issues@javamail.java.net

[Bug 4296] New: SSL Re-Negotiation Problem with checkserveridentity=true

From: <bugzilla-daemon_at_kenai.com>
Date: Mon, 6 Jun 2011 08:58:20 +0000 (GMT)

http://kenai.com/bugzilla/show_bug.cgi?id=4296

           Summary: SSL Re-Negotiation Problem with
                    checkserveridentity=true
           Product: javamail
           Version: 1.4.5
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: major
          Priority: P5
         Component: imap
        AssignedTo: shannon_at_kenai.com
        ReportedBy: abeisig_at_kenai.com
                CC: issues_at_javamail.kenai.com


When I enable the checkserveridentity flag, my IMAP client application fails to
connect to the server. The server is dovecot (openssl-based) and the error I
get in the server logs is this:

TLS: SSL_read() failed: error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected
record

The problem is apparently that "checkserveridentity" causes a SSL
renegotiation. I don't know if the client is allowed to start a renegotiation
at this point, but I think it's not necessary at all.

Have a look at SocketFetcher.java:

        boolean idCheck = PropUtil.getBooleanProperty(props,
                prefix + ".ssl.checkserveridentity", false);
        if (idCheck)
        checkServerIdentity(host, (SSLSocket)socket);
        if (ssf instanceof MailSSLSocketFactory) {
        MailSSLSocketFactory msf = (MailSSLSocketFactory)ssf;
        if (!msf.isServerTrusted(host, (SSLSocket)socket)) {
            try {
            socket.close();
            } finally {
            throw new IOException("Server is not trusted: " + host);
            }
        }
        }
        configureSSLSocket(socket, props, prefix);

As you can see, the call to checkServerIdentity happens before the call to
configureSSLSocket. The SSL handshake is supposed to happen during
configureSSLSocket, but my debugging shows that the first handshake actually
happens during checkServerIdentity. I think this is because checkServerIdentity
tries to access the peer's certificates, which is obviously only possible after
SSL has been initiated. So what happens is a first handshake (with default
settings) during checkServerIdentity, and then a second (renegotiating)
handshake immediately afterwards in configureSSLSocket.

Moving the call to configureSSLSocket in front of the call to
checkServerIdentity removes the (redundant?) renegotiation and fixes the
problems connecting to dovecot for me. 

-- 
Configure bugmail: http://kenai.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
© Oracle | By contributing to this project, you are agreeing to the terms of use described here.