Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8277881

Missing SessionID in TLS1.3 resumption in compatibility mode

    XMLWordPrintable

Details

    • b04
    • generic
    • generic

    Backports

      Description

        A DESCRIPTION OF THE PROBLEM :
        originally reported here: https://github.com/openjdk/jdk/pull/6084#discussion_r742347040
        When jdk.tls.client.useCompatibilityMode is true (default), TLSv1.3 ClientHello message should always contain a non-empty SessionID, as defined in https://datatracker.ietf.org/doc/html/rfc8446#appendix-D.4

        However, the SessionID is empty when a TLSv1.3 session is resumed:
        - sessionId is set to empty here https://github.com/openjdk/jdk/blob/04a806ec86a388b8de31d42f904c4321beb69e14/src/java.base/share/classes/sun/security/ssl/ClientHello.java#L406
        - not updated because it's TLS 1.3 https://github.com/openjdk/jdk/blob/04a806ec86a388b8de31d42f904c4321beb69e14/src/java.base/share/classes/sun/security/ssl/ClientHello.java#L535
        - not updated because session is not null https://github.com/openjdk/jdk/blob/04a806ec86a388b8de31d42f904c4321beb69e14/src/java.base/share/classes/sun/security/ssl/ClientHello.java#L577

        It appears to work reasonably well with middleboxes, but one of our customers reported a broken TLS1.3 server implementation that skips ServerHello message (and immediately sends ChangeCipherSpec) when SessionID in ClientHello is empty

        STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
        Run the following code with -Djavax.net.debug=ssl,handshake

        public static void main(String[] args) throws NoSuchAlgorithmException, IOException {
        String HOST = "bugreport.java.com";
        int PORT = 443;
        SSLContext ctx = SSLContext.getDefault();
        SSLSocketFactory fac = ctx.getSocketFactory();
        Socket cli = fac.createSocket(HOST, PORT);
        cli.getOutputStream().write(0);
        cli.shutdownOutput();
        cli.getInputStream().read();
        Socket cli2 = fac.createSocket(HOST, PORT);
        cli2.getOutputStream().write(0);
        }
        Search output for "Produced ClientHello handshake message"

        EXPECTED VERSUS ACTUAL BEHAVIOR :
        EXPECTED -
        Both ClientHello messages produced contain non-empty SessionIDs
        ACTUAL -
        Only the first ClientHello contains sessionID, the second one does not

        CUSTOMER SUBMITTED WORKAROUND :
        Disable TLS 1.3 when communicating with broken server, fall back to TLS 1.2

        FREQUENCY : always


        Attachments

          Issue Links

            backported by

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8295928 Missing SessionID in TLS1.3 resumption in compatibility mode

            • P4 - Minor loss of function, or other problem where easy workaround is present.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8296122 Missing SessionID in TLS1.3 resumption in compatibility mode

            • P4 - Minor loss of function, or other problem where easy workaround is present.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8296128 Missing SessionID in TLS1.3 resumption in compatibility mode

            • P4 - Minor loss of function, or other problem where easy workaround is present.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8296475 Missing SessionID in TLS1.3 resumption in compatibility mode

            • P4 - Minor loss of function, or other problem where easy workaround is present.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8300758 Missing SessionID in TLS1.3 resumption in compatibility mode

            • P4 - Minor loss of function, or other problem where easy workaround is present.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8300760 Missing SessionID in TLS1.3 resumption in compatibility mode

            • P4 - Minor loss of function, or other problem where easy workaround is present.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8300761 Missing SessionID in TLS1.3 resumption in compatibility mode

            • P4 - Minor loss of function, or other problem where easy workaround is present.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8306465 Missing SessionID in TLS1.3 resumption in compatibility mode

            • P4 - Minor loss of function, or other problem where easy workaround is present.
            • Resolved
            links to

            Commit Commit openjdk/jdk8u-dev/b94b5684

            Commit Commit openjdk/jdk11u-dev/8f5ae914

            Commit Commit openjdk/jdk13u-dev/34bbb8bc

            Commit Commit openjdk/jdk15u-dev/88a30519

            Commit Commit openjdk/jdk17u-dev/5ff0ebd5

            Commit Commit openjdk/jdk/9d99a377

            Review Review openjdk/jdk8u-dev/300

            Review Review openjdk/jdk11u-dev/1496

            Review Review openjdk/jdk13u-dev/423

            Review Review openjdk/jdk15u-dev/297

            Review Review openjdk/jdk17u-dev/807

            Review Review openjdk/jdk/6583

            Activity

              People

                ascarpino Anthony Scarpino
                webbuggrp Webbug Group
                Votes:
                0 Vote for this issue
                Watchers:
                8 Start watching this issue

                Dates

                  Created:
                  Updated:
                  Resolved: