JDK-8149914 : Client certificate authentication issues with TLS 1.2 and separate keystore
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 7u95
  • Priority: P3
  • Status: Closed
  • Resolution: Duplicate
  • Submitted: 2016-02-16
  • Updated: 2016-07-08
  • Resolved: 2016-07-08
Related Reports
Duplicate:
Description
This bug is closely related to JDK-8062032. The only difference is that a
separate keystore is being used rather than the browser keystore.
Client side authentication fails. The first algorithm is being selected even
though it is not supported: SHA224withRSA
With Java 8 this coincidentally works as the first algorithm IS supported.
But the bug is also present in 8 and presumably 9.
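As an added illustration (not code from the JDK or from this report), the small Java program below runs the server's CertificateRequest list, as captured in the MQ log in the comments, through two selection strategies: the first entry for the client's key type, which is the behaviour the report describes, and the first entry that the installed JCA providers can actually instantiate. On a JDK 7u without SHA-224 the first strategy yields SHA224withRSA with availability false, while the second yields SHA256withRSA; the class and method names are assumptions for this example.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.util.Arrays;
import java.util.List;
import java.util.Optional;

public class CertVerifySigAlgSelect {

    // Server-offered list, constructed here from the CertificateRequest shown in the MQ log.
    static final List<String> SERVER_OFFERED = Arrays.asList(
        "SHA224withRSA", "SHA256withRSA", "SHA384withRSA", "SHA512withRSA",
        "SHA224withECDSA", "SHA256withECDSA", "SHA384withECDSA", "SHA512withECDSA",
        "SHA1withECDSA", "SHA1withRSA", "SHA1withDSA", "MD5withRSA");

    // True only if some installed provider can instantiate this JCA signature name.
    static boolean locallyAvailable(String jcaName) {
        try {
            Signature.getInstance(jcaName);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    // Behaviour described in the report: take the server's first entry matching the
    // client key type without consulting the providers; signing fails later in CertificateVerify.
    static String firstListedForKey(List<String> offered, String keyAlg) {
        for (String alg : offered) {
            if (alg.endsWith("with" + keyAlg)) return alg;
        }
        throw new IllegalStateException("no algorithm offered for key type " + keyAlg);
    }

    // Intersection with local support: first server-preferred entry the client can sign with.
    static Optional<String> firstSupportedForKey(List<String> offered, String keyAlg) {
        return offered.stream()
            .filter(alg -> alg.endsWith("with" + keyAlg))
            .filter(CertVerifySigAlgSelect::locallyAvailable)
            .findFirst();
    }

    public static void main(String[] args) {
        String naive = firstListedForKey(SERVER_OFFERED, "RSA");
        System.out.println("first listed:    " + naive
            + " (available here: " + locallyAvailable(naive) + ")");
        System.out.println("first supported: "
            + firstSupportedForKey(SERVER_OFFERED, "RSA").orElse("<none>"));
    }
}
```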

Comments
closing. Porting JDK-4963723 to JDK 7 Updates will resolve this issue.
08-07-2016

There was an issue with the first test binary I supplied. It seems that the signature algorithm identifiers are coded into the RFC. See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 The JDK should match the values in the RFC for interoperability purposes. This fix may not now be necessary though. There is another enhancement in the JDK 7u pipeline (JDK-4963723) that's very close to completion. It directly impacts on this issue. Since JDK-4963723 introduces SHA-224 support in JDK 7u, SHA224withRSA will become a supported signature algorithm. As a result, I don't think it's feasible to remove SHA224withRSA from the supported list (as was the purpose of this fix approach). As a result, I propose that we hold for a few more days until we get SHA-224 support delivered into the JDK 7u code line. The submitter's app should work fine with such a fix.
26-05-2016

SHA224withRSA and SHA224withECDSA removed as supported CertificateRequest signature algorithms in test binary supplied to submitter. However, they now experience a different issue (after progressing further). The Server (IBM JDK) appears to send the Oracle JDK (client end point) a fatal alert message. Client's change cipher spec message appears to be rejected. Investigating further.
=====
*** CertificateVerify
Signature Algorithm SHA256withRSA
main, WRITE: TLSv1.2 Handshake, length = 264
main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
verify_data: { 251, 135, 33, 255, 116, 58, 3, 201, 152, 98, 54, 148 }
***
main, WRITE: TLSv1.2 Handshake, length = 80
main, READ: TLSv1.2 Alert, length = 2
main, RECV TLSv1.2 ALERT: fatal, handshake_failure
====
04-03-2016

JDK log output
===
....
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA224withRSA, SHA256withRSA, SHA384withRSA, SHA512withRSA, SHA224withECDSA, SHA256withECDSA, SHA384withECDSA, SHA512withECDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Cert Authorities:
....
====
Exception from MQ logs:
15:36:58.647.00 0001 CC=2;RC=2397;AMQ9771: SSL handshake failed. [1=javax.net.ssl.SSLHandshakeException[Error signing certificate verify],3=server_name.net/144.xx.xx.xx:xxx (server_name.net),4=SSLSocket.startHandshake,5=default] [com.ibm.mq.jmqi.JmqiException] at:
15:36:58.647.00 0001 com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1191)
15:36:58.647.00 0001 com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:724)
15:36:58.647.00 0001 com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection(RemoteConnectionSpecification.java:400)
....
15:36:58.647.00 0001 Cause:
15:36:58.647.00 0001 Error signing certificate verify [javax.net.ssl.SSLHandshakeException] at:
15:36:58.647.00 0001 sun.security.ssl.Alerts.getSSLException(Unknown Source)
15:36:58.647.00 0001 sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
15:36:58.647.00 0001 sun.security.ssl.Handshaker.fatalSE(Unknown Source)
15:36:58.647.00 0001 sun.security.ssl.ClientHandshaker.serverHelloDone(Unknown Source)
15:36:58.647.00 0001 sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
....
15:36:58.647.00 0001 Cause:
15:36:58.647.00 0001 SHA224withRSA Signature not available [java.security.NoSuchAlgorithmException] at:
15:36:58.647.00 0001 java.security.Signature.getInstance(Unknown Source)
15:36:58.647.00 0001 sun.security.ssl.JsseJce.getSignature(Unknown Source)
15:36:58.647.00 0001 sun.security.ssl.HandshakeMessage$CertificateVerify.<init>(Unknown Source)
15:36:58.647.00 0001 sun.security.ssl.ClientHandshaker.serverHelloDone(Unknown Source)
15:36:58.647.00 0001 sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
15:36:58.647.00 0001 sun.security.ssl.Handshaker.processLoop(Unknown Source)
15:36:58.647.00 0001 sun.security.ssl.Handshaker.process_record(Unknown Source)
15:36:58.647.00 0001 sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
15:36:58.647.00 0001 sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
15:36:58.647.00 0001 sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
15:36:58.647.00 0001 sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
15:36:58.647.00 0001 com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1160)
15:36:58.647.00 0001 com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1155)
24-02-2016