
TLS 1.3 handshake failure when using OpenJDK 14 java module runtime

Tags: java, module, ssl

This is my first post. Please be kind. I have searched many sites, but have not had any luck.

I created a simple Java application developed with Java 14.0.2 and JavaFX 14.0.2 that connects using TLS to a host and provides basic certificate and protocol information back to the user. It is a learning as well as testing and troubleshooting tool.

All versions of TLS work up to and including TLS 1.3 when running the application using Intellij or using the OpenJDK 14 GA version of java.exe and specifying the classpath to the application jar.

My problem is that TLS 1.3 does not work when building a module, using JLink from Jigsaw, and using the Java runtime (JRT). TLS 1.0 and 1.2 work fine. TLS 1.3 fails with a handshake failure.

I believe the problem has to do with the supported groups or the signature algorithms sent in the Client Hello only when using the JRT.

When using the GA version of Java and the application jar, the client sends 10 supported groups, the Elliptic Curve Groups (ECDHE) and the Finite Field Groups (DHE). It also sends 16 signature algorithms (which includes the ECDSA algorithms).

When using the JRT, the client sends five supported groups which is only the DHE groups. It also sends 14 signature algorithms (which does not include the ECDSA algorithms).

I am not sure if this is due to a missing require in my module-info or if it is a bug. There is only one module in the project and the module-info is very basic. Building the project there are no errors/warnings and there are no runtime errors other than the javax.net.ssl.SSLHandshakeException.

Here is my module-info.java:

module TlsHostInfo {
    requires java.base;
    requires javafx.controls;
    requires javafx.fxml;

    opens certpackage.view to javafx.fxml;
    exports certpackage;
}

I am hoping I missed something or it is a simple configuration error. Has anyone run into this and do you see what could cause the missing data in the Client Hello?

Wireshark Trace 1:

Wireshark Trace 2:

Wireshark Trace 3:

Wireshark Handshake Failure:

Cosmopolis asked Oct 14 '25 22:10


1 Answer

It appears the SunEC provider is required to support TLS 1.3 when building a custom runtime.

Added "requires jdk.crypto.ec" to the "module-info.java".

module TlsHostInfo {
    requires java.base;
    requires javafx.controls;
    requires javafx.fxml;
    requires jdk.crypto.ec; // added: module that contains the SunEC provider

    opens certpackage.view to javafx.fxml;
    exports certpackage;
}
Cosmopolis answered Oct 17 '25 14:10
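
A way to confirm the cause from inside the runtime itself, without a packet capture. This is an added example, not code from the original post: the class name `EcRuntimeCheck` is hypothetical, and the probes use the standard JCA algorithm names behind the ECDHE groups and ECDSA signature schemes that were missing from the Client Hello.

```java
import java.security.KeyPairGenerator;
import java.security.Security;
import java.security.Signature;
import java.util.Arrays;
import javax.crypto.KeyAgreement;
import javax.net.ssl.SSLContext;

/** Added diagnostic (hypothetical class name): reports whether this runtime can offer EC in TLS. */
public class EcRuntimeCheck {

    /** Lets each JCA lookup be probed the same way. */
    interface Probe { void run() throws Exception; }

    static boolean available(String label, Probe p) {
        try {
            p.run();
            System.out.println("  [ok]      " + label);
            return true;
        } catch (Exception e) {
            System.out.println("  [missing] " + label + " -> " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Is the module named in the answer part of the boot layer of this image?
        boolean module = ModuleLayer.boot().findModule("jdk.crypto.ec").isPresent();
        System.out.println("module jdk.crypto.ec in image: " + module);
        System.out.println("SunEC provider registered:     "
                + (Security.getProvider("SunEC") != null));

        // Algorithms behind the ECDHE groups and the ECDSA signature schemes.
        System.out.println("JCA algorithms:");
        boolean ok = available("KeyPairGenerator EC", () -> KeyPairGenerator.getInstance("EC"));
        ok &= available("KeyAgreement ECDH", () -> KeyAgreement.getInstance("ECDH"));
        ok &= available("Signature SHA256withECDSA", () -> Signature.getInstance("SHA256withECDSA"));

        // What JSSE reports as supported in this runtime.
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("protocols: "
                + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
        long ecSuites = Arrays.stream(ctx.getSupportedSSLParameters().getCipherSuites())
                .filter(s -> s.contains("_ECDHE_") || s.contains("_ECDSA_")).count();
        System.out.println("ECDHE/ECDSA cipher suites supported: " + ecSuites);

        if (!ok) System.exit(1); // non-zero exit lets a build script reject the image
    }
}
```

Compile it with a full JDK, then run the class once with the stock `java` and once with the `bin/java` of the jlink image and compare the two outputs. Passing `--add-modules jdk.crypto.ec` to jlink is an alternative to the `requires` line when the application code does not itself depend on the module.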


