Bug 962568 - SSL DHE cipher suites broken in OpenJDK 7
SSL DHE cipher suites broken in OpenJDK 7
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: java-1.7.0-openjdk (Show other bugs)
6.4
Unspecified Linux
unspecified Severity unspecified
: rc
: ---
Assigned To: Andrew John Hughes
BaseOS QE - Apps
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-05-13 17:40 EDT by Aaron Ogburn
Modified: 2013-07-01 08:22 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-07-01 08:22:05 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
test keystore (1.15 KB, application/octet-stream)
2013-05-13 17:43 EDT, Aaron Ogburn
no flags Details
test openssl script (128 bytes, application/x-sh)
2013-05-13 17:43 EDT, Aaron Ogburn
no flags Details

  None (edit)
Description Aaron Ogburn 2013-05-13 17:40:17 EDT
Description of problem:

When performing Diffie-Hellman key agreement for SSL/TLS, the TLS
specification (RFC 5246) says that "Leading bytes of Z that contain all zero
bits are stripped before it is used as the pre_master_secret."

However, com.sun.crypto.provider.DHKeyAgreement.java does not strip leading
zero bytes. This causes approximately 1 out 256 SSL/TLS handshakes with
DH/DHE cipher suites to fail (when the leading byte happens, by chance, to
be zero).


Version-Release number of selected component (if applicable):

java 1.7.0.19. openjdk package version 2.3.9.1.el6_4


How reproducible:

Very


Steps to Reproduce:
1. Start the provided TestServer class:

java -Djavax.net.debug=all -Djavax.net.ssl.keyStore=./test_keystore.jks
-Djavax.net.ssl.keyStorePassword=password TestServer

2.  Test repeated connections through openssl.  Can use attached script:

./openssl_client.sh


You will occassionally see openssl gets a handshake failure.  The ssl logging logs a "SSLHandshakeException: Invalid Padding lengh"

  
Actual results: 

Roughly one out of 256 connections fail.


Expected results:

Every connection succeeds


Additional info:

It seems this commit from March 2012 inadvertently broke this:

http://hg.openjdk.java.net/jdk7u/jdk7u-gate/jdk/rev/e574e475c8a6

The commit was done to fix this bug:

http://bugs.sun.com/view_bug.do?bug_id=7146728
Comment 3 Aaron Ogburn 2013-05-13 17:43:13 EDT
Created attachment 747450 [details]
test keystore
Comment 4 Aaron Ogburn 2013-05-13 17:43:37 EDT
Created attachment 747451 [details]
test openssl script
Comment 5 Pasi Eronen 2013-05-14 07:01:26 EDT
Reported to Oracle (bugs.sun.com) as bug 9001039; bug report available this this email on OpenJDK list:

http://mail.openjdk.java.net/pipermail/security-dev/2013-May/007435.html

A patch and testcase are available in OpenJDK Bugzilla:

https://bugs.openjdk.java.net/show_bug.cgi?id=100316
Comment 7 Pasi Eronen 2013-05-20 05:31:04 EDT
This is now visible with Oracle bug ID 8014618:

http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=8014618
Comment 8 Andrew John Hughes 2013-05-23 06:17:09 EDT
Once this patch is committed upstream, it can be backported to the 7u trees.
Comment 10 Andrew John Hughes 2013-06-11 10:44:36 EDT
Fixed in 2.4.0: http://blog.fuseyism.com/index.php/2013/06/10/icedtea-2-4-0-released/
Comment 11 Andrew John Hughes 2013-06-30 19:01:31 EDT
In 2.3.10: http://blog.fuseyism.com/index.php/2013/06/28/security-icedtea-2-3-10-for-openjdk-7-released/

Need info from jvanek when this is packaged.
Comment 12 jiri vanek 2013-07-01 08:22:05 EDT
6.4 have already recieved 2.3.10. So the issue should be fixed.

Note You need to log in before you can comment on or make changes to this bug.