JDK-4614560 : REGRESSION: Applet not loaded with JRE1.4-b3, Client Authentication required
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 1.4.0
  • Priority: P4
  • Status: Closed
  • Resolution: Duplicate
  • OS: windows_2000
  • CPU: x86
  • Submitted: 2001-12-17
  • Updated: 2002-11-08
  • Resolved: 2002-11-08
Related Reports
Duplicate :  
Description

Name: gm110360			Date: 12/17/2001


Java Plug-in 1.4.0-beta3 Java HotSpot(TM) Client VM

Symptom:

Applets cannot be loaded with JRE1.4.0-beta3 when Client Authentication is
required by webserver.
And finally ClassNotFoundException occurs.
The same system has been working fine with Java Plug-in 1.3.1_01.

This problem occurs only when I am writing the following line in apache's
httpd.conf to specify Client Authentication.
  SSLVerifyClient require

and doesn't reproduce by the following. In this case, No Client Authentication
and the applet is loaded normally and works.
  SSLVerifyClient none


Environment:

Server:
LASER5 Linux 7.1
Apache/1.3.22
mod_ssl/2.8.5
OpenSSL/0.9.6b

Client:
Windows2000
Internet Explorer 6.0
Netscape 6.2
JRE_1.4.0-beta3


Reproducing:

1) prepare SSL enabled webserver which provides an applet-showing html.
2) configure webserver to require client certificate for authentication.
3) import client certificate to browser.
4) show any applets.


                                    
Applet console output:

java.net.SocketException: Software caused connection abort: JVM_recv in socket
input stream read
	at java.net.SocketInputStream.socketRead0(Native Method)
	at java.net.SocketInputStream.read(SocketInputStream.java:119)
	at com.sun.net.ssl.internal.ssl.InputRecord.a(DashoA6275)
	at com.sun.net.ssl.internal.ssl.InputRecord.read(DashoA6275)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
	at com.sun.net.ssl.internal.ssl.HandshakeOutStream.flush(DashoA6275)
	at com.sun.net.ssl.internal.ssl.Handshaker.sendChangeCipherSpec
(DashoA6275)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.g(DashoA6275)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.a(DashoA6275)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage
(DashoA6275)
	at com.sun.net.ssl.internal.ssl.Handshaker.process_record(DashoA6275)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
	at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA6275)
	at java.io.BufferedInputStream.fill(BufferedInputStream.java:186)
	at java.io.BufferedInputStream.read1(BufferedInputStream.java:225)
	at java.io.BufferedInputStream.read(BufferedInputStream.java:280)
	at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:722)
	at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:685)
	at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:693)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream
(HttpURLConnection.java:558)
	at sun.net.www.protocol.http.HttpURLConnection.getHeaderField
(HttpURLConnection.java:1092)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getHeaderField
(DashoA6275)
	at sun.net.www.protocol.https.PluginHttpsURLConnection.checkCookieHeader
(PluginHttpsURLConnection.java:341)
	at sun.net.www.protocol.https.PluginHttpsURLConnection.getInputStream
(PluginHttpsURLConnection.java:299)
	at sun.plugin.net.protocol.http.HttpUtils.followRedirects
(HttpUtils.java:41)
	at sun.plugin.cache.CachedJarLoader.download(CachedJarLoader.java:341)
	at sun.plugin.cache.CachedJarLoader.load(CachedJarLoader.java:112)
	at sun.plugin.cache.JarCache.get(JarCache.java:170)
	at sun.plugin.net.protocol.jar.CachedJarURLConnection.connect
(CachedJarURLConnection.java:73)
	at sun.plugin.net.protocol.jar.CachedJarURLConnection.getJarFile
(CachedJarURLConnection.java:58)
	at sun.misc.URLClassPath$JarLoader.getJarFile(URLClassPath.java:501)
	at sun.misc.URLClassPath$JarLoader.<init>(URLClassPath.java:462)
	at sun.misc.URLClassPath$2.run(URLClassPath.java:258)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.misc.URLClassPath.getLoader(URLClassPath.java:247)
	at sun.misc.URLClassPath.getLoader(URLClassPath.java:224)
	at sun.misc.URLClassPath.getResource(URLClassPath.java:137)
	at java.net.URLClassLoader$1.run(URLClassLoader.java:193)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.net.URLClassLoader.findClass(URLClassLoader.java:189)
	at sun.applet.AppletClassLoader.findClass(AppletClassLoader.java:134)
	at sun.plugin.security.PluginClassLoader.findClass
(PluginClassLoader.java:191)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:309)
	at sun.applet.AppletClassLoader.loadClass(AppletClassLoader.java:114)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:265)
	at sun.applet.AppletClassLoader.loadCode(AppletClassLoader.java:470)
	at sun.applet.AppletPanel.createApplet(AppletPanel.java:551)
	at sun.plugin.AppletViewer.createApplet(AppletViewer.java:1610)
	at sun.applet.AppletPanel.runLoader(AppletPanel.java:480)
	at sun.applet.AppletPanel.run(AppletPanel.java:293)
	at java.lang.Thread.run(Thread.java:539)
java.lang.ClassNotFoundException: SwingSet2Applet
	at sun.applet.AppletClassLoader.findClass(AppletClassLoader.java:153)
	at sun.plugin.security.PluginClassLoader.findClass
(PluginClassLoader.java:191)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:309)
	at sun.applet.AppletClassLoader.loadClass(AppletClassLoader.java:114)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:265)
	at sun.applet.AppletClassLoader.loadCode(AppletClassLoader.java:475)
	at sun.applet.AppletPanel.createApplet(AppletPanel.java:551)
	at sun.plugin.AppletViewer.createApplet(AppletViewer.java:1610)
	at sun.applet.AppletPanel.runLoader(AppletPanel.java:480)
	at sun.applet.AppletPanel.run(AppletPanel.java:293)
	at java.lang.Thread.run(Thread.java:539)
Caused by: java.net.SocketException: Software caused connection abort: JVM_recv
in socket input stream read
	at java.net.SocketInputStream.socketRead0(Native Method)
	at java.net.SocketInputStream.read(SocketInputStream.java:119)
	at com.sun.net.ssl.internal.ssl.InputRecord.a(DashoA6275)
	at com.sun.net.ssl.internal.ssl.InputRecord.read(DashoA6275)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
	at com.sun.net.ssl.internal.ssl.HandshakeOutStream.flush(DashoA6275)
	at com.sun.net.ssl.internal.ssl.Handshaker.sendChangeCipherSpec
(DashoA6275)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.g(DashoA6275)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.a(DashoA6275)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage
(DashoA6275)
	at com.sun.net.ssl.internal.ssl.Handshaker.process_record(DashoA6275)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
	at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA6275)
	at java.io.BufferedInputStream.fill(BufferedInputStream.java:186)
	at java.io.BufferedInputStream.read1(BufferedInputStream.java:225)
	at java.io.BufferedInputStream.read(BufferedInputStream.java:280)
	at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:722)
	at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:685)
	at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:693)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream
(HttpURLConnection.java:558)
	at sun.net.www.protocol.http.HttpURLConnection.getHeaderField
(HttpURLConnection.java:1120)
	at sun.net.www.protocol.http.HttpURLConnection.getResponseCode
(HttpURLConnection.java:1134)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode
(DashoA6275)
	at sun.applet.AppletClassLoader.getBytes(AppletClassLoader.java:224)
	at sun.applet.AppletClassLoader.access$100(AppletClassLoader.java:42)
	at sun.applet.AppletClassLoader$1.run(AppletClassLoader.java:143)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.applet.AppletClassLoader.findClass(AppletClassLoader.java:140)
	... 10 more

Release Regression From : merlin-beta3
The above release value was the last known release where this
bug was known to work. Since then there has been a regression.

(Review ID: 136708) 
======================================================================

Comments
WORK AROUND

Name: gm110360 Date: 12/17/2001

None
======================================================================
02-09-2004

EVALUATION

From trace stack, it seems SSL failed during hand-shaking phase, so the SSL team is probably the best candidate to look at it.

###@###.### 2001-12-18

This bug was misfiled into an old category for JSSE. I've filed servicedesk #2117969 to either close or remove this category so this doesn't happen again. I'm sorry for the delay. I wish we had known about this earlier.

=============

My initial take on it is that the Apache web server isn't properly closing the connection when the received client certificate (possibly null) is received. If JSSE doesn't have a suitable certificate, it can only send a "null" cert message in hopes that the server will accept that. However, if the server doesn't like the answer it gets and closes down incorrectly, then there's really not much we can do.

Something that would *REALLY* help me is to get a copy of the JSSE debug output, that will give us a much clearer picture of what's going on. Please have them rerun the application's client side with the system property set:

  javax.net.debug=all

Alternatively, if this server is available on the Internet, I can remotely access it. If there are any additional followup questions I have to the above, I can investigate those directly. I'll see if I can get an Apache server with https going here, but it may take a bit.

If the server did really shutdown incorrectly, then the socket exception is the proper thing to be receiving. As for a "workaround", the best you can do from the JSSE perspective is to have a suitable keystore entry in the client's keymanager database.

Thank you.

###@###.### 2002-06-03

It was just pointed out that plugin doesn't have client authentication working in 1.4.x yet, which may explain the underlying cause for this bug. What was confusing is the submitter claimed it was working in merlin-beta3, which is why I thought it might have been something we had done. I've asked Dennis Gu (who is working on client auth in plugin) to evaluate if this is a duplicate.

###@###.### 2002-11-07

###@###.### 2002-11-08

This is exactly the same bug as #4681247, same submitter, which we already fixed in Mantis. I will close it as duplicate, for more detailed info, see bug 4681247.

Dennis Gu
08-11-2002
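
The evaluation's two suggestions, a key entry in the client's key manager and `javax.net.debug=all` tracing, can be exercised outside the plug-in with a small standalone client. This is an added example, not code from the bug report or from the JDK; it is written against the current `javax.net.ssl` API, and the class name `ClientAuthCheck`, the PKCS#12 keystore format and the three command-line arguments are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

// Added example (hypothetical class name). Usage:
//   java ClientAuthCheck <client.p12> <password> <https-url>
public class ClientAuthCheck {

    // Load a PKCS#12 keystore and insist on at least one private-key entry.
    // A keystore holding only trusted certificates gives the key manager
    // nothing to offer, so the client answers the server's certificate
    // request with an empty certificate list.
    static KeyStore loadClientKeyStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                return ks;
            }
        }
        throw new IllegalStateException("no private-key entry in " + path);
    }

    public static void main(String[] args) throws Exception {
        // Handshake tracing requested in the evaluation; set before any
        // JSSE class is used (or pass -Djavax.net.debug=all on the command line).
        System.setProperty("javax.net.debug", "all");

        char[] password = args[1].toCharArray();
        KeyStore ks = loadClientKeyStore(args[0], password);

        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);

        // null trust managers and null SecureRandom select the platform defaults.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);

        HttpsURLConnection conn =
                (HttpsURLConnection) URI.create(args[2]).toURL().openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Against a server configured with `SSLVerifyClient require`, the debug trace shows whether the client's Certificate message carries a chain or is empty, which separates a missing key entry from a server-side rejection.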