openjdk team mailing list archive
-
openjdk team
-
Mailing list archive
-
Message #14114
[Bug 1904586] Re: Some SSL Client Certificates failing handshake
Also affects 20.04 focal:
# lsb_release -rd
Description: Ubuntu 20.04.1 LTS
Release: 20.04
# apt-cache policy openjdk-8-jre-headless
openjdk-8-jre-headless:
Installed: 8u275-b01-0ubuntu1~20.04
Candidate: 8u275-b01-0ubuntu1~20.04
Version table:
*** 8u275-b01-0ubuntu1~20.04 500
500 http://archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages
500 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages
100 /var/lib/dpkg/status
8u252-b09-1ubuntu1 500
500 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages
--
You received this bug notification because you are a member of OpenJDK,
which is subscribed to openjdk-8 in Ubuntu.
https://bugs.launchpad.net/bugs/1904586
Title:
Some SSL Client Certificates failing handshake
Status in openjdk-8 package in Ubuntu:
New
Bug description:
What was expected:
SSL Client Certificate based connections worked fine with previous release of JRE: 1.8.0_265-8u265-b01-0ubuntu2~18.04-b01
What happened:
When attempting to use a client certificate to establish a connection with the latest Java 8 JRE, some connections fail with specific client certificates; however others work. There was no change to SSL related code and previous JAR versions on updated bionic containers started failing after the latest USN-4607-2 fix from 12/Nov/2020.
Now the following issue occurs:
javax.net.ssl.SSLProtocolException: Received fatal alert: unexpected_message
at sun.security.ssl.Alert.createSSLException(Alert.java:129)
at sun.security.ssl.Alert.createSSLException(Alert.java:117)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:311)
at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
at sun.security.ssl.TransportContext.dispatch(TransportContext.java:185)
at sun.security.ssl.SSLTransport.decode(SSLTransport.java:149)
at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1146)
at sun.security.ssl.SSLSocketImpl.readApplicationRecord(SSLSocketImpl.java:1116)
at sun.security.ssl.SSLSocketImpl.access$200(SSLSocketImpl.java:72)
at sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:815)
Previous working version: 1.8.0_265-8u265-b01-0ubuntu2~18.04-b01
Non-working version: 1.8.0_275-8u275-b01-0ubuntu1~18.04-b01
2 client certificates for 2 different API providers are in use; both
certificates are RSA 2048bit based; however the working certificate is
signed RSA+SHA1; while the non working certificate is RSA+SHA256 -
that appears to be the only visual difference.
Manual inspection of a packet trace shows no unexpected issues across the handshake, all required ciphers match and TLSv1.2 is in use. 'openssl s_client' with both client certificates works fine to establish the connection; the issue appears to be JDK/JRE based.
I'm not sure looking at the diffs of the exact changes related to the first point raised in:
https://ubuntu.com/security/notices/USN-4607-2
"USN-4607-1 fixed vulnerabilities and added features in OpenJDK.
Unfortunately, that update introduced a regression that could cause TLS
connections with client certificate authentication to fail in some
situations. This update fixes the problem."
It appears there is a potentially a particular corner case of a
regression that still remains?
Happy to provide additional information as required.
# lsb_release -rd
Description: Ubuntu 18.04.4 LTS
Release: 18.04
# apt-cache policy openjdk-8-jre-headless
openjdk-8-jre-headless:
Installed: 8u275-b01-0ubuntu1~18.04
Candidate: 8u275-b01-0ubuntu1~18.04
Version table:
*** 8u275-b01-0ubuntu1~18.04 500
500 http://archive.ubuntu.com/ubuntu bionic-updates/universe amd64 Packages
500 http://security.ubuntu.com/ubuntu bionic-security/universe amd64 Packages
100 /var/lib/dpkg/status
8u162-b12-1 500
500 http://archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjdk-8/+bug/1904586/+subscriptions
References