Details
-
Bug
-
Resolution: Fixed
-
P3
-
11
-
b24
-
Verified
Backports
| Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
|---|---|---|---|---|---|---|
| JDK-8208311 | 12 | Weijun Wang | P3 | Resolved | Fixed | b05 |
| JDK-8208411 | 11.0.2 | Weijun Wang | P3 | Resolved | Fixed | b01 |
| JDK-8209231 | 11.0.1 | Weijun Wang | P3 | Resolved | Fixed | b05 |
| JDK-8256868 | openjdk8u272 | Martin Balao | P3 | Closed | Fixed | b06 |
| JDK-8243729 | 8u261 | Prasadarao Koppula | P3 | Resolved | Fixed | b05 |
| JDK-8247063 | emb-8u261 | Prasadarao Koppula | P3 | Resolved | Fixed | team |
Description
A DESCRIPTION OF THE PROBLEM :
See workaround in https://github.com/square/okhttp/pull/4138, most concerning is having to assume any SSLException is an exception that could mean falling back to other connection specs (ciphers, tls versions etc).
OkHttp has nuanced logic in https://github.com/square/okhttp/blob/7135628c645892faf1a48a8cff464e0ed4ad88cb/okhttp/src/main/java/okhttp3/internal/connection/ConnectionSpecSelector.java#L83-L127 to determine whether to retry with a fallback
REGRESSION : Last worked in version 10.0.1
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Run tests for OkHttp on master
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Expected SSLProtocolException when the handshake fails, however getting more generic SSLException
ACTUAL -
HttpsURLConnection connection = (HttpsURLConnection) server.url("/").url().openConnection();
connection.setSSLSocketFactory(tlsNode.sslSocketFactory());
try {
connection.getInputStream();
fail();
} catch (SSLProtocolException expected) {
// RI response to the FAIL_HANDSHAKE
} catch (SSLHandshakeException expected) {
// Android's response to the FAIL_HANDSHAKE
+ } catch (SSLException expected) {
+ // JDK 1.9 response to the FAIL_HANDSHAKE
+ // javax.net.ssl.SSLException: Unexpected handshake message: client_hello
} catch (SocketException expected) {
// Conscrypt's response to the FAIL_HANDSHAKE
}
CUSTOMER SUBMITTED WORKAROUND :
https://github.com/square/okhttp/pull/4138
FREQUENCY : always
See workaround in https://github.com/square/okhttp/pull/4138, most concerning is having to assume any SSLException is an exception that could mean falling back to other connection specs (ciphers, tls versions etc).
OkHttp has nuanced logic in https://github.com/square/okhttp/blob/7135628c645892faf1a48a8cff464e0ed4ad88cb/okhttp/src/main/java/okhttp3/internal/connection/ConnectionSpecSelector.java#L83-L127 to determine whether to retry with a fallback
REGRESSION : Last worked in version 10.0.1
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Run tests for OkHttp on master
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Expected SSLProtocolException when the handshake fails, however getting more generic SSLException
ACTUAL -
HttpsURLConnection connection = (HttpsURLConnection) server.url("/").url().openConnection();
connection.setSSLSocketFactory(tlsNode.sslSocketFactory());
try {
connection.getInputStream();
fail();
} catch (SSLProtocolException expected) {
// RI response to the FAIL_HANDSHAKE
} catch (SSLHandshakeException expected) {
// Android's response to the FAIL_HANDSHAKE
+ } catch (SSLException expected) {
+ // JDK 1.9 response to the FAIL_HANDSHAKE
+ // javax.net.ssl.SSLException: Unexpected handshake message: client_hello
} catch (SocketException expected) {
// Conscrypt's response to the FAIL_HANDSHAKE
}
CUSTOMER SUBMITTED WORKAROUND :
https://github.com/square/okhttp/pull/4138
FREQUENCY : always
Attachments
Issue Links
- backported by
-
JDK-8208311 SSL Handshake failures are reported with more generic SSLException
-
- Resolved
-
-
-
- Resolved
-
-
-
- Resolved
-
-
-
- Resolved
-
-
-
- Resolved
-
-
-
- Closed
-
(1 backported by)