Two instances use TLSv1.3 #650

Closed
readonlynetwork opened this issue Mar 28, 2019 · 4 comments

@readonlynetwork
I use OpenJDK 1.8 and Conscrypt 2.0.0, embedding Jetty HttpClient & HttpServer.
Two SslContextFactory instances with Conscrypt TLSv1.3.

  • No error if I do not use Conscrypt at the client or at the server, OR if I disable TLSv1.3 at the client or at the server.
  • Same error if I do not set scf.setIncludeProtocols(new String[] {"TLSv1.2", "TLSv1.3"}); at the client (default settings).

More detail: jetty/jetty.project#3500

java.util.concurrent.ExecutionException: javax.net.ssl.SSLHandshakeException: java.lang.IllegalArgumentException: TLSv1.3
	at org.eclipse.jetty.client.util.FutureResponseListener.getResult(FutureResponseListener.java:118)
	at org.eclipse.jetty.client.util.FutureResponseListener.get(FutureResponseListener.java:101)
	at org.eclipse.jetty.client.HttpRequest.send(HttpRequest.java:683)
	at com.readonlynetwork.prepare.SelfSignedCert.main(SelfSignedCert.java:270)
Caused by: javax.net.ssl.SSLHandshakeException: java.lang.IllegalArgumentException: TLSv1.3
	at org.conscrypt.SSLUtils.toSSLHandshakeException(SSLUtils.java:361)
	at org.conscrypt.ConscryptEngine.convertException(ConscryptEngine.java:1158)
	at org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1113)
	at org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:861)
	at org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:733)
	at org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:698)
	at org.conscrypt.Java8EngineWrapper.unwrap(Java8EngineWrapper.java:236)
	at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:578)
	at org.eclipse.jetty.client.http.HttpReceiverOverHTTP.process(HttpReceiverOverHTTP.java:128)
	at org.eclipse.jetty.client.http.HttpReceiverOverHTTP.receive(HttpReceiverOverHTTP.java:73)
	at org.eclipse.jetty.client.http.HttpChannelOverHTTP.receive(HttpChannelOverHTTP.java:133)
	at org.eclipse.jetty.client.http.HttpConnectionOverHTTP.onFillable(HttpConnectionOverHTTP.java:155)
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
	at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:427)
	at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:321)
	at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:159)
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
	at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.produce(EatWhatYouKill.java:132)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683)
	at java.lang.Thread.run(Thread.java:748)
Caused by: java.security.cert.CertificateException: java.lang.IllegalArgumentException: TLSv1.3
	at org.conscrypt.ConscryptEngine.verifyCertificateChain(ConscryptEngine.java:1661)
	at org.conscrypt.NativeCrypto.ENGINE_SSL_read_direct(Native Method)
	at org.conscrypt.NativeSsl.readDirectByteBuffer(NativeSsl.java:531)
	at org.conscrypt.ConscryptEngine.readPlaintextDataDirect(ConscryptEngine.java:1119)
	at org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1103)
	... 23 more
Caused by: java.lang.IllegalArgumentException: TLSv1.3
	at sun.security.ssl.ProtocolVersion.valueOf(ProtocolVersion.java:187)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:258)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
	at org.conscrypt.Java7PlatformUtil.checkServerTrusted(Java7PlatformUtil.java:78)
	at org.conscrypt.Platform.checkServerTrusted(Platform.java:303)
	at org.conscrypt.ConscryptEngine.verifyCertificateChain(ConscryptEngine.java:1653)
	... 27 more
@flooey (Contributor) commented Mar 28, 2019

The trust manager bundled with OpenJDK < 11 doesn't work with TLS 1.3. If you want to use TLS 1.3 with Conscrypt on one of those versions, you need to use Conscrypt's trust manager (or another one that supports TLS 1.3). Conscrypt provides the trust manager by default starting in 2.0, but you need to ensure Conscrypt is a higher-priority provider than the built in one to ensure it gets used.

@flooey flooey closed this as completed Mar 28, 2019
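The setup flooey describes, as an added example that is not code from this issue, from Jetty or from the Conscrypt project: register Conscrypt at provider position 1 so that the default TrustManagerFactory (algorithm "PKIX" on OpenJDK) resolves to Conscrypt's org.conscrypt.TrustManagerImpl rather than SunJSSE's sun.security.ssl.X509TrustManagerImpl, check that this actually happened, and then build a Conscrypt-backed SSLContext with TLS 1.2 and 1.3 enabled. The class name, the "example.com" peer and the use of the JDK's default trust store are assumptions of this example; the provider name "Conscrypt" is the name Conscrypt.newProvider() registers under.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.conscrypt.Conscrypt;

/**
 * Added example (not from this issue, Jetty or Conscrypt): make Conscrypt the
 * most-preferred JCA provider on OpenJDK 8 so that TLS 1.3 handshakes use
 * Conscrypt's own X509TrustManager. SunJSSE's X509TrustManagerImpl on JDK < 11
 * calls ProtocolVersion.valueOf(...) on the negotiated version and throws
 * IllegalArgumentException("TLSv1.3"), which is the root cause in the first
 * stack trace of this thread.
 */
public final class ConscryptTls13Setup {

    /**
     * Insert Conscrypt at position 1, which is the highest priority.
     * Position 0 is not "first": Security.insertProviderAt treats an
     * out-of-range position as "append at the end", i.e. lowest priority,
     * which is why insertProviderAt(..., 0) changed nothing in this thread.
     */
    public static Provider installConscryptFirst() {
        Provider conscrypt = Conscrypt.newProvider();
        if (Security.getProvider(conscrypt.getName()) == null) {
            int pos = Security.insertProviderAt(conscrypt, 1);
            if (pos != 1) {
                throw new IllegalStateException(
                    "Conscrypt installed at provider position " + pos + ", expected 1");
            }
        }
        return conscrypt;
    }

    /**
     * Build the default trust manager (JDK cacerts) and fail loudly if it is
     * not Conscrypt's. Jetty's SslContextFactory obtains its trust managers
     * through TrustManagerFactory.getDefaultAlgorithm() in the same way, so
     * whichever provider wins here is what the HttpClient will use.
     */
    public static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = the JDK's default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                String impl = tm.getClass().getName();
                if (!impl.startsWith("org.conscrypt.")) {
                    throw new IllegalStateException("Trust manager is " + impl
                        + "; TLS 1.3 on JDK < 11 needs Conscrypt's trust manager"
                        + " (is Conscrypt really the first provider?)");
                }
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** SSLContext explicitly backed by the Conscrypt provider. */
    public static SSLContext conscryptContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS", "Conscrypt");
        ctx.init(null, new TrustManager[] { defaultTrustManager() }, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        installConscryptFirst();
        SSLContext ctx = conscryptContext();
        // "example.com" is a placeholder peer; no connection is made here.
        SSLEngine engine = ctx.createSSLEngine("example.com", 443);
        engine.setUseClientMode(true);
        engine.setEnabledProtocols(new String[] { "TLSv1.2", "TLSv1.3" });
        System.out.println("SSLContext provider : " + ctx.getProvider().getName());
        System.out.println("trust manager       : " + defaultTrustManager().getClass().getName());
        System.out.println("enabled protocols   : " + String.join(",", engine.getEnabledProtocols()));
    }
}
```

Run installConscryptFirst() before Jetty creates any SslContextFactory; ordering the providers afterwards has no effect on trust managers that were already built. Once Conscrypt's trust manager is in use it also performs hostname verification against the certificate's subjectAltNames (that is what org.conscrypt.TrustManagerImpl.checkTrusted is doing in the "No subjectAltNames on the certificate match" trace later in this thread), so a self-signed test certificate must carry a SAN for the host the client connects to; that error is a sign the provider switch worked, not a regression of the TLSv1.3 problem.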
@readonlynetwork (Author)

I tried this as the first line of main:
Security.insertProviderAt(Conscrypt.newProvider(), 0);

And I got the same error.

@readonlynetwork (Author) commented Mar 28, 2019

OK, my fault, I tried again: Security.insertProviderAt(Conscrypt.newProvider(), 1);
But I got (randomly) one of 3 errors:

java.util.concurrent.ExecutionException: javax.net.ssl.SSLException: SSL_write
	at org.eclipse.jetty.client.util.FutureResponseListener.getResult(FutureResponseListener.java:118)
	at org.eclipse.jetty.client.util.FutureResponseListener.get(FutureResponseListener.java:101)
	at org.eclipse.jetty.client.HttpRequest.send(HttpRequest.java:683)
	at com.readonlynetwork.prepare.SelfSignedCert.main(SelfSignedCert.java:274)
Caused by: javax.net.ssl.SSLException: SSL_write
	at org.conscrypt.ConscryptEngine.newSslExceptionWithMessage(ConscryptEngine.java:1376)
	at org.conscrypt.ConscryptEngine.wrap(ConscryptEngine.java:1551)
	at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:509)
	at org.conscrypt.Java8EngineWrapper.wrap(Java8EngineWrapper.java:56)
	at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.flush(SslConnection.java:884)
	at org.eclipse.jetty.io.WriteFlusher.flush(WriteFlusher.java:393)
	at org.eclipse.jetty.io.WriteFlusher.completeWrite(WriteFlusher.java:349)
	at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.lambda$fill$1(SslConnection.java:670)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683)
	at java.lang.Thread.run(Thread.java:748)

OR

java.util.concurrent.ExecutionException: javax.net.ssl.SSLHandshakeException: No subjectAltNames on the certificate match
	at org.eclipse.jetty.client.util.FutureResponseListener.getResult(FutureResponseListener.java:118)
	at org.eclipse.jetty.client.util.FutureResponseListener.get(FutureResponseListener.java:101)
	at org.eclipse.jetty.client.HttpRequest.send(HttpRequest.java:683)
	at com.readonlynetwork.prepare.SelfSignedCert.main(SelfSignedCert.java:272)
Caused by: javax.net.ssl.SSLHandshakeException: No subjectAltNames on the certificate match
	at org.conscrypt.SSLUtils.toSSLHandshakeException(SSLUtils.java:361)
	at org.conscrypt.ConscryptEngine.convertException(ConscryptEngine.java:1158)
	at org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1113)
	at org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:861)
	at org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:733)
	at org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:698)
	at org.conscrypt.Java8EngineWrapper.unwrap(Java8EngineWrapper.java:236)
	at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:578)
	at org.eclipse.jetty.client.http.HttpReceiverOverHTTP.process(HttpReceiverOverHTTP.java:128)
	at org.eclipse.jetty.client.http.HttpReceiverOverHTTP.receive(HttpReceiverOverHTTP.java:73)
	at org.eclipse.jetty.client.http.HttpChannelOverHTTP.receive(HttpChannelOverHTTP.java:133)
	at org.eclipse.jetty.client.http.HttpConnectionOverHTTP.onFillable(HttpConnectionOverHTTP.java:155)
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
	at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:427)
	at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:321)
	at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:159)
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
	at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.produce(EatWhatYouKill.java:132)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683)
	at java.lang.Thread.run(Thread.java:748)
Caused by: java.security.cert.CertificateException: No subjectAltNames on the certificate match
	at org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:406)
	at org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:354)
	at org.conscrypt.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:367)
	at org.conscrypt.Java7PlatformUtil.checkServerTrusted(Java7PlatformUtil.java:78)
	at org.conscrypt.Platform.checkServerTrusted(Platform.java:303)
	at org.conscrypt.ConscryptEngine.verifyCertificateChain(ConscryptEngine.java:1653)
	at org.conscrypt.NativeCrypto.ENGINE_SSL_read_direct(Native Method)
	at org.conscrypt.NativeSsl.readDirectByteBuffer(NativeSsl.java:531)
	at org.conscrypt.ConscryptEngine.readPlaintextDataDirect(ConscryptEngine.java:1119)
	at org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1103)
	... 23 more

OR

Fail: java.io.IOException: Broken pipe
java.util.concurrent.ExecutionException: java.io.IOException: Broken pipe
	at org.eclipse.jetty.client.util.FutureResponseListener.getResult(FutureResponseListener.java:118)
	at org.eclipse.jetty.client.util.FutureResponseListener.get(FutureResponseListener.java:101)
	at org.eclipse.jetty.client.HttpRequest.send(HttpRequest.java:683)
	at com.readonlynetwork.prepare.SelfSignedCert.main(SelfSignedCert.java:272)
Caused by: java.io.IOException: Broken pipe
	at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.flush(SslConnection.java:924)
	at org.eclipse.jetty.io.WriteFlusher.flush(WriteFlusher.java:393)
	at org.eclipse.jetty.io.WriteFlusher.completeWrite(WriteFlusher.java:349)
	at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.lambda$fill$1(SslConnection.java:670)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683)
	at java.lang.Thread.run(Thread.java:748)

Maybe it is not a Conscrypt error.

@rickgong

I tried this as the first line of main:
Security.insertProviderAt(Conscrypt.newProvider(), 0);

And I got the same error.

Security.insertProviderAt(Conscrypt.newProvider(), 1);

3 participants