
Custom HostnameVerifier disables SNI support on client in Java 8

    Details

    • Type: Bug
    • Status: Closed
    • Priority: P3
    • Resolution: Cannot Reproduce
    • Affects Version/s: 8u31
    • Fix Version/s: 9
    • Component/s: security-libs
    • Labels:

      Description

      FULL PRODUCT VERSION :
      java version "1.8.0_31"
      Java(TM) SE Runtime Environment (build 1.8.0_31-b13)
      Java HotSpot(TM) 64-Bit Server VM (build 25.31-b07, mixed mode)

      ADDITIONAL OS VERSION INFORMATION :
      Microsoft Windows [Version 6.1.7601]

      A DESCRIPTION OF THE PROBLEM :
      Usage of HttpsURLConnection.setHostnameVerifier(...) disables sending the server_name extension in the ClientHello when performing the SSL handshake. As a result, SNI doesn't work.

      REGRESSION. Last worked in version 7u75

      ADDITIONAL REGRESSION INFORMATION:
      java version "1.7.0_75"
      Java(TM) SE Runtime Environment (build 1.7.0_75-b13)
      Java HotSpot(TM) 64-Bit Server VM (build 24.75-b04, mixed mode)

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      1) enable SSL debug (-Djavax.net.debug=ssl,handshake)
      2) run this code:
              URL url = new URL("https://google.com");
              HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
              conn.setHostnameVerifier(new HostnameVerifier() {
                  public boolean verify(String s, SSLSession sslSession) {
                      return true;
                  }
              });
              conn.getInputStream();
      3) look at the extensions in the SSL handshake ClientHello (there is no server_name extension here)
      4) comment out conn.setHostnameVerifier and run again (you will see the server_name extension)

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      *** ClientHello, TLSv1.2
      RandomCookie: GMT: 1405276996 bytes = { 204, 183, 159, 43, 188, 48, 16, 2, 71, 223, 180, 142, 92, 232, 7, 190, 211, 247, 15, 11, 156, 0, 205, 30, 79, 111, 15, 4 }
      Session ID: {}
      Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
      Compression Methods: { 0 }
      Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
      Extension ec_point_formats, formats: [uncompressed]
      Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
      Extension server_name, server_name: [type=host_name (0), value=google.com]
      ***
      ACTUAL -
      *** ClientHello, TLSv1.2
      RandomCookie: GMT: 1405276870 bytes = { 127, 59, 137, 97, 89, 100, 122, 84, 197, 184, 244, 118, 19, 24, 67, 139, 139, 181, 122, 141, 37, 217, 122, 134, 113, 61, 14, 213 }
      Session ID: {}
      Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
      Compression Methods: { 0 }
      Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
      Extension ec_point_formats, formats: [uncompressed]
      Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
      ***

      REPRODUCIBILITY :
      This bug can be reproduced always.

      ---------- BEGIN SOURCE ----------
      import javax.net.ssl.*;
      import java.net.URL;

      public class SSLClient {
          public static void main(String[] args) throws Exception {
              URL url = new URL("https://google.com");
              HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();

              conn.setHostnameVerifier(new HostnameVerifier() {
                  public boolean verify(String s, SSLSession sslSession) {
                      return true;
                  }
              });
              conn.getInputStream();
          }
      }

      ---------- END SOURCE ----------
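As an added example, not code from the bug report or from the JDK itself: a client that requests the server_name extension explicitly through SSLParameters on the socket and keeps JSSE's "HTTPS" endpoint identification, so neither SNI nor the certificate name check depends on a HostnameVerifier that returns true. It assumes that HttpsURLConnection obtains its TLS socket from the configured SSLSocketFactory's host-addressed createSocket variants and that the target is a DNS name (RFC 6066 does not allow IP literals in server_name); the class and method names are my own.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.net.URL;
import java.util.Collections;
import javax.net.ssl.*;
// Constructed example: request server_name explicitly and keep JSSE's certificate-name check.
public class SniClient {
    // Wraps an SSLSocketFactory so every host-addressed socket it returns carries an SNI host
    // name and RFC 2818 ("HTTPS") endpoint identification.
    static final class SniSocketFactory extends SSLSocketFactory {
        private final SSLSocketFactory delegate;
        SniSocketFactory(SSLSocketFactory delegate) { this.delegate = delegate; }
        private static Socket configure(Socket s, String host) {
            if (s instanceof SSLSocket && host != null) {
                SSLParameters p = ((SSLSocket) s).getSSLParameters();
                p.setServerNames(Collections.<SNIServerName>singletonList(new SNIHostName(host)));
                p.setEndpointIdentificationAlgorithm("HTTPS"); // JSSE matches the cert to the host
                ((SSLSocket) s).setSSLParameters(p);
            }
            return s;
        }
        // HttpsURLConnection layers TLS over an already-connected socket via this variant (assumed).
        @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose)
                throws IOException { return configure(delegate.createSocket(s, host, port, autoClose), host); }
        @Override public Socket createSocket(String host, int port) throws IOException { return configure(delegate.createSocket(host, port), host); }
        @Override public Socket createSocket(String host, int port, InetAddress la, int lp)
                throws IOException { return configure(delegate.createSocket(host, port, la, lp), host); }
        // Address-only variants: no host name is known, so no SNI is added (no reverse lookup).
        @Override public Socket createSocket(InetAddress a, int port) throws IOException {
            return delegate.createSocket(a, port); }
        @Override public Socket createSocket(InetAddress a, int port, InetAddress la, int lp)
                throws IOException { return delegate.createSocket(a, port, la, lp); }
        @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
        @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    }
    public static void main(String[] args) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://google.com").openConnection();
        conn.setSSLSocketFactory(new SniSocketFactory((SSLSocketFactory) SSLSocketFactory.getDefault()));
        // The host-to-certificate binding was enforced during the handshake by endpoint
        // identification; this verifier only refuses sessions that have no peer certificate.
        conn.setHostnameVerifier(new HostnameVerifier() {
            public boolean verify(String host, SSLSession session) {
                try { return session.getPeerCertificates().length > 0; } catch (SSLPeerUnverifiedException e) { return false; }
            }
        });
        conn.getInputStream().close();
    }
}
```

Running it with -Djavax.net.debug=ssl,handshake should show the server_name extension in the ClientHello even though a custom HostnameVerifier is installed; a certificate that does not match the host now fails the handshake itself rather than reaching verify().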


          Activity

          jibiche Jibing Chen (Inactive) added a comment -
          Close "Cannot Reproduce" issues
          wetmore Bradford Wetmore added a comment -
          I could not duplicate this problem. Marking incomplete.

          import java.io.*;
          import java.net.*;
          import javax.net.ssl.*;

          public class TestIt {
              public static void main(String[] args) throws Exception {
                  System.setProperty("https.proxyHost", "ourproxy");
                  System.setProperty("https.proxyPort", "80");
                  System.setProperty("javax.net.debug", "all");

                  URL url = new URL("https://google.com");
                  HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
                  conn.setHostnameVerifier(new HostnameVerifier() {
                      public boolean verify(String s, SSLSession sslSession) {
                          return true;
                      }
                  });
                  conn.getInputStream();
              }
          }

          % /java/re/jdk/8u31/latest/binaries/solaris-sparcv9/bin/java TestIt | grep server_name
          Extension server_name, server_name: [type=host_name (0), value=google.com] // Client side
          Extension server_name, server_name: // Server side
          Extension server_name, server_name: [type=host_name (0), value=www.google.com] // Client side
          Extension server_name, server_name: // Server side

          Same on Windows:

          >d:/java/bootdirs/jdk1.8.0_31/bin/java TestIt | grep server_name
          Extension server_name, server_name: [type=host_name (0), value=google.com]
          Extension server_name, server_name:
          Extension server_name, server_name: [type=host_name (0), value=www.google.com]
          Extension server_name, server_name:

          idergali Ilya Dergalin (Inactive) added a comment -
          In what release/build was the regression introduced?
          michaelm Michael McMahon added a comment -
          Looks like a JSSE issue

            People

            • Assignee: wetmore Bradford Wetmore
            • Reporter: webbuggrp Webbug Group
            • Votes: 0
            • Watchers: 5
