Some SSL Client Certificates failing handshake
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openjdk-8 (Ubuntu) | New | Undecided | Unassigned |
Bug Description
What was expected:
SSL Client Certificate based connections worked fine with the previous release of the JRE: 1.8.0_265-
What happened:
When attempting to use a client certificate to establish a connection with the latest Java 8 JRE, some connections fail with specific client certificates; however, others work. There was no change to SSL-related code, and previous JAR versions on updated bionic containers started failing after the latest USN-4607-2 fix from 12/Nov/2020.
Now the following issue occurs:
javax.net.
at sun.security.
at sun.security.
at sun.security.
at sun.security.
at sun.security.
at sun.security.
at sun.security.
at sun.security.
at sun.security.
at sun.security.
Previous working version: 1.8.0_265-
Non-working version: 1.8.0_275-
2 client certificates for 2 different API providers are in use; both certificates are RSA 2048-bit based; however, the working certificate is signed RSA+SHA1, while the non-working certificate is RSA+SHA256 - that appears to be the only visual difference.
Manual inspection of a packet trace shows no unexpected issues across the handshake, all required ciphers match and TLSv1.2 is in use. 'openssl s_client' with both client certificates works fine to establish the connection; the issue appears to be JDK/JRE based.
I'm not sure looking at the diffs of the exact changes related to the first point raised in:
https:/
"USN-4607-1 fixed vulnerabilities and added features in OpenJDK.
Unfortunately, that update introduced a regression that could cause TLS
connections with client certificate authentication to fail in some
situations. This update fixes the problem."
It appears there is potentially a particular corner case of a regression that still remains?
Happy to provide additional information as required.
# lsb_release -rd
Description: Ubuntu 18.04.4 LTS
Release: 18.04
# apt-cache policy openjdk-
openjdk-
Installed: 8u275-b01-
Candidate: 8u275-b01-
Version table:
*** 8u275-b01-
500 http://
500 http://
100 /var/lib/
8u162-b12-1 500
500 http://
Also affects 20.04 focal:
# lsb_release -rd
Description: Ubuntu 20.04.1 LTS
Release: 20.04
# apt-cache policy openjdk-8-jre-headless
openjdk-8-jre-headless:
  Installed: 8u275-b01-0ubuntu1~20.04
  Candidate: 8u275-b01-0ubuntu1~20.04
  Version table:
 *** 8u275-b01-0ubuntu1~20.04 500
        500 http://archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages
        500 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages
        100 /var/lib/dpkg/status
     8u252-b09-1ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages