Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8215711

Missing key_share extension for (EC)DHE key exchange should alert missing_extension

    Details

      Backports

        Description

        If ClientHello has no key_share extension for (EC)DHE key exchange, JSSE server alerts internal_error, for example,
        javax.net.ssl|DEBUG|01|main|2018-12-20 20:43:03.059 CST|ClientHello.java:806|Consuming ClientHello handshake message (
        "ClientHello": {
          "client version" : "TLSv1.2",
          "random" : "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
          "session id" : "3E C3 93 BB D5 2B AC A2 36 00 AB D1 41 C1 C4 3B 4B 1A 32 91 79 92 9E 43 3D 2C F6 89 65 5F 04 28",
          "cipher suites" : "[TLS_AES_128_GCM_SHA256(0x1301), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
          "compression methods" : "00",
          "extensions" : [
            "supported_versions (43)": {
              "versions": [TLSv1.3, TLSv1.2]
            },
            "supported_groups (10)": {
              "versions": [secp256r1]
            },
            "signature_algorithms (13)": {
              "signature schemes": [rsa_pss_rsae_sha256, rsa_pss_pss_sha256]
            },
            "signature_algorithms_cert (50)": {
              "signature schemes": [rsa_pkcs1_sha512, rsa_pkcs1_sha384, rsa_pkcs1_sha256, rsa_sha224, rsa_pkcs1_sha1, rsa_md5, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512]
            }
          ]
        }
        )
        ... ...
        javax.net.ssl|DEBUG|01|main|2018-12-20 20:43:03.088 CST|ServerHello.java:580|Produced ServerHello handshake message (
        "ServerHello": {
          "server version" : "TLSv1.2",
          "random" : "86 03 CD FB 91 24 39 FC 8E FE 35 07 FF C3 E0 42 FB 3C B4 B9 99 C4 6D A5 19 AF F4 C7 C2 C2 D3 17",
          "session id" : "3E C3 93 BB D5 2B AC A2 36 00 AB D1 41 C1 C4 3B 4B 1A 32 91 79 92 9E 43 3D 2C F6 89 65 5F 04 28",
          "cipher suite" : "TLS_AES_128_GCM_SHA256(0x1301)",
          "compression methods" : "00",
          "extensions" : [
            "supported_versions (43)": {
              "selected version": [TLSv1.3]
            }
          ]
        }
        )
        ... ...
        javax.net.ssl|ERROR|01|main|2018-12-20 20:43:03.093 CST|TransportContext.java:313|Fatal (INTERNAL_ERROR): Not negotiated key shares (
        "throwable" : {
          javax.net.ssl.SSLException: Not negotiated key shares
           at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:129)
           at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
           at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
           at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
           at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:255)
           at java.base/sun.security.ssl.ServerHello$T13ServerHelloProducer.produce(ServerHello.java:595)
           at java.base/sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:436)
           at java.base/sun.security.ssl.ClientHello$T13ClientHelloConsumer.goServerHello(ClientHello.java:1224)
           at java.base/sun.security.ssl.ClientHello$T13ClientHelloConsumer.consume(ClientHello.java:1160)
           at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:849)
           at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:810)
           at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
           at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:448)
           at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:425)
           at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:178)
           at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
           at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1151)
           at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1062)
           at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
           at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:716)
           at java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:799)
           at java.base/java.io.InputStream.read(InputStream.java:213)
           at SimpleJSSEServer.readIn(SimpleJSSEServer.java:37)
           at SimpleJSSEServer.main(SimpleJSSEServer.java:24)}

        )

        But RFC 8446 section 9.2 states:
        - If containing a "supported_groups" extension, it MUST also contain a "key_share" extension, and vice versa. An empty KeyShare.client_shares vector is permitted.
        Servers receiving a ClientHello which does not conform to these requirements MUST abort the handshake with a "missing_extension" alert.

        So, the server should alert missing_extension immediately, but not send ServerHello and then alert internal_error.

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  xuelei Xue-Lei Fan
                  Reporter:
                  jjiang John Jiang
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  4 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: