Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8244932

javax.net.ssl.SSLHandshakeException when client authentication is enabled

    XMLWordPrintable

    Details

      Description

      ADDITIONAL SYSTEM INFORMATION :
      The issue occurs on Oracle JDK 11+, as TLS 1.3 is not yet supported by previous version of Oracle JDK (I tested 11.0.6, 11.0.7, and 14.0.1) on Windows 10.

      A DESCRIPTION OF THE PROBLEM :
      When client authentication is enabled, the issue reported in JDK-8236039 arises. This can be tested by running the Go application attached to JDK-8236039 with switch "-A NEEDVFY", and connect to it with a JSSE client with TLS1.3 and client authentication configured.

      The issue happened on Oracle JDK. I tested it with Zulu JDK without any issue.

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      1) Run the Go application attached to JDK-8236039 with switch "-A NEEDVFY".
      2) Create a JSSE client with client authentication properly configured:

      SSLContext sslContext = SSLContextBuilder
                      .create()
                      .loadKeyMaterial(keyStore, keyStoreIntegrityKey, entryConfidentialityKey)
                      .loadTrustMaterial(trustStore, trustStoreIntegrityKey)
                      .build();

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      I expected the JSSE client to handshake properly with the server.
      ACTUAL -
      I received the following exception:

      Exception in thread "main" javax.net.ssl.SSLHandshakeException: extension (5) should not be presented in certificate_request
      at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
      at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
      at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:314)
      at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:270)
      at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:261)
      at java.base/sun.security.ssl.SSLExtensions.<init>(SSLExtensions.java:89)
      at java.base/sun.security.ssl.CertificateRequest$T13CertificateRequestMessage.<init>(CertificateRequest.java:818)
      at java.base/sun.security.ssl.CertificateRequest$T13CertificateRequestConsumer.consume(CertificateRequest.java:922)
      at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
      at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:451)
      at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:428)
      at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:184)
      at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
      at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1151)
      at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1062)
      at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
              ......

      ---------- BEGIN SOURCE ----------
      import javax.net.ssl.*;
      import java.io.File;
      import java.security.KeyStore;
      import java.security.SecureRandom;

      public class SSLSocketClient {

          public static void main(String[] args) throws Exception {
              File trustStore = new File("trustStore.p12");
              File keyStore = new File("keyStore.p12");
              char[] password = "123".toCharArray();

              KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
              KeyStore ks = KeyStore.getInstance(keyStore, password);
              kmf.init(ks, password);

              TrustManagerFactory tmf = TrustManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
              KeyStore ts = KeyStore.getInstance(trustStore, password);
              tmf.init(ts);

              SSLContext sslContext = SSLContext.getInstance("TLSv1.3");
              sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());

              SSLSocketFactory factory = sslContext.getSocketFactory();
              SSLSocket socket = (SSLSocket) factory.createSocket("localhost", 443);
              socket.startHandshake();
          }
      }
      ---------- END SOURCE ----------

      CUSTOMER SUBMITTED WORKAROUND :
      I used Zulu JDK to compile my program, and it worked OK.

      FREQUENCY : always


        Attachments

          Issue Links

            Activity

              People

              Assignee:
              jnimeh Jamil Nimeh
              Reporter:
              webbuggrp Webbug Group
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: