Work around a JDK 11 TLS 1.3 bug.
JDK 11 shipped with a TLS 1.3 implementation enabled by default.
Unfortunately, that implementation does not work and fails to send the
SNI extension on resumption. See
https://bugs.openjdk.java.net/browse/JDK-8211806.
This means servers which enable TLS 1.3 will see JDK 11 clients work on
the first connection and then fail on all subsequent connections. Add
SSL_set_jdk11_workaround which configures a workaround to fingerprint
JDK 11 and disable TLS 1.3 with the faulty clients.
JDK 11 also implemented the downgrade signal, which means that
connections that trigger the workaround also must not send the downgrade
signal. Unfortunately, the downgrade signal's security properties are
sensitive to the existence of any unmarked TLS 1.2 ServerHello paths. To
salvage this, pick a new random downgrade marker for this scenario and
modify the client to treat it as an alias of the standard one.
Per the link above, JDK 11.0.2 will fix this bug. Hopefully the
workaround can be retired sometime after it is released.
Change-Id: I0627609a8cadf7cc214073eb7f1e880acdf613ef
Reviewed-on: https://boringssl-review.googlesource.com/c/33284
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index cecf78f..17c5592 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -3792,6 +3792,14 @@
// mechanism would have aborted |ssl|'s handshake and zero otherwise.
OPENSSL_EXPORT int SSL_is_tls13_downgrade(const SSL *ssl);
+// SSL_set_jdk11_workaround configures whether to workaround a bug in JDK 11's
+// TLS 1.3 implementation. Prior to 11.0.2, JDK 11 fails to send SNI in
+// connections which offer a TLS 1.3 session. Enabling this workaround will
+// disable TLS 1.3 on such clients.
+//
+// See also https://bugs.openjdk.java.net/browse/JDK-8211806.
+OPENSSL_EXPORT void SSL_set_jdk11_workaround(SSL *ssl, int enable);
+
// Deprecated functions.
diff --git a/ssl/handshake.cc b/ssl/handshake.cc
index b1da056..058a793 100644
--- a/ssl/handshake.cc
+++ b/ssl/handshake.cc
@@ -147,7 +147,8 @@
pending_private_key_op(false),
grease_seeded(false),
handback(false),
- cert_compression_negotiated(false) {
+ cert_compression_negotiated(false),
+ apply_jdk11_workaround(false) {
assert(ssl);
}
diff --git a/ssl/handshake_client.cc b/ssl/handshake_client.cc
index a41eb62..c1d54bd 100644
--- a/ssl/handshake_client.cc
+++ b/ssl/handshake_client.cc
@@ -612,10 +612,14 @@
static_assert(
sizeof(kTLS12DowngradeRandom) == sizeof(kTLS13DowngradeRandom),
"downgrade signals have different size");
+ static_assert(
+ sizeof(kJDK11DowngradeRandom) == sizeof(kTLS13DowngradeRandom),
+ "downgrade signals have different size");
auto suffix =
MakeConstSpan(ssl->s3->server_random, sizeof(ssl->s3->server_random))
.subspan(SSL3_RANDOM_SIZE - sizeof(kTLS13DowngradeRandom));
- if (suffix == kTLS12DowngradeRandom || suffix == kTLS13DowngradeRandom) {
+ if (suffix == kTLS12DowngradeRandom || suffix == kTLS13DowngradeRandom ||
+ suffix == kJDK11DowngradeRandom) {
ssl->s3->tls13_downgrade = true;
if (!hs->config->ignore_tls13_downgrade) {
OPENSSL_PUT_ERROR(SSL, SSL_R_TLS13_DOWNGRADE);
diff --git a/ssl/handshake_server.cc b/ssl/handshake_server.cc
index c546088..c4f3b75 100644
--- a/ssl/handshake_server.cc
+++ b/ssl/handshake_server.cc
@@ -401,6 +401,109 @@
return ssl_hs_ok;
}
+// is_probably_jdk11_with_tls13 returns whether |client_hello| was probably sent
+// from a JDK 11 client (11.0.1 or earlier) with both TLS 1.3 and a prior
+// version enabled.
+static bool is_probably_jdk11_with_tls13(const SSL_CLIENT_HELLO *client_hello) {
+ // JDK 11 ClientHellos contain a number of unusual properties which should
+ // limit false positives.
+
+ // JDK 11 does not support ChaCha20-Poly1305. This is unusual: many modern
+ // clients implement ChaCha20-Poly1305.
+ if (ssl_client_cipher_list_contains_cipher(
+ client_hello, TLS1_CK_CHACHA20_POLY1305_SHA256 & 0xffff)) {
+ return false;
+ }
+
+ // JDK 11 always sends extensions in a particular order.
+ constexpr uint16_t kMaxFragmentLength = 0x0001;
+ constexpr uint16_t kStatusRequestV2 = 0x0011;
+ static CONSTEXPR_ARRAY struct {
+ uint16_t id;
+ bool required;
+ } kJavaExtensions[] = {
+ {TLSEXT_TYPE_server_name, false},
+ {kMaxFragmentLength, false},
+ {TLSEXT_TYPE_status_request, false},
+ {TLSEXT_TYPE_supported_groups, true},
+ {TLSEXT_TYPE_ec_point_formats, false},
+ {TLSEXT_TYPE_signature_algorithms, true},
+ // Java always sends signature_algorithms_cert.
+ {TLSEXT_TYPE_signature_algorithms_cert, true},
+ {TLSEXT_TYPE_application_layer_protocol_negotiation, false},
+ {kStatusRequestV2, false},
+ {TLSEXT_TYPE_extended_master_secret, false},
+ {TLSEXT_TYPE_supported_versions, true},
+ {TLSEXT_TYPE_cookie, false},
+ {TLSEXT_TYPE_psk_key_exchange_modes, true},
+ {TLSEXT_TYPE_key_share, true},
+ {TLSEXT_TYPE_renegotiate, false},
+ {TLSEXT_TYPE_pre_shared_key, false},
+ };
+ Span<const uint8_t> sigalgs, sigalgs_cert;
+ bool has_status_request = false, has_status_request_v2 = false;
+ CBS extensions, supported_groups;
+ CBS_init(&extensions, client_hello->extensions, client_hello->extensions_len);
+ for (const auto &java_extension : kJavaExtensions) {
+ CBS copy = extensions;
+ uint16_t id;
+ if (CBS_get_u16(©, &id) && id == java_extension.id) {
+ // The next extension is the one we expected.
+ extensions = copy;
+ CBS body;
+ if (!CBS_get_u16_length_prefixed(&extensions, &body)) {
+ return false;
+ }
+ switch (id) {
+ case TLSEXT_TYPE_status_request:
+ has_status_request = true;
+ break;
+ case kStatusRequestV2:
+ has_status_request_v2 = true;
+ break;
+ case TLSEXT_TYPE_signature_algorithms:
+ sigalgs = body;
+ break;
+ case TLSEXT_TYPE_signature_algorithms_cert:
+ sigalgs_cert = body;
+ break;
+ case TLSEXT_TYPE_supported_groups:
+ supported_groups = body;
+ break;
+ }
+ } else if (java_extension.required) {
+ return false;
+ }
+ }
+ if (CBS_len(&extensions) != 0) {
+ return false;
+ }
+
+ // JDK 11 never advertises X25519. It is not offered by default, and
+ // -Djdk.tls.namedGroups=x25519 does not work. This is unusual: many modern
+ // clients implement X25519.
+ while (CBS_len(&supported_groups) > 0) {
+ uint16_t group;
+ if (!CBS_get_u16(&supported_groups, &group) ||
+ group == SSL_CURVE_X25519) {
+ return false;
+ }
+ }
+
+ if (// JDK 11 always sends the same contents in signature_algorithms and
+ // signature_algorithms_cert. This is unusual: signature_algorithms_cert,
+ // if omitted, is treated as if it were signature_algorithms.
+ sigalgs != sigalgs_cert ||
+ // When TLS 1.2 or below is enabled, JDK 11 sends status_request_v2 iff it
+ // sends status_request. This is unusual: status_request_v2 is not widely
+ // implemented.
+ has_status_request != has_status_request_v2) {
+ return false;
+ }
+
+ return true;
+}
+
static enum ssl_hs_wait_t do_read_client_hello(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
@@ -446,6 +549,11 @@
return ssl_hs_error;
}
+ if (hs->config->jdk11_workaround &&
+ is_probably_jdk11_with_tls13(&client_hello)) {
+ hs->apply_jdk11_workaround = true;
+ }
+
uint8_t alert = SSL_AD_DECODE_ERROR;
if (!negotiate_version(hs, &alert, &client_hello)) {
ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
@@ -674,6 +782,12 @@
return ssl_hs_ok;
}
+static void copy_suffix(Span<uint8_t> out, Span<const uint8_t> in) {
+ out = out.subspan(out.size() - in.size());
+ assert(out.size() == in.size());
+ OPENSSL_memcpy(out.data(), in.data(), in.size());
+}
+
static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
@@ -705,13 +819,18 @@
// Implement the TLS 1.3 anti-downgrade feature.
if (ssl_supports_version(hs, TLS1_3_VERSION)) {
if (ssl_protocol_version(ssl) == TLS1_2_VERSION) {
- OPENSSL_memcpy(ssl->s3->server_random + SSL3_RANDOM_SIZE -
- sizeof(kTLS13DowngradeRandom),
- kTLS13DowngradeRandom, sizeof(kTLS13DowngradeRandom));
+ if (hs->apply_jdk11_workaround) {
+ // JDK 11 implements the TLS 1.3 downgrade signal, so we cannot send it
+ // here. However, the signal is only effective if all TLS 1.2
+ // ServerHellos produced by the server are marked. Thus we send a
+ // different non-standard signal for the time being, until JDK 11.0.2 is
+ // released and clients have updated.
+ copy_suffix(ssl->s3->server_random, kJDK11DowngradeRandom);
+ } else {
+ copy_suffix(ssl->s3->server_random, kTLS13DowngradeRandom);
+ }
} else {
- OPENSSL_memcpy(ssl->s3->server_random + SSL3_RANDOM_SIZE -
- sizeof(kTLS12DowngradeRandom),
- kTLS12DowngradeRandom, sizeof(kTLS12DowngradeRandom));
+ copy_suffix(ssl->s3->server_random, kTLS12DowngradeRandom);
}
}
diff --git a/ssl/internal.h b/ssl/internal.h
index fa86bda..f8a2ea7 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -1040,6 +1040,7 @@
extern const uint8_t kHelloRetryRequest[SSL3_RANDOM_SIZE];
extern const uint8_t kTLS12DowngradeRandom[8];
extern const uint8_t kTLS13DowngradeRandom[8];
+extern const uint8_t kJDK11DowngradeRandom[8];
// ssl_max_handshake_message_len returns the maximum number of bytes permitted
// in a handshake message for |ssl|.
@@ -1596,6 +1597,10 @@
// cert_compression_negotiated is true iff |cert_compression_alg_id| is valid.
bool cert_compression_negotiated : 1;
+ // apply_jdk11_workaround is true if the peer is probably a JDK 11 client
+ // which implemented TLS 1.3 incorrectly.
+ bool apply_jdk11_workaround : 1;
+
// client_version is the value sent or received in the ClientHello version.
uint16_t client_version = 0;
@@ -2489,7 +2494,11 @@
// ignore_tls13_downgrade is whether the connection should continue when the
// server random signals a downgrade.
- bool ignore_tls13_downgrade:1;
+ bool ignore_tls13_downgrade : 1;
+
+ // jdk11_workaround is whether to disable TLS 1.3 for JDK 11 clients, as a
+ // workaround for https://bugs.openjdk.java.net/browse/JDK-8211806.
+ bool jdk11_workaround : 1;
};
// From RFC 8446, used in determining PSK modes.
diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc
index 01d64ed..b9c823d 100644
--- a/ssl/ssl_lib.cc
+++ b/ssl/ssl_lib.cc
@@ -711,7 +711,8 @@
retain_only_sha256_of_client_certs(false),
handoff(false),
shed_handshake_config(false),
- ignore_tls13_downgrade(false) {
+ ignore_tls13_downgrade(false),
+ jdk11_workaround(false) {
assert(ssl);
}
@@ -2775,6 +2776,13 @@
ssl->config->shed_handshake_config = !!enable;
}
+void SSL_set_jdk11_workaround(SSL *ssl, int enable) {
+ if (!ssl->config) {
+ return;
+ }
+ ssl->config->jdk11_workaround = !!enable;
+}
+
int SSL_clear(SSL *ssl) {
if (!ssl->config) {
return 0; // SSL_clear may not be used after shedding config.
diff --git a/ssl/ssl_versions.cc b/ssl/ssl_versions.cc
index 7df7fe7..8616967 100644
--- a/ssl/ssl_versions.cc
+++ b/ssl/ssl_versions.cc
@@ -340,6 +340,18 @@
continue;
}
+ // JDK 11, prior to 11.0.2, has a buggy TLS 1.3 implementation which fails
+ // to send SNI when offering 1.3 sessions. Disable TLS 1.3 for such
+ // clients. We apply this logic here rather than |ssl_supports_version| so
+ // the downgrade signal continues to query the true capabilities. (The
+ // workaround is a limitation of the peer's capabilities rather than our
+ // own.)
+ //
+ // See https://bugs.openjdk.java.net/browse/JDK-8211806.
+ if (versions[i] == TLS1_3_VERSION && hs->apply_jdk11_workaround) {
+ continue;
+ }
+
CBS copy = *peer_versions;
while (CBS_len(©) != 0) {
uint16_t version;
diff --git a/ssl/test/runner/chacha20_poly1305_test.go b/ssl/test/runner/chacha20_poly1305_test.go
index 38c4b70..b59bb02 100644
--- a/ssl/test/runner/chacha20_poly1305_test.go
+++ b/ssl/test/runner/chacha20_poly1305_test.go
@@ -16,7 +16,6 @@
import (
"bytes"
- "encoding/hex"
"testing"
)
@@ -80,14 +79,6 @@
}
}
-func decodeHexOrPanic(in string) []byte {
- out, err := hex.DecodeString(in)
- if err != nil {
- panic(err)
- }
- return out
-}
-
var chaCha20Poly1305TestVectors = []struct {
key, input, nonce, ad, output string
}{
diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go
index 702814d..73b8889 100644
--- a/ssl/test/runner/common.go
+++ b/ssl/test/runner/common.go
@@ -1626,6 +1626,25 @@
// SendCertUncompressedLength, if not zero, sets the uncompressed length that
// will be sent in the compressed certificate message.
SendCertUncompressedLength uint32
+
+ // SendClientHelloWithFixes, if not nil, sends the specified byte string
+ // instead of the ClientHello. This string is incorporated into the
+ // transcript as if it were the real ClientHello, but the handshake will
+ // otherwise behave as if this was not sent in terms of what ciphers it
+ // will accept, etc.
+ //
+ // The input is modified to match key share entries. DefaultCurves must
+ // be configured to match. The random and session ID fields are
+ // extracted from the ClientHello.
+ SendClientHelloWithFixes []byte
+
+ // SendJDK11DowngradeRandom, if true, causes the server to send the JDK
+ // 11 downgrade signal.
+ SendJDK11DowngradeRandom bool
+
+ // ExpectJDK11DowngradeRandom is whether the client should expect the
+ // server to send the JDK 11 downgrade signal.
+ ExpectJDK11DowngradeRandom bool
}
func (c *Config) serverInit() {
@@ -2067,6 +2086,9 @@
// See RFC 8446, section 4.1.3.
downgradeTLS13 = []byte{0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01}
downgradeTLS12 = []byte{0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00}
+
+ // This is a non-standard randomly-generated value.
+ downgradeJDK11 = []byte{0xed, 0xbf, 0xb4, 0xa8, 0xc2, 0x47, 0x10, 0xff}
)
func containsGREASE(values []uint16) bool {
diff --git a/ssl/test/runner/handshake_client.go b/ssl/test/runner/handshake_client.go
index 4dfa469..d25bbab 100644
--- a/ssl/test/runner/handshake_client.go
+++ b/ssl/test/runner/handshake_client.go
@@ -49,6 +49,29 @@
panic("Unknown ClientHello version.")
}
+func fixClientHellos(hello *clientHelloMsg, in []byte) ([]byte, error) {
+ ret := append([]byte{}, in...)
+ newHello := new(clientHelloMsg)
+ if !newHello.unmarshal(ret) {
+ return nil, errors.New("tls: invalid ClientHello")
+ }
+
+ hello.random = newHello.random
+ hello.sessionId = newHello.sessionId
+
+ // Replace |ret|'s key shares with those of |hello|.
+ bb := newByteBuilder()
+ hello.marshalKeyShares(bb)
+ keyShares := bb.finish()
+ if len(keyShares) != len(newHello.keySharesRaw) {
+ return nil, errors.New("tls: ClientHello key share lengths did not match. Reconfigure DefaultCurves.")
+ }
+ // |newHello.keySharesRaw| aliases |ret|.
+ copy(newHello.keySharesRaw, keyShares)
+
+ return ret, nil
+}
+
func (c *Conn) clientHandshake() error {
if c.config == nil {
c.config = defaultConfig()
@@ -405,7 +428,14 @@
}
generatePSKBinders(version, hello, pskCipherSuite, session.masterSecret, []byte{}, []byte{}, c.config)
}
- helloBytes = hello.marshal()
+ if c.config.Bugs.SendClientHelloWithFixes != nil {
+ helloBytes, err = fixClientHellos(hello, c.config.Bugs.SendClientHelloWithFixes)
+ if err != nil {
+ return err
+ }
+ } else {
+ helloBytes = hello.marshal()
+ }
if c.config.Bugs.PartialClientFinishedWithClientHello {
// Include one byte of Finished. We can compute it
@@ -604,21 +634,30 @@
_, supportsTLS13 := c.config.isSupportedVersion(VersionTLS13, false)
// Check for downgrade signals in the server random, per RFC 8446, section 4.1.3.
+ gotDowngrade := serverHello.random[len(serverHello.random)-8:]
if (supportsTLS13 || c.config.Bugs.CheckTLS13DowngradeRandom) && !c.config.Bugs.IgnoreTLS13DowngradeRandom {
if c.vers <= VersionTLS12 && c.config.maxVersion(c.isDTLS) >= VersionTLS13 {
- if bytes.Equal(serverHello.random[len(serverHello.random)-8:], downgradeTLS13) {
+ if bytes.Equal(gotDowngrade, downgradeTLS13) {
c.sendAlert(alertProtocolVersion)
return errors.New("tls: downgrade from TLS 1.3 detected")
}
}
if c.vers <= VersionTLS11 && c.config.maxVersion(c.isDTLS) >= VersionTLS12 {
- if bytes.Equal(serverHello.random[len(serverHello.random)-8:], downgradeTLS12) {
+ if bytes.Equal(gotDowngrade, downgradeTLS12) {
c.sendAlert(alertProtocolVersion)
return errors.New("tls: downgrade from TLS 1.2 detected")
}
}
}
+ if bytes.Equal(gotDowngrade, downgradeJDK11) != c.config.Bugs.ExpectJDK11DowngradeRandom {
+ c.sendAlert(alertProtocolVersion)
+ if c.config.Bugs.ExpectJDK11DowngradeRandom {
+ return errors.New("tls: server did not send a JDK 11 downgrade signal")
+ }
+ return errors.New("tls: server sent an unexpected JDK 11 downgrade signal")
+ }
+
suite := mutualCipherSuite(hello.cipherSuites, serverHello.cipherSuite)
if suite == nil {
c.sendAlert(alertHandshakeFailure)
diff --git a/ssl/test/runner/handshake_messages.go b/ssl/test/runner/handshake_messages.go
index edc5a92..e0867a5 100644
--- a/ssl/test/runner/handshake_messages.go
+++ b/ssl/test/runner/handshake_messages.go
@@ -266,6 +266,7 @@
supportedPoints []uint8
hasKeyShares bool
keyShares []keyShareEntry
+ keySharesRaw []byte
trailingKeyShareData bool
pskIdentities []pskIdentity
pskKEModes []byte
@@ -352,6 +353,18 @@
eqUint16s(m.compressedCertAlgs, m1.compressedCertAlgs)
}
+func (m *clientHelloMsg) marshalKeyShares(bb *byteBuilder) {
+ keyShares := bb.addU16LengthPrefixed()
+ for _, keyShare := range m.keyShares {
+ keyShares.addU16(uint16(keyShare.group))
+ keyExchange := keyShares.addU16LengthPrefixed()
+ keyExchange.addBytes(keyShare.keyExchange)
+ }
+ if m.trailingKeyShareData {
+ keyShares.addU8(0)
+ }
+}
+
func (m *clientHelloMsg) marshal() []byte {
if m.raw != nil {
return m.raw
@@ -456,17 +469,7 @@
if m.hasKeyShares {
extensions.addU16(extensionKeyShare)
keyShareList := extensions.addU16LengthPrefixed()
-
- keyShares := keyShareList.addU16LengthPrefixed()
- for _, keyShare := range m.keyShares {
- keyShares.addU16(uint16(keyShare.group))
- keyExchange := keyShares.addU16LengthPrefixed()
- keyExchange.addBytes(keyShare.keyExchange)
- }
-
- if m.trailingKeyShareData {
- keyShares.addU8(0)
- }
+ m.marshalKeyShares(keyShareList)
}
if len(m.pskKEModes) > 0 {
extensions.addU16(extensionPSKKeyExchangeModes)
@@ -763,11 +766,12 @@
m.sessionTicket = []byte(body)
case extensionKeyShare:
// https://tools.ietf.org/html/rfc8446#section-4.2.8
+ m.hasKeyShares = true
+ m.keySharesRaw = body
var keyShares byteReader
if !body.readU16LengthPrefixed(&keyShares) || len(body) != 0 {
return false
}
- m.hasKeyShares = true
for len(keyShares) > 0 {
var entry keyShareEntry
var group uint16
diff --git a/ssl/test/runner/handshake_server.go b/ssl/test/runner/handshake_server.go
index 4950a4f..6a75242 100644
--- a/ssl/test/runner/handshake_server.go
+++ b/ssl/test/runner/handshake_server.go
@@ -1182,6 +1182,9 @@
copy(hs.hello.random[len(hs.hello.random)-8:], downgradeTLS12)
}
}
+ if config.Bugs.SendJDK11DowngradeRandom {
+ copy(hs.hello.random[len(hs.hello.random)-8:], downgradeJDK11)
+ }
if len(hs.clientHello.sessionId) == 0 && c.config.Bugs.ExpectClientHelloSessionID {
return false, errors.New("tls: expected non-empty session ID from client")
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index ab46557..fadc890 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -305,6 +305,14 @@
return ret
}
+func decodeHexOrPanic(in string) []byte {
+ ret, err := hex.DecodeString(in)
+ if err != nil {
+ panic(err)
+ }
+ return ret
+}
+
type testType int
const (
@@ -14628,6 +14636,162 @@
}
}
+func addJDK11WorkaroundTests() {
+ // Test the client treats the JDK 11 downgrade random like the usual one.
+ testCases = append(testCases, testCase{
+ testType: clientTest,
+ name: "Client-RejectJDK11DowngradeRandom",
+ config: Config{
+ MaxVersion: VersionTLS12,
+ Bugs: ProtocolBugs{
+ SendJDK11DowngradeRandom: true,
+ },
+ },
+ shouldFail: true,
+ expectedError: ":TLS13_DOWNGRADE:",
+ expectedLocalError: "remote error: illegal parameter",
+ })
+ testCases = append(testCases, testCase{
+ testType: clientTest,
+ name: "Client-AcceptJDK11DowngradeRandom",
+ config: Config{
+ MaxVersion: VersionTLS12,
+ Bugs: ProtocolBugs{
+ SendJDK11DowngradeRandom: true,
+ },
+ },
+ flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
+ })
+
+ var clientHelloTests = []struct {
+ clientHello []byte
+ isJDK11 bool
+ }{
+ {
+ // A default JDK 11 ClientHello.
+ decodeHexOrPanic("010001a9030336a379aa355a22a064b4402760efae1c73977b0b4c975efc7654c35677723dde201fe3f8a2bca60418a68f72463ea19f3c241e7cbfceb347e451a62bd2417d8981005a13011302c02cc02bc030009dc02ec032009f00a3c02f009cc02dc031009e00a2c024c028003dc026c02a006b006ac00ac0140035c005c00f00390038c023c027003cc025c02900670040c009c013002fc004c00e0033003200ff01000106000000080006000003736e69000500050100000000000a0020001e0017001800190009000a000b000c000d000e001601000101010201030104000b00020100000d002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020032002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020011000900070200040000000000170000002b0009080304030303020301002d000201010033004700450017004104721f007464cb08a0f36e093ad178eb78d6968df20077b2dd882694a85dc4c9884caf5092db41f16cc3f8d41f59426992fa5e32cfb9ad08deee752cdd95b1a6b5"),
+ true,
+ },
+ {
+ // The above with supported_versions and
+ // psk_key_exchange_modes in the wrong order.
+ decodeHexOrPanic("010001a9030336a379aa355a22a064b4402760efae1c73977b0b4c975efc7654c35677723dde201fe3f8a2bca60418a68f72463ea19f3c241e7cbfceb347e451a62bd2417d8981005a13011302c02cc02bc030009dc02ec032009f00a3c02f009cc02dc031009e00a2c024c028003dc026c02a006b006ac00ac0140035c005c00f00390038c023c027003cc025c02900670040c009c013002fc004c00e0033003200ff01000106000000080006000003736e69000500050100000000000a0020001e0017001800190009000a000b000c000d000e001601000101010201030104000b00020100000d002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020032002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020011000900070200040000000000170000002d00020101002b00090803040303030203010033004700450017004104721f007464cb08a0f36e093ad178eb78d6968df20077b2dd882694a85dc4c9884caf5092db41f16cc3f8d41f59426992fa5e32cfb9ad08deee752cdd95b1a6b5"),
+ false,
+ },
+ {
+ // The above with a padding extension added at the end.
+ decodeHexOrPanic("010001b4030336a379aa355a22a064b4402760efae1c73977b0b4c975efc7654c35677723dde201fe3f8a2bca60418a68f72463ea19f3c241e7cbfceb347e451a62bd2417d8981005a13011302c02cc02bc030009dc02ec032009f00a3c02f009cc02dc031009e00a2c024c028003dc026c02a006b006ac00ac0140035c005c00f00390038c023c027003cc025c02900670040c009c013002fc004c00e0033003200ff01000111000000080006000003736e69000500050100000000000a0020001e0017001800190009000a000b000c000d000e001601000101010201030104000b00020100000d002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020032002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020011000900070200040000000000170000002b0009080304030303020301002d000201010033004700450017004104721f007464cb08a0f36e093ad178eb78d6968df20077b2dd882694a85dc4c9884caf5092db41f16cc3f8d41f59426992fa5e32cfb9ad08deee752cdd95b1a6b50015000770616464696e67"),
+ false,
+ },
+ {
+ // A JDK 11 ClientHello offering a TLS 1.3 PSK.
+ decodeHexOrPanic("0100024c0303a8d71b20f060545a398226e807d21371a7a02b7ca2f96f476c2dea7e5860c5a400005a13011302c02cc02bc030009dc02ec032009f00a3c02f009cc02dc031009e00a2c024c028003dc026c02a006b006ac00ac0140035c005c00f00390038c023c027003cc025c02900670040c009c013002fc004c00e0033003200ff010001c9000500050100000000000a0020001e0017001800190009000a000b000c000d000e001601000101010201030104000b00020100000d002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020032002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020011000900070200040000000000170000002b0009080304030303020301002d000201010033004700450017004104aaec585ea9e121b24710a23560571322b2cf8ab8cd14e5762ef0486d8a6d0ecd721d8f2abda2eb8ed5ab7195505660450f49bba94bbf0c3f0070a531d9a1be4f002900cb00a600a0e6f7586d9a2bf64a54c1adf55a2f76657047e8e88e26629e2e7b9d630941e06fd87792770f6834e159a70b252157a9b4b082183f24629c8ff5049088b07ce37c49de8cf752a2ed7a545aff63bdc7a1b18e1bc201f23f159ee75d4987a04e00f840824f764691ab83a20e3032646e793065874cdb46138a52f50ed71406f399f96f9309eba4e5b1966148c22a63dc4aa1364269dd41dd5cc0e848d07af0095622c52cfcfc00212009cc315259e2328d65ad17a3de7c182c7874140a9356fecdd4614657806cd659"),
+ true,
+ },
+ {
+ // A JDK 11 ClientHello offering a TLS 1.2 session.
+ decodeHexOrPanic("010001a903038cdec49f4836d064a75046c93f22d0b9c2cf4900917332e6f0e1f41d692d3146201a3e99047492285ec65ab4e0eeee59f8f9d1eb7687398887bcd7b81353e93923005a13011302c02cc02bc030009dc02ec032009f00a3c02f009cc02dc031009e00a2c024c028003dc026c02a006b006ac00ac0140035c005c00f00390038c023c027003cc025c02900670040c009c013002fc004c00e0033003200ff01000106000000080006000003736e69000500050100000000000a0020001e0017001800190009000a000b000c000d000e001601000101010201030104000b00020100000d002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020032002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020011000900070200040000000000170000002b0009080304030303020301002d0002010100330047004500170041041c83c42fcd8fc06265b9f6e4f076f7e7ee17ace915c587845c0e1bc8cd177f904befeb611b682cae4702509a5f5d0c7162a282b8152d843169b91136e7c6f3e7"),
+ true,
+ },
+ {
+ // A JDK 11 ClientHello with EMS disabled.
+ decodeHexOrPanic("010001a50303323a857c324a9ef57d6e2544d129073830385cb1dc75ea79f6a2ec8ae09d2e7320f85fdd081678874c67ebab235e6d6a81d947f690bc0af9be4d39854ed67d9ef9005a13011302c02cc02bc030009dc02ec032009f00a3c02f009cc02dc031009e00a2c024c028003dc026c02a006b006ac00ac0140035c005c00f00390038c023c027003cc025c02900670040c009c013002fc004c00e0033003200ff01000102000000080006000003736e69000500050100000000000a0020001e0017001800190009000a000b000c000d000e001601000101010201030104000b00020100000d002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020032002800260403050306030804080508060809080a080b040105010601040203030301030202030201020200110009000702000400000000002b0009080304030303020301002d0002010100330047004500170041049c904c4850b495d75522f955d79e9cabea065c90279d6037a101a4c4ee712afc93ad0df5d12d287d53e458c7075d9a3ce3969c939bb62222bda779cecf54a603"),
+ true,
+ },
+ {
+ // A JDK 11 ClientHello with OCSP stapling disabled.
+ decodeHexOrPanic("0100019303038a50481dc85ee4f6581670821c50f2b3d34ac3251dc6e9b751bfd2521ab47ab02069a963c5486034c37ae0577ddb4c2db28cab592380ef8e4599d1305148712112005a13011302c02cc02bc030009dc02ec032009f00a3c02f009cc02dc031009e00a2c024c028003dc026c02a006b006ac00ac0140035c005c00f00390038c023c027003cc025c02900670040c009c013002fc004c00e0033003200ff010000f0000000080006000003736e69000a0020001e0017001800190009000a000b000c000d000e001601000101010201030104000b00020100000d002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020032002800260403050306030804080508060809080a080b040105010601040203030301030202030201020200170000002b0009080304030303020301002d00020101003300470045001700410438a97824f842c549e3c339322d8b2dbaa85d10bd7bca9c969376cb0c60b1e929eb4d13db38dcb0082ad8c637b24f55466a9acbb0b63634c1f431ec8342cf720d"),
+ true,
+ },
+ {
+ // A JDK 11 ClientHello configured with a smaller set of
+ // ciphers.
+ decodeHexOrPanic("0100015603036f5706bbdf1dcae671cd9be043603f5ed20f8fc195b426504cafb4f353edb0012007aabd35e588bc2504a72eda42cbbf89d69cfc0a6a1d77db0d757606f1f4811800061301c02bc02f01000107000000080006000003736e69000500050100000000000a0020001e0017001800190009000a000b000c000d000e001601000101010201030104000b00020100000d002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020032002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020011000900070200040000000000170000002b00050403040303002d000201010033004700450017004104d283f3d5a90259b61d43ea1511211f568ce5d18457326b717e1f9d6b7d1476f2b51cdc3c798d3bdfba5095edff0ffd0540f6bc0c324bd9744f3b3f24317496e3ff01000100"),
+ true,
+ },
+ {
+ // The above with TLS_CHACHA20_POLY1305_SHA256 added,
+ // which JDK 11 does not support.
+ decodeHexOrPanic("0100015803036f5706bbdf1dcae671cd9be043603f5ed20f8fc195b426504cafb4f353edb0012007aabd35e588bc2504a72eda42cbbf89d69cfc0a6a1d77db0d757606f1f48118000813011303c02bc02f01000107000000080006000003736e69000500050100000000000a0020001e0017001800190009000a000b000c000d000e001601000101010201030104000b00020100000d002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020032002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020011000900070200040000000000170000002b00050403040303002d000201010033004700450017004104d283f3d5a90259b61d43ea1511211f568ce5d18457326b717e1f9d6b7d1476f2b51cdc3c798d3bdfba5095edff0ffd0540f6bc0c324bd9744f3b3f24317496e3ff01000100"),
+ false,
+ },
+ {
+ // The above with X25519 added, which JDK 11 does not
+ // support.
+ decodeHexOrPanic("0100015803036f5706bbdf1dcae671cd9be043603f5ed20f8fc195b426504cafb4f353edb0012007aabd35e588bc2504a72eda42cbbf89d69cfc0a6a1d77db0d757606f1f4811800061301c02bc02f01000109000000080006000003736e69000500050100000000000a00220020001d0017001800190009000a000b000c000d000e001601000101010201030104000b00020100000d002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020032002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020011000900070200040000000000170000002b00050403040303002d000201010033004700450017004104d283f3d5a90259b61d43ea1511211f568ce5d18457326b717e1f9d6b7d1476f2b51cdc3c798d3bdfba5095edff0ffd0540f6bc0c324bd9744f3b3f24317496e3ff01000100"),
+ false,
+ },
+ {
+ // A JDK 11 ClientHello with ALPN protocols configured.
+ decodeHexOrPanic("010001bb0303c0e0ea707b00c5311eb09cabd58626692cebfaefaef7265637e4550811dae16220da86d6eea04e214e873675223f08a6926bcf79f16d866280bdbab85e9e09c3ff005a13011302c02cc02bc030009dc02ec032009f00a3c02f009cc02dc031009e00a2c024c028003dc026c02a006b006ac00ac0140035c005c00f00390038c023c027003cc025c02900670040c009c013002fc004c00e0033003200ff01000118000000080006000003736e69000500050100000000000a0020001e0017001800190009000a000b000c000d000e001601000101010201030104000b00020100000d002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020032002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020010000e000c02683208687474702f312e310011000900070200040000000000170000002b0009080304030303020301002d00020101003300470045001700410416def07c1d66ddde5fc9dcc328c8e77022d321c590c0d30cb41d515b38dca34540819a216c6c053bd47b9068f4f6b960f03647de4e36e8b7ffeea78f7252e3d9"),
+ true,
+ },
+ }
+ for i, t := range clientHelloTests {
+ expectedVersion := uint16(VersionTLS13)
+ if t.isJDK11 {
+ expectedVersion = VersionTLS12
+ }
+
+ // In each of these tests, we set DefaultCurves to P-256 to
+ // match the test inputs. SendClientHelloWithFixes requires the
+ // key_shares extension to match in type.
+
+ // With the workaround enabled, we should negotiate TLS 1.2 on
+ // JDK 11 ClientHellos.
+ testCases = append(testCases, testCase{
+ testType: serverTest,
+ name: fmt.Sprintf("Server-JDK11-%d", i),
+ config: Config{
+ MaxVersion: VersionTLS13,
+ DefaultCurves: []CurveID{CurveP256},
+ Bugs: ProtocolBugs{
+ SendClientHelloWithFixes: t.clientHello,
+ ExpectJDK11DowngradeRandom: t.isJDK11,
+ },
+ },
+ expectedVersion: expectedVersion,
+ flags: []string{"-jdk11-workaround"},
+ })
+
+ // With the workaround disabled, we always negotiate TLS 1.3.
+ testCases = append(testCases, testCase{
+ testType: serverTest,
+ name: fmt.Sprintf("Server-JDK11-NoWorkaround-%d", i),
+ config: Config{
+ MaxVersion: VersionTLS13,
+ DefaultCurves: []CurveID{CurveP256},
+ Bugs: ProtocolBugs{
+ SendClientHelloWithFixes: t.clientHello,
+ ExpectJDK11DowngradeRandom: false,
+ },
+ },
+ expectedVersion: VersionTLS13,
+ })
+
+ // If the server does not support TLS 1.3, the workaround should
+ // be a no-op. In particular, it should not send the downgrade
+ // signal.
+ testCases = append(testCases, testCase{
+ testType: serverTest,
+ name: fmt.Sprintf("Server-JDK11-TLS12-%d", i),
+ config: Config{
+ MaxVersion: VersionTLS13,
+ DefaultCurves: []CurveID{CurveP256},
+ Bugs: ProtocolBugs{
+ SendClientHelloWithFixes: t.clientHello,
+ ExpectJDK11DowngradeRandom: false,
+ },
+ },
+ expectedVersion: VersionTLS12,
+ flags: []string{
+ "-jdk11-workaround",
+ "-max-version", strconv.Itoa(VersionTLS12),
+ },
+ })
+ }
+}
+
func worker(statusChan chan statusMsg, c chan *testCase, shimPath string, wg *sync.WaitGroup) {
defer wg.Done()
@@ -14761,6 +14925,7 @@
addExtraHandshakeTests()
addOmitExtensionsTests()
addCertCompressionTests()
+ addJDK11WorkaroundTests()
testCases = append(testCases, convertToSplitHandshakeTests(testCases)...)
diff --git a/ssl/test/test_config.cc b/ssl/test/test_config.cc
index 52e6cf7..7447d5a 100644
--- a/ssl/test/test_config.cc
+++ b/ssl/test/test_config.cc
@@ -146,6 +146,7 @@
{ "-is-handshaker-supported", &TestConfig::is_handshaker_supported },
{ "-handshaker-resume", &TestConfig::handshaker_resume },
{ "-reverify-on-resume", &TestConfig::reverify_on_resume },
+ { "-jdk11-workaround", &TestConfig::jdk11_workaround },
};
const Flag<std::string> kStringFlags[] = {
@@ -1624,6 +1625,9 @@
return nullptr;
}
}
+ if (jdk11_workaround) {
+ SSL_set_jdk11_workaround(ssl.get(), 1);
+ }
if (session != NULL) {
if (!is_server) {
diff --git a/ssl/test/test_config.h b/ssl/test/test_config.h
index b65ca42..bffe911 100644
--- a/ssl/test/test_config.h
+++ b/ssl/test/test_config.h
@@ -169,6 +169,7 @@
bool is_handshaker_supported = false;
bool handshaker_resume = false;
std::string handshaker_path;
+ bool jdk11_workaround = false;
int argc;
char **argv;
diff --git a/ssl/tls13_both.cc b/ssl/tls13_both.cc
index 299fc14..6baeaf7 100644
--- a/ssl/tls13_both.cc
+++ b/ssl/tls13_both.cc
@@ -43,12 +43,15 @@
0x8c, 0x5e, 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c,
};
+// See RFC 8446, section 4.1.3.
const uint8_t kTLS12DowngradeRandom[8] = {0x44, 0x4f, 0x57, 0x4e,
0x47, 0x52, 0x44, 0x00};
-
const uint8_t kTLS13DowngradeRandom[8] = {0x44, 0x4f, 0x57, 0x4e,
0x47, 0x52, 0x44, 0x01};
+// This is a non-standard randomly-generated value.
+const uint8_t kJDK11DowngradeRandom[8] = {0xed, 0xbf, 0xb4, 0xa8,
+ 0xc2, 0x47, 0x10, 0xff};
bool tls13_get_cert_verify_signature_input(
SSL_HANDSHAKE *hs, Array<uint8_t> *out,
diff --git a/tool/server.cc b/tool/server.cc
index c4b23bf..a655db5 100644
--- a/tool/server.cc
+++ b/tool/server.cc
@@ -85,6 +85,10 @@
"The server will require a client certificate.",
},
{
+ "-jdk11-workaround", kBooleanArgument,
+ "Enable the JDK 11 workaround",
+ },
+ {
"", kOptionalArgument, "",
},
};
@@ -365,6 +369,10 @@
bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
SSL_set_bio(ssl.get(), bio, bio);
+ if (args_map.count("-jdk11-workaround") != 0) {
+ SSL_set_jdk11_workaround(ssl.get(), 1);
+ }
+
int ret = SSL_accept(ssl.get());
if (ret != 1) {
int ssl_err = SSL_get_error(ssl.get(), ret);
