Re: Workaround for JDK 14.0.1 and TLS: -Djdk.tls.server.enableSessionTicketExtension=false

[Peter Firmstone]

Thanks Shawn,

I've been testing on JDK 11 and 13 recently, I've just downloaded JDK 14.0.1
I ran the qa suite lookupservice tests with JSSE enabled (Using qa suite 
on JGDMS which is working with JSSE).

Confirmed the tests hang and fail.

Looked at JDK-8242008

Notably:  "SSLSessions obtained after an initial connection may return a 
null value when its getSessionContext() method is called."

Worked around this below by obtaining local certificate for valid session.

Ran tests again.

Confirming tests are now passing...  Will run some more.

Regards,

Peter.

    /**
     * Returns the principal that the server used to authenticate for the
     * specified session.  Returns null if the session is not found or 
if the
     * server did not authenticate itself.
     */
    X509Certificate getServerCertificate(SSLSession session) {
        X509Certificate cert = null;
    synchronized (credentialCache) {
        if (sslSessionContext.getSession(session.getId()) != null) {
        Object val = credentialCache.get(
            Utilities.getKeyAlgorithm(session.getCipherSuite()));
        if (val instanceof X500PrivateCredential) {
            X500PrivateCredential cred = (X500PrivateCredential) val;
            if (!cred.isDestroyed()) {
            cert= cred.getCertificate();
            }
        }
        }
    }
        if (cert == null && session.isValid()){ //Stateless connection.
            Certificate [] certs = session.getLocalCertificates();
            if (certs[0] instanceof X509Certificate) {
                cert = (X509Certificate) certs[0];
            }
        }
        return cert;
    }

On 6/1/2020 5:41 PM, Shawn Ellis wrote:
Hello,

I've seen a TLS problem with JDK 14.0.1 and Apache River 3.0 that I want to share in 
case someone else runs into the same issue. A client will receive a "Contraints 
are not supported” error when attempting to perform a reggie lookup when using TLS. 
The call to ServerAuthManager.getServerCertificate() returns null instead of the 
server certificate because the sslSessionContext doesn't have any session ids.

ServerAuthManager.java:113
if (sslSessionContext.getSession(session.getId()) != null)  {  // 
sslSessionContext.getSession() returns null with JDK 14.0.1
        // returns the server certificate
}

The workaround is to use -Djdk.tls.server.enableSessionTicketExtension=false on the 
server or use JDK 15 according to the OpenJDK bug report: 
https://bugs.openjdk.java.net/browse/JDK-8242008 
<https://bugs.openjdk.java.net/browse/JDK-8242008>