Bug 40774 - Does SSL works at all in classpath version 0.98
Status: UNCONFIRMED
Alias: None
Product: classpath
Classification: Unclassified
Component: crypto
Version: 0.98
Importance: P3 normal
Target Milestone: ---
Assignee: Casey Marshall
Duplicates: 50453
Reported: 2009-07-16 16:31 UTC by Audrius Meškauskas
Modified: 2014-01-06 02:30 UTC

Description Audrius Meškauskas 2009-07-16 16:31:07 UTC
I am not able to run my web application on the HTTPS port (secure port through
SSL), although it runs fine on the normal HTTP port.

The environment used to run the web application is:
	GNU Classpath ver 0.98
	JamVM ver 1.53
	Jetty 1.6.8
	Linux, Debian based
	IE and Mozilla browsers
	Keystore type: GKR
	Crypto and SSL implementation: GNU Classpath ver 0.98

Basically I got multiple issues while trying to run the application on HTTPS
ports; some of them I was able to resolve after debugging the GNU Classpath
source code. The problems I faced are described below.

Problem # 1 
----------------------
The server socket listening on the HTTPS port (8443 in our case) is not
responding to requests coming from the browser.

After analysis, I have found that the SSL server socket has been listening on
HTTPS port 8443, accepting the initial connection request coming from the
browser and creating an SSL client socket in response, but after this there
is no response from the SSL client socket created earlier. It seems that no
input stream is open on the client socket to read data coming from the browser.


I think the above issue is due to some bug in the SSLSocketImpl class
in the gnu.javax.net.ssl.provider package. In the constructor of this class, a
new Socket is created (I do not know why??) which is stored in the
underlyingSocket variable of the SSLSocketImpl class. All read and write
requests are then delegated to the member variable underlyingSocket. I think
that after copying the new socket reference to the underlyingSocket variable,
this socket (underlyingSocket) is not connected to the same native socket that
was created in response to the initial request from the browser, therefore the
SSL client socket is not responding to the browser request.

I have fixed this issue by not setting the underlyingSocket variable to a new
Socket and adding a check for null at all places where underlyingSocket is
referred to. I have diverted all calls on underlyingSocket to the super class
of SSLSocketImpl.

Please confirm whether this is a bug in the SSLSocketImpl class or whether I
have done something wrong.

Problem # 2
-----------------------
The SSL handshake starts working, but an IllegalArgumentException is
thrown from the setLength API in the Record class in the
gnu.javax.net.ssl.provider package.


I think the length check (between 0 and 16384 (2^14)) on the SSL record is not
correct. As per the SSL RFC, the length of the final SSL record after
encryption and compression may exceed by 2048 bytes.

I have fixed this issue by changing the maximum length to 17408.

Please confirm whether this is a bug in the Record class.

Problem # 3
------------------------
In the decrypt API of the InputSecurityParameters class in the
gnu.javax.net.ssl.provider package, sometimes the length calculated for the
padding in the case of a block cipher is more than the size of the SSL
record/fragment, resulting in an IllegalArgumentException.

I have seen this issue only with the Internet Explorer browser. At line # 173
in this class, an IllegalArgumentException is thrown on calling the position
API of ByteBuffer, due to passing a negative index.

	
	else if (record.version().compareTo(ProtocolVersion.TLS_1) >= 0)
	  {
	    // In TLSv1 and later, the padding must be `padlen' copies of the
	    // value `padlen'.
	    byte[] pad = new byte[padlen];

	    // IllegalArgumentException comes at the line below
	    ((ByteBuffer) fragment.duplicate().position(record.length() - padlen - 1)).get(pad);

	    for (int i = 0; i < pad.length; i++)
	      if ((pad[i] & 0xFF) != padlen)
	        badPadding = true;
	    if (Debug.DEBUG)
	      logger.logv(Component.SSL_RECORD_LAYER, "TLSv1.x padding\n{0}",
	                  new ByteArray(pad));
	  }
					  
					  
To resolve this issue, for the time being I have put a safety check for a
positive index before the line where the exception occurs.




Now, even after resolving all the above mentioned issues, sometimes a bad
certificate or invalid signature error is shown in the browser on opening
pages using HTTPS.

I have to provide HTTPS support and now I am really stuck. Please guide me
in resolving these SSL related issues.
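
Added example, not part of the original report and not GNU Classpath code: a stand-alone sketch of the two record-layer checks that Problems 2 and 3 concern, using the limits from RFC 2246 section 6.2 (TLSPlaintext 2^14, TLSCiphertext 2^14 + 2048). The class and method names (RecordChecks, ciphertextLengthOk, checkTlsPadding) are hypothetical, and the sample record is constructed. A pad length that does not fit inside the fragment is reported as ordinary bad padding instead of reaching ByteBuffer.position() with a negative index.

```java
import java.nio.ByteBuffer;
import java.util.Arrays;

// Hypothetical helper class for illustration; not the Classpath implementation.
public class RecordChecks {
    // RFC 2246 section 6.2: length limits at each record-layer stage.
    static final int MAX_PLAINTEXT = 1 << 14;            // TLSPlaintext.length
    static final int MAX_CIPHERTEXT = (1 << 14) + 2048;  // TLSCiphertext.length

    /** True if a length field read from an encrypted record header is acceptable. */
    static boolean ciphertextLengthOk(int length) {
        return length >= 0 && length <= MAX_CIPHERTEXT;
    }

    /**
     * Validates TLS 1.0 CBC padding on a decrypted fragment laid out as
     * content || MAC || padding (padlen bytes) || padlen.
     * Returns the length of content+MAC, or -1 for bad padding. It never
     * throws on a peer-controlled pad length.
     */
    static int checkTlsPadding(ByteBuffer fragment, int macLen) {
        int len = fragment.remaining();
        if (len < 1)
            return -1;
        int base = fragment.position();
        int padlen = fragment.get(base + len - 1) & 0xFF;
        // The padding, its length byte and the MAC must all fit in the fragment.
        if (padlen + 1 + macLen > len)
            return -1;
        int bad = 0;
        for (int i = len - 1 - padlen; i < len - 1; i++)
            bad |= (fragment.get(base + i) & 0xFF) ^ padlen;  // every pad byte == padlen
        return bad == 0 ? len - padlen - 1 : -1;
    }

    public static void main(String[] args) {
        // Constructed sample: 4 content bytes, 20-byte MAC (all zero here),
        // 7 padding bytes of value 7, then the padding-length byte 7.
        byte[] rec = new byte[32];
        Arrays.fill(rec, 24, 32, (byte) 7);
        System.out.println("valid padding   -> " + checkTlsPadding(ByteBuffer.wrap(rec), 20));
        rec[31] = (byte) 200;  // pad length larger than the whole fragment
        System.out.println("oversize padlen -> " + checkTlsPadding(ByteBuffer.wrap(rec), 20));
        System.out.println("length 17000 ok -> " + ciphertextLengthOk(17000));
        System.out.println("length 18433 ok -> " + ciphertextLengthOk(18433));
    }
}
```

A caller should treat the -1 result the same way as a MAC failure, so that a malformed pad length is not distinguishable from any other bad record.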
Comment 1 Martin Winter 2011-01-20 13:19:08 UTC
I see the very same behaviour with JamVM 1.5.4, Classpath 0.98 and the simpleframework web server on an embedded Linux (ARM) platform, so I can affirm that there is a bug and that it can be reproduced.

Here is my code snippet to create the SSL server:

try {
	SSLContext ssl = SSLContext.getInstance("SSLv3");
	KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
	InputStream keystream = ClassLoader.getSystemResourceAsStream(keystore);
					
	if (keystream == null) {
		throw new FileNotFoundException("Keystore not found: " + keystore);
	}
					
	ks.load(keystream, "password".toCharArray());
	KeyManagerFactory kmf = KeyManagerFactory
		.getInstance(KeyManagerFactory.getDefaultAlgorithm());
	kmf.init(ks, "passwd".toCharArray());
	ssl.init(kmf.getKeyManagers(), null, null);

	SocketAddress address = new InetSocketAddress("localhost", 443);
	Connection connection = new SocketConnection(container);
	connection.connect(address, ssl);
} catch (Exception e) {
	log.warn("Cannot create SSL server", e);
}
Comment 2 Andrew John Hughes 2012-10-15 10:45:42 UTC
*** Bug 50453 has been marked as a duplicate of this bug. ***