JDK-8209982 : SSL handshake fails on an (apparently) correct certificate, working in jdk10
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 11
  • Priority: P3
  • Status: Closed
  • Resolution: Duplicate
  • OS: linux
  • CPU: x86_64
  • Submitted: 2018-08-24
  • Updated: 2018-08-27
  • Resolved: 2018-08-27
Related Reports
Duplicate :  
Description
ADDITIONAL SYSTEM INFORMATION :
Tested in Windows 10 and Linux

A DESCRIPTION OF THE PROBLEM :
This handshake fails with message "extension (10) should not be presented in server_hello"

        URL obj = new URL("https://sis.redsys.es/sis/realizarPago");
        HttpURLConnection con = (HttpURLConnection) obj.openConnection();
        con.setRequestMethod("GET");
        int responseCode = con.getResponseCode();

It was working in JDK 10 or previous. This URL also works in any browser.

Tested in JDK 11 EA and latest release candidate (28)

REGRESSION : Last worked in version 10.0.2

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Execute 
        HttpURLConnection con = (HttpURLConnection) new URL("https://sis.redsys.es/sis/realizarPago").openConnection();
        con.setRequestMethod("GET");
        int responseCode = con.getResponseCode();

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
responseCode should be 200, no certificate errors
ACTUAL -
An error is thrown:

extension (10) should not be presented in server_hello
javax.net.ssl.SSLHandshakeException: extension (10) should not be presented in server_hello
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:255)
	at java.base/sun.security.ssl.SSLExtensions.<init>(SSLExtensions.java:71)
	at java.base/sun.security.ssl.ServerHello$ServerHelloMessage.<init>(ServerHello.java:173)
	at java.base/sun.security.ssl.ServerHello$ServerHelloConsumer.consume(ServerHello.java:864)
	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
	at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:178)
	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
	at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
	at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
	at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
	at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1581)
	at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1509)
	at java.base/java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:527)
	at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:329)

---------- BEGIN SOURCE ----------
package com.test;

import java.net.HttpURLConnection;
import java.net.URL;

public class HandshakeFail {

    public static void main(String[] args) throws Exception {
        HttpURLConnection con = (HttpURLConnection) new URL("https://sis.redsys.es/sis/realizarPago").openConnection();
        con.setRequestMethod("GET");
        int responseCode = con.getResponseCode();
    }
}

---------- END SOURCE ----------

FREQUENCY : always



Comments
The test case results :
JDK 10.0.2 - Pass
JDK 11-ea+28 - Fail

Output:
javax.net.ssl|ERROR|01|main|2018-08-27 11:28:54.280 IST|TransportContext.java:313|Fatal (UNSUPPORTED_EXTENSION): extension (10) should not be presented in server_hello (
"throwable" : {
javax.net.ssl.SSLHandshakeException: extension (10) should not be presented in server_hello
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:255)
	at java.base/sun.security.ssl.SSLExtensions.<init>(SSLExtensions.java:71)
	at java.base/sun.security.ssl.ServerHello$ServerHelloMessage.<init>(ServerHello.java:173)
	at java.base/sun.security.ssl.ServerHello$ServerHelloConsumer.consume(ServerHello.java:864)
	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
	at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:178)
	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
	at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
	at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
	at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
	at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1581)
	at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1509)
	at java.base/java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:527)
	at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:329)
	at JI9056898.main(JI9056898.java:11)}
)
javax.net.ssl|DEBUG|01|main|2018-08-27 11:28:54.371 IST|SSLSocketOutputRecord.java:71|WRITE: TLS13 alert(unsupported_extension), length = 2
javax.net.ssl|DEBUG|01|main|2018-08-27 11:28:54.375 IST|SSLSocketOutputRecord.java:85|Raw write (
  0000: 15 03 03 00 02 02 6E                               ......n
)
javax.net.ssl|DEBUG|01|main|2018-08-27 11:28:54.382 IST|SSLSocketImpl.java:1361|close the underlying socket
27-08-2018
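
An added example (not part of the bug report and not JDK code): a minimal Java parser that walks the extension list of a ServerHello handshake message and marks type 10, the extension named in the exception above. The sample message is constructed rather than captured from the host in the report, and the class and method names are hypothetical.

```java
import java.nio.ByteBuffer;
import java.util.ArrayList;
import java.util.List;

public class ServerHelloExtensions {

    // IANA ExtensionType 10 is supported_groups. RFC 8446 section 4.2 lists it for
    // ClientHello and EncryptedExtensions only, so it is the type flagged here.
    static final int SUPPORTED_GROUPS = 10;

    /** Returns the extension types of a ServerHello handshake message, in wire order. */
    static List<Integer> extensionTypes(byte[] handshake) {
        ByteBuffer b = ByteBuffer.wrap(handshake);
        if ((b.get() & 0xff) != 2) {
            throw new IllegalArgumentException("not a server_hello");
        }
        b.position(b.position() + 3 + 2 + 32);           // 24-bit length, legacy_version, random
        int sessionIdLen = b.get() & 0xff;
        b.position(b.position() + sessionIdLen + 2 + 1); // session_id, cipher_suite, compression
        List<Integer> types = new ArrayList<>();
        if (!b.hasRemaining()) {
            return types;                                // no extensions block (legal before TLS 1.3)
        }
        int blockLen = b.getShort() & 0xffff;
        int end = b.position() + blockLen;
        while (b.position() < end) {
            types.add(b.getShort() & 0xffff);            // extension_type
            int dataLen = b.getShort() & 0xffff;
            b.position(b.position() + dataLen);          // skip extension_data
        }
        return types;
    }

    public static void main(String[] args) {
        // Constructed ServerHello (sample data, not captured from the host in the report).
        ByteBuffer m = ByteBuffer.allocate(57);
        m.put((byte) 2).put((byte) 0).putShort((short) 53);             // server_hello, length 53
        m.putShort((short) 0x0303).put(new byte[32]);                   // legacy_version, random
        m.put((byte) 0).putShort((short) 0xC02F).put((byte) 0);         // no session_id, suite, null compression
        m.putShort((short) 13);                                         // extensions block length
        m.putShort((short) 0xFF01).putShort((short) 1).put((byte) 0);   // renegotiation_info
        m.putShort((short) 10).putShort((short) 4).putInt(0x00020017);  // supported_groups: secp256r1
        for (int type : extensionTypes(m.array())) {
            System.out.println("extension " + type
                    + (type == SUPPORTED_GROUPS ? "  <-- supported_groups, rejected in the report" : ""));
        }
    }
}
```

A truncated or malformed message makes the parser throw instead of reading past the buffer.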

https://stackoverflow.com/questions/52016415/jdk-11-ssl-error-on-valid-certificate-working-in-previous-versions
27-08-2018