
When TLS uses pre-shared keys the Handshake has no peer certs


Java 11’s TLS stack automatically supports pre-shared keys when attempting a repeat TLS connection to a server.

Unfortunately these TLS handshakes don’t have peer certificates and SSLSession.getPeerCertificates() throws.

Without the peer certificates other things break including certificate pinning.

java.util.NoSuchElementException
	at java.base/java.util.ArrayDeque.removeFirst(ArrayDeque.java:363)
	at okhttp3.internal.tls.BasicCertificateChainCleaner.clean(BasicCertificateChainCleaner.java:58)
	at okhttp3.CertificatePinner.check(CertificatePinner.java:166)
	at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:358)
	at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:300)

This is reproduced by CallTest.matchingPinnedCertificate() on Java 11.
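A fail-closed pinning check, added here as an illustration and not OkHttp's own code: it treats a null chain or a "not verified" session as an empty chain and rejects it with an SSLPeerUnverifiedException, instead of letting ArrayDeque.removeFirst() on an empty chain surface as the NoSuchElementException above. FailClosedPinner, peerChain, spkiPin and check are assumed names; the pin format (base64 of the SHA-256 of the SubjectPublicKeyInfo) is the one OkHttp's CertificatePinner uses.

```java
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

/** Hypothetical fail-closed pinner (not OkHttp's CertificatePinner). */
public final class FailClosedPinner {
    /** Peer chain of a session; a null array or "not verified" both become an empty list. */
    static List<Certificate> peerChain(SSLSession session) {
        try {
            Certificate[] chain = session.getPeerCertificates();
            return chain == null ? Collections.emptyList() : Arrays.asList(chain);
        } catch (SSLPeerUnverifiedException e) {
            return Collections.emptyList();
        }
    }

    /** "sha256/" + base64(SHA-256(SubjectPublicKeyInfo)), the pin format OkHttp uses. */
    static String spkiPin(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getPublicKey().getEncoded());
        return "sha256/" + Base64.getEncoder().encodeToString(digest);
    }

    /** Passes only if a certificate in a non-empty chain matches one of the host's pins. */
    static void check(String host, List<Certificate> chain, Set<String> pins)
            throws SSLPeerUnverifiedException {
        if (chain.isEmpty()) {
            // A resumed TLS 1.3 (PSK) session on an affected JDK lands here. Nothing can be
            // pinned, so reject with a TLS error instead of NoSuchElementException.
            throw new SSLPeerUnverifiedException("No peer certificates for " + host + " (resumed session?)");
        }
        for (Certificate c : chain) {
            if (!(c instanceof X509Certificate)) continue;
            try {
                if (pins.contains(spkiPin((X509Certificate) c))) return;
            } catch (Exception e) {
                throw new SSLPeerUnverifiedException("Cannot hash public key for " + host);
            }
        }
        throw new SSLPeerUnverifiedException("Certificate pinning failure for " + host);
    }
}
```

Call `check(host, peerChain(session), pins)` after the handshake; with the empty chain of a resumed session it fails closed with a TLS-level error, and with the host's real chain it behaves like an ordinary SPKI pin check.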

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Comments: 6 (3 by maintainers)

Top GitHub Comments

monkey-mas commented, Jun 19, 2019 (1 reaction)

OpenJDK 11.0.3 works fine. It seems like another related bug was resolved in OpenJDK 11.0.3: "TLS 1.3 resumed session does not retain peer certificate chain" (OpenJDK 11.0.3 release note).

@swankjesse We’ll probably close this issue?

pol12va commented, Jun 9, 2019 (1 reaction)

@swankjesse We’ve faced a strange exception after updating to version 3.14.2 and migrating to Java 11; from time to time requests fail with the exception:

Caused by: javax.net.ssl.SSLPeerUnverifiedException: Hostname graph.facebook.com not verified (no certificates)
	at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:353) ~[okhttp-3.14.2.jar:?]
	at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:300) ~[okhttp-3.14.2.jar:?]
	at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:185) ~[okhttp-3.14.2.jar:?]
	at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.java:224) ~[okhttp-3.14.2.jar:?]
	at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.java:108) ~[okhttp-3.14.2.jar:?]
	at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.java:88) ~[okhttp-3.14.2.jar:?]
	at okhttp3.internal.connection.Transmitter.newExchange(Transmitter.java:169) ~[okhttp-3.14.2.jar:?]
	at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:41) ~[okhttp-3.14.2.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142) ~[okhttp-3.14.2.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117) ~[okhttp-3.14.2.jar:?]
	at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:94) ~[okhttp-3.14.2.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142) ~[okhttp-3.14.2.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117) ~[okhttp-3.14.2.jar:?]
	at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93) ~[okhttp-3.14.2.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142) ~[okhttp-3.14.2.jar:?]
	at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:88) ~[okhttp-3.14.2.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142) ~[okhttp-3.14.2.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117) ~[okhttp-3.14.2.jar:?]
	at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:221) ~[okhttp-3.14.2.jar:?]
	at okhttp3.RealCall.execute(RealCall.java:81) ~[okhttp-3.14.2.jar:?]

As I see, in OkHostnameVerifier.verify() session.getPeerCertificates() returns null. It works fine with Java 8 and version 3.12.1. Could those issues be connected?
