Name: gm110360 Date: 09/09/2003
FULL PRODUCT VERSION :
java version "1.4.2_01"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_01-b06)
Java HotSpot(TM) Client VM (build 1.4.2_01-b06, mixed mod
FULL OS VERSION :
SunOS sun2 5.8 Generic sun4u sparc SUNW,Ultra-5_10
A DESCRIPTION OF THE PROBLEM :
For an SSL server socket,
when an SSL client connects with an expired certificate,
it generates the right exception (java.security.cert.CertificateExpiredException), but the server sends an alert with value = certificate_unknown.
The right value is certificate_expired.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Create an SSL server that requests the certificate from the client.
Open a connection with the client using an expired certificate.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
the server has to send an alert with value = certificate_expired
ACTUAL -
the server sends an alert with value = certificate_unknown
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
Create a key MYKEYSERVER in a keystore called MYKEYSTORESERVER:
keytool -keystore MYKEYSTORESERVER -alias MYKEYSERVER -keypass 123456 -genkey -keyalg RSA
Create a key MYKEYSERVER in a keystore called MYKEYSTORECLIENT:
keytool -keystore MYKEYSTORECLIENT -alias MYKEYCLIENT -keypass 123456 -genkey -keyalg RSA
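Create a class for the SSL server:
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;
import javax.net.ServerSocketFactory;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

try {
    int port = 443;
    ServerSocketFactory ssocketFactory = SSLServerSocketFactory.getDefault();
    // setNeedClientAuth() is defined on SSLServerSocket, not ServerSocket
    SSLServerSocket ssocket = (SSLServerSocket) ssocketFactory.createServerSocket(port);
    ssocket.setNeedClientAuth(true); // require a client certificate
    Socket socket = ssocket.accept();
    InputStream in = socket.getInputStream();
    OutputStream out = socket.getOutputStream();
    byte[] br = new byte[10];
    in.read(br); // the first read drives the handshake
    in.close();
    out.close();
} catch (IOException e) {
    e.printStackTrace(); // surface the handshake failure instead of swallowing it
}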
java -Djavax.net.ssl.keyStore=MYKEYSTORESERVER
-Djavax.net.ssl.keyStorePassword=123456 MYKEYSERVER
-Djavax.net.ssl.trustStore=MYKEYSTORECLIENT
-Djavax.net.ssl.trustStorePassword=123456
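Create a client:
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import javax.net.SocketFactory;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

try {
    int port = 443;
    String hostname = "hostname";
    SocketFactory socketFactory = SSLSocketFactory.getDefault();
    // startHandshake() is defined on SSLSocket, not Socket
    SSLSocket socket = (SSLSocket) socketFactory.createSocket(hostname, port);
    InputStream in = socket.getInputStream();
    OutputStream out = socket.getOutputStream();
    socket.startHandshake();
    out.write("hello".getBytes());
    in.close();
    out.close();
} catch (IOException e) {
    e.printStackTrace(); // surface the handshake failure instead of swallowing it
}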
java -Djavax.net.ssl.keyStore=MYKEYSTORECLIENT
-Djavax.net.ssl.keyStorePassword=123456 MYKEYCLIENT
-Djavax.net.ssl.trustStore=MYKEYSTORESERVER
-Djavax.net.ssl.trustStorePassword=123456
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
not found :(
(Incident Review ID: 201562)
======================================================================
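One way to confirm on the wire which alert the server sent, as an added example that is not part of the original report or of JSSE: a decoder for a plaintext TLS alert record that checks the description against certificate_expired. The function names are hypothetical, the sample records are constructed, and it assumes the alert is sent before encryption is enabled, as in an initial handshake.

```python
import struct

CONTENT_TYPE_ALERT = 21
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Certificate-related alert descriptions from RFC 2246, section 7.2.
ALERT_DESCRIPTIONS = {
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
}


def parse_alert_record(record: bytes):
    """Decode one plaintext TLS alert record into (level, description).

    Raises ValueError for a non-alert record, a truncated capture, or an
    alert body that is not exactly 2 bytes (encrypted or malformed).
    """
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, major, _minor, length = struct.unpack("!BBBH", record[:5])
    if content_type != CONTENT_TYPE_ALERT:
        raise ValueError(f"not an alert record (content type {content_type})")
    if major != 3:
        raise ValueError(f"unexpected protocol major version {major}")
    body = record[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record body")
    if length != 2:
        raise ValueError("alert body is not 2 bytes (encrypted or malformed)")
    level, description = body
    return (ALERT_LEVELS.get(level, f"level_{level}"),
            ALERT_DESCRIPTIONS.get(description, f"alert_{description}"))


def check_expired_cert_alert(record: bytes):
    """Return (ok, description); ok is True only for certificate_expired."""
    _level, description = parse_alert_record(record)
    return description == "certificate_expired", description


# Constructed sample records (TLS 1.0 header 03 01), not captured traffic.
REPORTED = bytes.fromhex("1503010002022e")  # fatal, certificate_unknown (46)
EXPECTED = bytes.fromhex("1503010002022d")  # fatal, certificate_expired (45)
```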