JDK-8144569

Custom HostnameVerifier breaks SNI connection

    Details

    • Type: Bug
    • Status: Closed
    • Priority: P4
    • Resolution: Duplicate
    • Affects Version/s: 8u65, 9
    • Fix Version/s: None
    • Component/s: security-libs

      Description

      FULL PRODUCT VERSION :
      java version "1.8.0_65"
      Java(TM) SE Runtime Environment (build 1.8.0_65-b17)
      Java HotSpot(TM) 64-Bit Server VM (build 25.65-b01, mixed mode)

      ADDITIONAL OS VERSION INFORMATION :
      Microsoft Windows [Version 6.1.7601]

      A DESCRIPTION OF THE PROBLEM :
      As already reported in https://bugs.openjdk.java.net/browse/JDK-8072464, using a custom HostnameVerifier breaks using a secure connection with SNI. In the linked report it may fall back to not using SNI, but the issue is with sites relying on SNI only.

      Some of the sites showing the issue are (CloudFlare CDN):
      https://kitematic.com/terms-of-service/
      https://roundcube.net/news/2015/11/23/roundcube-webmail-1.2-beta-out-now/

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      Attempt to make a connection to an SNI-only site when using a HostnameVerifier - run the attached test case.


      ERROR MESSAGES/STACK TRACES THAT OCCUR :
      Exception in thread "main" javax.net.ssl.SSLException: Received fatal alert: internal_error
      at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
      at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
      at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
      at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
      at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
      at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
      at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
      at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
      at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
      at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1513)
      at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)
      at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
      at SSLClient.main(SSLClient.java:14)

      REPRODUCIBILITY :
      This bug can be reproduced always.

      ---------- BEGIN SOURCE ----------
      import javax.net.ssl.*;
      import java.net.URL;

      public class SSLClient {
          public static void main(String[] args) throws Exception {
              URL url = new URL("https://roundcube.net/news/2015/11/23/roundcube-webmail-1.2-beta-out-now/");
              HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();

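              // Installing a custom HostnameVerifier is what triggers the failure.
              // This one returns true for every host, so a certificate name
              // mismatch would be accepted; it only keeps the test case minimal.
              conn.setHostnameVerifier(new HostnameVerifier() {
                  @Override
                  public boolean verify(String s, SSLSession sslSession) {
                      return true;
                  }
              });
              // The TLS handshake runs here and ends with the internal_error alert.
              conn.getInputStream();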
          }
      }
      ---------- END SOURCE ----------

              People

              • Assignee: Xue-Lei Fan (xuelei)
              • Reporter: Webbug Group (webbuggrp)