-
Bug
-
Resolution: Fixed
-
P3
-
11, 12
-
b18
| Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
|---|---|---|---|---|---|---|
| JDK-8242329 | 14.0.2 | Xuelei Fan | P3 | Resolved | Fixed | b02 |
| JDK-8246364 | 13.0.4 | Xuelei Fan | P3 | Resolved | Fixed | b04 |
| JDK-8242336 | 11.0.8-oracle | Xuelei Fan | P3 | Resolved | Fixed | b03 |
| JDK-8243137 | 11.0.8 | Xuelei Fan | P3 | Resolved | Fixed | b01 |
| JDK-8243704 | 8u261 | Prasadarao Koppula | P3 | Resolved | Fixed | b05 |
| JDK-8247037 | emb-8u261 | Prasadarao Koppula | P3 | Resolved | Fixed | team |
If ClientHello has no key_share extension for (EC)DHE key exchange, JSSE server alerts internal_error, for example,
javax.net.ssl|DEBUG|01|main|2018-12-20 20:43:03.059 CST|ClientHello.java:806|Consuming ClientHello handshake message (
"ClientHello": {
"client version" : "TLSv1.2",
"random" : "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
"session id" : "3E C3 93 BB D5 2B AC A2 36 00 AB D1 41 C1 C4 3B 4B 1A 32 91 79 92 9E 43 3D 2C F6 89 65 5F 04 28",
"cipher suites" : "[TLS_AES_128_GCM_SHA256(0x1301), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
"compression methods" : "00",
"extensions" : [
"supported_versions (43)": {
"versions": [TLSv1.3, TLSv1.2]
},
"supported_groups (10)": {
"versions": [secp256r1]
},
"signature_algorithms (13)": {
"signature schemes": [rsa_pss_rsae_sha256, rsa_pss_pss_sha256]
},
"signature_algorithms_cert (50)": {
"signature schemes": [rsa_pkcs1_sha512, rsa_pkcs1_sha384, rsa_pkcs1_sha256, rsa_sha224, rsa_pkcs1_sha1, rsa_md5, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512]
}
]
}
)
... ...
javax.net.ssl|DEBUG|01|main|2018-12-20 20:43:03.088 CST|ServerHello.java:580|Produced ServerHello handshake message (
"ServerHello": {
"server version" : "TLSv1.2",
"random" : "86 03 CD FB 91 24 39 FC 8E FE 35 07 FF C3 E0 42 FB 3C B4 B9 99 C4 6D A5 19 AF F4 C7 C2 C2 D3 17",
"session id" : "3E C3 93 BB D5 2B AC A2 36 00 AB D1 41 C1 C4 3B 4B 1A 32 91 79 92 9E 43 3D 2C F6 89 65 5F 04 28",
"cipher suite" : "TLS_AES_128_GCM_SHA256(0x1301)",
"compression methods" : "00",
"extensions" : [
"supported_versions (43)": {
"selected version": [TLSv1.3]
}
]
}
)
... ...
javax.net.ssl|ERROR|01|main|2018-12-20 20:43:03.093 CST|TransportContext.java:313|Fatal (INTERNAL_ERROR): Not negotiated key shares (
"throwable" : {
javax.net.ssl.SSLException: Not negotiated key shares
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:129)
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:255)
at java.base/sun.security.ssl.ServerHello$T13ServerHelloProducer.produce(ServerHello.java:595)
at java.base/sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:436)
at java.base/sun.security.ssl.ClientHello$T13ClientHelloConsumer.goServerHello(ClientHello.java:1224)
at java.base/sun.security.ssl.ClientHello$T13ClientHelloConsumer.consume(ClientHello.java:1160)
at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:849)
at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:810)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:448)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:425)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:178)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1151)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1062)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:716)
at java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:799)
at java.base/java.io.InputStream.read(InputStream.java:213)
at SimpleJSSEServer.readIn(SimpleJSSEServer.java:37)
at SimpleJSSEServer.main(SimpleJSSEServer.java:24)}
)
But RFC 8446 section 9.2 states:
- If containing a "supported_groups" extension, it MUST also contain a "key_share" extension, and vice versa. An empty KeyShare.client_shares vector is permitted.
Servers receiving a ClientHello which does not conform to these requirements MUST abort the handshake with a "missing_extension" alert.
So, the server should alert missing_extension immediately, but not send ServerHello and then alert internal_error.
javax.net.ssl|DEBUG|01|main|2018-12-20 20:43:03.059 CST|ClientHello.java:806|Consuming ClientHello handshake message (
"ClientHello": {
"client version" : "TLSv1.2",
"random" : "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
"session id" : "3E C3 93 BB D5 2B AC A2 36 00 AB D1 41 C1 C4 3B 4B 1A 32 91 79 92 9E 43 3D 2C F6 89 65 5F 04 28",
"cipher suites" : "[TLS_AES_128_GCM_SHA256(0x1301), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
"compression methods" : "00",
"extensions" : [
"supported_versions (43)": {
"versions": [TLSv1.3, TLSv1.2]
},
"supported_groups (10)": {
"versions": [secp256r1]
},
"signature_algorithms (13)": {
"signature schemes": [rsa_pss_rsae_sha256, rsa_pss_pss_sha256]
},
"signature_algorithms_cert (50)": {
"signature schemes": [rsa_pkcs1_sha512, rsa_pkcs1_sha384, rsa_pkcs1_sha256, rsa_sha224, rsa_pkcs1_sha1, rsa_md5, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512]
}
]
}
)
... ...
javax.net.ssl|DEBUG|01|main|2018-12-20 20:43:03.088 CST|ServerHello.java:580|Produced ServerHello handshake message (
"ServerHello": {
"server version" : "TLSv1.2",
"random" : "86 03 CD FB 91 24 39 FC 8E FE 35 07 FF C3 E0 42 FB 3C B4 B9 99 C4 6D A5 19 AF F4 C7 C2 C2 D3 17",
"session id" : "3E C3 93 BB D5 2B AC A2 36 00 AB D1 41 C1 C4 3B 4B 1A 32 91 79 92 9E 43 3D 2C F6 89 65 5F 04 28",
"cipher suite" : "TLS_AES_128_GCM_SHA256(0x1301)",
"compression methods" : "00",
"extensions" : [
"supported_versions (43)": {
"selected version": [TLSv1.3]
}
]
}
)
... ...
javax.net.ssl|ERROR|01|main|2018-12-20 20:43:03.093 CST|TransportContext.java:313|Fatal (INTERNAL_ERROR): Not negotiated key shares (
"throwable" : {
javax.net.ssl.SSLException: Not negotiated key shares
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:129)
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:255)
at java.base/sun.security.ssl.ServerHello$T13ServerHelloProducer.produce(ServerHello.java:595)
at java.base/sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:436)
at java.base/sun.security.ssl.ClientHello$T13ClientHelloConsumer.goServerHello(ClientHello.java:1224)
at java.base/sun.security.ssl.ClientHello$T13ClientHelloConsumer.consume(ClientHello.java:1160)
at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:849)
at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:810)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:448)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:425)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:178)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1151)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1062)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:716)
at java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:799)
at java.base/java.io.InputStream.read(InputStream.java:213)
at SimpleJSSEServer.readIn(SimpleJSSEServer.java:37)
at SimpleJSSEServer.main(SimpleJSSEServer.java:24)}
)
But RFC 8446 section 9.2 states:
- If containing a "supported_groups" extension, it MUST also contain a "key_share" extension, and vice versa. An empty KeyShare.client_shares vector is permitted.
Servers receiving a ClientHello which does not conform to these requirements MUST abort the handshake with a "missing_extension" alert.
So, the server should alert missing_extension immediately, but not send ServerHello and then alert internal_error.
- backported by
-
JDK-8242329 Missing key_share extension for (EC)DHE key exchange should alert missing_extension
-
- Resolved
-
-
-
- Resolved
-
-
-
- Resolved
-
-
-
- Resolved
-
-
-
- Resolved
-
-
-
- Resolved
-
(1 backported by)