JDK-7127374 : JSSE creates SSLProtocolException on (common) warning: unrecognized_name for SNI
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 7
  • Priority: P4
  • Status: Closed
  • Resolution: Not an Issue
  • OS: windows_7
  • CPU: x86
  • Submitted: 2012-01-05
  • Updated: 2012-08-23
  • Resolved: 2012-01-06
Related Reports
Duplicate :  
Relates :  
Description
(Original description used the acronym ISN, but assuming they meant SNI.  Am replacing with SNI throughout the report. - Brad)


FULL PRODUCT VERSION :
java version "1.7.0_02"
Java(TM) SE Runtime Environment (build 1.7.0_02-b13)
Java HotSpot(TM) 64-Bit Server VM (build 22.0-b10, mixed mode)

ADDITIONAL OS VERSION INFORMATION :
Various

A DESCRIPTION OF THE PROBLEM :
The new Feature of Java 7 to send the hostname in the SSL handshake (SNI) has the problem, that it triggers often SSL Handshake Alerts.

This could be regarded as a configuration problem of the server (server does not know which hostnames to serve), however since most Browsers happyly connect to those servers, the JSSE implementation should have a way to ignore this specific warning:

javax.net.ssl.SSLProtocolException: handshake alert:  unrecognized_name
	at sun.security.ssl.ClientHandshaker.handshakeAlert(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.recvAlert(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
	at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source)
	at  xxx




Besides ignoring the ClientHandshaker.handshakeAlert(112)  it would also help to turn ISN off for those peers.

REGRESSION.  Last worked in version 6u29

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
This specific stacktrace was created by:

new URL("https://timestamp.geotrust.com/tsa")).openConnection();

(I dont know what name the SSL Server would accept without warning)


EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
connection to that server
ACTUAL -
above exception

ERROR MESSAGES/STACK TRACES THAT OCCUR :
javax.net.ssl.SSLProtocolException: handshake alert:  unrecognized_name

REPRODUCIBILITY :
This bug can be reproduced always.

Comments
EVALUATION From JDK 7, the server name indication will be included in the TLS client messages. The server can ignore the server name indication, or checking for accuracy of the server name indication. If server want to check the server name indication, it maybe deny connection when the server name indication is not the expected server name, fail with an unrecognized_name alert. So it is not a bug of JDK, it is the purpose of server that need to deny the server name indication request, or some miss-configuration in the server side. Please make sure the server configuration is correct, or set the server to accept the server name, "timestamp.geotrust.com". If it is not possible to update the server side, the possible workaround is to disable the server name indication in client side, which can be done by setting system property jsse.enableSNIExtension to false. For the definition of the system property of jsse.enableSNIExtension, please refer to http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#Customization To make sure, please try this: jarsigner -J-Djsse.enableSNIExtension=false -keystore keystore -tsa https://timestamp.geotrust.com/tsa -signedjar dns-signed.jar dsn.jar mykey In general, I would not suggest you disable the SNI extension unless you clearly understand the server structures. As may expose you in the risks that the site is not what you really want to access.
16-06-2012

PUBLIC COMMENTS From JDK 7, the server name indication will be included in the TLS client messages. The server can ignore the server name indication, or checking for accuracy of the server name indication. If server want to check the server name indication, it maybe deny connection when the server name indication is not the expected server name, fail with an unrecognized_name alert. So it is not a bug of JDK, it is the purpose of server that need to deny the server name indication request, or some miss-configuration in the server side. Please make sure the server configuration is correct, or set the server to accept the server name, "timestamp.geotrust.com". If it is not possible to update the server side, the possible workaround is to disable the server name indication in client side, which can be done by setting system property jsse.enableSNIExtension to false. For the definition of the system property of jsse.enableSNIExtension, please refer to http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#Customization To make sure, please try this: jarsigner -J-Djsse.enableSNIExtension=false -keystore keystore -tsa https://timestamp.geotrust.com/tsa -signedjar dns-signed.jar dsn.jar mykey In general, I would not suggest you disable the SNI extension unless you clearly understand the server structures. As may expose you in the risks that the site is not what you really want to access.
05-06-2012

EVALUATION > however since most Browsers happyly connect to those servers, I tried to access the UEL mentioned in the bug description, "https://timestamp.geotrust.com/tsa", with IE and Firefox. Both shows no page found. So what's your mean about "most browsers happyly connection to those servers"? If the server sends an "unrecognized_name" fatal alert, the browser cannot be happy to ignore and continue the SSL connection. > the JSSE implementation should have a way to ignore this specific warning: We have a workaround for this. Please refer to the description of "jsse.enableSNIExtension" system property in JSSE Reference Guide. But I would not suggest you disable the SNI extension unless you clearly understand the server structures. As may expose you in the risks that the site is not what you really want to access. Close it as "not a defect".
23-04-2012

PUBLIC COMMENTS > however since most Browsers happyly connect to those servers, I tried to access the URL mentioned in the bug description, "https://timestamp.geotrust.com/tsa", with IE and Firefox. Both shows no page found. So what's your mean about "most browsers happyly connection to those servers"? If the server sends an "unrecognized_name" fatal alert, the browser cannot be happy to ignore and continue the SSL connection. > the JSSE implementation should have a way to ignore this specific warning: We have a workaround for this. Please refer to the description of "jsse.enableSNIExtension" system property in JSSE Reference Guide. But I would not suggest you disable the SNI extension unless you clearly understand the server structures. As may expose you in the risks that the site is not what you really want to access. Close it as "not a defect".
06-01-2012