-
Bug
-
Resolution: Not an Issue
-
P3
-
None
-
8u191
-
x86_64
-
windows_vista
ADDITIONAL SYSTEM INFORMATION :
Windows 64-bit
A DESCRIPTION OF THE PROBLEM :
By default, a TLS server caches the negotiated session and should resume it when the client offers that Session ID in its ClientHello. This works with jre1.8.0_144 but not with jre1.8.0_191. Note that a TLS server is always permitted to decline resumption and perform a full handshake instead, so a different Session ID on reconnect is a behaviour change rather than a protocol violation; the reason the server declines needs to be identified before treating it as a defect.
REGRESSION : Last worked in version 8u181
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Create an SSL server socket backed by a keystore/truststore. The attached SSLServer.java listens on the port given on its command line (1234 in this report).
2. Using OpenSSL (1.0.1l, 15 Jan 2015 — a release that predates the TLS extended master secret extension of RFC 7627, so the session it saves is a legacy one; whether a server is willing to resume such sessions can differ between JDK releases and is worth checking in the handshake trace), run the following to save the negotiated session:
openssl s_client -connect localhost:1234 -sess_out 1234session.txt
3. Wait for the command to complete (the server closes the connection about two seconds after the handshake).
4. Reconnect, offering the saved session:
openssl s_client -connect localhost:1234 -sess_in 1234session.txt
5. Compare the Session ID values reported in steps 2 and 4.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Both Session IDs should be the same, i.e. the second handshake resumes the first session.
ACTUAL -
1. With PATH set to C:\Program Files\Java\jre1.8.0_144\bin, the session is resumed when the client sends the Session ID:
*** ClientHello, TLSv1.2
RandomCookie: GMT: 841895482 bytes = { 66, 43, 119, 176, 44, 21, 135, 143, 36, 171, 219, 255, 193, 32, 202, 251, 117, 253, 86, 136, 99, 235, 124, 15, 138, 246, 21, 48 }
Session ID: {91, 237, 95, 152, 155, 143, 144, 12, 116, 227, 140, 198, 130, 221, 9, 188, 120, 149, 245, 220, 12, 252, 242, 134, 178, 119, 58, 199, 245, 147, 16, 110}
Cipher Suites: [TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
.......
***
%% Resuming [Session-1, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
*** ServerHello, TLSv1.2
2. With PATH set to C:\Program Files\Java\jre1.8.0_191\bin, a new session is created every time, even though the client sends the Session ID:
*** ClientHello, TLSv1.2
RandomCookie: GMT: -2147078053 bytes = { 244, 80, 6, 243, 75, 183, 71, 97, 129, 11, 149, 179, 236, 33, 207, 224, 68, 186, 42, 20, 195, 29, 111, 224, 80, 231, 203, 209 }
Session ID: {91, 237, 95, 254, 102, 172, 225, 195, 221, 174, 237, 28, 224, 225, 48, 74, 53, 196, 242, 217, 152, 182, 19, 255, 91, 142, 145, 189, 110, 9, 227, 97}
Cipher Suites: [TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
.....
***
%% Initialized: [Session-2, SSL_NULL_WITH_NULL_NULL]
Standard ciphersuite chosen: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
%% Negotiating: [Session-2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
---------- BEGIN SOURCE ----------
import java.io.*;
import java.net.*;
import java.security.*;
import java.util.*;
import javax.net.*;
import javax.net.ssl.*;
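/**
 * Minimal TLS server used to reproduce session-resumption behaviour.
 *
 * It accepts one connection at a time, completes the handshake, prints the negotiated
 * session, holds the connection open briefly and closes it. Whether a reconnecting client's
 * session was resumed can be read from the javax.net.debug trace ("%% Resuming" versus
 * "%% Initialized") or from the printed session ID.
 *
 * This is a bug-reproduction harness, not a hardened server: the store passphrase is
 * hard-coded and client certificates are never requested.
 */
public class SSLServer implements Runnable
{
    /** System property that overrides the trust-store path (default: the original hard-coded location). */
    private static final String TRUSTSTORE_PROPERTY = "sslserver.truststore";
    /** System property that overrides the key-store path (default: the original hard-coded location). */
    private static final String KEYSTORE_PROPERTY = "sslserver.keystore";
    private static final String DEFAULT_TRUSTSTORE = "C:\\common\\conf\\platform_truststore.jks";
    private static final String DEFAULT_KEYSTORE = "C:\\common\\conf\\ssos.jks";
    /**
     * How long an accepted connection is held open after the handshake before the server
     * closes it, so a client such as openssl s_client has time to finish and save the session.
     */
    private static final long HOLD_OPEN_MILLIS = 2000L;
    /**
     * The port we will listen on
     */
    private final int port;
    /**
     * A list of open connections (this harness never adds to it; kept for API compatibility)
     */
    private final Set<Object> connections = new HashSet<>();
    /**
     * KeyStore holding the certificates we trust; feeds the TrustManagerFactory
     */
    private KeyStore _truststore;
    /**
     * KeyStore holding the server's private key and certificate chain; feeds the KeyManagerFactory
     */
    private KeyStore _keystore;
    /**
     * Used to generate a SocketFactory
     */
    private SSLContext sslContext;
    /**
     * A list of visible postings (this harness never adds to it; kept for API compatibility)
     */
    private final Set<Object> postings = new HashSet<>();
    /**
     * Passphrase for accessing both stores. Hard-coded only because this is a reproduction
     * harness; a real server must obtain it from a protected source, never from source code.
     */
    static private final String passphrase = "manage";
    /**
     * A source of secure random numbers, seeded in main() before any SSLContext is built
     */
    static private SecureRandom secureRandom;

    /**
     * Create a Server that listens on the given port.
     * Start the background listening thread
     *
     * @param port TCP port to listen on (0 lets the OS pick a free port)
     */
    public SSLServer( int port ) {
        this.port = port;
        // javax.net.debug is read when JSSE initialises, so it is set before any SSLContext
        // exists; the resulting handshake trace is what the reproduction compares.
        System.setProperty("javax.net.debug", "ssl");
        // The thread reads only 'port' (assigned above) and static fields, so publishing
        // 'this' from the constructor is safe here even though it is generally discouraged.
        new Thread( this ).start();
    }

    private void setupServerTrustStore() throws GeneralSecurityException, IOException {
        _truststore = loadJks( System.getProperty( TRUSTSTORE_PROPERTY, DEFAULT_TRUSTSTORE ) );
    }

    private void setupServerKeystore() throws GeneralSecurityException, IOException {
        _keystore = loadJks( System.getProperty( KEYSTORE_PROPERTY, DEFAULT_KEYSTORE ) );
    }

    /**
     * Loads a JKS store from {@code path} with the shared passphrase, closing the file even
     * when loading fails (the original left the stream open).
     *
     * @throws IOException if the file cannot be read or the passphrase is wrong
     * @throws GeneralSecurityException if the store contents cannot be parsed
     */
    private static KeyStore loadJks( String path ) throws GeneralSecurityException, IOException {
        KeyStore store = KeyStore.getInstance( "JKS" );
        try ( InputStream in = new FileInputStream( path ) ) {
            store.load( in, passphrase.toCharArray() );
        }
        return store;
    }

    /**
     * Builds the SSLContext from the two stores. "TLS" leaves the enabled protocol versions and
     * cipher suites at the JDK's defaults, which is intentional: the reproduction is about what
     * a given JDK release does out of the box.
     */
    private void setupSSLContext() throws GeneralSecurityException, IOException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance( "SunX509" );
        tmf.init( _truststore );
        KeyManagerFactory kmf = KeyManagerFactory.getInstance( "SunX509" );
        kmf.init( _keystore, passphrase.toCharArray() );
        sslContext = SSLContext.getInstance( "TLS" );
        sslContext.init( kmf.getKeyManagers(),
                tmf.getTrustManagers(),
                secureRandom );
    }

    /**
     * Background thread: accept new connections.
     * A connection whose handshake fails is logged and skipped; only a failure to set up the
     * stores/context or the listening socket ends the loop.
     */
    public void run() {
        try {
            setupServerTrustStore();
            setupServerKeystore();
            setupSSLContext();
            SSLServerSocketFactory sf = sslContext.getServerSocketFactory();
            try ( SSLServerSocket ss = (SSLServerSocket)sf.createServerSocket( port ) ) {
                // Client certificates are neither required nor requested: any peer that can reach
                // the port can complete a handshake. Acceptable for a resumption reproducer only.
                ss.setNeedClientAuth( false );
                System.out.println( "Listening on port "+port+"..." );
                while (!Thread.currentThread().isInterrupted()) {
                    SSLSocket socket = (SSLSocket)ss.accept();
                    if (!serveOne( socket )) {
                        break;
                    }
                }
            }
        } catch( Exception ie ) {
            ie.printStackTrace();
        }
    }

    /**
     * Handshakes one accepted connection, prints the negotiated session, holds the connection
     * open for {@link #HOLD_OPEN_MILLIS} and closes it (also on failure).
     *
     * @return false if the thread was interrupted while holding the connection, true otherwise
     */
    private boolean serveOne( SSLSocket socket ) {
        try ( SSLSocket s = socket ) {
            System.out.println( "Got connection from "+s );
            s.startHandshake();
            SSLSession session = s.getSession();
            // Server-side view of the session: compare this ID with the client's. A creation
            // time that predates this connection should indicate a resumed session.
            System.out.println( "Session ID " + toHex( session.getId() )
                    + " created " + session.getCreationTime()
                    + " cipher " + session.getCipherSuite() );
            Thread.sleep( HOLD_OPEN_MILLIS );
        } catch( InterruptedException ie ) {
            Thread.currentThread().interrupt();
            return false;
        } catch( IOException ioe ) {
            // One failed or probing client must not take the server down.
            System.err.println( "Connection failed: " + ioe );
            return true;
        }
        System.out.println( "Closed Connection, Checking Again for New Connection.." );
        return true;
    }

    /** Renders a session ID as lower-case hex; empty for a null or empty ID. */
    private static String toHex( byte[] bytes ) {
        if (bytes == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder( bytes.length * 2 );
        for (byte b : bytes) {
            sb.append( String.format( "%02x", b ) );
        }
        return sb.toString();
    }

    /**
     * Return an iteration over open connections (always empty in this harness)
     */
    Iterator<Object> getConnections() {
        return connections.iterator();
    }

    /**
     * Return an iteration over visible postings (always empty in this harness)
     */
    Iterator<Object> getPostings() {
        return postings.iterator();
    }

    /**
     * Create and start a Server. The port number must
     * be provided on the command line
     */
    static public void main( String args[] ) {
        if (args.length != 1) {
            System.err.println( "Usage: java SSLServer <port number>" );
            System.exit( 1 );
        }
        int port;
        try {
            port = Integer.parseInt( args[0] );
        } catch( NumberFormatException nfe ) {
            System.err.println( "Port number must be an integer: " + args[0] );
            System.exit( 1 );
            return;
        }
        System.out.println( "Wait while secure random numbers are initialized...." );
        secureRandom = new SecureRandom();
        // Forces seeding now so the first handshake does not pay for it.
        secureRandom.nextInt();
        System.out.println( "Done." );
        new SSLServer( port );
    }
}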
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
None.
FREQUENCY : always
Windows 64-bit
A DESCRIPTION OF THE PROBLEM :
By default, a TLS server caches the negotiated session and should resume it when the client offers that Session ID in its ClientHello. This works with jre1.8.0_144 but not with jre1.8.0_191. Note that a TLS server is always permitted to decline resumption and perform a full handshake instead, so a different Session ID on reconnect is a behaviour change rather than a protocol violation; the reason the server declines needs to be identified before treating it as a defect.
REGRESSION : Last worked in version 8u181
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Create an SSL server socket backed by a keystore/truststore. The attached SSLServer.java listens on the port given on its command line (1234 in this report).
2. Using OpenSSL (1.0.1l, 15 Jan 2015 — a release that predates the TLS extended master secret extension of RFC 7627, so the session it saves is a legacy one; whether a server is willing to resume such sessions can differ between JDK releases and is worth checking in the handshake trace), run the following to save the negotiated session:
openssl s_client -connect localhost:1234 -sess_out 1234session.txt
3. Wait for the command to complete (the server closes the connection about two seconds after the handshake).
4. Reconnect, offering the saved session:
openssl s_client -connect localhost:1234 -sess_in 1234session.txt
5. Compare the Session ID values reported in steps 2 and 4.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Both Session IDs should be the same, i.e. the second handshake resumes the first session.
ACTUAL -
1. With PATH set to C:\Program Files\Java\jre1.8.0_144\bin, the session is resumed when the client sends the Session ID:
*** ClientHello, TLSv1.2
RandomCookie: GMT: 841895482 bytes = { 66, 43, 119, 176, 44, 21, 135, 143, 36, 171, 219, 255, 193, 32, 202, 251, 117, 253, 86, 136, 99, 235, 124, 15, 138, 246, 21, 48 }
Session ID: {91, 237, 95, 152, 155, 143, 144, 12, 116, 227, 140, 198, 130, 221, 9, 188, 120, 149, 245, 220, 12, 252, 242, 134, 178, 119, 58, 199, 245, 147, 16, 110}
Cipher Suites: [TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
.......
***
%% Resuming [Session-1, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
*** ServerHello, TLSv1.2
2. With PATH set to C:\Program Files\Java\jre1.8.0_191\bin, a new session is created every time, even though the client sends the Session ID:
*** ClientHello, TLSv1.2
RandomCookie: GMT: -2147078053 bytes = { 244, 80, 6, 243, 75, 183, 71, 97, 129, 11, 149, 179, 236, 33, 207, 224, 68, 186, 42, 20, 195, 29, 111, 224, 80, 231, 203, 209 }
Session ID: {91, 237, 95, 254, 102, 172, 225, 195, 221, 174, 237, 28, 224, 225, 48, 74, 53, 196, 242, 217, 152, 182, 19, 255, 91, 142, 145, 189, 110, 9, 227, 97}
Cipher Suites: [TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
.....
***
%% Initialized: [Session-2, SSL_NULL_WITH_NULL_NULL]
Standard ciphersuite chosen: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
%% Negotiating: [Session-2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
---------- BEGIN SOURCE ----------
import java.io.*;
import java.net.*;
import java.security.*;
import java.util.*;
import javax.net.*;
import javax.net.ssl.*;
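/**
 * Minimal TLS server used to reproduce session-resumption behaviour.
 *
 * It accepts one connection at a time, completes the handshake, prints the negotiated
 * session, holds the connection open briefly and closes it. Whether a reconnecting client's
 * session was resumed can be read from the javax.net.debug trace ("%% Resuming" versus
 * "%% Initialized") or from the printed session ID.
 *
 * This is a bug-reproduction harness, not a hardened server: the store passphrase is
 * hard-coded and client certificates are never requested.
 */
public class SSLServer implements Runnable
{
    /** System property that overrides the trust-store path (default: the original hard-coded location). */
    private static final String TRUSTSTORE_PROPERTY = "sslserver.truststore";
    /** System property that overrides the key-store path (default: the original hard-coded location). */
    private static final String KEYSTORE_PROPERTY = "sslserver.keystore";
    private static final String DEFAULT_TRUSTSTORE = "C:\\common\\conf\\platform_truststore.jks";
    private static final String DEFAULT_KEYSTORE = "C:\\common\\conf\\ssos.jks";
    /**
     * How long an accepted connection is held open after the handshake before the server
     * closes it, so a client such as openssl s_client has time to finish and save the session.
     */
    private static final long HOLD_OPEN_MILLIS = 2000L;
    /**
     * The port we will listen on
     */
    private final int port;
    /**
     * A list of open connections (this harness never adds to it; kept for API compatibility)
     */
    private final Set<Object> connections = new HashSet<>();
    /**
     * KeyStore holding the certificates we trust; feeds the TrustManagerFactory
     */
    private KeyStore _truststore;
    /**
     * KeyStore holding the server's private key and certificate chain; feeds the KeyManagerFactory
     */
    private KeyStore _keystore;
    /**
     * Used to generate a SocketFactory
     */
    private SSLContext sslContext;
    /**
     * A list of visible postings (this harness never adds to it; kept for API compatibility)
     */
    private final Set<Object> postings = new HashSet<>();
    /**
     * Passphrase for accessing both stores. Hard-coded only because this is a reproduction
     * harness; a real server must obtain it from a protected source, never from source code.
     */
    static private final String passphrase = "manage";
    /**
     * A source of secure random numbers, seeded in main() before any SSLContext is built
     */
    static private SecureRandom secureRandom;

    /**
     * Create a Server that listens on the given port.
     * Start the background listening thread
     *
     * @param port TCP port to listen on (0 lets the OS pick a free port)
     */
    public SSLServer( int port ) {
        this.port = port;
        // javax.net.debug is read when JSSE initialises, so it is set before any SSLContext
        // exists; the resulting handshake trace is what the reproduction compares.
        System.setProperty("javax.net.debug", "ssl");
        // The thread reads only 'port' (assigned above) and static fields, so publishing
        // 'this' from the constructor is safe here even though it is generally discouraged.
        new Thread( this ).start();
    }

    private void setupServerTrustStore() throws GeneralSecurityException, IOException {
        _truststore = loadJks( System.getProperty( TRUSTSTORE_PROPERTY, DEFAULT_TRUSTSTORE ) );
    }

    private void setupServerKeystore() throws GeneralSecurityException, IOException {
        _keystore = loadJks( System.getProperty( KEYSTORE_PROPERTY, DEFAULT_KEYSTORE ) );
    }

    /**
     * Loads a JKS store from {@code path} with the shared passphrase, closing the file even
     * when loading fails (the original left the stream open).
     *
     * @throws IOException if the file cannot be read or the passphrase is wrong
     * @throws GeneralSecurityException if the store contents cannot be parsed
     */
    private static KeyStore loadJks( String path ) throws GeneralSecurityException, IOException {
        KeyStore store = KeyStore.getInstance( "JKS" );
        try ( InputStream in = new FileInputStream( path ) ) {
            store.load( in, passphrase.toCharArray() );
        }
        return store;
    }

    /**
     * Builds the SSLContext from the two stores. "TLS" leaves the enabled protocol versions and
     * cipher suites at the JDK's defaults, which is intentional: the reproduction is about what
     * a given JDK release does out of the box.
     */
    private void setupSSLContext() throws GeneralSecurityException, IOException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance( "SunX509" );
        tmf.init( _truststore );
        KeyManagerFactory kmf = KeyManagerFactory.getInstance( "SunX509" );
        kmf.init( _keystore, passphrase.toCharArray() );
        sslContext = SSLContext.getInstance( "TLS" );
        sslContext.init( kmf.getKeyManagers(),
                tmf.getTrustManagers(),
                secureRandom );
    }

    /**
     * Background thread: accept new connections.
     * A connection whose handshake fails is logged and skipped; only a failure to set up the
     * stores/context or the listening socket ends the loop.
     */
    public void run() {
        try {
            setupServerTrustStore();
            setupServerKeystore();
            setupSSLContext();
            SSLServerSocketFactory sf = sslContext.getServerSocketFactory();
            try ( SSLServerSocket ss = (SSLServerSocket)sf.createServerSocket( port ) ) {
                // Client certificates are neither required nor requested: any peer that can reach
                // the port can complete a handshake. Acceptable for a resumption reproducer only.
                ss.setNeedClientAuth( false );
                System.out.println( "Listening on port "+port+"..." );
                while (!Thread.currentThread().isInterrupted()) {
                    SSLSocket socket = (SSLSocket)ss.accept();
                    if (!serveOne( socket )) {
                        break;
                    }
                }
            }
        } catch( Exception ie ) {
            ie.printStackTrace();
        }
    }

    /**
     * Handshakes one accepted connection, prints the negotiated session, holds the connection
     * open for {@link #HOLD_OPEN_MILLIS} and closes it (also on failure).
     *
     * @return false if the thread was interrupted while holding the connection, true otherwise
     */
    private boolean serveOne( SSLSocket socket ) {
        try ( SSLSocket s = socket ) {
            System.out.println( "Got connection from "+s );
            s.startHandshake();
            SSLSession session = s.getSession();
            // Server-side view of the session: compare this ID with the client's. A creation
            // time that predates this connection should indicate a resumed session.
            System.out.println( "Session ID " + toHex( session.getId() )
                    + " created " + session.getCreationTime()
                    + " cipher " + session.getCipherSuite() );
            Thread.sleep( HOLD_OPEN_MILLIS );
        } catch( InterruptedException ie ) {
            Thread.currentThread().interrupt();
            return false;
        } catch( IOException ioe ) {
            // One failed or probing client must not take the server down.
            System.err.println( "Connection failed: " + ioe );
            return true;
        }
        System.out.println( "Closed Connection, Checking Again for New Connection.." );
        return true;
    }

    /** Renders a session ID as lower-case hex; empty for a null or empty ID. */
    private static String toHex( byte[] bytes ) {
        if (bytes == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder( bytes.length * 2 );
        for (byte b : bytes) {
            sb.append( String.format( "%02x", b ) );
        }
        return sb.toString();
    }

    /**
     * Return an iteration over open connections (always empty in this harness)
     */
    Iterator<Object> getConnections() {
        return connections.iterator();
    }

    /**
     * Return an iteration over visible postings (always empty in this harness)
     */
    Iterator<Object> getPostings() {
        return postings.iterator();
    }

    /**
     * Create and start a Server. The port number must
     * be provided on the command line
     */
    static public void main( String args[] ) {
        if (args.length != 1) {
            System.err.println( "Usage: java SSLServer <port number>" );
            System.exit( 1 );
        }
        int port;
        try {
            port = Integer.parseInt( args[0] );
        } catch( NumberFormatException nfe ) {
            System.err.println( "Port number must be an integer: " + args[0] );
            System.exit( 1 );
            return;
        }
        System.out.println( "Wait while secure random numbers are initialized...." );
        secureRandom = new SecureRandom();
        // Forces seeding now so the first handshake does not pay for it.
        secureRandom.nextInt();
        System.out.println( "Done." );
        new SSLServer( port );
    }
}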
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
None.
FREQUENCY : always