JDK-8210846

TLSv.1.3 interop problems with OpenSSL 1.1.1 when used on the client side with mutual auth


Details

    • b13
    • generic
    • generic
    • Not verified


      Description

        ADDITIONAL SYSTEM INFORMATION :
         /Library/Java/JavaVirtualMachines/jdk-11.jdk/Contents/Home/bin/java -version
        java version "11" 2018-09-25
        Java(TM) SE Runtime Environment 18.9 (build 11+28)
        Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11+28, mixed mode)


        A DESCRIPTION OF THE PROBLEM :
        I am currently in the process of adding TLS 1.3 support into netty-tcnative[1] which uses JNI to make use of OpenSSL for it. During this work I noticed that I received test-failures when mutual auth is used and the JDK implementation is used on the client side. When using the JDK implementation on the server and client side all works as expected. Also if I use another protocol (like TLSv1.2) all works as expected.

        The problem I am observing is that the client seems to send the certificate “too late” and so the server (which uses openssl) will report an error that the client did not provide a certificate (even when it was required).

        For more details and debug logs see:

        http://mail.openjdk.java.net/pipermail/security-dev/2018-September/018240.html

        STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
        See:

        https://github.com/normanmaurer/jdktls13bugreproducer

        EXPECTED VERSUS ACTUAL BEHAVIOR :
        EXPECTED -
        Handshake and mutual auth completes successfully.
        ACTUAL -
        Server is not able to see the client cert.

        ---------- BEGIN SOURCE ----------
        https://github.com/normanmaurer/jdktls13bugreproducer
        ---------- END SOURCE ----------

        FREQUENCY : always


        Attachments

          1. 9057280-debug.txt
            66 kB
            Bradford Wetmore

              People

                jnimeh Jamil Nimeh
                webbuggrp Webbug Group