- Type: Bug
- Resolution: Fixed
- Priority: P4
- Affects Version/s: 16, 17
- Component/s: security-libs
- b16
| Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
|---|---|---|---|---|---|---|
| JDK-8374192 | 11.0.31 | Antonio Vieiro | P4 | Resolved | Fixed | master |
If the signature_algorithms extension is present, but the algorithms are unrecognized or unsupported, JSSE peers should send a fatal alert immediately.
For example, in this case, it's unnecessary to try to produce ServerHello, Certificate and ServerKeyExchange messages.
```
javax.net.ssl|ERROR|10|main|2021-03-08 22:36:08.645 CST|TransportContext.java:361|Fatal (INTERNAL_ERROR): No supported signature algorithm for RSA key (
"throwable" : {
  javax.net.ssl.SSLException: No supported signature algorithm for RSA key
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:133)
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:356)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:312)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:303)
    at java.base/sun.security.ssl.DHServerKeyExchange$DHServerKeyExchangeMessage.<init>(DHServerKeyExchange.java:137)
    at java.base/sun.security.ssl.DHServerKeyExchange$DHServerKeyExchangeProducer.produce(DHServerKeyExchange.java:481)
    at java.base/sun.security.ssl.ClientHello$T12ClientHelloConsumer.consume(ClientHello.java:1120)
    at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:853)
    at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:812)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:458)
    at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:199)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1501)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1415)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:450)
    at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:915)
    at java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:1006)
    at java.base/java.io.InputStream.read(InputStream.java:218)
    at com.tencent.tls.Utils.readIn(Utils.java:166)
    at com.tencent.tls.JdkServer.acceptNoEx(JdkServer.java:107)
    at com.tencent.tls.TlsServer.main(TlsServer.java:74)}
```
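The fail-fast check the description asks for, as an added sketch that is not the JDK's code: parse the signature_algorithms extension body while consuming ClientHello, intersect it with the schemes usable with the local key, and reject before any ServerHello is produced. The class, method names and local scheme list are hypothetical; the code points are from the IANA TLS SignatureScheme registry, and the byte arrays are constructed sample inputs.

```java
import java.nio.ByteBuffer;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.net.ssl.SSLHandshakeException;

public class SigAlgFailFast {
    // Schemes this hypothetical server can sign with using its RSA key
    // (assumed local configuration, not the JDK's default list).
    static final Map<Integer, String> LOCAL_RSA = Map.of(
        0x0804, "rsa_pss_rsae_sha256",
        0x0401, "rsa_pkcs1_sha256",
        0x0501, "rsa_pkcs1_sha384");

    // Parse the extension_data of signature_algorithms:
    // a uint16 list length followed by uint16 scheme code points.
    static List<Integer> parse(byte[] extData) throws SSLHandshakeException {
        ByteBuffer b = ByteBuffer.wrap(extData);
        if (b.remaining() < 2)
            throw new SSLHandshakeException("truncated signature_algorithms");
        int len = b.getShort() & 0xFFFF;
        if (len == 0 || (len & 1) != 0 || len != b.remaining())
            throw new SSLHandshakeException("malformed signature_algorithms");
        List<Integer> ids = new ArrayList<>();
        while (b.hasRemaining()) ids.add(b.getShort() & 0xFFFF);
        return ids;
    }

    // Runs while ClientHello is consumed, before ServerHello, Certificate
    // or ServerKeyExchange are built. Unrecognized code points are skipped.
    static String selectOrFail(byte[] extData) throws SSLHandshakeException {
        for (int id : parse(extData)) {          // peer preference order
            String name = LOCAL_RSA.get(id);
            if (name != null) return name;
        }
        throw new SSLHandshakeException("No supported signature algorithm");
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: ed25519 plus an unknown code point 0xFEFE,
        // then ed25519 followed by rsa_pkcs1_sha256.
        byte[] unsupported = {0x00, 0x04, 0x08, 0x07, (byte) 0xFE, (byte) 0xFE};
        byte[] supported   = {0x00, 0x04, 0x08, 0x07, 0x04, 0x01};
        System.out.println(selectOrFail(supported));
        try {
            selectOrFail(unsupported);
        } catch (SSLHandshakeException e) {
            System.out.println("fail fast: " + e.getMessage());
        }
    }
}
```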
- backported by
  - JDK-8374192 JSSE should fail fast if there isn't supported signature algorithm (Resolved)
- relates to
  - JDK-8242141 New System Properties to configure the TLS signature schemes (Resolved)
- links to
  - Commit: openjdk/jdk/99b4bab3
  - Commit(master): openjdk/jdk11u-dev/7441d387
  - Review: openjdk/jdk/2876
  - Review(master): openjdk/jdk11u-dev/3126