[Bug 67938] Tomcat mishandles large client hello messages
https://bz.apache.org/bugzilla/show_bug.cgi?id=67938

Mark Thomas changed:

           What    |Removed |Added
----------------------------------------------------------------------------
             Status|NEW     |RESOLVED
         Resolution|---     |FIXED

--- Comment #6 from Mark Thomas ---
Fixed in:
- 11.0.x for 11.0.0-M14 onwards
- 10.1.x for 10.1.16 onwards
- 9.0.x for 9.0.83 onwards
- 8.5.x for 8.5.96 onwards

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
--- Comment #5 from Mark Thomas ---
Many thanks for the clear, reproducible test case. I am able to reproduce this. I haven't confirmed the analysis but it looks right. I'm looking at potential fixes now.
--- Comment #4 from Stephen Higgs ---
Reproducer Steps

This reproducer creates an artificially large ClientHello that causes Tomcat to respond with an SSL alert on TLS 1.3 session resumption. In this test case, a certificate extension with a very long string value is added to the server's certificate. Wireshark analysis shows the ClientHello preshared key identity can become very large with a large certificate. Mutual authentication also increases the size of the identity.

In the following test, the first openssl call will succeed while the second one will fail.

STEP 1 - generate a large certificate
-------------------------------------

$ cat openssl.cnf
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no

[req_distinguished_name]
C = NA
ST = NA
L = NA
O = NA
OU = NA
CN = localhost

[req_ext]
subjectAltName = @alternate_names

[alternate_names]
DNS.1 = localhost
DNS.2 = *.localhost

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:true
subjectAltName = @alternate_names
keyUsage = digitalSignature, keyEncipherment
2.999 = ASN1:UTF8String:LONGSTRING

$ sed "s/LONGSTRING/$(printf '%.0sx' {0..16000})/g" ./openssl.cnf > openssl-long.cnf

$ cat create-cert.sh
#!/bin/bash
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 7 -nodes -config ./openssl-long.cnf -extensions v3_ca
openssl pkcs12 -inkey key.pem -in cert.pem -export -out keystore.p12 -password pass:changeit -name my
keytool -importkeystore -srckeystore keystore.p12 -destkeystore keystore.jks -srcstoretype PKCS12 -deststoretype jks -deststorepass changeit -srcstorepass changeit

$ ./create-cert.sh

Step 2 - install cert and start Tomcat
--------------------------------------

$ grep --after-context 8 "
$ cp $CERT_DIR/keystore.jks conf/keystore.jks
$ bin/catalina.sh run

Step 3 - test
-------------

$ cat test.sh
#!/bin/bash
echo -en "GET / HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n\r\n" | openssl s_client -connect localhost:8443 -sess_out session -tls1_3 -quiet -CAfile=cert.pem
echo -en "GET / HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n\r\n" | openssl s_client -connect localhost:8443 -sess_in session -tls1_3 -quiet -CAfile=cert.pem

$ ./test.sh
...
003E54FCFD7E:error:0A000438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:ssl/record/rec_layer_s3.c:1586:SSL alert number 80
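The reproducer above makes the ClientHello grow because the TLS 1.3 pre_shared_key identity (the session ticket the client echoes back on resumption) scales with the server's certificate. The following is an added example, not code from the bug report or from Tomcat: it builds a ClientHello carrying a pre_shared_key identity of a chosen size, fragments it into TLS records the way a client must once the message exceeds the 2^14-byte record limit (RFC 8446 section 5.1), and parses it back the way any extractor that peeks at the ClientHello before the SSLEngine sees it has to, reassembling the handshake message across records before reading the extensions. The ticket bytes, the SNI value and the zero binder are constructed stand-ins; the byte layouts follow RFC 8446 sections 4.1.2 and 4.2.11. The bug's root-cause analysis is not on this page, so the example shows the size mechanism the reproducer describes, not the specific Tomcat code path.

```python
# Added example (not Tomcat code, not from the bug report). Builds a TLS 1.3
# ClientHello with a pre_shared_key identity of a chosen size, splits it into
# TLS records, and parses it back record by record. Layouts follow RFC 8446
# sections 4.1.2 (ClientHello), 4.2.11 (pre_shared_key) and 5.1 (records).
import os
import struct

TLS_RECORD_HANDSHAKE = 0x16
TLS_MAX_PLAINTEXT = 2 ** 14          # RFC 8446 s.5.1: record plaintext is at most 2^14 bytes
EXT_SERVER_NAME = 0x0000
EXT_PRE_SHARED_KEY = 0x0029          # 41; must be the last extension in a ClientHello


def _ext(ext_type: int, body: bytes) -> bytes:
    return struct.pack(">HH", ext_type, len(body)) + body


def build_client_hello(identity_len: int, sni: str = "localhost") -> bytes:
    """Return a ClientHello handshake message: type (1) + 3-byte length + body."""
    sni_entry = b"\x00" + struct.pack(">H", len(sni)) + sni.encode()
    sni_ext = _ext(EXT_SERVER_NAME, struct.pack(">H", len(sni_entry)) + sni_entry)

    identity = bytes([0x42]) * identity_len    # constructed stand-in for a session ticket
    psk_identity = (struct.pack(">H", len(identity)) + identity
                    + struct.pack(">I", 0))     # obfuscated_ticket_age
    binder = b"\x00" * 32                       # HMAC placeholder; not validated here
    psk_body = (struct.pack(">H", len(psk_identity)) + psk_identity
                + struct.pack(">H", len(binder) + 1) + bytes([len(binder)]) + binder)
    psk_ext = _ext(EXT_PRE_SHARED_KEY, psk_body)

    extensions = sni_ext + psk_ext
    body = (b"\x03\x03" + os.urandom(32)             # legacy_version, random
            + b"\x00"                                 # legacy_session_id: empty
            + struct.pack(">H", 2) + b"\x13\x01"      # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                             # legacy_compression_methods: null
            + struct.pack(">H", len(extensions)) + extensions)
    return b"\x01" + len(body).to_bytes(3, "big") + body


def to_records(handshake: bytes) -> bytes:
    """Fragment a handshake message into TLS records of at most 2^14 bytes each."""
    out = b""
    for i in range(0, len(handshake), TLS_MAX_PLAINTEXT):
        chunk = handshake[i:i + TLS_MAX_PLAINTEXT]
        out += struct.pack(">BHH", TLS_RECORD_HANDSHAKE, 0x0303, len(chunk)) + chunk
    return out


def extract_client_hello(wire: bytes) -> dict:
    """Reassemble the ClientHello across records and report its size, SNI and PSK identity length."""
    pos, handshake, records = 0, b"", 0
    while pos + 5 <= len(wire):
        ctype, _ver, length = struct.unpack(">BHH", wire[pos:pos + 5])
        if ctype != TLS_RECORD_HANDSHAKE or length > TLS_MAX_PLAINTEXT:
            raise ValueError("not a well-formed handshake record")
        handshake += wire[pos + 5:pos + 5 + length]
        pos += 5 + length
        records += 1
        # Stop once the handshake header says the whole message has arrived.
        if len(handshake) >= 4 and len(handshake) >= 4 + int.from_bytes(handshake[1:4], "big"):
            break
    if len(handshake) < 4 or handshake[0] != 0x01:
        raise ValueError("first handshake message is not a ClientHello")
    hs_len = int.from_bytes(handshake[1:4], "big")
    if len(handshake) < 4 + hs_len:
        # This is the case a one-record reader gets wrong: the message continues in the next record.
        raise ValueError("ClientHello truncated: need more records")
    p = 4 + 2 + 32                                          # skip legacy_version and random
    p += 1 + handshake[p]                                   # legacy_session_id
    p += 2 + struct.unpack(">H", handshake[p:p + 2])[0]     # cipher_suites
    p += 1 + handshake[p]                                   # legacy_compression_methods
    ext_len = struct.unpack(">H", handshake[p:p + 2])[0]
    p += 2
    end = p + ext_len
    info = {"handshake_len": 4 + hs_len, "records": records, "sni": None, "psk_identity_len": 0}
    while p < end:
        etype, elen = struct.unpack(">HH", handshake[p:p + 4])
        body = handshake[p + 4:p + 4 + elen]
        if etype == EXT_SERVER_NAME:
            # body: list length (2), name_type (1), name length (2), name
            info["sni"] = body[5:5 + struct.unpack(">H", body[3:5])[0]].decode()
        elif etype == EXT_PRE_SHARED_KEY:
            # body: identities length (2), first identity length (2), ...
            info["psk_identity_len"] = struct.unpack(">H", body[2:4])[0]
        p += 4 + elen
    return info


if __name__ == "__main__":
    for n in (100, 20000):
        wire = to_records(build_client_hello(n))
        print(n, extract_client_hello(wire))
```

With a 100-byte identity the whole ClientHello fits in one record; with a 20000-byte identity, the order of magnitude the 16 KB certificate extension in the reproducer produces, it needs two, and a reader that looks only at the first record sees a truncated message. That is the check a practitioner wants when deciding whether a front-end parser is safe to put in front of the TLS engine.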
--- Comment #3 from Aaron Ogburn ---
Credit and thanks to Francisco Ferrari and Martin Balao from the OpenJDK engineering team for their analysis leading to this report.
--- Comment #2 from Aaron Ogburn ---
Source code references pertaining to the above:

[1] - https://github.com/apache/tomcat/blob/10.1.9/java/org/apache/tomcat/util/net/SecureNioChannel.java#L147
[2] - https://github.com/apache/tomcat/blob/10.1.9/java/org/apache/tomcat/util/net/SecureNioChannel.java#L248
[3] - https://github.com/apache/tomcat/blob/10.1.9/java/org/apache/tomcat/util/net/TLSClientHelloExtractor.java#L112
[4] - https://github.com/apache/tomcat/blob/10.1.9/java/org/apache/tomcat/util/net/SecureNioChannel.java#L322
[5] - https://github.com/apache/tomcat/blob/10.1.9/java/org/apache/tomcat/util/net/SecureNioChannel.java#L460
[6] - https://github.com/apache/tomcat/blob/10.1.9/java/org/apache/tomcat/util/net/SecureNioChannel.java#L462
[7] - https://github.com/apache/tomcat/blob/10.1.9/java/org/apache/tomcat/util/net/SecureNioChannel.java#L468
[8] - https://github.com/apache/tomcat/blob/10.1.9/java/org/apache/tomcat/util/net/SecureNioChannel.java#L478
--- Comment #1 from Aaron Ogburn ---
A backport (https://bugs.openjdk.org/browse/JDK-8318950) is being pursued to reduce the message size from a client in such a case on OpenJDK 17. But a Tomcat level fix may still be required in the end for a large message in some other scenario.