Bug
Resolution: Unresolved
P3
None
22, 23
ADDITIONAL SYSTEM INFORMATION :
OS: Oracle Linux Server release 8.6
JDK: Java(TM) SE Runtime Environment (build 21.0.6+8-LTS-188)
A DESCRIPTION OF THE PROBLEM :
Problem Description
-------------------
A simple HTTP client (see the attached H2SNIClient.java, which uses java.net.http.HttpClient) sends HTTPS requests to a server (Tomcat 9) capable of handling SNI.
The server (Tomcat 9) supports SNI with hostnames wls01 and wls02 configured to use WLS01.jks and WLS02.jks respectively, on port 17703. The client (H2SNIClient.java) can optionally send requests using the HTTP/1.1 or HTTP/2 protocol, with a given SNI host.
In the debug response for the request sent with SNI host 'wls02' (along with the -Djavax.net.debug=ssl:handshake JVM arg), we find the certificate with 'CN=WLS01' being used in the case of JDK-23 and JDK-24. However, in the case of JDK-21 and JDK-25, we find the certificate 'CN=WLS02' used as expected.
Therefore, this is a regression on JDK-23 and JDK-24.
Test Files
----------
H2SNIClient.zip contains the test project along with the following files
test.sh
- Sends HTTP/1.1 and HTTP/2 SNI requests using various JDKs (by setting JAVA_HOME) and prints the certificate's 'subject'
- Requests are sent to a simple web-app running in Tomcat 9 server.
JGet.jks
- Client keystore that trusts the CAs in WLS01.jks and WLS02.jks
WLS01.jks
- JKS configured for SNI host wls01 (See tomcat config below)
WLS02.jks
- JKS configured for SNI host wls02 (See tomcat config below)
Tomcat conf/server.xml config
-----------------------------
<Service name="Catalina">
  ...
  ...
  <Connector port="17703" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" keystoreFile="conf/WLS01.jks" keystorePass="welcome1" clientAuth="false"
             maxThreads="200">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    <SSLHostConfig hostName="wls01">
      <Certificate certificateKeystoreFile="conf/WLS01.jks" certificateKeystorePassword="welcome1" type="RSA"/>
    </SSLHostConfig>
    <SSLHostConfig hostName="wls02">
      <Certificate certificateKeystoreFile="conf/WLS02.jks" certificateKeystorePassword="welcome1" type="RSA"/>
    </SSLHostConfig>
  </Connector>
</Service>
Output of test.sh
-----------------
HTTP/1.1 JDK-21
-------------------------------------------------------------------------------
"subject" : "CN=WLS02, OU=ST, O=Oracle, L=Bangalore, ST=Karnataka, C=IN",
"subject" : "CN=CA02, OU=ST, O=Oracle, L=Bangalore, ST=Karnataka, C=IN",
HTTP_1_1 200
HTTP/1.1 JDK-23
-------------------------------------------------------------------------------
"subject" : "CN=WLS01, OU=ST, O=Oracle, L=Bangalore, ST=Karnataka, C=IN",
"subject" : "CN=CA01, OU=ST, O=Oracle, L=Bangalore, ST=Karnataka, C=IN",
HTTP_1_1 200
HTTP/1.1 JDK-25
-------------------------------------------------------------------------------
"subject" : "CN=WLS02, OU=ST, O=Oracle, L=Bangalore, ST=Karnataka, C=IN",
"subject" : "CN=CA02, OU=ST, O=Oracle, L=Bangalore, ST=Karnataka, C=IN",
HTTP_1_1 200
HTTP/2 JDK-21
-------------------------------------------------------------------------------
"subject" : "CN=WLS02, OU=ST, O=Oracle, L=Bangalore, ST=Karnataka, C=IN",
"subject" : "CN=CA02, OU=ST, O=Oracle, L=Bangalore, ST=Karnataka, C=IN",
HTTP_2 200
HTTP/2 JDK-23
-------------------------------------------------------------------------------
"subject" : "CN=WLS01, OU=ST, O=Oracle, L=Bangalore, ST=Karnataka, C=IN",
"subject" : "CN=CA01, OU=ST, O=Oracle, L=Bangalore, ST=Karnataka, C=IN",
HTTP_2 200
HTTP/2 JDK-25
-------------------------------------------------------------------------------
"subject" : "CN=WLS02, OU=ST, O=Oracle, L=Bangalore, ST=Karnataka, C=IN",
"subject" : "CN=CA02, OU=ST, O=Oracle, L=Bangalore, ST=Karnataka, C=IN",
HTTP_2 200
REGRESSION : Last worked in version 21.0.6
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1) Download H2SNIClient from <LINK>
2) Update JAVA_HOME paths in H2SNIClient/test.sh
3) Execute 'H2SNIClient/test.sh'
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
"subject" : "CN=WLS02, OU=ST, O=Oracle, L=Bangalore, ST=Karnataka, C=IN",
"subject" : "CN=CA02, OU=ST, O=Oracle, L=Bangalore, ST=Karnataka, C=IN",
ACTUAL -
"subject" : "CN=WLS01, OU=ST, O=Oracle, L=Bangalore, ST=Karnataka, C=IN",
"subject" : "CN=CA01, OU=ST, O=Oracle, L=Bangalore, ST=Karnataka, C=IN",
---------- BEGIN SOURCE ----------
Find test code at the following URL:
<LINK>
---------- END SOURCE ----------
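A stand-alone check for the behaviour reported above, added here as an example (it is not the attached H2SNIClient.java and not JDK code): it sets the SNI name through HttpClient.Builder#sslParameters and compares the CN of the leaf certificate the server presents with that name. The class name, the argument order and the "CN equals SNI host" comparison are assumptions that match this report's wls01/wls02 setup; the trust store is supplied through the standard javax.net.ssl.trustStore system properties.

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;

public class SniCertCheck {
    /** Returns the CN of an RFC 2253 subject DN, or null if it has none. */
    static String commonName(String subjectDn) throws Exception {
        for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) return rdn.getValue().toString();
        }
        return null;
    }

    /** Sends one GET with an explicit SNI name and returns the leaf certificate's CN. */
    static String servedCommonName(URI uri, String sniHost, HttpClient.Version version) throws Exception {
        SSLParameters params = new SSLParameters();
        params.setServerNames(List.of(new SNIHostName(sniHost)));
        HttpClient client = HttpClient.newBuilder()
                .version(version)
                .sslParameters(params)   // default SSLContext; trust store comes from system properties
                .build();
        HttpResponse<Void> response = client.send(
                HttpRequest.newBuilder(uri).GET().build(), HttpResponse.BodyHandlers.discarding());
        SSLSession session = response.sslSession()
                .orElseThrow(() -> new IllegalStateException("response was not received over TLS"));
        // Index 0 of the peer chain is the server's own (leaf) certificate.
        X509Certificate leaf = (X509Certificate) session.getPeerCertificates()[0];
        return commonName(leaf.getSubjectX500Principal().getName());
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: URL, SNI host (defaults to the URL host), "1.1" or "2".
        URI uri = URI.create(args[0]);
        String sniHost = args.length > 1 ? args[1] : uri.getHost();
        HttpClient.Version version = args.length > 2 && args[2].equals("1.1")
                ? HttpClient.Version.HTTP_1_1 : HttpClient.Version.HTTP_2;
        String cn = servedCommonName(uri, sniHost, version);
        boolean match = sniHost.equalsIgnoreCase(cn);
        System.out.printf("%s sni=%s leafCN=%s %s%n", version, sniHost, cn, match ? "OK" : "MISMATCH");
        System.exit(match ? 0 : 1);
    }
}
```

HttpClient keeps hostname verification enabled by default, so when the URL host does not match the certificate that is served, the request fails with an SSLHandshakeException instead of printing MISMATCH.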
Relates to: JDK-8346705 SNI not sent with Java 22+ using java.net.http.HttpClient.Builder#sslParameters (Resolved)