Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8246073

Not loading TLS 1.3 ciphers in the absence of setEnabledCipherSuites() call

XMLWordPrintable

    • b05
    • generic
    • generic

      Suppose server supports all protocols(TLSv1, TLSv1.1, TLSv1.2, TLSv1.3) and client supports only TLSv1.3 which sets using setEnabledProtocols() API, then handshake fails.

      Attached the reproducible test case.
      Command to execute test: java ServerClientSSLSocket

      This issue started from JDK8u261 b05 onwards and introduced by task JDK-8243682.
      It's reproducible in JDK8u261 b09 also.
      It's not reproducible in JDK11 or JDK15

      Exception message:
      Exception in thread "main" javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
      at sun.security.ssl.HandshakeContext.<init>(HandshakeContext.java:171)
      at sun.security.ssl.ClientHandshakeContext.<init>(ClientHandshakeContext.java:101)
      at sun.security.ssl.TransportContext.kickstart(TransportContext.java:222)
      at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:389)
      at sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:718)
      at sun.security.ssl.SSLSocketImpl.access$200(SSLSocketImpl.java:74)
      at sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:801)
      at sun.nio.cs.StreamDecoder.readBytes(StreamDecoder.java:284)
      at sun.nio.cs.StreamDecoder.implRead(StreamDecoder.java:326)
      at sun.nio.cs.StreamDecoder.read(StreamDecoder.java:178)
      at java.io.InputStreamReader.read(InputStreamReader.java:184)
      at java.io.BufferedReader.fill(BufferedReader.java:161)
      at java.io.BufferedReader.readLine(BufferedReader.java:324)
      at java.io.BufferedReader.readLine(BufferedReader.java:389)
      at ServerClientSSLSocket.doClientSide(ServerClientSSLSocket.java:58)
      at ServerClientSSLSocket.main(ServerClientSSLSocket.java:71)

      Attached full debug log.

      Workaround :
      Set specific cipher suite using setEnabledCipherSuites() API
      eg: sslSocket.setEnabledCipherSuites(new String[]{"TLS_AES_128_GCM_SHA256"});
      or
      Run the program with property -Djdk.tls.client.protocols=TLSv1.3

        1. debug.log
          47 kB
          Abdul Kolarkunnu
        2. ServerClientSSLSocket.java
          5 kB
          Abdul Kolarkunnu

            pkoppula Prasadarao Koppula
            akolarkunnu Abdul Kolarkunnu (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: