← Back to team overview

openjdk team mailing list archive

[Bug 1904586] Re: Some SSL Client Certificates failing handshake

 

Also affects 20.04 focal:

# lsb_release -rd
Description:	Ubuntu 20.04.1 LTS
Release:	20.04

# apt-cache policy openjdk-8-jre-headless
openjdk-8-jre-headless:
  Installed: 8u275-b01-0ubuntu1~20.04
  Candidate: 8u275-b01-0ubuntu1~20.04
  Version table:
 *** 8u275-b01-0ubuntu1~20.04 500
        500 http://archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages
        500 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages
        100 /var/lib/dpkg/status
     8u252-b09-1ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages

-- 
You received this bug notification because you are a member of OpenJDK,
which is subscribed to openjdk-8 in Ubuntu.
https://bugs.launchpad.net/bugs/1904586

Title:
  Some SSL Client Certificates failing handshake

Status in openjdk-8 package in Ubuntu:
  New

Bug description:
  What was expected: 
  SSL Client Certificate based connections worked fine with previous release of JRE: 1.8.0_265-8u265-b01-0ubuntu2~18.04-b01

  
  What happened:
  When attempting to use a client certificate to establish a connection with the latest Java 8 JRE, some connections fail with specific client certificates; however others work. There was no change to SSL related code and previous JAR versions on updated bionic containers started failing after the latest USN-4607-2 fix from 12/Nov/2020.

  Now the following issue occurs: 
  javax.net.ssl.SSLProtocolException: Received fatal alert: unexpected_message
  at sun.security.ssl.Alert.createSSLException(Alert.java:129)
  at sun.security.ssl.Alert.createSSLException(Alert.java:117)
  at sun.security.ssl.TransportContext.fatal(TransportContext.java:311)
  at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
  at sun.security.ssl.TransportContext.dispatch(TransportContext.java:185)
  at sun.security.ssl.SSLTransport.decode(SSLTransport.java:149)
  at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1146)
  at sun.security.ssl.SSLSocketImpl.readApplicationRecord(SSLSocketImpl.java:1116)
  at sun.security.ssl.SSLSocketImpl.access$200(SSLSocketImpl.java:72)
  at sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:815)

  Previous working version: 1.8.0_265-8u265-b01-0ubuntu2~18.04-b01
  Non-working version: 1.8.0_275-8u275-b01-0ubuntu1~18.04-b01

  2 client certificates for 2 different API providers are in use; both
  certificates are RSA 2048bit based; however the working certificate is
  signed RSA+SHA1; while the non working certificate is RSA+SHA256 -
  that appears to be the only visual difference.

  Manual inspection of a packet trace shows no unexpected issues across the handshake, all required ciphers match and TLSv1.2 is in use. 'openssl s_client' with both client certificates works fine to establish the connection; the issue appears to be JDK/JRE based.
   
  I'm not sure looking at the diffs of the exact changes related to the first point raised in: 
  https://ubuntu.com/security/notices/USN-4607-2

  "USN-4607-1 fixed vulnerabilities and added features in OpenJDK.
  Unfortunately, that update introduced a regression that could cause TLS
  connections with client certificate authentication to fail in some
  situations. This update fixes the problem."

  It appears there is a potentially a particular corner case of a
  regression that still remains?

  Happy to provide additional information as required.

  # lsb_release -rd
  Description:	Ubuntu 18.04.4 LTS
  Release:	18.04

  # apt-cache policy openjdk-8-jre-headless
  openjdk-8-jre-headless:
    Installed: 8u275-b01-0ubuntu1~18.04
    Candidate: 8u275-b01-0ubuntu1~18.04
    Version table:
   *** 8u275-b01-0ubuntu1~18.04 500
          500 http://archive.ubuntu.com/ubuntu bionic-updates/universe amd64 Packages
          500 http://security.ubuntu.com/ubuntu bionic-security/universe amd64 Packages
          100 /var/lib/dpkg/status
       8u162-b12-1 500
          500 http://archive.ubuntu.com/ubuntu bionic/universe amd64 Packages

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjdk-8/+bug/1904586/+subscriptions


References