Thanks for the test!
Xuelei
On 8/26/2018 6:19 AM, Jaikiran Pai wrote:
I have now applied the patch to the JDK11 repo on top of:
hg sum
parent: 51151:1ddf9a99e4ad tip
Added tag jdk-11+28 for changeset 76072a077ee1
branch: default
and built the new images and ran the testsuite against this version. The tests passed without any issues. Ran the sample code from my original mail against this patched JDK 11 version and that too passed.
-Jaikiran
On 25/08/18 9:58 PM, Jaikiran Pai wrote:
Hi Xuelei,
I had the JDK 12 repo checked out already with the latest code as of today:
hg sum
parent: 51538:a716460217ed
8209911: More blob types in hs_err printout
branch: default
I applied the patch you had attached in this thread against this and
built it afresh.
With this new image, I was able to run the Apache Ant testsuite (the one
which was originally and still fails with JDK 11 RC build) without any
issues. I even ran the sample program that I had listed in this thread
against this patched 12.x build and that too went fine. I verified that
the patch has indeed taken effect by enabling javax.net.debug logging
and I do indeed see the new log:
javax.net.ssl|DEBUG|01|main|2018-08-25 21:20:57.860 IST|PreSharedKeyExtension.java:606|No session to resume.
javax.net.ssl|DEBUG|01|main|2018-08-25 21:20:57.860 IST|SSLExtensions.java:250|Ignore, context unavailable extension: pre_shared_key
javax.net.ssl|DEBUG|01|main|2018-08-25 21:20:57.864 IST|ClientHello.java:633|Produced ClientHello handshake message (
"ClientHello": {
"client version" : "TLSv1.2",
....
}
)
....
javax.net.ssl|DEBUG|01|main|2018-08-25 21:20:57.865 IST|SSLSocketOutputRecord.java:241|WRITE: TLS13 handshake, length = 446
javax.net.ssl|DEBUG|01|main|2018-08-25 21:20:58.664 IST|SSLSocketInputRecord.java:213|READ: TLSv1.2 handshake, length = 99
javax.net.ssl|DEBUG|01|main|2018-08-25 21:20:58.664 IST|SSLSocketInputRecord.java:249|READ: TLSv1.2 handshake, length = 99
javax.net.ssl|WARNING|01|main|2018-08-25 21:20:58.665 IST|SSLExtensions.java:79|Buggy supported_groups in ServerHello
javax.net.ssl|DEBUG|01|main|2018-08-25 21:20:58.667 IST|ServerHello.java:862|Consuming ServerHello handshake message (
"ServerHello": {
"server version" : "TLSv1.2",
"random" : "4C 62 53 A1 56 4D 82 EE 3A 44 E3 25 0D 2F BD
CB 02 EE FD 3B 8E 4E D1 2B 52 5F AD 5B 0B B5 BC 98",
"session id" : "A9 BC 19 7D 36 84 25 F8 6B 77 3F 1D 93 5E B4
52 DE AE 41 90 67 2B F2 80 BB 85 3B BE 36 A1 F3 1C",
"cipher suite" : "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030)",
"compression methods" : "00",
"extensions" : [
"renegotiation_info (65,281)": {
"renegotiated connection": [<no renegotiated connection>]
},
"server_name (0)": {
<empty extension_data field>
},
"ec_point_formats (11)": {
"formats": [uncompressed]
}
]
}
)
As for trying this against the JDK 11 repo, I have initiated a clone,
but it's going to take a while (as expected). I don't expect it to
finish soon, so I'm going to let it clone overnight and I will apply
this patch against that repo too and run this same testsuite against it.
I don't expect it to fail but I just want to make sure there aren't any
surprises. I will send out a note once that's done tomorrow.
I'll anyway be running some more extensive testsuites, over the next few
days, with this patched version and see how it goes.
Thank you very much for the quick response and the patch.
-Jaikiran
On 25/08/18 8:18 PM, Xuelei Fan wrote:
Hi Jaikiran,
Thank you very much for the help!
JDK 12 repo (JDK repo):
http://hg.openjdk.java.net/jdk/jdk
JDK 11 repo:
http://hg.openjdk.java.net/jdk/jdk11
The patch should work for both repositories.
Thanks,
Xuelei
On 8/25/2018 7:44 AM, Jaikiran Pai wrote:
Hi Xuelei,
I can definitely build JDK 12 (jdk repo) from source and apply your
attached patch and give it a try. As for JDK 11, I haven't been
following the version control discussions/process, does it have a
separate repo now? Or is it some branch within jdk repo itself? Either
way, once I know the right repo location, I can (and in fact prefer)
building that repo with this patch to give it a try.
-Jaikiran
On 25/08/18 8:10 PM, Xuelei Fan wrote:
Hi Jaikiran,
Could you build JDK 11 or JDK 12 from source code? I had a patch to
tolerate the extension in ServerHello handshake message. Please let
me know if it works or not.
If there are any other JDK 11 TLS problems with Apache Ant project,
I'd like to know as well.
Thanks,
Xuelei
On 8/25/2018 7:04 AM, Jaikiran Pai wrote:
Hi Xuelei,
On 25/08/18 7:20 PM, Xuelei Fan wrote:
Sending "supported_groups" in ServerHello does not comply to the
extension specification.
Agreed. However, given that both the client and server are using TLSv1.2
and this seems to be "working" before the newer TLSv1.3 changes, even in
recent JDK versions, is there a way the implementation could workaround
this so as to allow JDK 11 to communicate with such servers?
Is it possible the HTTPS server fix this problem?
I don't have access or control over that server, so don't really know
how it's configured or whether it can be fixed. It's a pretty frequently
used Maven repository hosted by the JBoss (Red Hat middleware) project
team. I suspect, it's not just limited to this server and could be a
common issue with some other servers too.
I filed a bug in OpenJDK for the tracking:
https://bugs.openjdk.java.net/browse/JDK-8209965
Thank you.
-Jaikiran
Thanks,
Xuelei
On 8/25/2018 5:03 AM, Jaikiran Pai wrote:
As noted in that exception message, it appears that the server is
sending a "supported_groups" extension in its ServerHello message
(TLSv1.2). Reading about it, this seems to be a common issue with
certain servers and certain SSL implementations have added support to be
lenient with such servers
https://github.com/openssl/openssl/pull/4463/files
-Jaikiran
On 25/08/18 11:58 AM, Jaikiran Pai wrote:
While testing the recently released RC of JDK11 against the Apache Ant
project, I happened to run into an odd error. I have now been able to
reproduce this using the following, pretty trivial code:
import java.net.URL;
import java.io.InputStream;
public class Fetch {
    public static void main(final String[] args) throws Exception {
        final URL targetURL = new URL("https://repository.jboss.org/nexus/content/groups/public/javax/media/jai-core/1.1.3/jai-core-1.1.3.pom");
        // opening the stream performs the TLS handshake that fails on the JDK 11 RC
        try (final InputStream is = targetURL.openConnection().getInputStream()) {
            is.read();
        }
        System.out.println("Done");
    }
}
All it does is opens a (HTTPS) connection against an endpoint to read
some content. This code works fine in Java 8 and even Java 10. I'm
pretty sure this was working fine even in Java 11 early access builds,
but I don't have any such build/binary at hand to be certain.
However, using the latest (OpenJDK) RC of Java 11 (both on Mac OS and
Linux) downloaded from[1]:
openjdk version "11" 2018-09-25
OpenJDK Runtime Environment 18.9 (build 11+28)
OpenJDK 64-Bit Server VM 18.9 (build 11+28, mixed mode)
it fails with:
Exception in thread "main" javax.net.ssl.SSLHandshakeException: extension (10) should not be presented in server_hello
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:255)
        at java.base/sun.security.ssl.SSLExtensions.<init>(SSLExtensions.java:71)
        at java.base/sun.security.ssl.ServerHello$ServerHelloMessage.<init>(ServerHello.java:173)
        at java.base/sun.security.ssl.ServerHello$ServerHelloConsumer.consume(ServerHello.java:864)
        at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
        at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:178)
        at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
        at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
        at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
        at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
        at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
        at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1581)
        at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1509)
        at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:245)
        at Fetch.main(Fetch.java:7)
[1] http://jdk.java.net/11/
-Jaikiran
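To make the failure in this thread concrete, here is an added example (not code from the thread, JDK or OpenSSL) that parses a TLS 1.2 ServerHello body and applies the same kind of check JDK 11 performs when it rejects extension (10): strict mode fails like the RC build, lenient mode ignores the stray supported_groups the way the patch and OpenSSL PR 4463 do. The allowed-extension set, the sample ServerHello bytes and all function names are assumptions constructed for the example.

```python
import struct

# Extension types a server may legitimately send back in a TLS 1.2 ServerHello
# (assumption: an approximation of the registry rules, not JDK's own table).
SERVER_HELLO_ALLOWED = {0, 1, 5, 11, 16, 22, 23, 35, 41, 43, 51, 65281}
SUPPORTED_GROUPS = 10  # client-only extension; a ServerHello carrying it is buggy


def parse_server_hello(body: bytes) -> dict:
    """Split a ServerHello handshake body (no record/handshake headers) into fields."""
    version = tuple(body[0:2])
    pos = 2 + 32                                    # skip the 32-byte server random
    sid_len = body[pos]
    pos += 1 + sid_len                              # skip session_id
    cipher_suite = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 3                                        # cipher suite + compression method
    extensions = []
    if pos < len(body):                             # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            extensions.append((etype, body[pos:pos + elen]))
            pos += elen
    return {"version": version, "cipher_suite": cipher_suite, "extensions": extensions}


def check_extensions(hello: dict, lenient: bool = False) -> list:
    """Return extension types that must not appear in a ServerHello. Strict mode
    fails the handshake as JDK 11 GA does; lenient mode (the patch in this thread,
    OpenSSL PR 4463) reports them so the caller can log a warning and carry on."""
    bad = [t for t, _ in hello["extensions"] if t not in SERVER_HELLO_ALLOWED]
    if bad and not lenient:
        raise ValueError(f"extension ({bad[0]}) should not be presented in server_hello")
    return bad


def build_sample_server_hello(with_supported_groups: bool) -> bytes:
    """Constructed ServerHello modelled on the thread's debug log: TLSv1.2, cipher
    0xC030, renegotiation_info, empty server_name, ec_point_formats, and optionally
    the out-of-place supported_groups(10) extension that trips JDK 11."""
    exts = [(65281, b"\x00"), (0, b""), (11, b"\x01\x00")]
    if with_supported_groups:
        exts.append((SUPPORTED_GROUPS, b"\x00\x02\x00\x17"))  # list: secp256r1 only
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    return (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", 0xC030) + b"\x00"
            + struct.pack("!H", len(ext_bytes)) + ext_bytes)
```

Feeding the ServerHello with the extra extension through `check_extensions` in strict mode reproduces the thread's "extension (10) should not be presented in server_hello" message; lenient mode returns `[10]`, which is where an implementation would emit the "Buggy supported_groups in ServerHello" warning seen in the patched build's log.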