JDK-4273544 : JSSE: request for function forceV3ClientHello()

Details
Type:
Enhancement
Submit Date:
1999-09-20
Status:
Resolved
Updated Date:
2002-03-20
Project Name:
JDK
Resolved Date:
2001-07-09
Component:
security-libs
OS:
windows_nt,linux,generic,windows_2000
Sub-Component:
javax.net.ssl
CPU:
x86,generic
Priority:
P3
Resolution:
Fixed
Affected Versions:
1.0,1.0.1,unknown,1.0.2,1.4.0
Fixed Versions:
1.4.0 (beta2)

Related Reports
Duplicate: five duplicate reports are linked (their IDs are not preserved on this page)
Description

Name: krT82822    Date: 09/20/99


This request for enhancement relates to the Java Secure Socket
Extension EA release.  When an SSL handshake is begun with
the code:

SSLSocketFactory f = context.getSocketFactory();
SSLSocket connection = null;
try {
    connection = (SSLSocket) f.createSocket(hostname, port);
} catch (java.net.UnknownHostException unknown) {
    unknown.printStackTrace();
} catch (java.io.IOException io) {
    io.printStackTrace();
}

The client by default sends an SSL version 2 hello to the
server.  This is because, according to Jeff Nisewanger <###@###.###>:

"many implementations will want to send an SSL V2 client hello in order
to more cleanly detect and report handshake negotiation failures when
connecting to old servers which only support SSL V2.  Sending a V3
ClientHello to a server that only supports SSL V2 can result in a hung
connection or a seemingly random IO exception from the client's
perspective.  Always sending a V2 ClientHello initially makes it possible
to detect that failure mode.  Since most SSL V3 client implementations
will send a V2 ClientHello upon first connection to a server it is normal
for even SSL servers and implementations which do not otherwise implement
SSL V2 to support receiving an SSL V2 ClientHello as documented in
Appendix E of the SSL V3 specification.
See http://home.netscape.com/eng/ssl3/4-APPN.HTM#E for details."

Although many servers do support v.2 client hellos, according
to the same SSL V3 specification cited above:
"Warning: The ability to send Version 2.0 client hello messages will be
phased out with all due haste.  Implementors should make every effort to
move forward as quickly as possible.  Version 3.0 provides better
mechanisms for transitioning to newer versions."

For this reason, our SSL server does NOT support a v.2 client hello.  Upon
receiving the v.2 client hello packets, it interprets them incorrectly and
terminates the connection.

While I understand that much of the time it might be desirable to send a
v.2 client hello (for the reasons Jeff wrote above), what I would like is
a function such as forceV3ClientHello(), that I can explicitly call to
force the client to send an SSL v.3 hello instead of an SSL v.2 hello.

----------

9/20/99 eval1127@eng -- there appear to be some similar bug reports already in our system.  Am filing this as a new bug as-is.  Sorry if it's a dupe of an existing bug #.
(Review ID: 95452) 
======================================================================


Comments
CONVERTED DATA

BugTraq+ Release Management Values

COMMIT TO FIX:
merlin-beta2

FIXED IN:
merlin-beta2

INTEGRATED IN:
merlin-beta2

VERIFIED IN:
hopper

2004-09-02
EVALUATION

We should take a look at this, since we can't even connect to www.ibm.com
with our reference implementation as it stands now.

ram.marti@Eng 2001-05-10
The reason we can't connect to https://ibm.com is that the webserver supports only SSL v2 which we don't support. So we fail with the error:

main, WRITE:  SSL v2, contentType = 22, translated length = 16310
Exception in thread "main" javax.net.ssl.SSLException: SSL V2.0 servers are not supported.

To test this RFE I need a webserver that supports only SSL V3 or roll our own for testing purposes.

bradford.wetmore@eng 2001-02-28
This is being evaluated for merlin.

ram.marti@Eng 2001-06-21
Upon further investigation the error message is incorrect. The problem is that the IBM server does not support TLS but only SSL 3.0. If I force the minor version to be 0 (SSL 3.0) then I can connect. This is also the behaviour shown by Internet Explorer. With IE, if I set TLS, then it can't connect. With SSL 3.0, I can connect.

We will provide new APIs to use a specific protocol, SSLv3 or TLSv1. In addition we will provide a way to force SSLv3 Hello or SSLv2 Hello. 

ram.marti@Eng 2001-06-28
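The two hello formats argued over in the description (an SSLv2-format CLIENT-HELLO carrying version 3.0, as in Appendix E of the SSL 3.0 spec, versus a plain SSLv3/TLS handshake record) and the version question raised in the evaluation (a client offering TLS 1.0 to a server that only speaks SSL 3.0) are shown below in an added example. This is illustrative Python written for this page, not code from the bug report, from JSSE or from the JDK: it builds both hello formats from constructed data, parses them the way a server that follows Appendix E must (dispatching on the first byte), and picks the version such a server would negotiate. The cipher spec values are the standard code points (0x010080 is the SSLv2 RC4-128-MD5 spec, 0x0004 and 0x000A are the SSLv3 RSA RC4-MD5 and 3DES-SHA suites); the challenge and random bytes are constructed, not captured.

```python
import os
import struct

# Constants from the SSL 3.0 specification and its Appendix E.
SSL2_CLIENT_HELLO = 0x01   # SSLv2 CLIENT-HELLO message type
HANDSHAKE = 0x16           # SSLv3/TLS record content type
HS_CLIENT_HELLO = 0x01     # SSLv3/TLS handshake message type
SSL_3_0, TLS_1_0 = 0x0300, 0x0301


def build_v2_hello(version, cipher_specs, challenge=None):
    """SSLv2-format CLIENT-HELLO that advertises `version` (e.g. 3.0).
    cipher_specs are 3-byte ints; SSLv3 suites appear as 0x00XXYY."""
    challenge = challenge or os.urandom(16)          # constructed sample challenge
    specs = b"".join(s.to_bytes(3, "big") for s in cipher_specs)
    body = (bytes([SSL2_CLIENT_HELLO]) + version.to_bytes(2, "big")
            + struct.pack("!HHH", len(specs), 0, len(challenge))  # no session id
            + specs + challenge)
    # Two-byte SSLv2 record header: high bit set, 15-bit body length.
    return struct.pack("!H", 0x8000 | len(body)) + body


def build_v3_hello(version, cipher_suites, client_random=None):
    """Plain SSLv3/TLS ClientHello inside a single handshake record."""
    client_random = client_random or os.urandom(32)  # constructed sample random
    suites = b"".join(s.to_bytes(2, "big") for s in cipher_suites)
    hello = (version.to_bytes(2, "big") + client_random
             + b"\x00"                                # empty session id
             + struct.pack("!H", len(suites)) + suites
             + b"\x01\x00")                           # compression: null only
    hs = bytes([HS_CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return (bytes([HANDSHAKE]) + version.to_bytes(2, "big")
            + struct.pack("!H", len(hs)) + hs)


def parse_client_hello(data):
    """Accept either hello format, as Appendix E asks servers to do.
    A server that only checks for a 0x16 record (the behaviour the
    reporter describes) would reject every SSLv2-format hello."""
    if len(data) < 5:
        raise ValueError("too short for any hello")
    if data[0] & 0x80:                               # SSLv2 record header
        body_len = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:2 + body_len]
        if len(body) != body_len or body[0] != SSL2_CLIENT_HELLO:
            raise ValueError("not an SSLv2 CLIENT-HELLO")
        version = int.from_bytes(body[1:3], "big")
        cs_len, sid_len, ch_len = struct.unpack("!HHH", body[3:9])
        if 9 + cs_len + sid_len + ch_len != body_len or cs_len % 3:
            raise ValueError("inconsistent SSLv2 length fields")
        specs = body[9:9 + cs_len]
        suites = [int.from_bytes(specs[i:i + 3], "big") for i in range(0, cs_len, 3)]
        return {"format": "SSLv2Hello", "version": version, "suites": suites}
    if data[0] == HANDSHAKE:                         # SSLv3/TLS record
        rec_len = int.from_bytes(data[3:5], "big")
        body = data[5:5 + rec_len]
        if len(body) != rec_len or body[0] != HS_CLIENT_HELLO:
            raise ValueError("not a handshake record holding a ClientHello")
        hs_len = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hs_len]
        if len(hello) != hs_len or hs_len < 35:
            raise ValueError("truncated ClientHello")
        version = int.from_bytes(hello[0:2], "big")
        pos = 35 + hello[34]                         # skip 32-byte random + session id
        cs_len = int.from_bytes(hello[pos:pos + 2], "big")
        pos += 2
        if cs_len % 2 or pos + cs_len > hs_len:
            raise ValueError("bad cipher suite vector")
        suites = [int.from_bytes(hello[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
        return {"format": "SSLv3Hello", "version": version, "suites": suites}
    raise ValueError("first byte 0x%02x starts neither hello format" % data[0])


def negotiate_version(client_version, server_max=SSL_3_0):
    """Version a server capped at server_max should answer with: the
    lower of the two. A TLS 1.0 offer to an SSL 3.0-only server therefore
    yields 3.0; it is a bug, not the spec, when such a server fails instead."""
    if client_version < SSL_3_0:
        return None                                  # refuse genuine SSLv2 clients
    return min(client_version, server_max)


if __name__ == "__main__":
    v2 = build_v2_hello(SSL_3_0, [0x010080, 0x000004])
    v3 = build_v3_hello(TLS_1_0, [0x0004, 0x000A])
    for msg in (v2, v3):
        info = parse_client_hello(msg)
        print(info, "-> server negotiates %#06x" % negotiate_version(info["version"]))
```

The fix described in the evaluation is the client-side counterpart: letting the application choose which of these two formats its first flight uses, and which protocol version it advertises, instead of always emitting the SSLv2 format.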