Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8242294

JSSE Client does not throw SSLException when an alert occurs during handshaking

    Details

    • Subcomponent:
    • Introduced In Version:
      11
    • Resolved In Build:
      b18
    • Verification:
      Verified

      Backports

        Description

        In 8u the JSSE implementation would have the client-side throw SSLExceptions if an alert condition occurs during handshaking and a read or write operation on the input/output streams occur. In JDK 11 and onward, the new handshaker does not cause an exception to be delivered to the client when a read operation happens after a failed/alerted handshake.

        On JDK 8u, the exception delivered to the client will look like this:

        javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on keysize limits. RSA 952bit key used with certificate: <DN OMITTED> Usage was tls server
                at sun.security.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.java:1533)
                at sun.security.ssl.AppInputStream.read(AppInputStream.java:95)
                at sun.nio.cs.StreamDecoder.readBytes(StreamDecoder.java:284)
                at sun.nio.cs.StreamDecoder.implRead(StreamDecoder.java:326)
                at sun.nio.cs.StreamDecoder.read(StreamDecoder.java:178)
                at java.io.InputStreamReader.read(InputStreamReader.java:184)
                at java.io.BufferedReader.fill(BufferedReader.java:161)
                at java.io.BufferedReader.readLine(BufferedReader.java:324)
                at java.io.BufferedReader.readLine(BufferedReader.java:389)
                at ServerClientSSLSocket.doClientSide(ServerClientSSLSocket.java:45)
                at ServerClientSSLSocket.main(ServerClientSSLSocket.java:62)
        Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on keysize limits. RSA 952bit key used with certificate: <DN OMITTED>. Usage was tls server
                at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
                at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
                at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
                at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
                at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1640)
                at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
                at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
                at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
                at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
                at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
                at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:750)
                at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
                at sun.nio.cs.StreamEncoder.writeBytes(StreamEncoder.java:221)
                at sun.nio.cs.StreamEncoder.implFlushBuffer(StreamEncoder.java:291)
                at sun.nio.cs.StreamEncoder.implFlush(StreamEncoder.java:295)
                at sun.nio.cs.StreamEncoder.flush(StreamEncoder.java:141)
                at java.io.OutputStreamWriter.flush(OutputStreamWriter.java:229)
                at java.io.BufferedWriter.flush(BufferedWriter.java:254)
                at java.io.PrintWriter.flush(PrintWriter.java:320)
                at ServerClientSSLSocket.doClientSide(ServerClientSSLSocket.java:44)
                ... 1 more
        Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on keysize limits. RSA 952bit key used with certificate: <DN OMITTED> Usage was tls server
                at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:362)
                at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:259)
                at sun.security.validator.Validator.validate(Validator.java:262)
                at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:330)
                at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:237)
                at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
                at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1622)
                ... 16 more
        Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on keysize limits. RSA 952bit key used with certificate: <DN OMITTED>. Usage was tls server
                at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
                at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:238)
                at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:146)
                at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:85)
                at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
                at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:357)
                ... 22 more
        Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on keysize limits. RSA 952bit key used with certificate:<DN OMITTED> Usage was tls server
                at sun.security.util.DisabledAlgorithmConstraints$KeySizeConstraint.permits(DisabledAlgorithmConstraints.java:817)
                at sun.security.util.DisabledAlgorithmConstraints$Constraints.permits(DisabledAlgorithmConstraints.java:419)
                at sun.security.util.DisabledAlgorithmConstraints.permits(DisabledAlgorithmConstraints.java:167)
                at sun.security.provider.certpath.AlgorithmChecker.check(AlgorithmChecker.java:326)
                at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
                ... 27 more

        While on 11 and later, you will see behavior similar to this:

        $ java OPTIONS_OMITTED ServerClientSSLSocket
        doServerSide start
        doServerSide ready
        doClientSide start
        Server sslSocket: /10.100.192.143
        response is null

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  jnimeh Jamil Nimeh
                  Reporter:
                  jnimeh Jamil Nimeh
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  6 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: