JDK-7127374

JSSE creates SSLProtocolException on (common) warning: unrecognized_name for SNI

    Details

    • Type: Bug
    • Status: Closed
    • Priority: P4
    • Resolution: Not an Issue
    • Affects Version/s: 7
    • Fix Version/s: None
    • Component/s: security-libs
    • Labels:

      Description

      (Original description used the acronym ISN, but assuming they meant SNI. Am replacing with SNI throughout the report. - Brad)


      FULL PRODUCT VERSION :
      java version "1.7.0_02"
      Java(TM) SE Runtime Environment (build 1.7.0_02-b13)
      Java HotSpot(TM) 64-Bit Server VM (build 22.0-b10, mixed mode)

      ADDITIONAL OS VERSION INFORMATION :
      Various

      A DESCRIPTION OF THE PROBLEM :
      The new feature of Java 7 to send the hostname in the SSL handshake (SNI) has the problem that it often triggers SSL handshake alerts.

      This could be regarded as a configuration problem of the server (server does not know which hostnames to serve); however, since most browsers happily connect to those servers, the JSSE implementation should have a way to ignore this specific warning:

      javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name
      at sun.security.ssl.ClientHandshaker.handshakeAlert(Unknown Source)
      at sun.security.ssl.SSLSocketImpl.recvAlert(Unknown Source)
      at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
      at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
      at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
      at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
      at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
      at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
      at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
      at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source)
      at xxx




      Besides ignoring the ClientHandshaker.handshakeAlert(112), it would also help to turn SNI off for those peers.

      REGRESSION. Last worked in version 6u29

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      This specific stacktrace was created by:

      new URL("https://timestamp.geotrust.com/tsa").openConnection();

      (I don't know what name the SSL server would accept without warning)


      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      connection to that server
      ACTUAL -
      above exception

      ERROR MESSAGES/STACK TRACES THAT OCCUR :
      javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name

      REPRODUCIBILITY :
      This bug can be reproduced always.
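
      The alert named in the stack trace is a two-byte TLS alert message (level, description) carried in a record of content type 21. The following is an added example, not part of the original report and not JSSE code, that decodes such a record and separates the warning-level unrecognized_name (112) case described above from a fatal one; the class name and the sample bytes are constructed for illustration.

```java
import java.nio.ByteBuffer;

// Added example (not JSSE code): decode a plaintext TLS alert record as it
// appears during the initial handshake, before record encryption is enabled.
public class TlsAlertDecoder {
    static final int CONTENT_TYPE_ALERT = 21; // record-layer content type "alert"
    static final int LEVEL_WARNING = 1;       // AlertLevel.warning
    static final int LEVEL_FATAL = 2;         // AlertLevel.fatal
    static final int UNRECOGNIZED_NAME = 112; // AlertDescription defined in RFC 6066

    /** Returns {level, description}; this example expects one alert per record. */
    static int[] decode(byte[] record) {
        if (record.length < 5) {
            throw new IllegalArgumentException("truncated record header");
        }
        ByteBuffer buf = ByteBuffer.wrap(record);  // big-endian by default
        int type = buf.get() & 0xff;
        buf.getShort();                            // protocol version, unused here
        int length = buf.getShort() & 0xffff;
        if (type != CONTENT_TYPE_ALERT) {
            throw new IllegalArgumentException("not an alert record, type=" + type);
        }
        if (length != 2 || buf.remaining() != 2) {
            throw new IllegalArgumentException("alert body must be exactly 2 bytes");
        }
        return new int[] { buf.get() & 0xff, buf.get() & 0xff };
    }

    /** Separates the warning-level SNI alert from fatal and other alerts. */
    static String classify(byte[] record) {
        int[] alert = decode(record);
        int level = alert[0], description = alert[1];
        if (level == LEVEL_FATAL) {
            return "fatal alert " + description + ": peer aborted the handshake";
        }
        if (level != LEVEL_WARNING) {
            throw new IllegalArgumentException("invalid alert level " + level);
        }
        return description == UNRECOGNIZED_NAME
                ? "warning unrecognized_name: server did not recognise the SNI hostname"
                : "warning alert " + description;
    }

    public static void main(String[] args) {
        // Constructed samples: type=21, version=3.1 (TLS 1.0), length=2, level, description.
        System.out.println(classify(new byte[] { 21, 3, 1, 0, 2, 1, 112 }));
        System.out.println(classify(new byte[] { 21, 3, 1, 0, 2, 2, 112 }));
    }
}
```

      RFC 6066 states that sending a warning-level unrecognized_name alert is not recommended because client behaviour in response to warning-level alerts is unpredictable.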

              People

              • Assignee:
                xuelei Xue-Lei Fan
                Reporter:
                webbuggrp Webbug Group