Re: Workaround for JDK 14.0.1 and TLS: -Djdk.tls.server.enableSessionTicketExtension=false
Just confirming I've found failing tests, still working on it
On 6/1/2020 10:12 PM, Peter Firmstone wrote:
Thanks Shawn,
I've been testing on JDK 11 and 13 recently, I've just downloaded JDK
14.0.1
I ran the qa suite lookupservice tests with JSSE enabled (Using qa
suite on JGDMS which is working with JSSE).
Confirmed the tests hang and fail.
Looked at JDK-8242008
Notably: "SSLSessions obtained after an initial connection may return
a null value when its getSessionContext() method is called."
Worked around this below by obtaining local certificate for valid
session.
Ran tests again.
Confirming tests are now passing... Will run some more.
Regards,
Peter.
/**
* Returns the principal that the server used to authenticate for the
* specified session. Returns null if the session is not found or
if the
* server did not authenticate itself.
*/
X509Certificate getServerCertificate(SSLSession session) {
X509Certificate cert = null;
synchronized (credentialCache) {
if (sslSessionContext.getSession(session.getId()) != null) {
Object val = credentialCache.get(
Utilities.getKeyAlgorithm(session.getCipherSuite()));
if (val instanceof X500PrivateCredential) {
X500PrivateCredential cred = (X500PrivateCredential) val;
if (!cred.isDestroyed()) {
cert= cred.getCertificate();
}
}
}
}
if (cert == null && session.isValid()){ //Stateless connection.
Certificate [] certs = session.getLocalCertificates();
if (certs[0] instanceof X509Certificate) {
cert = (X509Certificate) certs[0];
}
}
return cert;
}
On 6/1/2020 5:41 PM, Shawn Ellis wrote:
Hello,
I've seen a TLS problem with JDK 14.0.1 and Apache River 3.0 that I
want to share in case someone else runs into the same issue. A client
will receive a "Contraints are not supported” error when attempting
to perform a reggie lookup when using TLS. The call to
ServerAuthManager.getServerCertificate() returns null instead of the
server certificate because the sslSessionContext doesn't have any
session ids.
ServerAuthManager.java:113
if (sslSessionContext.getSession(session.getId()) != null) { //
sslSessionContext.getSession() returns null with JDK 14.0.1
// returns the server certificate
}
The workaround is to use
-Djdk.tls.server.enableSessionTicketExtension=false on the server or
use JDK 15 according to the OpenJDK bug report:
https://bugs.openjdk.java.net/browse/JDK-8242008
Re: Workaround for JDK 14.0.1 and TLS: -Djdk.tls.server.enableSessionTicketExtension=false
Thanks Shawn,
I've been testing on JDK 11 and 13 recently, I've just downloaded JDK 14.0.1
I ran the qa suite lookupservice tests with JSSE enabled (Using qa suite
on JGDMS which is working with JSSE).
Confirmed the tests hang and fail.
Looked at JDK-8242008
Notably: "SSLSessions obtained after an initial connection may return a
null value when its getSessionContext() method is called."
Worked around this below by obtaining local certificate for valid session.
Ran tests again.
Confirming tests are now passing... Will run some more.
Regards,
Peter.
/**
* Returns the principal that the server used to authenticate for the
* specified session. Returns null if the session is not found or
if the
* server did not authenticate itself.
*/
X509Certificate getServerCertificate(SSLSession session) {
X509Certificate cert = null;
synchronized (credentialCache) {
if (sslSessionContext.getSession(session.getId()) != null) {
Object val = credentialCache.get(
Utilities.getKeyAlgorithm(session.getCipherSuite()));
if (val instanceof X500PrivateCredential) {
X500PrivateCredential cred = (X500PrivateCredential) val;
if (!cred.isDestroyed()) {
cert= cred.getCertificate();
}
}
}
}
if (cert == null && session.isValid()){ //Stateless connection.
Certificate [] certs = session.getLocalCertificates();
if (certs[0] instanceof X509Certificate) {
cert = (X509Certificate) certs[0];
}
}
return cert;
}
On 6/1/2020 5:41 PM, Shawn Ellis wrote:
Hello,
I've seen a TLS problem with JDK 14.0.1 and Apache River 3.0 that I want to share in
case someone else runs into the same issue. A client will receive a "Contraints
are not supported” error when attempting to perform a reggie lookup when using TLS.
The call to ServerAuthManager.getServerCertificate() returns null instead of the
server certificate because the sslSessionContext doesn't have any session ids.
ServerAuthManager.java:113
if (sslSessionContext.getSession(session.getId()) != null) { //
sslSessionContext.getSession() returns null with JDK 14.0.1
// returns the server certificate
}
The workaround is to use -Djdk.tls.server.enableSessionTicketExtension=false on the
server or use JDK 15 according to the OpenJDK bug report:
https://bugs.openjdk.java.net/browse/JDK-8242008
Workaround for JDK 14.0.1 and TLS: -Djdk.tls.server.enableSessionTicketExtension=false
Hello,
I've seen a TLS problem with JDK 14.0.1 and Apache River 3.0 that I want to
share in case someone else runs into the same issue. A client will receive a
"Contraints are not supported” error when attempting to perform a reggie lookup
when using TLS. The call to ServerAuthManager.getServerCertificate() returns
null instead of the server certificate because the sslSessionContext doesn't
have any session ids.
ServerAuthManager.java:113
if (sslSessionContext.getSession(session.getId()) != null) { //
sslSessionContext.getSession() returns null with JDK 14.0.1
// returns the server certificate
}
The workaround is to use -Djdk.tls.server.enableSessionTicketExtension=false on
the server or use JDK 15 according to the OpenJDK bug report:
https://bugs.openjdk.java.net/browse/JDK-8242008
