[Bug 67938] Tomcat mishandles large client hello messages

2023-11-03 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=67938

Mark Thomas  changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution|--- |FIXED

--- Comment #6 from Mark Thomas  ---
Fixed in:
- 11.0.x for 11.0.0-M14 onwards
- 10.1.x for 10.1.16 onwards
-  9.0.x for  9.0.83 onwards
-  8.5.x for  8.5.96 onwards

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[Bug 67938] Tomcat mishandles large client hello messages

2023-11-03 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=67938

--- Comment #5 from Mark Thomas  ---
Many thanks for the clear, reproducible test case. I am able to reproduce this.

I haven't confirmed the analysis but it looks right.

I'm looking at potential fixes now.




[Bug 67938] Tomcat mishandles large client hello messages

2023-11-01 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=67938

--- Comment #4 from Stephen Higgs  ---
Reproducer Steps


This reproducer creates an artificially large ClientHello that causes Tomcat to
respond with an SSL alert on TLS 1.3 session resumption.  In this test case, a
certificate extension with a very long string value is added to the server's
certificate.  Wireshark analysis shows the ClientHello preshared key identity
can become very large with a large certificate.  Mutual authentication also
increases the size of the identity.

In the following test, the first openssl call will succeed while the second one
will fail.


Step 1 - generate a large certificate
-------------------------------------

$ cat openssl.cnf 
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no

[req_distinguished_name]
C   = NA
ST  = NA
L   = NA
O   = NA
OU  = NA
CN  = localhost

[req_ext]
subjectAltName = @alternate_names

[alternate_names]
DNS.1 = localhost
DNS.2 = *.localhost

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:true
subjectAltName = @alternate_names
keyUsage = digitalSignature, keyEncipherment
2.999 = ASN1:UTF8String:LONGSTRING


$ sed "s/LONGSTRING/$(printf '%.0sx' {0..16000})/g" ./openssl.cnf > openssl-long.cnf

$ cat create-cert.sh 
#!/bin/bash

# Self-signed certificate carrying the v3_ca extensions, including the ~16 KB 2.999 string
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 7 -nodes \
    -config ./openssl-long.cnf -extensions v3_ca
# Bundle key and certificate into PKCS#12, then convert to the JKS keystore Tomcat will load
openssl pkcs12 -inkey key.pem -in cert.pem -export -out keystore.p12 \
    -password pass:changeit -name my
keytool -importkeystore -srckeystore keystore.p12 -destkeystore keystore.jks \
    -srcstoretype PKCS12 -deststoretype jks -deststorepass changeit -srcstorepass changeit

$ ./create-cert.sh


Step 2 - install cert and start Tomcat
--------------------------------------


$ grep --after-context 8 "

$ cp $CERT_DIR/keystore.jks conf/keystore.jks

$ bin/catalina.sh run

Step 3 - test
-------------

$ cat test.sh 
#!/bin/bash

# First connection: full TLS 1.3 handshake, save the session (ticket) to ./session
echo -en "GET / HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n\r\n" | \
    openssl s_client -connect localhost:8443 -sess_out session -tls1_3 -quiet -CAfile=cert.pem
# Second connection: resume with the saved session; this ClientHello carries the PSK identity
echo -en "GET / HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n\r\n" | \
    openssl s_client -connect localhost:8443 -sess_in session -tls1_3 -quiet -CAfile=cert.pem

$ ./test.sh 
...
003E54FCFD7E:error:0A000438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:ssl/record/rec_layer_s3.c:1586:SSL alert number 80

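The reproducer above shows the symptom (an internal_error alert once the resumed ClientHello carries a very large pre_shared_key identity) but not the framing concern a server-side ClientHello reader has to get right. The following is an added example, not code from this bug report or from Tomcat, and it does not model Tomcat's own extractor: a small Python model of TLS 1.3 record and handshake framing per RFC 8446. It builds a ClientHello whose PSK identity is an arbitrary length of constructed filler (not a real ticket), fragments it into TLSPlaintext records of at most 2^14 bytes as the RFC requires, and then reassembles and parses it the way a robust reader must: a ClientHello that does not fit in the first record is "need more data", not a malformed hello. The identity lengths, the zeroed random, the NeedMoreData signal and the helper names are all assumptions of this example.

```python
import struct

# TLS constants from RFC 8446 (content type, handshake type, extension ids).
TLS_HANDSHAKE = 0x16
HT_CLIENT_HELLO = 0x01
EXT_PRE_SHARED_KEY = 41
EXT_SUPPORTED_VERSIONS = 43
MAX_PLAINTEXT = 2 ** 14          # a TLSPlaintext fragment is at most 2^14 bytes


class NeedMoreData(Exception):
    """Buffer ends before the ClientHello is complete: read more, do not fail."""


def _vec(data, size):
    """Length-prefixed vector with a `size`-byte big-endian length."""
    return len(data).to_bytes(size, "big") + data


def build_client_hello(psk_identity_len):
    """Minimal TLS 1.3 ClientHello whose pre_shared_key identity is
    `psk_identity_len` bytes of constructed filler (assumption: not a real ticket)."""
    # OfferedPsks: identities<7..2^16-1> followed by binders<33..2^16-1>
    identity = _vec(b"\x42" * psk_identity_len, 2) + b"\x00" * 4   # + obfuscated_ticket_age
    binder = _vec(b"\x00" * 32, 1)                                  # SHA-256 sized placeholder
    psk = _vec(identity, 2) + _vec(binder, 2)
    exts = (struct.pack("!HH", EXT_SUPPORTED_VERSIONS, 3) + b"\x02\x03\x04"
            + struct.pack("!HH", EXT_PRE_SHARED_KEY, len(psk)) + psk)
    body = (b"\x03\x03"                 # legacy_version
            + b"\x00" * 32              # random (zeros: constructed sample only)
            + _vec(b"", 1)              # legacy_session_id
            + _vec(b"\x13\x01", 2)      # cipher_suites: TLS_AES_128_GCM_SHA256
            + _vec(b"\x00", 1)          # legacy_compression_methods
            + _vec(exts, 2))
    return bytes([HT_CLIENT_HELLO]) + _vec(body, 3)   # Handshake: type + 24-bit length


def to_records(handshake):
    """Fragment one handshake message into TLSPlaintext records (<= 2^14 bytes each)."""
    out = b""
    for i in range(0, len(handshake), MAX_PLAINTEXT):
        frag = handshake[i:i + MAX_PLAINTEXT]
        out += struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(frag)) + frag
    return out


def parse_client_hello(body):
    """Return {extension_type: extension_data} from a complete ClientHello body."""
    p = 2 + 32                                       # legacy_version + random
    p += 1 + body[p]                                 # legacy_session_id
    p += 2 + int.from_bytes(body[p:p + 2], "big")    # cipher_suites
    p += 1 + body[p]                                 # legacy_compression_methods
    ext_total = int.from_bytes(body[p:p + 2], "big")
    p += 2
    if p + ext_total != len(body):
        raise ValueError("extensions length does not match ClientHello length")
    exts = {}
    while p < len(body):
        ext_type, elen = struct.unpack("!HH", body[p:p + 4])
        p += 4
        exts[ext_type] = body[p:p + elen]
        p += elen
    return exts


def extract_client_hello(buf):
    """Reassemble the handshake stream across records, then parse the ClientHello.
    Returns (extensions, bytes_consumed); raises NeedMoreData on a short buffer."""
    hs, pos = b"", 0
    while True:
        if len(hs) >= 4:
            hs_len = int.from_bytes(hs[1:4], "big")
            if len(hs) >= 4 + hs_len:
                break                                # whole handshake message in hand
        if pos + 5 > len(buf):
            raise NeedMoreData("record header incomplete")
        ctype, _ver, rlen = struct.unpack("!BHH", buf[pos:pos + 5])
        if ctype != TLS_HANDSHAKE:
            raise ValueError("expected a handshake record")
        if rlen > MAX_PLAINTEXT:
            raise ValueError("record exceeds 2^14 bytes")
        if pos + 5 + rlen > len(buf):
            raise NeedMoreData("record body incomplete")
        hs += buf[pos + 5:pos + 5 + rlen]
        pos += 5 + rlen
    if hs[0] != HT_CLIENT_HELLO:
        raise ValueError("first handshake message is not a ClientHello")
    return parse_client_hello(hs[4:4 + hs_len]), pos


def fits_one_record(buf):
    """True if the first record alone holds the whole ClientHello, the assumption a
    single-buffer reader silently makes and which a large PSK identity breaks."""
    _ctype, _ver, rlen = struct.unpack("!BHH", buf[:5])
    frag = buf[5:5 + rlen]
    return len(frag) >= 4 and len(frag) - 4 >= int.from_bytes(frag[1:4], "big")


def is_incomplete(buf):
    """True if `buf` is a valid prefix that simply ends before the ClientHello does."""
    try:
        extract_client_hello(buf)
        return False
    except NeedMoreData:
        return True


def demo(psk_identity_len):
    """Build, fragment, reassemble; report sizes for a given PSK identity length."""
    wire = to_records(build_client_hello(psk_identity_len))
    exts, consumed = extract_client_hello(wire)
    return {"wire_bytes": len(wire), "consumed": consumed,
            "one_record": fits_one_record(wire),
            "psk_ext_bytes": len(exts[EXT_PRE_SHARED_KEY])}


if __name__ == "__main__":
    for n in (64, 20000):      # small resumption vs. one with a ~20 KB identity
        print(n, demo(n))
```

With a 64-byte identity the whole hello fits in one 170-byte record; with a 20000-byte identity the same message spans two records, so a reader that inspects only the first record sees a truncated handshake header and length. The check that matters for a server is the distinction between NeedMoreData (keep reading from the socket) and ValueError (reject the connection); collapsing the two is what turns a large but valid resumption into a failed handshake.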



[Bug 67938] Tomcat mishandles large client hello messages

2023-10-27 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=67938

--- Comment #3 from Aaron Ogburn  ---
Credit and thanks to Francisco Ferrari and Martin Balao from the OpenJDK
engineering team for their analysis leading to this report.




[Bug 67938] Tomcat mishandles large client hello messages

2023-10-27 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=67938

--- Comment #2 from Aaron Ogburn  ---
Source code references pertaining to the above:

[1] https://github.com/apache/tomcat/blob/10.1.9/java/org/apache/tomcat/util/net/SecureNioChannel.java#L147
[2] https://github.com/apache/tomcat/blob/10.1.9/java/org/apache/tomcat/util/net/SecureNioChannel.java#L248
[3] https://github.com/apache/tomcat/blob/10.1.9/java/org/apache/tomcat/util/net/TLSClientHelloExtractor.java#L112
[4] https://github.com/apache/tomcat/blob/10.1.9/java/org/apache/tomcat/util/net/SecureNioChannel.java#L322
[5] https://github.com/apache/tomcat/blob/10.1.9/java/org/apache/tomcat/util/net/SecureNioChannel.java#L460
[6] https://github.com/apache/tomcat/blob/10.1.9/java/org/apache/tomcat/util/net/SecureNioChannel.java#L462
[7] https://github.com/apache/tomcat/blob/10.1.9/java/org/apache/tomcat/util/net/SecureNioChannel.java#L468
[8] https://github.com/apache/tomcat/blob/10.1.9/java/org/apache/tomcat/util/net/SecureNioChannel.java#L478




[Bug 67938] Tomcat mishandles large client hello messages

2023-10-27 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=67938

--- Comment #1 from Aaron Ogburn  ---
A backport (https://bugs.openjdk.org/browse/JDK-8318950) is being pursued to
reduce the message size from a client in such a case on OpenJDK 17.  But a
Tomcat level fix may still be required in the end for a large message in some
other scenario.
