impairs or prevents the functions of the product. JDK-8210974 No extensions debug log for ClientHello

            • P3 - Major loss of function.
            • Closed

            CSR - null JDK-8202625 TLS 1.3 Implementation

            • P2 - Crashes, loss of data, severe memory leak.
            • Closed
            There are no Sub-Tasks for this issue.

            Activity

              People

                xuelei Xuelei Fan
                xuelei Xuelei Fan
                Votes:
                0 Vote for this issue
                Watchers:
                7 Start watching this issue

                Dates

                  Created:
                  Updated:
                  Resolved: