JDK-8144569 : Custom HostnameVerifier breaks SNI connection
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 8u65,9
  • Priority: P4
  • Status: Closed
  • Resolution: Duplicate
  • OS: windows_7
  • CPU: x86_64
  • Submitted: 2015-12-02
  • Updated: 2015-12-06
  • Resolved: 2015-12-06
Related Reports
Duplicate :  
Duplicate :  
Description
FULL PRODUCT VERSION :
java version "1.8.0_65"
Java(TM) SE Runtime Environment (build 1.8.0_65-b17)
Java HotSpot(TM) 64-Bit Server VM (build 25.65-b01, mixed mode)

ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Version 6.1.7601]

A DESCRIPTION OF THE PROBLEM :
As already reported in https://bugs.openjdk.java.net/browse/JDK-8072464, using a custom HostnameVerifier breaks secure connections with SNI. In the linked report it may fall back to not using SNI, but the issue is with sites relying on SNI only.

Some of the sites showing the issue are (CloudFlare CDN):
https://kitematic.com/terms-of-service/
https://roundcube.net/news/2015/11/23/roundcube-webmail-1.2-beta-out-now/

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Attempt to make a connection to an SNI-only site when using a HostnameVerifier - run the attached test case.


ERROR MESSAGES/STACK TRACES THAT OCCUR :
Exception in thread "main" javax.net.ssl.SSLException: Received fatal alert: internal_error
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
	at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
	at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1513)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
	at SSLClient.main(SSLClient.java:14)

REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
import javax.net.ssl.*;
import java.net.URL;

public class SSLClient {
    public static void main(String[] args) throws Exception {
        URL url = new URL("https://roundcube.net/news/2015/11/23/roundcube-webmail-1.2-beta-out-now/");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();

        conn.setHostnameVerifier(new HostnameVerifier() {
            public boolean verify(String s, SSLSession sslSession) {
                return true;
            }
        });
        conn.getInputStream();
    }
} 
---------- END SOURCE ----------
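
The report ties the failure to the client not using SNI. The following is an added example, not part of the submitted test case or of the JDK: it builds a ClientHello in memory with SSLEngine (no network connection) and checks whether the server_name extension is present, once with no host name given to JSSE and once with the name set explicitly. The class name SniCheck and the host name sni-only.example are placeholders.

```java
import javax.net.ssl.*;
import java.nio.ByteBuffer;
import java.util.Collections;

public class SniCheck {
    // Produce the ClientHello record in memory; no network connection is made.
    static ByteBuffer clientHello(SSLEngine engine) throws SSLException {
        engine.setUseClientMode(true);
        ByteBuffer net = ByteBuffer.allocate(engine.getSession().getPacketBufferSize());
        engine.wrap(ByteBuffer.allocate(0), net);   // the first wrap() starts the handshake
        net.flip();
        return net;
    }

    // Walk the ClientHello and report whether extension type 0 (server_name, RFC 6066) is present.
    static boolean hasServerName(ByteBuffer b) {
        int p = 5 + 4 + 2 + 32;                     // record header, handshake header, version, random
        p += 1 + (b.get(p) & 0xff);                 // session_id
        p += 2 + (b.getShort(p) & 0xffff);          // cipher_suites
        p += 1 + (b.get(p) & 0xff);                 // compression_methods
        if (p + 2 > b.limit()) return false;        // no extensions block at all
        int end = p + 2 + (b.getShort(p) & 0xffff);
        p += 2;
        while (p + 4 <= end) {
            int type = b.getShort(p) & 0xffff;
            if (type == 0) return true;
            p += 4 + (b.getShort(p + 2) & 0xffff);  // skip type, length and body
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        String host = "sni-only.example";           // placeholder name (assumption)

        SSLEngine bare = ctx.createSSLEngine();     // JSSE is given no peer host name

        SSLEngine explicit = ctx.createSSLEngine(); // same, but server_name is set by hand
        SSLParameters params = explicit.getSSLParameters();
        params.setServerNames(Collections.<SNIServerName>singletonList(new SNIHostName(host)));
        params.setEndpointIdentificationAlgorithm("HTTPS"); // JSSE checks the certificate name itself
        explicit.setSSLParameters(params);

        System.out.println("no host name : server_name sent = " + hasServerName(clientHello(bare)));
        System.out.println("explicit SNI : server_name sent = " + hasServerName(clientHello(explicit)));
    }
}
```

Setting the endpoint identification algorithm keeps the certificate name check that an accept-all HostnameVerifier, like the one in the test case, skips.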


Comments
This is the same as JDK-8144567, so closing as duplicate. The issue may be tracked through JDK-8144567.
03-12-2015