JDK-4273544 : JSSE: request for function forceV3ClientHello()
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 1.0,1.0.1,unknown,1.0.2,1.4.0
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS:
    generic,linux,windows_nt,windows_2000 generic,linux,windows_nt,windows_2000
  • CPU: generic,x86
  • Submitted: 1999-09-20
  • Updated: 2002-03-20
  • Resolved: 2001-07-09
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
Other
1.4.0 beta2Fixed
Related Reports
Duplicate :  
JDK-4416068 - Some sites don't like our clientHello message
Duplicate :  
JDK-4424213 - Problem with setting SSLContext.getInstance();
Duplicate :  
JDK-4489098 - JSSE cannot connect to Domino servers on SSL
Duplicate :  
JDK-4470673 - JDK 1.4 Https cannot connect to Lotus Notes web server
Duplicate :  
JDK-4435711 - SSL 3.1 Handshake fails with "bad_record_mac" on OS/390 platform
Description

Name: krT82822			Date: 09/20/99


This request for enhancement relates to the Java Secure Socket
Extension EA release.  When an SSL handshake is begun with
the code:

SSLSocketFactory f = context.getSocketFactory();
SSLSocket connection = null;
try {
  connection = (SSLSocket)f.createSocket(hostname,port);
 } catch(java.net.UnknownHostException unknown) {
      unknown.printStackTrace();
    } catch(java.io.IOException io) {
      io.printStackTrace();
    }

The client by default sends an SSL version 2 hello to the
server.  This is because, according to Jeff Nisewanger <###@###.###>:

"many implementations will want to send an SSL V2 client
hello in order to more cleanly detect and report handshake negotiation failures when connecting to old servers which only support SSL V2.  Sending a V3 ClientHello to a server that only supports SSL V2 can result in a hung connection or a seemingly random IO exception from the client's perspective. Always sending a V2 ClientHello initially makes it possible to detect that failure mode. Since most SSL V3 client implementations will send a V2 ClientHello upon first connection to a server it is normal for even SSL servers and implementations which do
not otherwise implement SSL V2 to support receiving an SSL V2
ClientHello as documented in Appendix E of the SSL V3 specification.
See http://home.netscape.com/eng/ssl3/4-APPN.HTM#E for details."

Although many servers do support v.2 client hellos, according
to the same SSL V3 specification cited above:
"Warning: The ability to send Version 2.0 client hello messages will be phased out with all due haste. Implementors should make every effort to move forward as quickly as possible. Version 3.0 provides better mechanisms for transitioning to newer versions."

For this reason, our SSL server, does NOT support a v.2 client hello.  Upon receiving the v.2 client hello packets, it interprets them incorrectly and terminates the connection.

While I understand that much of the time it might be
desirable to send a v.2 client hello (for the reasons Jeff
wrote above), what I would like is a function such as forceV3ClientHello(), that I can explicity call to force the
client to send an SSL v.3 hello instead of an SSL v.2 hello.

----------

9/20/99 eval1127@eng -- there appear to be some similar bug reports already in our system.  Am filing this as new bug as-is.  Sorry if it's a dupe of an existing bug #.
(Review ID: 95452) 
======================================================================
Comments
CONVERTED DATA BugTraq+ Release Management Values COMMIT TO FIX: merlin-beta2 FIXED IN: merlin-beta2 INTEGRATED IN: merlin-beta2 VERIFIED IN: hopper
02-09-2004
EVALUATION We should take a look at this, since we can't even connect to www.ibm.com with our reference implementatino as it stands now. ram.marti@Eng 2001-05-10 The reason we can't connet to https://ibm.com is that the webserver supports only SSL v2 which we don't support. So we fail with the error: main, WRITE: SSL v2, contentType = 22, translated length = 16310 Exception in thread "main" javax.net.ssl.SSLException: SSL V2.0 servers are no t supported. To test this RFE I need a webserver that supports only SSL V3 or roll our own for testing purpose. bradford.wetmore@eng 2001-02-28 This is being evaluated for merlin. ram.marti@Eng 2001-06-21 Upon further investigation the error message is incorrect. The problem is that the IBM server does not support TLS but only SSL 3.0. If I force minor version to be 0 (SSL 3.0) then I can connect. THis is also the behaviour shown by Internet Explorer. With IE if I set TLS , then it can't connect. With SSL 3.0 , I can connect. We will provide new APIs to use a specific protocol, SSLv3 or TLSv1. In addition we will provide a way to force SSLv3 Hello or SSLv2 Hello. ram.marti@Eng 2001-06-28
28-06-2001