Hello, good people,
The java 11 implementation of TLS v1.3 was backported into java 8 since
some CPUs and it results sometimes in new handshake failures with
hard-to-updage-firmware devices whose shell life might be still long.
We somehow debugged those failures and some devices bomb because of
TLSv1.2 handshake containing the signature_algorihms_cert and
supported_versions extensions.
I would love to propose for Java 8 the attached patch that would make
the TLSv1.2 handshake to look exactly as it was looking in 8u252. The
TLSv1.3 handshake still contains both extensions as it should. This
could solve the differences of Java 8 behaviour between different update
numbers.
Please, have a look and comment
Cheers
Fridrich
--- openjdk/jdk/src/share/classes/sun/security/ssl/SSLExtension.java 2021-05-21 08:10:00.830159018 +0200
+++ openjdk/jdk/src/share/classes/sun/security/ssl/SSLExtension.java 2021-05-21 08:11:40.258772361 +0200
@@ -198,7 +198,7 @@
CH_SIGNATURE_ALGORITHMS_CERT (0x0032, "signature_algorithms_cert",
SSLHandshake.CLIENT_HELLO,
- ProtocolVersion.PROTOCOLS_12_13,
+ ProtocolVersion.PROTOCOLS_OF_13,
CertSignAlgsExtension.chNetworkProducer,
CertSignAlgsExtension.chOnLoadConsumer,
null,
@@ -319,7 +319,7 @@
CH_SUPPORTED_VERSIONS (0x002B, "supported_versions",
SSLHandshake.CLIENT_HELLO,
- ProtocolVersion.PROTOCOLS_TO_13,
+ ProtocolVersion.PROTOCOLS_OF_13,
SupportedVersionsExtension.chNetworkProducer,
SupportedVersionsExtension.chOnLoadConsumer,
null,
