JDK-8239595 : ssl context version is not respected
  • Type: Bug
  • Component: core-libs
  • Sub-Component: java.net
  • Affected Version: 12
  • Priority: P4
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2020-02-14
  • Updated: 2020-04-18
  • Resolved: 2020-04-10
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 15
15 b19Fixed
Related Reports
Relates :  
JDK-8239594 - jdk.tls.client.protocols is not respected
Description
ADDITIONAL SYSTEM INFORMATION :
Tested in OpenJDK 13 and also 11.0.6+10.

A DESCRIPTION OF THE PROBLEM :
According to https://www.java.com/en/configure_crypto.html setting an SSL context of a specific version makes this version the upper limit to be used.
But this is not the case.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Start JShell and execute:

System.setProperty("javax.net.debug", "ssl:handshake:verbose")
javax.net.ssl.SSLContext sslContext = javax.net.ssl.SSLContext.getInstance("TLSv1.2")
sslContext.init(null, null, null)
java.net.http.HttpClient.newBuilder().sslContext(sslContext).build().send(java.net.http.HttpRequest.newBuilder(new java.net.URI("https://tls1.3speaking.url")).GET().build(), java.net.http.HttpResponse.BodyHandlers.ofString()).body()


EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
TLS1.2 being used
ACTUAL -
javax.net.ssl|DEBUG|1A|HttpClient-6-Worker-0|2020-02-14 14:24:03.229 CET|ClientHello.java:653|Produced ClientHello handshake message (
"ClientHello": {
...
    "supported_versions (43)": {
      "versions": [TLSv1.3, TLSv1.2]
    },
...
javax.net.ssl|DEBUG|1A|HttpClient-6-Worker-0|2020-02-14 14:24:03.245 CET|ServerHello.java:871|Consuming ServerHello handshake message (
"ServerHello": {
...
    "supported_versions (43)": {
      "selected version": [TLSv1.3]
...
javax.net.ssl|DEBUG|1A|HttpClient-6-Worker-0|2020-02-14 14:24:03.245 CET|ServerHello.java:967|Negotiated protocol version: TLSv1.3


CUSTOMER SUBMITTED WORKAROUND :
Disable TLS1.3 completely in the runtime using jdk.tls.disabledAlgorithms in conf/security/java.security mentioned on the same page.

Or using SSLParameters like mentioned on the same page:

javax.net.ssl.SSLParameters sslParameters = new javax.net.ssl.SSLParameters()
sslParameters.setProtocols(new String[] {"TLSv1.2"})
...
.sslParameters(sslParameters)

FREQUENCY : always
Comments
URL: https://hg.openjdk.java.net/jdk/jdk/rev/4a39a7ad717f User: pconcannon Date: 2020-04-10 09:06:21 +0000
10-04-2020
Looks like HttpClientImpl.getDefaultParams() is using the supported protocols, rather than the default ssl context protocols for its configuration. Assign to httpclient for further evaluation.
28-02-2020
Observation summary: JDK 13.0.2: Fail; Connecting with https://www.google.com; Negotiated protocol version: TLSv1.3 JDK 12ea b11: Fail; Connecting with https://www.google.com; Negotiated protocol version: TLSv1.3 JDK 12ea b10: Pass; Connecting with https://www.google.com; Negotiated protocol version: TLSv1.2 JDK 11.0.7: Pass; Connecting with https://www.google.com; Negotiated protocol version: TLSv1.2
21-02-2020