Bug ID: JDK-4416068 Some sites don't like our clientHello message

Type: Bug
Component: security-libs
Sub-Component: javax.net.ssl
Affected Version: unknown,1.0.2

Priority: P3
Status: Closed
Resolution: Duplicate
OS: generic,windows_2000
CPU: generic,x86

Submitted: 2001-02-16
Updated: 2001-06-28
Resolved: 2001-06-28

We send what appears to be a V 2 client hello, and the site
loe.lacaixa.es doesn't like it, and closes it's connection
immediately.  Should at least examine it to see why.

If you configure Netscape to use SSL version 2 it works.
If you use Netscape SSL version 3 it works.  But ours it doesn't like.

Brad


From the java-security alias:


Hello,

I'm working with the global version of JSSE 1.0.2 and trying to use the
following code to get a page from a secure server:

import java.net.*;
import java.io.*;

class Test {
    public static void main(String argv[])
        throws java.io.IOException
    {
        String pageLocation = "https://loe.lacaixa.es";
        java.security.Security.addProvider(
                new com.sun.net.ssl.internal.ssl.Provider());  
        java.lang.System.setProperty("java.protocol.handler.pkgs",
                        "com.sun.net.ssl.internal.www.protocol"); 
        URL url = new URL(pageLocation);
        HttpURLConnection connection = (HttpURLConnection)
url.openConnection();
        connection.connect();
        BufferedReader in = new
BufferedReader(new                                                                       
InputStreamReader(connection.getInputStream()));
        String inputLine;
        while ((inputLine = in.readLine()) != null) {
            System.out.println(inputLine);
        }
        in.close();
    } // end main()
}


The problem is that I get the error message:

Exception in thread "main" java.net.SocketException: Socket closed


But if instead of trying to connect to https://loe.lacaixa.es, I try to
connect to https://www.verisign.com (for example), it works. And I can
use my browser to navigate https://loe.lacaixa.es, without any problem.

I would like to know where's the problem here. Is there something wrong
in my code or is this a bug in the JSSE reference implementation
provided by Sun? Is there any workaround to this problem?

Thanks in advance.

Xavi


Name: krC82822			Date: 05/03/2001


java version "1.2.2"
Classic VM (build JDK-1.2.2_006, native threads, symcjit)

Run the URLReader class to connect to the website https://loe.lacaixa.es which
only expects SSLv3 message. With the system property -Djavax.net.debug=all on,
I got the following info:

[write] MD5 and SHA1 hashes:  len = 59
0000: 01 00 00 37 03 01 3A F0   C3 04 05 3B 7B B0 9E E2  ...7..:....;....
0010: 23 96 7D 32 19 4A 2E BD   A9 8A 5C 60 82 AF B3 15  #..2.J....\`....
0020: 3C BB 4E E2 94 5E 00 00   10 00 05 00 04 00 09 00  <.N..^..........
0030: 0A 00 12 00 13 00 03 00   11 01 00                 ...........
main, WRITE:  SSL v3.1 Handshake, length = 59
[write] MD5 and SHA1 hashes:  len = 77
0000: 01 03 01 00 24 00 00 00   20 00 00 05 00 00 04 01  ....$... .......
0010: 00 80 00 00 09 06 00 40   00 00 0A 07 00 C0 00 00  .......@........
0020: 12 00 00 13 00 00 03 02   00 80 00 00 11 3A F0 C3  .............:..
0030: 04 05 3B 7B B0 9E E2 23   96 7D 32 19 4A 2E BD A9  ..;....#..2.J...
0040: 8A 5C 60 82 AF B3 15 3C   BB 4E E2 94 5E           .\`....<.N..^
main, WRITE:  SSL v2, contentType = 22, translated length = 16310
Exception in thread "main" java.net.SocketException: Socket closed
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
        at com.sun.net.ssl.internal.ssl.AppOutputStream.write([DashoPro-V1.2-120
198])
        at java.io.OutputStream.write(OutputStream.java, Compiled Code)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake([DashoPro-V
1.2-120198])
        at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.doConnect([Da
shoPro-V1.2-120198])
        at com.sun.net.ssl.internal.www.protocol.https.NetworkClient.openServer(
[DashoPro-V1.2-120198])
        at com.sun.net.ssl.internal.www.protocol.https.HttpClient.l([DashoPro-V1
.2-120198])
        at com.sun.net.ssl.internal.www.protocol.https.HttpClient.<init>([DashoP
ro-V1.2-120198])
        at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.<init>([Dasho
Pro-V1.2-120198])
        at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V
1.2-120198])
        at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V
1.2-120198])
        at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.connec
t([DashoPro-V1.2-120198])
        at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.getInp
utStream([DashoPro-V1.2-120198])
        at URLReader.main(URLReader.java, Compiled Code)

Here is the code for URLReader:
public class URLReader {
    public static void main(String[] args) throws Exception {
      SSLContext ctx = SSLContext.getInstance("SSLv3"); // Same thing happens
for SSL or TLS
      
      KeyStore ks = KeyStore.getInstance("JKS");
      ks.load(new FileInputStream
("c:/jdk1.2.2/jre/lib/security/cacerts"), "changeit".toCharArray());
      
      TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
      tmf.init(ks);
      ctx.init(null, tmf.getTrustManagers(), null);
      SSLSocketFactory sf = ctx.getSocketFactory();

	URL url = new URL(args[0]); // "https://loe.lacaixa.es/");
      HttpsURLConnection con = (HttpsURLConnection)url.openConnection();
      con.setSSLSocketFactory(sf);
      BufferedReader in = new BufferedReader(
			  new InputStreamReader(con.getInputStream()));
      String inputLine;
      while ((inputLine = in.readLine()) != null)
        System.out.println(inputLine);
    
      in.close();
    }
}
(Review ID: 123671)
======================================================================

EVALUATION The site is running iTP Secure Web Server. This is a Web Server from the Tandem group of Compaq. Our client seem to run fine with other web servers. Also forcing our client to just send v3 greetings does not help. We get the same error. Need to look into it more to see why our client hello is rejected. ram.marti@Eng 2001-05-07 It looks like the SSL server can handle only SSL version 3.0 client hello requests and rejects version 3.1 hello request. The Netscape browser sends 3.0 requese and succeeds. If I force our client to send 3.0 Client Hello request instead of 3.1 we succeed in connecting to https://loe.lacaixa.es/. ram.marti@Eng 2001-05-07 Please See RFE 4273544 : JSSE Request for function forceV3ClientHello. We are implementing a new set of SSLSocket APIs (setEnabledProtocols, getEnabledProtocols and getSupportedProtocols) to enable a specific protocol on the socket. With these APIs, you can specify the SSLv3 tobe used , instead of TLSv1. I have verified that the site mentioned in the report can be reached using the new APIs to set SSLv3 to be used. I am closing this as a duplicate of the RFE 4273544.

02-09-2004