Details
- Bug
- Resolution: Fixed
- P4
- 12
- b19
- Verified
Description
ADDITIONAL SYSTEM INFORMATION :
Tested in OpenJDK 13 and also 11.0.6+10.
A DESCRIPTION OF THE PROBLEM :
According to https://www.java.com/en/configure_crypto.html, setting an SSL context of a specific version makes this version the upper limit to be used.
But this is not the case.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Start JShell and execute:
System.setProperty("javax.net.debug", "ssl:handshake:verbose")
javax.net.ssl.SSLContext sslContext = javax.net.ssl.SSLContext.getInstance("TLSv1.2")
sslContext.init(null, null, null)
java.net.http.HttpClient.newBuilder().sslContext(sslContext).build().send(java.net.http.HttpRequest.newBuilder(new java.net.URI("https://tls1.3speaking.url")).GET().build(), java.net.http.HttpResponse.BodyHandlers.ofString()).body()
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
TLS1.2 being used
ACTUAL -
javax.net.ssl|DEBUG|1A|HttpClient-6-Worker-0|2020-02-14 14:24:03.229 CET|ClientHello.java:653|Produced ClientHello handshake message (
"ClientHello": {
...
"supported_versions (43)": {
"versions": [TLSv1.3, TLSv1.2]
},
...
javax.net.ssl|DEBUG|1A|HttpClient-6-Worker-0|2020-02-14 14:24:03.245 CET|ServerHello.java:871|Consuming ServerHello handshake message (
"ServerHello": {
...
"supported_versions (43)": {
"selected version": [TLSv1.3]
...
javax.net.ssl|DEBUG|1A|HttpClient-6-Worker-0|2020-02-14 14:24:03.245 CET|ServerHello.java:967|Negotiated protocol version: TLSv1.3
CUSTOMER SUBMITTED WORKAROUND :
Disable TLS1.3 completely in the runtime using jdk.tls.disabledAlgorithms in conf/security/java.security, as mentioned on the same page.
Or use SSLParameters, as mentioned on the same page:
javax.net.ssl.SSLParameters sslParameters = new javax.net.ssl.SSLParameters()
sslParameters.setProtocols(new String[] {"TLSv1.2"})
...
.sslParameters(sslParameters)
FREQUENCY : always
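The check below is an added example, not code from the bug report or the JDK project. It compares the TLS versions an HttpClient reports for the context-only configuration from the reproduction steps against the SSLParameters workaround, and it runs offline. The class name TlsCeilingCheck and the helpers effectiveProtocols and requireOnly are hypothetical.

```java
import java.net.http.HttpClient;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added example, not code from the bug report. Class and method names are hypothetical.
public class TlsCeilingCheck {

    // TLS versions the client reports it will use; falls back to the context
    // defaults if the client's SSLParameters carry no protocol list.
    static List<String> effectiveProtocols(HttpClient client) {
        String[] protocols = client.sslParameters().getProtocols();
        if (protocols == null) {
            protocols = client.sslContext().getDefaultSSLParameters().getProtocols();
        }
        return Arrays.asList(protocols);
    }

    // Fail closed when any enabled version is outside the allow-list.
    static void requireOnly(HttpClient client, List<String> allowed) {
        List<String> enabled = effectiveProtocols(client);
        if (!allowed.containsAll(enabled)) {
            throw new IllegalStateException("unexpected TLS versions enabled: " + enabled);
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null);

        // Configuration from the reproduction steps: context only.
        HttpClient contextOnly = HttpClient.newBuilder().sslContext(ctx).build();
        System.out.println("context only:  " + effectiveProtocols(contextOnly));

        // Configuration from the workaround: explicit protocol list.
        SSLParameters params = new SSLParameters();
        params.setProtocols(new String[] {"TLSv1.2"});
        HttpClient pinned = HttpClient.newBuilder()
                .sslContext(ctx).sslParameters(params).build();
        System.out.println("SSLParameters: " + effectiveProtocols(pinned));

        requireOnly(pinned, List.of("TLSv1.2"));
    }
}
```

Calling requireOnly on the context-only client as well turns a wider-than-intended protocol list into a startup failure, if the runtime reports one, instead of a silently negotiated TLSv1.3 session.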
Issue Links
- relates to JDK-8239594 jdk.tls.client.protocols is not respected (Closed)