JDK-8217709 : TLS 1.3 server always answer Hello Retry Request (on chrome)
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 11.0.2
  • Priority: P4
  • Status: Closed
  • Resolution: Duplicate
  • OS: windows_10
  • CPU: x86_64
  • Submitted: 2019-01-24
  • Updated: 2019-01-25
  • Resolved: 2019-01-24
Related Reports
Duplicate :  
java 11.0.2    windows 10     ;   Chrome 71 request to a Server using TLS 1.3 

with java 11 and the new TLS 1.3 protocol any request to a server using TLS 1.3 with a recent chrome browser ends up in a "Hello Retry Request " answer from Java Server running latest java 11 jdk instead of replying with the speedy normal reply you can have in TLS 1.3

any small java server running TLS 1.3 new feature from java 11

should make a normal TLS 1.3 handshake , this is not the cas
Hello Retry Request , making all complicated and long

FREQUENCY : always

From submitter: here is a sample test code I use a .jks to hold the server certificate converted from a let's encrypt certificate javax.net.debug=all shows a SHA256withRSA signature algorithm maybe TLS1.3 does not allow SHA256withRSA ? I created the jks file with those lines : openssl pkcs12 -export -name myservercert -in /etc/letsencrypt/live/mydomain.fr/fullchain.pem -inkey /etc/letsencrypt/live/mydomain.fr/privkey.pem -out keystore.p12 keytool -importkeystore -destkeystore mydomain.jks -srckeystore keystore.p12 -srcstoretype pkcs12 -alias myservercert and NOW the sample CODE : import java.io.BufferedReader; import java.io.FileInputStream; import java.io.InputStream; import java.io.InputStreamReader; import java.io.OutputStream; import java.io.OutputStreamWriter; import java.io.PrintWriter; import java.security.KeyStore; import javax.net.ssl.KeyManager; import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLServerSocket; import javax.net.ssl.SSLServerSocketFactory; import javax.net.ssl.SSLSession; import javax.net.ssl.SSLSocket; import javax.net.ssl.TrustManager; import javax.net.ssl.TrustManagerFactory; import java.net.*; import java.util.StringTokenizer; public class HTTPSServer { private int port = 443; private boolean isServerDone = false; private static final String[] protocols = new String[] {"TLSv1.3"}; // private static final String[] cipher_suites = new String[] {"TLS_AES_128_GCM_SHA256"}; public static void main(String[] args){ HTTPSServer server = new HTTPSServer(); server.run(); } HTTPSServer(){ } HTTPSServer(int port){ this.port = port; } private SSLContext createSSLContext(){ try{ KeyStore keyStore = KeyStore.getInstance("JKS"); keyStore.load(new FileInputStream("/home/mydomain.jks"),"mypassword".toCharArray()); // Create key manager KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509"); keyManagerFactory.init(keyStore, "mypassword".toCharArray()); KeyManager[] km = keyManagerFactory.getKeyManagers(); // Create trust manager TrustManagerFactory trustManagerFactory =TrustManagerFactory.getInstance("SunX509"); trustManagerFactory.init(keyStore); TrustManager[] tm = trustManagerFactory.getTrustManagers(); // Initialize SSLContext SSLContext sslContext = SSLContext.getInstance("TLSv1.3"); sslContext.init(km, tm, null); return sslContext; } catch (Exception ex){ ex.printStackTrace(); } return null; } // Start to run the server public void run(){ SSLContext sslContext = this.createSSLContext(); try{ // Create server socket factory SSLServerSocketFactory sslServerSocketFactory = sslContext.getServerSocketFactory(); // Create server socket InetAddress addr = InetAddress.getByName(""); //example IP SSLServerSocket sslServerSocket = (SSLServerSocket)sslServerSocketFactory.createServerSocket(this.port,1000,addr); sslServerSocket.setEnabledProtocols(protocols); //sslServerSocket.setEnabledCipherSuites(cipher_suites); System.out.println("SSL server started"); while(!isServerDone){ SSLSocket sslSocket = (SSLSocket) sslServerSocket.accept(); // Start the server thread new ServerThread(sslSocket).start(); } } catch (Exception ex){ ex.printStackTrace(); } } // Thread handling the socket from client static class ServerThread extends Thread { private SSLSocket sslSocket = null; SSLSession sslSession; ServerThread(SSLSocket sslSocket){ this.sslSocket = sslSocket; } public void run(){ sslSocket.setEnabledCipherSuites(sslSocket.getSupportedCipherSuites()); try{ // Start handshake sslSocket.startHandshake(); // Get session after the connection is established sslSession = sslSocket.getSession(); // Start handling application content InputStream inputStream = sslSocket.getInputStream(); OutputStream outputStream = sslSocket.getOutputStream(); BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(inputStream)); PrintWriter printWriter = new PrintWriter(new OutputStreamWriter(outputStream)); while(true) { String line = null; String s=""; boolean oncontinue=true; while((line = bufferedReader.readLine()) != null) { if(line!=null) { System.out.println("Input : "+line); s+=line; if(line.trim().isEmpty()) { break; } } } StringTokenizer st = new StringTokenizer(s); st.nextToken(); String incoma = st.nextToken(); // Write data printWriter.print("HTTP/1.1 200 OK\r\nContent-Length: "+incoma.length()+"\r\nContent-Type: text/html\r\nCache-Control: no-cache, no-store\r\n\r\n"+incoma); printWriter.flush(); } //sslSocket.close(); } catch (Exception ex) { //log("ERRURR "+sslSession.getPeerHost()+ " : "+sslSession.getPeerPort(),ANSI_RED); ex.printStackTrace(); } } } }

I think you meant to say JDK-8171279 will fix the problem.

JDK does not support Chrome prefer key share algorithm (GREASE and x25519), so response with a Hello Retry Request to change the key share algorithm. JDK-8217709 will fix the problem.

To submitter: Can you please provide the complete log file on server side by running it with ���Djavax.net.debug=all option ? If possible also provide the server code that you are using along with the test certificates to help us reproduce the issue at our end. Is the issue reproducible with JDK 12-ea and JDK 13-ea as well ? You can download them from : http://jdk.java.net/12/ http://jdk.java.net/13/