Does this still not work? If so, we should try to debug this…

--
You received this bug notification because you are a member of OpenJDK, which is subscribed to openjdk-8 in Ubuntu.
https://bugs.launchpad.net/bugs/1904586
Title:
  Some SSL Client Certificates failing handshake

Status in openjdk-8 package in Ubuntu:
  New

Bug description:
  What was expected:

  SSL Client Certificate based connections worked fine with previous release of JRE: 1.8.0_265-8u265-b01-0ubuntu2~18.04-b01

  What happened:

  When attempting to use a client certificate to establish a connection with the latest Java 8 JRE, some connections fail with specific client certificates; however others work. There was no change to SSL related code and previous JAR versions on updated bionic containers started failing after the latest USN-4607-2 fix from 12/Nov/2020.

  Now the following issue occurs:

  javax.net.ssl.SSLProtocolException: Received fatal alert: unexpected_message
      at sun.security.ssl.Alert.createSSLException(Alert.java:129)
      at sun.security.ssl.Alert.createSSLException(Alert.java:117)
      at sun.security.ssl.TransportContext.fatal(TransportContext.java:311)
      at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
      at sun.security.ssl.TransportContext.dispatch(TransportContext.java:185)
      at sun.security.ssl.SSLTransport.decode(SSLTransport.java:149)
      at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1146)
      at sun.security.ssl.SSLSocketImpl.readApplicationRecord(SSLSocketImpl.java:1116)
      at sun.security.ssl.SSLSocketImpl.access$200(SSLSocketImpl.java:72)
      at sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:815)

  Previous working version: 1.8.0_265-8u265-b01-0ubuntu2~18.04-b01
  Non-working version: 1.8.0_275-8u275-b01-0ubuntu1~18.04-b01

  2 client certificates for 2 different API providers are in use; both certificates are RSA 2048bit based; however the working certificate is signed RSA+SHA1; while the non working certificate is RSA+SHA256 - that appears to be the only visual difference.

  Manual inspection of a packet trace shows no unexpected issues across the handshake, all required ciphers match and TLSv1.2 is in use.
  'openssl s_client' with both client certificates works fine to establish the connection; the issue appears to be JDK/JRE based.

  I'm not sure looking at the diffs of the exact changes related to the first point raised in: https://ubuntu.com/security/notices/USN-4607-2

  "USN-4607-1 fixed vulnerabilities and added features in OpenJDK. Unfortunately, that update introduced a regression that could cause TLS connections with client certificate authentication to fail in some situations. This update fixes the problem."

  It appears there is potentially a particular corner case of a regression that still remains?

  Happy to provide additional information as required.

  # lsb_release -rd
  Description: Ubuntu 18.04.4 LTS
  Release: 18.04

  # apt-cache policy openjdk-8-jre-headless
  openjdk-8-jre-headless:
    Installed: 8u275-b01-0ubuntu1~18.04
    Candidate: 8u275-b01-0ubuntu1~18.04
    Version table:
   *** 8u275-b01-0ubuntu1~18.04 500
          500 http://archive.ubuntu.com/ubuntu bionic-updates/universe amd64 Packages
          500 http://security.ubuntu.com/ubuntu bionic-security/universe amd64 Packages
          100 /var/lib/dpkg/status
       8u162-b12-1 500
          500 http://archive.ubuntu.com/ubuntu bionic/universe amd64 Packages