JDK-8207223 : SSL Handshake failures are reported with more generic SSLException
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 11
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2018-07-12
  • Updated: 2020-11-23
  • Resolved: 2018-07-21
Fix versions:
  • JDK 11: 11 b24 (Fixed)
  • JDK 12: 12 (Fixed)
  • JDK 8: 8u261 (Fixed)
  • Other: openjdk8u272 (Fixed)
Description
A DESCRIPTION OF THE PROBLEM :
See the workaround in https://github.com/square/okhttp/pull/4138. Most concerning is having to assume any SSLException is an exception that could mean falling back to other connection specs (ciphers, TLS versions, etc.).

OkHttp has nuanced logic in https://github.com/square/okhttp/blob/7135628c645892faf1a48a8cff464e0ed4ad88cb/okhttp/src/main/java/okhttp3/internal/connection/ConnectionSpecSelector.java#L83-L127 to determine whether to retry with a fallback.

REGRESSION : Last worked in version 10.0.1

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Run tests for OkHttp on master

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Expected SSLProtocolException when the handshake fails; however, getting the more generic SSLException.
ACTUAL -

     HttpsURLConnection connection = (HttpsURLConnection) server.url("/").url().openConnection();
     connection.setSSLSocketFactory(tlsNode.sslSocketFactory());
     try {
       connection.getInputStream();
       fail();
     } catch (SSLProtocolException expected) {
       // RI response to the FAIL_HANDSHAKE
     } catch (SSLHandshakeException expected) {
       // Android's response to the FAIL_HANDSHAKE
+    } catch (SSLException expected) {
+      // JDK 1.9 response to the FAIL_HANDSHAKE
+      // javax.net.ssl.SSLException: Unexpected handshake message: client_hello
     } catch (SocketException expected) {
       // Conscrypt's response to the FAIL_HANDSHAKE
     }
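
Review bot: the added `catch (SSLException expected)` arm accepts every TLS failure, because SSLProtocolException and SSLHandshakeException are both subclasses of SSLException, so the two arms above it no longer narrow what the test allows. Mark the arm as temporary with a reference to this JDK bug so it can be dropped once the specific exception type is thrown again. The "JDK 1.9" label in its comment also does not match the report, which lists the affected version as 11 and 10.0.1 as the last working one.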

CUSTOMER SUBMITTED WORKAROUND :
https://github.com/square/okhttp/pull/4138

FREQUENCY : always
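
The fallback decision the report describes, as an added Java example (not OkHttp's or the JDK's code): it rules out certificate and peer-verification failures before looking at the exception type, then shows how the generic SSLException forces a choice between never falling back and falling back on every remaining TLS error. The class name, method names, flag and the sample exceptions marked constructed are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.InterruptedIOException;
import java.net.ProtocolException;
import java.security.cert.CertificateException;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLProtocolException;

// Added example: FallbackPolicy and its methods are hypothetical names.
public final class FallbackPolicy {

  // True only when retrying with another connection spec is reasonable.
  static boolean mayRetryWithFallback(IOException e, boolean acceptGenericSslException) {
    // Not a TLS negotiation problem: other ciphers or TLS versions will not help.
    if (e instanceof ProtocolException || e instanceof InterruptedIOException) return false;
    // Trust failures must never lead to a retry with different parameters.
    if (e instanceof SSLPeerUnverifiedException) return false;
    if (hasCause(e, CertificateException.class)) return false;
    // Specific handshake failure types: what fallback is meant for.
    if (e instanceof SSLHandshakeException || e instanceof SSLProtocolException) return true;
    // Workaround mode: the generic type also counts, so every remaining
    // SSLException is treated as a reason to fall back.
    return acceptGenericSslException && e instanceof SSLException;
  }

  private static boolean hasCause(Throwable t, Class<? extends Throwable> type) {
    for (Throwable c = t.getCause(); c != null; c = c.getCause()) {
      if (type.isInstance(c)) return true;
    }
    return false;
  }

  public static void main(String[] args) {
    // Constructed samples; only the first message is quoted from the report.
    IOException generic = new SSLException("Unexpected handshake message: client_hello");
    IOException specific = new SSLProtocolException("constructed: handshake failed");
    IOException untrusted = new SSLHandshakeException("constructed: untrusted chain");
    untrusted.initCause(new CertificateException("constructed: no trust anchor"));
    IOException unverified = new SSLPeerUnverifiedException("constructed: name mismatch");

    System.out.println("generic, strict policy:     " + mayRetryWithFallback(generic, false));
    System.out.println("generic, workaround policy: " + mayRetryWithFallback(generic, true));
    System.out.println("specific handshake failure: " + mayRetryWithFallback(specific, false));
    System.out.println("certificate failure:        " + mayRetryWithFallback(untrusted, true));
    System.out.println("peer unverified:            " + mayRetryWithFallback(unverified, true));
  }
}
```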



Comments
FYI: The bug reporter included the exact stack trace of the thrown exception at https://github.com/square/okhttp/pull/4138#issuecomment-406555286.
20-07-2018

I will make further evaluation, but I'm not sure if we can have a fix or not. The class of the thrown exception and the exception messages are not reliable as it is a kind of implementation detail, which could be changed without notice in a new release or update.
16-07-2018