If a TLS 1.3 ClientHello carries a supported_groups extension but no key_share extension, the JSSE server first produces a ServerHello and then aborts with an internal_error alert. For example:

javax.net.ssl|DEBUG|01|main|2018-12-20 20:43:03.059 CST|ClientHello.java:806|Consuming ClientHello handshake message (
"ClientHello": {
  "client version"      : "TLSv1.2",
  "random"              : "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
  "session id"          : "3E C3 93 BB D5 2B AC A2 36 00 AB D1 41 C1 C4 3B 4B 1A 32 91 79 92 9E 43 3D 2C F6 89 65 5F 04 28",
  "cipher suites"       : "[TLS_AES_128_GCM_SHA256(0x1301), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
  "compression methods" : "00",
  "extensions"          : [
    "supported_versions (43)": {
      "versions": [TLSv1.3, TLSv1.2]
    },
    "supported_groups (10)": {
      "versions": [secp256r1]
    },
    "signature_algorithms (13)": {
      "signature schemes": [rsa_pss_rsae_sha256, rsa_pss_pss_sha256]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [rsa_pkcs1_sha512, rsa_pkcs1_sha384, rsa_pkcs1_sha256, rsa_sha224, rsa_pkcs1_sha1, rsa_md5, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512]
    }
  ]
}
)
...
...
javax.net.ssl|DEBUG|01|main|2018-12-20 20:43:03.088 CST|ServerHello.java:580|Produced ServerHello handshake message (
"ServerHello": {
  "server version"      : "TLSv1.2",
  "random"              : "86 03 CD FB 91 24 39 FC 8E FE 35 07 FF C3 E0 42 FB 3C B4 B9 99 C4 6D A5 19 AF F4 C7 C2 C2 D3 17",
  "session id"          : "3E C3 93 BB D5 2B AC A2 36 00 AB D1 41 C1 C4 3B 4B 1A 32 91 79 92 9E 43 3D 2C F6 89 65 5F 04 28",
  "cipher suite"        : "TLS_AES_128_GCM_SHA256(0x1301)",
  "compression methods" : "00",
  "extensions"          : [
    "supported_versions (43)": {
      "selected version": [TLSv1.3]
    }
  ]
}
)
...
...
javax.net.ssl|ERROR|01|main|2018-12-20 20:43:03.093 CST|TransportContext.java:313|Fatal (INTERNAL_ERROR): Not negotiated key shares (
"throwable" : {
  javax.net.ssl.SSLException: Not negotiated key shares
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:129)
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:255)
    at java.base/sun.security.ssl.ServerHello$T13ServerHelloProducer.produce(ServerHello.java:595)
    at java.base/sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:436)
    at java.base/sun.security.ssl.ClientHello$T13ClientHelloConsumer.goServerHello(ClientHello.java:1224)
    at java.base/sun.security.ssl.ClientHello$T13ClientHelloConsumer.consume(ClientHello.java:1160)
    at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:849)
    at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:810)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:448)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:425)
    at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:178)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1151)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1062)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
    at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:716)
    at java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:799)
    at java.base/java.io.InputStream.read(InputStream.java:213)
    at SimpleJSSEServer.readIn(SimpleJSSEServer.java:37)
    at SimpleJSSEServer.main(SimpleJSSEServer.java:24)
}
)

But RFC 8446 section 9.2 states:

  - If containing a "supported_groups" extension, it MUST also contain a "key_share" extension, and vice versa. An empty KeyShare.client_shares vector is permitted.

  Servers receiving a ClientHello which does not conform to these requirements MUST abort the handshake with a "missing_extension" alert.

So the server should abort with a missing_extension alert as soon as it has consumed the ClientHello, rather than produce a ServerHello and only then fail with internal_error. The "Not negotiated key shares" exception is raised from T13ServerHelloProducer, i.e. after the extension check that should have rejected the hello has already been passed.
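The following is an added example, not part of the bug report or of JSSE: it builds the same kind of ClientHello as the trace above (TLS 1.3 offered, supported_groups present, key_share absent) as raw bytes, then applies the RFC 8446 section 9.2 rule quoted above the way a conforming server must, returning the alert that server should send. A second variant adds a key_share extension with an empty client_shares vector, which the RFC explicitly permits, to show that the check passes it. The session id and the helper names (build_client_hello, server_alert_for, probe) are constructed for this example; only the supported_groups/key_share rule quoted on the page is checked, not the other section 9.2 requirements.

```python
import socket
import struct

# Extension type codes (RFC 8446 section 4.2) and alert descriptions (section 6)
EXT_SUPPORTED_GROUPS, EXT_SIGNATURE_ALGORITHMS = 10, 13
EXT_SUPPORTED_VERSIONS, EXT_KEY_SHARE = 43, 51
ALERT_NAMES = {40: "handshake_failure", 80: "internal_error", 109: "missing_extension"}


def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(with_key_share):
    """Return one TLS record holding a ClientHello that offers TLS 1.3 with
    supported_groups=[secp256r1] and the two cipher suites from the trace.
    with_key_share=False omits key_share entirely (the non-conforming case);
    with_key_share=True sends key_share with an empty client_shares vector."""
    exts = b""
    versions = b"".join(struct.pack("!H", v) for v in (0x0304, 0x0303))   # TLS 1.3, TLS 1.2
    exts += _ext(EXT_SUPPORTED_VERSIONS, bytes([len(versions)]) + versions)
    groups = struct.pack("!H", 0x0017)                                     # secp256r1
    exts += _ext(EXT_SUPPORTED_GROUPS, struct.pack("!H", len(groups)) + groups)
    sigs = b"".join(struct.pack("!H", s) for s in (0x0804, 0x0809))       # rsa_pss_rsae/pss_sha256
    exts += _ext(EXT_SIGNATURE_ALGORITHMS, struct.pack("!H", len(sigs)) + sigs)
    if with_key_share:
        exts += _ext(EXT_KEY_SHARE, struct.pack("!H", 0))                  # empty client_shares

    body = struct.pack("!H", 0x0303)                 # legacy_version
    body += bytes(32)                                 # random: all zero, as in the trace
    body += bytes([32]) + bytes(range(32))            # legacy_session_id (constructed value)
    suites = struct.pack("!HH", 0x1301, 0x00FF)       # TLS_AES_128_GCM_SHA256, renegotiation SCSV
    body += struct.pack("!H", len(suites)) + suites
    body += bytes([1, 0])                             # legacy_compression_methods: null only
    body += struct.pack("!H", len(exts)) + exts
    handshake = bytes([1]) + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return struct.pack("!BHH", 0x16, 0x0301, len(handshake)) + handshake


def parse_client_hello_extensions(record):
    """Return {extension_type: data} for a single-record ClientHello."""
    ctype, _, rlen = struct.unpack("!BHH", record[:5])
    hs = record[5:]
    if ctype != 0x16 or rlen != len(hs) or hs[0] != 1:
        raise ValueError("not a ClientHello record")
    if int.from_bytes(hs[1:4], "big") != len(hs) - 4:
        raise ValueError("bad handshake length")
    p = 4 + 2 + 32                                    # skip legacy_version and random
    p += 1 + hs[p]                                    # legacy_session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]      # cipher_suites
    p += 1 + hs[p]                                    # legacy_compression_methods
    end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    if end != len(hs):
        raise ValueError("bad extensions length")
    p, exts = p + 2, {}
    while p < end:
        t, l = struct.unpack("!HH", hs[p:p + 4])
        if t in exts:
            raise ValueError("duplicate extension %d" % t)  # at most one of each type
        exts[t] = hs[p + 4:p + 4 + l]
        p += 4 + l
    return exts


def server_alert_for(record):
    """Apply the RFC 8446 9.2 rule quoted on the page: supported_groups and key_share
    must be present together or absent together. Returns the alert a conforming
    server must send, or None if this check passes."""
    exts = parse_client_hello_extensions(record)
    if (EXT_SUPPORTED_GROUPS in exts) != (EXT_KEY_SHARE in exts):
        return "missing_extension"
    return None


def probe(host, port, timeout=5.0):
    """Send the non-conforming hello to a live server and return the record types
    seen up to and including the first alert, e.g. ['handshake', 'alert:internal_error']."""
    seen, buf = [], b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(with_key_share=False))
        while True:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                return seen
            if not chunk:
                return seen
            buf += chunk
            while len(buf) >= 5 and len(buf) >= 5 + struct.unpack("!H", buf[3:5])[0]:
                ctype, _, rlen = struct.unpack("!BHH", buf[:5])
                rec, buf = buf[5:5 + rlen], buf[5 + rlen:]
                if ctype == 0x15:
                    seen.append("alert:" + ALERT_NAMES.get(rec[1], str(rec[1])))
                    return seen
                seen.append({0x14: "change_cipher_spec", 0x16: "handshake"}.get(ctype, str(ctype)))


if __name__ == "__main__":
    for flag in (False, True):
        print("key_share present:", flag, "->", server_alert_for(build_client_hello(flag)))
```

Run against a TLS 1.3 server with probe("host", port) to see which records precede the alert; a conforming server returns just ['alert:missing_extension'], whereas the behaviour reported above would show the ServerHello record first and then an internal_error alert. The server-side check is intentionally a pure function of the ClientHello bytes, so it can run before any ServerHello or key-share processing begins.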