Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8277881

Missing SessionID in TLS1.3 resumption in compatibility mode

XMLWordPrintable

    • b04
    • generic
    • generic

        A DESCRIPTION OF THE PROBLEM :
        originally reported here: https://github.com/openjdk/jdk/pull/6084#discussion_r742347040
        When jdk.tls.client.useCompatibilityMode is true (default), TLSv1.3 ClientHello message should always contain a non-empty SessionID, as defined in https://datatracker.ietf.org/doc/html/rfc8446#appendix-D.4

        However, the SessionID is empty when a TLSv1.3 session is resumed:
        - sessionId is set to empty here https://github.com/openjdk/jdk/blob/04a806ec86a388b8de31d42f904c4321beb69e14/src/java.base/share/classes/sun/security/ssl/ClientHello.java#L406
        - not updated because it's TLS 1.3 https://github.com/openjdk/jdk/blob/04a806ec86a388b8de31d42f904c4321beb69e14/src/java.base/share/classes/sun/security/ssl/ClientHello.java#L535
        - not updated because session is not null https://github.com/openjdk/jdk/blob/04a806ec86a388b8de31d42f904c4321beb69e14/src/java.base/share/classes/sun/security/ssl/ClientHello.java#L577

        It appears to work reasonably well with middleboxes, but one of our customers reported a broken TLS1.3 server implementation that skips ServerHello message (and immediately sends ChangeCipherSpec) when SessionID in ClientHello is empty

        STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
        Run the following code with -Djavax.net.debug=ssl,handshake

        public static void main(String[] args) throws NoSuchAlgorithmException, IOException {
        String HOST = "bugreport.java.com";
        int PORT = 443;
        SSLContext ctx = SSLContext.getDefault();
        SSLSocketFactory fac = ctx.getSocketFactory();
        Socket cli = fac.createSocket(HOST, PORT);
        cli.getOutputStream().write(0);
        cli.shutdownOutput();
        cli.getInputStream().read();
        Socket cli2 = fac.createSocket(HOST, PORT);
        cli2.getOutputStream().write(0);
        }
        Search output for "Produced ClientHello handshake message"

        EXPECTED VERSUS ACTUAL BEHAVIOR :
        EXPECTED -
        Both ClientHello messages produced contain non-empty SessionIDs
        ACTUAL -
        Only the first ClientHello contains sessionID, the second one does not

        CUSTOMER SUBMITTED WORKAROUND :
        Disable TLS 1.3 when communicating with broken server, fall back to TLS 1.2

        FREQUENCY : always


              ascarpino Anthony Scarpino
              webbuggrp Webbug Group
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

                Created:
                Updated:
                Resolved: