
JDK-8260925: HttpsURLConnection does not work with other JSSE provider. #2583

Closed
wants to merge 8 commits into from

Conversation

vyommani
Contributor

@vyommani vyommani commented Feb 16, 2021

HttpsURLConnection works with the SunJSSE provider but does not work with other JSSE providers. In the case of SunJSSE, HttpsURLConnection sets the host name as follows:

    s = (SSLSocket)serverSocket;
    if (s instanceof SSLSocketImpl) {
        ((SSLSocketImpl)s).setHost(host);
    }

But in the case of other providers (BouncyCastleProvider), the host will not get set and a "java.security.cert.CertificateException: No subject alternative name found matching IP address" exception will be thrown.
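As an added example (not HttpsClient's code and not part of this PR), the hypothetical helper below binds the peer hostname through the public javax.net.ssl API only, which every JSSE provider honours, instead of the SunJSSE-private SSLSocketImpl.setHost. It also leaves any SNI names the application already configured untouched and skips SNI for IP literals, which RFC 6066 does not allow as SNI host names; the method and class names are assumptions.

```java
import java.util.Collections;
import java.util.List;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;

/** Hypothetical helper (not HttpsClient's own code): provider-neutral hostname binding. */
public final class EndpointIdentification {

    private EndpointIdentification() {}

    // Rough detection of an IPv4 dotted-quad or an IPv6 literal (which always contains ':').
    // SNI host_name values must not be IP literals (RFC 6066), so SNI is skipped for them
    // and only the endpoint identification algorithm is relied on to match an IP SAN.
    static boolean isIpLiteral(String host) {
        return host.contains(":") || host.matches("\\d{1,3}(\\.\\d{1,3}){3}");
    }

    // True when the caller (or the provider) has already put SNI names on the parameters.
    static boolean hasServerNames(SSLParameters p) {
        List<SNIServerName> names = p.getServerNames();
        return names != null && !names.isEmpty();
    }

    /**
     * Bind the expected peer name to the socket using only public JSSE API, so the
     * certificate check is enforced by any provider, not just SunJSSE.
     */
    public static void bindHost(SSLSocket s, String host) {
        SSLParameters p = s.getSSLParameters();   // getSSLParameters() returns a copy
        // "HTTPS" makes the provider verify the certificate against host during the
        // handshake (RFC 2818 rules), covering both DNS and IP-address SAN entries.
        p.setEndpointIdentificationAlgorithm("HTTPS");
        // Only add SNI when nothing is configured yet and host is a real DNS name;
        // overwriting an existing list could change which certificate the server sends.
        if (!hasServerNames(p) && !isIpLiteral(host)) {
            p.setServerNames(Collections.singletonList(new SNIHostName(host)));
        }
        s.setSSLParameters(p);                    // must be written back to take effect
    }
}
```

Called before the handshake (e.g. right after the SSLSocket is created for the connection), this gives the same hostname check with BouncyCastle's JSSE as SunJSSE performs through setHost.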


Progress

  • Change must not contain extraneous whitespace
  • Commit message must refer to an issue
  • Change must be properly reviewed

Issue

  • JDK-8260925: HttpsURLConnection does not work with other JSSE provider.

Reviewers

Download

$ git fetch https://git.openjdk.java.net/jdk pull/2583/head:pull/2583
$ git checkout pull/2583

@bridgekeeper bridgekeeper bot added the oca Needs verification of OCA signatory status label Feb 16, 2021
@bridgekeeper

bridgekeeper bot commented Feb 16, 2021

Hi @vyommani, welcome to this OpenJDK project and thanks for contributing!

We do not recognize you as Contributor and need to ensure you have signed the Oracle Contributor Agreement (OCA). If you have not signed the OCA, please follow the instructions. Please fill in your GitHub username in the "Username" field of the application. Once you have signed the OCA, please let us know by writing /signed in a comment in this pull request.

If you already are an OpenJDK Author, Committer or Reviewer, please click here to open a new issue so that we can record that fact. Please use "Add GitHub user vyommani" as summary for the issue.

If you are contributing this work on behalf of your employer and your employer has signed the OCA, please let us know by writing /covered in a comment in this pull request.

@openjdk

openjdk bot commented Feb 16, 2021

@vyommani The following label will be automatically applied to this pull request:

  • net

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

@openjdk openjdk bot added the net net-dev@openjdk.org label Feb 16, 2021
@bridgekeeper bridgekeeper bot removed the oca Needs verification of OCA signatory status label Mar 1, 2021
@vyommani vyommani marked this pull request as draft March 2, 2021 04:42
@vyommani vyommani marked this pull request as ready for review March 2, 2021 05:46
@openjdk openjdk bot added the rfr Pull request is ready for review label Mar 2, 2021
@mlbridge

mlbridge bot commented Mar 2, 2021

Webrevs

@@ -565,6 +566,7 @@ public void afterConnect() throws IOException, UnknownHostException {
// will do the spoof checks in SSLSocket.
SSLParameters paramaters = s.getSSLParameters();
paramaters.setEndpointIdentificationAlgorithm("HTTPS");
paramaters.setServerNames(Collections.singletonList(new SNIHostName(host)));
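Review bot: the setServerNames call on the last line unconditionally replaces the socket's server-name list with a single SNIHostName(host), so any SNI name the application or the provider had already placed on the SSLParameters is discarded; consider guarding it with `if (paramaters.getServerNames() == null || paramaters.getServerNames().isEmpty())` before overwriting. Also, RFC 6066 does not permit IP literals as SNI host_name values, and the exception quoted in the description is about matching an IP address, so when host can be an IP address literal the SNI line should be skipped for that case and only the "HTTPS" endpoint identification algorithm relied on. Minor: the existing variable name is spelt `paramaters`.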
Member

@dfuch dfuch Mar 2, 2021


What if the SSL Layer has already an SNIHostName configured? Is there a risk that this will introduce regressions in such cases?

Contributor Author


Maybe; I am not sure. We may need this code change to be reviewed by a security expert. I am setting "SNIHostName" only if "isDefaultHostnameVerifier" is true (if the HNV is the default from HttpsURLConnection), so there should not be a problem.

Member


Did you try to run the httpclient tests? They make use of the httpserver - so they can also serve to test it - somewhat.
More generally - please run jdk_net/tier2 tests.

Member


As far as I know this is only tier1 - so none of the network tests have been run.

Contributor Author


I ran tier1 & tier2 tests locally on my Linux VM; it was clear. Can you please let me know how to run it on the OpenJDK build system?

@XueleiFan
Member

HttpsURLConnection works with the SunJSSE provider but does not work with other JSSE providers. In the case of SunJSSE, HttpsURLConnection sets the host name as follows:

    s = (SSLSocket)serverSocket;
    if (s instanceof SSLSocketImpl) {
        ((SSLSocketImpl)s).setHost(host);
    }

Did you copy the code/lines above from src/java.base/share/classes/sun/net/www/protocol/https/HttpsClient.java? This is the file you updated in the pull request. If I read the updated file right, the line numbers are from 455 to 458. If the socket is an instance of SSLSocketImpl, the host is set here.

But in the case of other providers (BouncyCastleProvider), the host will not get set and a "java.security.cert.CertificateException: No subject alternative name found matching IP address" exception will be thrown.

@vyommani
Contributor Author

vyommani commented Mar 3, 2021

HttpsURLConnection works with the SunJSSE provider but does not work with other JSSE providers. In the case of SunJSSE, HttpsURLConnection sets the host name as follows:

    s = (SSLSocket)serverSocket;
    if (s instanceof SSLSocketImpl) {
        ((SSLSocketImpl)s).setHost(host);
    }

Did you copy the code/lines above from src/java.base/share/classes/sun/net/www/protocol/https/HttpsClient.java? This is the file you updated in the pull request. If I read the updated file right, the line numbers are from 455 to 458. If the socket is an instance of SSLSocketImpl, the host is set here.

But in the case of other providers (BouncyCastleProvider), the host will not get set and a "java.security.cert.CertificateException: No subject alternative name found matching IP address" exception will be thrown.

Thanks for pointing it out. Yes, you are right; in the case of SSLSocketImpl the host will be set twice. I will make the changes and update the PR.

@vyommani
Contributor Author

vyommani commented Mar 3, 2021

Updated the PR and incorporated the review comment suggested by Xuelei.

@dfuch
Member

dfuch commented Mar 3, 2021

Vyom, can you provide, or point to a test that exercises the code paths that have been changed? And also some new test that would fail before the fix and pass after?

best regards,

-- daniel

@openjdk openjdk bot removed the rfr Pull request is ready for review label Mar 3, 2021
@vyommani
Contributor Author

vyommani commented Mar 3, 2021

Vyom, can you provide, or point to a test that exercises the code paths that have been changed? And also some new test that would fail before the fix and pass after?

best regards,

-- daniel

Hi Daniel,

There are multiple tests in "test/jdk/sun/net/www/protocol/https/HttpsURLConnection" which exercise the code paths that have been changed. To be more specific, if you change the JSSE provider, for example to "BouncyCastle", then these tests will fail because the host will not be set for other (BC) JSSE providers.

In JDK-8260925, I put detailed instructions on how to reproduce this issue. Please let me know if you need any additional information.
Vyom

@openjdk openjdk bot added the rfr Pull request is ready for review label Mar 4, 2021
@vyommani
Contributor Author

vyommani commented Mar 4, 2021

updated the PR

Member

@XueleiFan XueleiFan left a comment


Thank you. I have no more comment.

@openjdk

openjdk bot commented Mar 4, 2021

@vyommani This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8260925: HttpsURLConnection does not work  with other JSSE provider.

Reviewed-by: xuelei

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 213 new commits pushed to the master branch:

  • 84c93d5: 8257137: Revise smov and umov in aarch64 assembler
  • d93fa0d: 8253940: com/sun/jdi/JdwpAttachTest.java failed with "RuntimeException: ERROR: LingeredApp.startApp was able to attach"
  • 104a262: 8224775: test/jdk/com/sun/jdi/JdwpListenTest.java failed to attach
  • 2848938: 8262927: Explicitly state fields examined for BigDecimal.hashCode
  • b397472: 8262915: java.awt.color.ColorSpace.getName() is not thread-safe
  • 268d9b7: 8261447: MethodInvocationCounters frequently run into overflow
  • 75aa154: 8259267: Refactor LoaderLeak shell test as java test.
  • a118185: 8261862: Expand discussion of rationale for BigDecimal equals/compareTo semantics
  • 2d2ef08: 8262885: Shenandoah: FullGC prologue does not need to save/restore heap has_forwarded_object flag
  • 1d2c1e6: 8248314: Parallel: Parallelize parallel full gc Adjust Roots phase
  • ... and 203 more: https://git.openjdk.java.net/jdk/compare/34ae7aeb64db90dcb4d2f3d4acb16c714a32824f...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

@openjdk openjdk bot added the ready Pull request is ready to be integrated label Mar 4, 2021
@kusrinivasan
Member

Shouldn't there be a regression test for this? If not, IIRC the bug needs to be tagged with noreg-hard or noreg-other?

@vyommani
Contributor Author

vyommani commented Mar 5, 2021

/integrate

@openjdk openjdk bot closed this Mar 5, 2021
@openjdk openjdk bot added integrated Pull request has been integrated and removed ready Pull request is ready to be integrated rfr Pull request is ready for review labels Mar 5, 2021
@openjdk

openjdk bot commented Mar 5, 2021

@vyommani Since your change was applied there have been 233 commits pushed to the master branch:

  • dbef0ec: 6323374: (coll) Optimize Collections.unmodifiable* and synchronized*
  • ee09bad: 8262300: jpackage app-launcher fails on linux when using JDK11 based runtime
  • 351889f: 8262508: Vector API's ergonomics is incorrect
  • 718d4d4: 8262989: Vectorize VectorShuffle checkIndexes, wrapIndexes and laneIsValid methods
  • c8b23e2: 8262064: Make compiler/ciReplay tests ignore lambdas in compilation replay
  • 02fbcb5: 8261532: Archived superinterface class cannot be accessed
  • 109af7b: 8261518: jpackage looks for main module in current dir when there is no module-path
  • e61a3ba: 8239386: handle ContendedPaddingWidth in vm_version_aarch64
  • f56c918: 8262837: handle split_USE correctly
  • bd1a806: 8263040: fix for JDK-8262122 fails validate-source
  • ... and 223 more: https://git.openjdk.java.net/jdk/compare/34ae7aeb64db90dcb4d2f3d4acb16c714a32824f...master

Your commit was automatically rebased without conflicts.

Pushed as commit 80182f9.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.

@vyommani vyommani deleted the JDK-8260925 branch March 5, 2021 09:22
Labels
integrated Pull request has been integrated net net-dev@openjdk.org
4 participants