JDK-8235311 : Tag mismatch may alert bad_record_mac
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 11,14
  • Priority: P4
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2019-12-04
  • Updated: 2021-02-22
  • Resolved: 2019-12-10
  • Fix Versions:
      • JDK 11: 11.0.8-oracle (Fixed)
      • JDK 13: 13.0.4 (Fixed)
      • JDK 14: 14 b27 (Fixed)
      • JDK 8: 8u261 (Fixed)
      • Other: openjdk8u292 (Fixed)
javax.net.ssl|DEBUG|01|main|2019-12-04 13:12:11.711 CST|SSLSocketOutputRecord.java:72|WRITE: TLS13 alert(handshake_failure), length = 2
javax.net.ssl|DEBUG|01|main|2019-12-04 13:12:11.712 CST|SSLCipher.java:2063|Plaintext before ENCRYPTION (
  0000: 02 28 15 00 00 00 00 00   00 00 00 00 00 00 00 00  .(..............
  0010: 00 00 00                                           ...
javax.net.ssl|DEBUG|01|main|2019-12-04 13:12:11.714 CST|SSLSocketOutputRecord.java:86|Raw write (
  0000: 17 03 03 00 23 E7 C1 17   7A E1 60 D5 F1 FA 55 B4  ....#...z.`...U.
  0010: DD 99 5B 6D CB DB 27 01   EB 73 FC 03 9B C9 10 4E  ..[m..'..s.....N
  0020: 5E 87 62 D8 DB F5 68 7B                            ^.b...h.
javax.net.ssl|DEBUG|01|main|2019-12-04 13:12:11.715 CST|SSLSocketImpl.java:1699|close the underlying socket
javax.net.ssl|DEBUG|01|main|2019-12-04 13:12:11.715 CST|SSLSocketImpl.java:1718|close the SSL connection (initiative)
javax.net.ssl.SSLHandshakeException: Tag mismatch!
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:324)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:262)
	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:129)
	at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1460)
	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1368)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:437)
	at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:878)
	at java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:969)
	at java.base/java.io.InputStream.read(InputStream.java:218)
	at SimpleTLS.readIn(SimpleTLS.java:40)
	at SimpleTLS.main(SimpleTLS.java:27)
Caused by: javax.crypto.AEADBadTagException: Tag mismatch!
	at java.base/com.sun.crypto.provider.GaloisCounterMode.decryptFinal(GaloisCounterMode.java:623)
	at java.base/com.sun.crypto.provider.CipherCore.finalNoPadding(CipherCore.java:1118)
	at java.base/com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:1055)
	at java.base/com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:943)
	at java.base/com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:491)
	at java.base/javax.crypto.CipherSpi.bufferCrypt(CipherSpi.java:794)
	at java.base/javax.crypto.CipherSpi.engineDoFinal(CipherSpi.java:730)
	at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2499)
	at java.base/sun.security.ssl.SSLCipher$T13GcmReadCipherGenerator$GcmReadCipher.decrypt(SSLCipher.java:1930)
	at java.base/sun.security.ssl.SSLSocketInputRecord.decodeInputRecord(SSLSocketInputRecord.java:262)
	at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:190)
	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:108)
	... 8 more

Per RFC 8446 section 6.2, the alert would be a fatal bad_record_mac rather than handshake_failure:

    bad_record_mac: This alert is returned if a record is received which cannot be deprotected. Because AEAD algorithms combine decryption and verification, and also to avoid side-channel attacks, this alert is used for all deprotection failures. This alert should never be observed in communication between proper implementations, except when messages were corrupted in the network.
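The following Python is an added example, not code from the JDK or from this report. It decodes the two hex dumps in the debug output above and models the receiver-side rule the RFC text states: any AEAD deprotection failure is answered with fatal bad_record_mac, and the cause is not reported to the peer. The "Plaintext before ENCRYPTION" dump decodes to level 0x02 (fatal), description 0x28 (40, handshake_failure), inner content type 0x15 (alert), followed by 16 bytes of zero padding; the fixed behaviour would put 0x14 (20, bad_record_mac) in the second byte. The AEAD in the example is a labelled toy (truncated HMAC-SHA256 tag, no encryption) standing in for AES-GCM so the tag-check path runs offline; the key, nonce and the corrupted record are constructed for the example, and the alert and content-type tables are the RFC 8446 values.

```python
import hashlib
import hmac
import re
import struct

# Hex dumps copied from the javax.net.ssl debug output quoted in this report.
PLAINTEXT_BEFORE_ENCRYPTION = """
  0000: 02 28 15 00 00 00 00 00   00 00 00 00 00 00 00 00  .(..............
  0010: 00 00 00                                           ...
"""
RAW_WRITE = """
  0000: 17 03 03 00 23 E7 C1 17   7A E1 60 D5 F1 FA 55 B4  ....#...z.`...U.
  0010: DD 99 5B 6D CB DB 27 01   EB 73 FC 03 9B C9 10 4E  ..[m..'..s.....N
  0020: 5E 87 62 D8 DB F5 68 7B                            ^.b...h.
"""

# RFC 8446 values used below.
ALERT_LEVEL = {1: "warning", 2: "fatal"}
ALERT_DESC = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac", 40: "handshake_failure"}
CT_ALERT, CT_APPLICATION_DATA = 21, 23
AEAD_TAG_LEN = 16  # tag length of the TLS 1.3 AES-GCM suites


def hexdump_to_bytes(dump: str) -> bytes:
    """JSSE dump layout 'OFFSET: <8 bytes>   <8 bytes>  <ascii>': groups are split by 2+ spaces,
    and the first group that is not made of hex pairs is the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        for group in re.split(r"\s{2,}", line.partition(":")[2].strip()):
            toks = group.split()
            if not toks or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", t) for t in toks):
                break
            out.extend(int(t, 16) for t in toks)
    return bytes(out)


def parse_record_header(raw: bytes) -> dict:
    """TLSCiphertext = opaque_type(1) || legacy_record_version(2) || length(2) || encrypted_record."""
    opaque_type, version, length = struct.unpack("!BHH", raw[:5])
    return {"opaque_type": opaque_type, "legacy_version": version, "length": length,
            "encrypted_record": raw[5:5 + length]}


def parse_inner_plaintext(inner: bytes) -> tuple:
    """TLSInnerPlaintext = content || ContentType || zeros[padding]; scan back over the padding."""
    end = len(inner)
    while end and inner[end - 1] == 0:
        end -= 1
    if end == 0:
        raise ValueError("all-zero plaintext carries no content type")  # RFC 8446 section 5.4
    return inner[:end - 1], inner[end - 1], len(inner) - end


def parse_alert(content: bytes) -> tuple:
    """Alert = level(1) || description(1), mapped to the RFC names."""
    return ALERT_LEVEL.get(content[0], content[0]), ALERT_DESC.get(content[1], content[1])


def build_alert_inner_plaintext(level: int, description: int, padding: int = 16) -> bytes:
    """Alert as TLSInnerPlaintext, with the 16 zero padding bytes the dump above shows."""
    return bytes([level, description, CT_ALERT]) + b"\x00" * padding


class AEADBadTag(Exception):
    """Stands in for javax.crypto.AEADBadTagException."""


def toy_aead_seal(key: bytes, nonce: bytes, aad: bytes, plaintext: bytes) -> bytes:
    """ASSUMPTION: toy AEAD (truncated HMAC-SHA256 tag, no encryption) standing in for AES-GCM."""
    tag = hmac.new(key, nonce + aad + plaintext, hashlib.sha256).digest()[:AEAD_TAG_LEN]
    return plaintext + tag


def toy_aead_open(key: bytes, nonce: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    body, tag = ciphertext[:-AEAD_TAG_LEN], ciphertext[-AEAD_TAG_LEN:]
    expect = hmac.new(key, nonce + aad + body, hashlib.sha256).digest()[:AEAD_TAG_LEN]
    if not hmac.compare_digest(tag, expect):  # constant-time, as a real AEAD tag check must be
        raise AEADBadTag("Tag mismatch!")
    return body


def seal_record(key: bytes, nonce: bytes, inner: bytes) -> bytes:
    """Protected TLS 1.3 record: outer type application_data, 5-byte header is the AEAD additional data."""
    header = struct.pack("!BHH", CT_APPLICATION_DATA, 0x0303, len(inner) + AEAD_TAG_LEN)
    return header + toy_aead_seal(key, nonce, header, inner)


def receive_record(raw: bytes, key: bytes, nonce: bytes) -> tuple:
    """Receiver side: ('content', content_type, bytes) or ('send_alert', level, description).
    Every deprotection failure maps to fatal(2) bad_record_mac(20) per RFC 8446 section 6.2,
    without telling the peer why; the JSSE in this report sent handshake_failure(40) instead."""
    hdr = parse_record_header(raw)
    try:
        inner = toy_aead_open(key, nonce, raw[:5], hdr["encrypted_record"])
    except AEADBadTag:
        return ("send_alert", 2, 20)
    try:
        content, ctype, _padding = parse_inner_plaintext(inner)
    except ValueError:
        return ("send_alert", 2, 10)  # unexpected_message, RFC 8446 section 5.4
    return ("content", ctype, content)


def alert_sent_in_report() -> tuple:
    """Decode the 'Plaintext before ENCRYPTION' dump: the alert JSSE actually wrote."""
    content, ctype, _padding = parse_inner_plaintext(hexdump_to_bytes(PLAINTEXT_BEFORE_ENCRYPTION))
    assert ctype == CT_ALERT
    return parse_alert(content)


def demo_tag_mismatch(key: bytes = b"\x11" * 16, nonce: bytes = b"\x22" * 12) -> tuple:
    """Constructed key/nonce. Returns (result for an intact record, result after flipping one tag bit)."""
    good = seal_record(key, nonce, build_alert_inner_plaintext(2, 20))
    corrupted = good[:-1] + bytes([good[-1] ^ 0x01])
    return receive_record(good, key, nonce), receive_record(corrupted, key, nonce)
```

alert_sent_in_report() returns ('fatal', 'handshake_failure'), which is the mismatch the fuzzer complained about. parse_record_header on the "Raw write" dump gives length 0x23 = 35, i.e. the 19-byte inner plaintext plus the 16-byte tag, and seal_record produces exactly the header 17 03 03 00 23 for a 19-byte alert plaintext, so the two dumps in the log are consistent with each other. demo_tag_mismatch() returns ('content', 21, b'\x02\x14') for the intact record and ('send_alert', 2, 20) once a single tag bit is flipped; the receiver never reveals whether the tag, the padding or the length was at fault, which is the side-channel point the RFC text makes.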
Fix Request (OpenJDK 8u) Please approve backporting this to OpenJDK 8u. JDK 11 patch applies clean. Oracle backported it to their JDK 8u too. Fix is simple and should be low risk.

Fix request (13u) Requesting backport to 13u for parity with 11u, applies cleanly.

Fix request (11u) -- will label after testing completed. I would like to downport this for parity with 11.0.8-oracle. Applies clean.

URL: https://hg.openjdk.java.net/jdk/jdk/rev/3333517d634e User: xuelei Date: 2019-12-10 15:08:03 +0000

No new regression test, simple fix and TLS fuzzing test confirmed the patch.

The test code requires a specific alert as John pointed out in the description:

    node.next_sibling = ExpectAlert(AlertLevel.fatal, AlertDescription.bad_record_mac)

Here's the issue as observed by the client:

    AssertionError: Expected alert description "bad_record_mac" does not match received "handshake_failure"

BTW, filings of this nature should be 'confidential' and P4.