Details
- Bug
- Resolution: Fixed
- P2
- 11, 12
- b13
- generic
- generic
- Not verified
Backports
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8217123 | 11.0.3 | Jamil Nimeh | P2 | Resolved | Fixed | master |
JDK-8211041 | 11.0.2 | Jamil Nimeh | P2 | Resolved | Fixed | b01 |
JDK-8211067 | 11.0.1 | Jamil Nimeh | P2 | Closed | Fixed | b11 |
JDK-8256899 | openjdk8u272 | Martin Balao Alonso | P2 | Closed | Fixed | b06 |
JDK-8243720 | 8u261 | Prasadarao Koppula | P2 | Closed | Fixed | b05 |
JDK-8247054 | emb-8u261 | Prasadarao Koppula | P2 | Resolved | Fixed | team |
Description
/Library/Java/JavaVirtualMachines/jdk-11.jdk/Contents/Home/bin/java -version
java version "11" 2018-09-25
Java(TM) SE Runtime Environment 18.9 (build 11+28)
Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11+28, mixed mode)
A DESCRIPTION OF THE PROBLEM :
I am currently in the process of adding TLS 1.3 support into netty-tcnative[1] which uses JNI to make use of OpenSSL for it. During this work I noticed that I received test-failures when mutual auth is used and the JDK implementation is used on the client side. When using the JDK implementation on the server and client side all works as expected. Also if I use another protocol (like TLSv1.2) all works as expected.
The problem I am observing is that the client seems to send the certificate “too late” and so the server (which uses openssl) will report an error that the client did not provide a certificate (even when it was required).
For more details and debug logs see:
http://mail.openjdk.java.net/pipermail/security-dev/2018-September/018240.html
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
See:
https://github.com/normanmaurer/jdktls13bugreproducer
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Handshake and mutual auth completes successfully.
ACTUAL -
Server is not able to see the client cert.
---------- BEGIN SOURCE ----------
https://github.com/normanmaurer/jdktls13bugreproducer
---------- END SOURCE ----------
FREQUENCY : always
Issue Links
- backported by
  - JDK-8211041 TLSv.1.3 interop problems with OpenSSL 1.1.1 when used on the client side with mutual auth (Resolved)
  - JDK-8217123 TLSv.1.3 interop problems with OpenSSL 1.1.1 when used on the client side with mutual auth (Resolved)
  - JDK-8247054 TLSv.1.3 interop problems with OpenSSL 1.1.1 when used on the client side with mutual auth (Resolved)
  - JDK-8211067 TLSv.1.3 interop problems with OpenSSL 1.1.1 when used on the client side with mutual auth (Closed)
  - JDK-8243720 TLSv.1.3 interop problems with OpenSSL 1.1.1 when used on the client side with mutual auth (Closed)
  - JDK-8256899 TLSv.1.3 interop problems with OpenSSL 1.1.1 when used on the client side with mutual auth (Closed)
- relates to
  - JDK-8210989 RSASSA-PSS certificate cannot be selected for client auth on TLSv1.2 (Resolved)