- Type: Bug
- Resolution: Fixed
- Priority: P3
- Affects Version/s: 11, 12
- Resolved In Build: b16
- Verification: Not verified
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8230579 | 11.0.6-oracle | Jamil Nimeh | P3 | Resolved | Fixed | b01 |
JDK-8233977 | 11.0.6 | Jamil Nimeh | P3 | Resolved | Fixed | b04 |
JDK-8256884 | openjdk8u272 | Martin Balao Alonso | P3 | Closed | Fixed | b06 |
JDK-8243715 | 8u261 | Prasadarao Koppula | P3 | Resolved | Fixed | b05 |
JDK-8247048 | emb-8u261 | Prasadarao Koppula | P3 | Resolved | Fixed | team |
When an SSLSocket or SSLEngine is created without being restricted to TLS 1.3 only, the CertificateRequest message it produces after TLS 1.3 has been negotiated still advertises signature schemes that TLS 1.3 forbids, in the signature_algorithms extension and also in signature_algorithms_cert. RFC 8446, section 4.2.3 (near the end) says the TLS 1.2-era hash/signature pairs are deprecated and MUST NOT be offered or negotiated by any implementation, and in particular that MD5, SHA-224 and DSA MUST NOT be used.
A sample CertificateRequest (CR) message sent by a server that will negotiate any TLS version, but has negotiated TLS 1.3, looks like this:
```
javax.net.ssl|DEBUG|0A|pool-1-thread-1|2018-10-06 23:29:58.515 PDT|CertificateRequest.java:859|Produced CertificateRequest message (
"CertificateRequest": {
  "certificate_request_context": "",
  "extensions": [
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    }
  ]
}
```
Note the DSA-based and SHA-224-based schemes (dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, dsa_sha1) in both the signature_algorithms and signature_algorithms_cert extensions.
If, however, the SSLSocket/SSLEngine is created such that TLS 1.3 is the only enabled protocol, the signature schemes no longer contain these disallowed entries (the SHA-1 legacy schemes rsa_pkcs1_sha1 and ecdsa_sha1 remain, which RFC 8446 permits in these extensions for backward compatibility with TLS 1.2 certificates):
```
javax.net.ssl|DEBUG|0A|pool-1-thread-1|2018-10-06 23:46:44.999 PDT|CertificateRequest.java:859|Produced CertificateRequest message (
"CertificateRequest": {
  "certificate_request_context": "",
  "extensions": [
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, ecdsa_sha1, rsa_pkcs1_sha1]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, ecdsa_sha1, rsa_pkcs1_sha1]
    }
  ]
}
```
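To check a server for this behaviour without reading JDK debug output, the following added example (not JDK code, and not part of this bug report) parses a TLS 1.3 CertificateRequest handshake message and flags every scheme in signature_algorithms / signature_algorithms_cert that RFC 8446 section 4.2.3 says MUST NOT be offered (DSA, SHA-224, MD5), while leaving the permitted SHA-1 legacy schemes unflagged. The two messages it audits are constructed here from the scheme lists in the traces above; the scheme code points are those assigned by RFC 8446, and the TLS 1.2-style names for the DSA/SHA-224 pairs follow the JDK's own debug names.

```python
"""Audit a TLS 1.3 CertificateRequest for signature schemes that RFC 8446
sec. 4.2.3 forbids (DSA, SHA-224, MD5).  Added example, not JDK code."""
import struct

# SignatureScheme code points from RFC 8446 sec. 4.2.3.  The TLS 1.2-era
# pairs keep the old (HashAlgorithm, SignatureAlgorithm) byte encoding; the
# names used for them are the ones the JDK prints in the traces above.
SCHEME_NAMES = {
    0x0403: "ecdsa_secp256r1_sha256", 0x0503: "ecdsa_secp384r1_sha384",
    0x0603: "ecdsa_secp521r1_sha512",
    0x0804: "rsa_pss_rsae_sha256", 0x0805: "rsa_pss_rsae_sha384",
    0x0806: "rsa_pss_rsae_sha512", 0x0809: "rsa_pss_pss_sha256",
    0x080a: "rsa_pss_pss_sha384", 0x080b: "rsa_pss_pss_sha512",
    0x0401: "rsa_pkcs1_sha256", 0x0501: "rsa_pkcs1_sha384",
    0x0601: "rsa_pkcs1_sha512", 0x0807: "ed25519", 0x0808: "ed448",
    0x0201: "rsa_pkcs1_sha1", 0x0203: "ecdsa_sha1",      # legacy, SHA-1
    0x0402: "dsa_sha256", 0x0302: "dsa_sha224", 0x0202: "dsa_sha1",
    0x0303: "ecdsa_sha224", 0x0301: "rsa_sha224",        # TLS 1.2 only
}
SCHEME_CODES = {name: code for code, name in SCHEME_NAMES.items()}
EXT_SIG_ALGS, EXT_SIG_ALGS_CERT = 13, 50
EXT_LABELS = {EXT_SIG_ALGS: "signature_algorithms",
              EXT_SIG_ALGS_CERT: "signature_algorithms_cert"}

# Constructed sample input: the scheme lists transcribed from the two traces.
BUGGY_SCHEMES = [
    "ecdsa_secp256r1_sha256", "ecdsa_secp384r1_sha384", "ecdsa_secp521r1_sha512",
    "rsa_pss_rsae_sha256", "rsa_pss_rsae_sha384", "rsa_pss_rsae_sha512",
    "rsa_pss_pss_sha256", "rsa_pss_pss_sha384", "rsa_pss_pss_sha512",
    "rsa_pkcs1_sha256", "rsa_pkcs1_sha384", "rsa_pkcs1_sha512",
    "dsa_sha256", "ecdsa_sha224", "rsa_sha224", "dsa_sha224",
    "ecdsa_sha1", "rsa_pkcs1_sha1", "dsa_sha1",
]
FIXED_SCHEMES = [n for n in BUGGY_SCHEMES if n not in (
    "dsa_sha256", "ecdsa_sha224", "rsa_sha224", "dsa_sha224", "dsa_sha1")]


def classify(code):
    """Return None if TLS 1.3 allows offering the scheme, else the reason.
    rsa_pkcs1_sha1 / ecdsa_sha1 are 'legacy' and MAY still be listed for
    certificate signatures, so they are deliberately not flagged."""
    if code >= 0x0800:              # PSS, EdDSA, private use: not legacy pairs
        return None
    hash_id, sig_id = code >> 8, code & 0xFF
    if sig_id == 2:                 # SignatureAlgorithm.dsa
        return "DSA"
    if hash_id == 3:                # HashAlgorithm.sha224
        return "SHA-224"
    if hash_id == 1:                # HashAlgorithm.md5
        return "MD5"
    return None


def _vec(buf, pos, len_bytes):
    """Read a length-prefixed vector at buf[pos:]; return (payload, new_pos)."""
    end = pos + len_bytes
    n = int.from_bytes(buf[pos:end], "big")
    if end + n > len(buf):
        raise ValueError("truncated vector")
    return buf[end:end + n], end + n


def parse_certificate_request(msg):
    """Parse a TLS 1.3 CertificateRequest handshake message (type 13).
    Returns (context, {ext_type: [scheme codes] or raw bytes})."""
    if not msg or msg[0] != 13:
        raise ValueError("not a CertificateRequest")
    body, end = _vec(msg, 1, 3)
    if end != len(msg):
        raise ValueError("trailing bytes after handshake message")
    context, pos = _vec(body, 0, 1)
    exts, pos = _vec(body, pos, 2)
    if pos != len(body):
        raise ValueError("trailing bytes after extensions")
    result, pos = {}, 0
    while pos < len(exts):
        ext_type = int.from_bytes(exts[pos:pos + 2], "big")
        data, pos = _vec(exts, pos + 2, 2)
        if ext_type in result:
            raise ValueError("duplicate extension %d" % ext_type)
        if ext_type in EXT_LABELS:
            lst, lend = _vec(data, 0, 2)
            if lend != len(data) or len(lst) % 2:
                raise ValueError("malformed signature scheme list")
            result[ext_type] = [int.from_bytes(lst[i:i + 2], "big")
                                for i in range(0, len(lst), 2)]
        else:
            result[ext_type] = bytes(data)
    return context, result


def audit(msg):
    """Return [(extension, scheme name, reason)] for every forbidden offer."""
    _, exts = parse_certificate_request(msg)
    if EXT_SIG_ALGS not in exts:
        raise ValueError("TLS 1.3 CertificateRequest MUST carry signature_algorithms")
    return [(label, SCHEME_NAMES.get(c, "0x%04x" % c), classify(c))
            for ext_type, label in EXT_LABELS.items()
            for c in exts.get(ext_type, []) if classify(c)]


def build_certificate_request(scheme_names, context=b""):
    """Encode a CertificateRequest offering the named schemes in both extensions."""
    codes = b"".join(struct.pack("!H", SCHEME_CODES[n]) for n in scheme_names)
    lst = struct.pack("!H", len(codes)) + codes
    exts = b"".join(struct.pack("!HH", t, len(lst)) + lst for t in EXT_LABELS)
    body = struct.pack("!B", len(context)) + context + struct.pack("!H", len(exts)) + exts
    return b"\x0d" + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    for label, schemes in (("any-version server", BUGGY_SCHEMES),
                           ("TLS 1.3-only server", FIXED_SCHEMES)):
        findings = audit(build_certificate_request(schemes))
        print("%s: %d disallowed offers" % (label, len(findings)))
        for ext, name, reason in findings:
            print("  %s: %s (%s)" % (ext, name, reason))
```

Run against a real capture, feed the handshake message bytes (type byte included, after TLS 1.3 record decryption) to `audit`. On an unpatched JDK the workaround the report implies is to enable only TLS 1.3 on the socket or engine, e.g. `setEnabledProtocols(new String[] {"TLSv1.3"})`; the debug traces quoted above come from running with `-Djavax.net.debug=ssl:handshake`.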
- backported by
  - JDK-8230579 TLS 1.3 CertificateRequest message sometimes offers disallowed signature algorithms (Resolved)
  - JDK-8233977 TLS 1.3 CertificateRequest message sometimes offers disallowed signature algorithms (Resolved)
  - JDK-8243715 TLS 1.3 CertificateRequest message sometimes offers disallowed signature algorithms (Resolved)
  - JDK-8247048 TLS 1.3 CertificateRequest message sometimes offers disallowed signature algorithms (Resolved)
  - JDK-8256884 TLS 1.3 CertificateRequest message sometimes offers disallowed signature algorithms (Closed)