JDK-8030936 : Java Client interop with IIS fails after enabling client-side TLS 1.2 by default
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 8
  • Priority: P2
  • Status: Closed
  • Resolution: Not an Issue
  • OS: generic
  • CPU: generic
  • Submitted: 2013-12-20
  • Updated: 2016-11-03
  • Resolved: 2013-12-25
Description
Client : Java
Server : Windows Server 2008 / IIS Version 7

The Java client first tries a hello with TLSv1.2; the server asks for the lower protocol, TLSv1. The Java client's fallback to TLSv1 happens fine but doesn't succeed.

The Java client fails with the following exception:
exception: java.net.SocketException: Connection reset

Comments
What was the answer to Xuelei's question of 2014-01-09? Do later IIS releases have this problem?
27-01-2014

Tested the workaround; it does not work. The steps were as follows:
1. Ran the affected test case to reproduce this issue.
2. Changed the Java code to add System.setProperty("com.sun.net.ssl.rsaPreMasterSecretFix", "true");
3. Compiled and ran the code again; it failed for the same reason.
Thanks
24-01-2014

One more possible workaround:
Setting the system property "com.sun.net.ssl.rsaPreMasterSecretFix" to "true".
14-01-2014

Is IIS 7 the latest update in the testing environment? If it was, we may need to add a known issue to the release notes. BTW, what's the behavior of the latest IIS releases (7.5, 8.0 or 8.5)?
10-01-2014

This attached file is a log to show the RSA PreMasterSecret issue during TLS renegotiation. In renegotiation, if the version number in RSA PreMasterSecret is set to TLS v1.2, although the client hello is TLS v1, IIS is able to accept the handshaking. Comparing with another attached log: in renegotiation, if the version number in RSA PreMasterSecret is set to TLS v1.0, although the client hello is TLS v1, IIS denies the handshaking.
25-12-2013

IIS has an interoperability bug on RSA PreMasterSecret in TLS session renegotiation. The IETF TLS mailing list talked about the issue in April 2012 [1]. Not sure whether Microsoft made an update or not.

Workarounds
1. Using a cipher suite that does not require an RSA premaster secret. For example, ECC certificate, DHE and ECDHE cipher suites.
2. Using TLS v1 for old IIS servers.

[1] http://www.ietf.org/mail-archive/web/tls/current/msg08670.html
25-12-2013
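
Workaround 1 from the comment above, applied to an HttpsURLConnection client like the one in the original report. This is an added example, not code from the bug report or the JDK. It assumes the standard JSSE suite naming, in which TLS_RSA_WITH_* and SSL_RSA_* suites use RSA key transport, and uses the documented https.cipherSuites system property; the class and method names are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Hypothetical helper class, not part of the JDK or the bug report.
public class NoRsaKeyTransport {

    // In JSSE naming, TLS_RSA_WITH_* and SSL_RSA_* suites use RSA key transport:
    // the client encrypts the premaster secret, including its version field,
    // to the server's RSA key. (EC)DHE_RSA suites use RSA only to sign.
    static boolean usesRsaKeyTransport(String suite) {
        return suite.startsWith("TLS_RSA_") || suite.startsWith("SSL_RSA_");
    }

    static String[] withoutRsaKeyTransport(String[] suites) {
        List<String> kept = new ArrayList<>();
        for (String s : suites) {
            if (!usesRsaKeyTransport(s)) {
                kept.add(s);
            }
        }
        if (kept.isEmpty()) {
            throw new IllegalStateException("only RSA key-transport suites are enabled");
        }
        return kept.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample list showing what the filter keeps and drops.
        String[] sample = {
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
            "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
            "TLS_RSA_WITH_AES_128_CBC_SHA",
            "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
            "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
        };
        System.out.println(String.join(",", withoutRsaKeyTransport(sample)));

        // Apply the same filter to this JVM's default enabled suites.
        SSLParameters params = SSLContext.getDefault().getDefaultSSLParameters();
        String[] kept = withoutRsaKeyTransport(params.getCipherSuites());
        // Read by HttpsURLConnection; set it before the first HTTPS connection.
        System.setProperty("https.cipherSuites", String.join(",", kept));
        // For a directly managed SSLSocket or SSLEngine, pass params to
        // setSSLParameters instead of relying on the system property.
        params.setCipherSuites(kept);
        System.out.println(kept.length + " suites left enabled");
    }
}
```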

See JDK-6976121 about the cause.
21-12-2013

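Regression: Yes

The client connection works with build 120 and earlier but fails with build 121. This is a JDK 8-only regression, since CCC and the JDK-7093640 enhancement apply to 8 only. This issue is always reproducible. Use the following code snippet for the client:

    // Needs java.io.*, java.net.URL, java.net.URLConnection and
    // javax.net.ssl.HttpsURLConnection. SERVER_URL and outFile (the output
    // file path) are defined elsewhere; TrueHostnameVerifier is the
    // reporter's own class and is not shown.
    URL url = new URL(SERVER_URL);
    URLConnection con = url.openConnection();
    ((HttpsURLConnection) con).setHostnameVerifier(new TrueHostnameVerifier());
    BufferedReader in = new BufferedReader(
            new InputStreamReader(con.getInputStream()));
    String inputLine;
    // The writer is named "out" so it no longer shadows the outFile path
    // (the original declared a PrintWriter called outFile and passed it to
    // its own FileWriter, which does not compile).
    PrintWriter out = new PrintWriter(
            new BufferedWriter(new FileWriter(outFile)));
    while ((inputLine = in.readLine()) != null)
        out.println(inputLine);
    out.close();
    in.close();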
20-12-2013