jetty-alpn incompatible with OpenJDK 8u251

[DanielThomas]

The readme for this project appears to be mistaken - 8u251 does not backport the ALPN APIs, instead it's broken by the removal of SSLSessionImpl.nullSession:

Caused by: java.lang.NoSuchFieldError: nullSession
	at sun.security.ssl.ClientHandshaker.getKickstartMessage(ClientHandshaker.java:1350)
	at sun.security.ssl.Handshaker.kickstart(Handshaker.java:1074)
	at sun.security.ssl.SSLSocketImpl.kickstartHandshake(SSLSocketImpl.java:1479)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1346)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
	at com.amazonaws.http.conn.ssl.SdkTLSSocketFactory.connectSocket(SdkTLSSocketFactory.java:142)

See:

• http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/comparison/f54e9b7c1036/src/share/classes/sun/security/ssl/SSLSessionImpl.java
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2781

This line:

jetty-alpn/alpn-boot/src/main/java/sun/security/ssl/ClientHandshaker.java

Line 1350 in 279b4ae

SessionId sessionId = SSLSessionImpl.nullSession.getSessionId();

Needs to be changed to:

        SessionId sessionId = new SessionId(new byte[0]);

[sbordet]

@DanielThomas unfortunately there is no source code available for 8u251.
We assume it's the same as 8u252, but we don't really know what Oracle ships.

I don't think there is much we can do; guessing what the changes should be is not a viable way, so I guess we can only recommend to not use 8u251, but 8u252 instead.

[DanielThomas]

The sources are readily available. They're bundled in the JDK in src.zip. It's definitely not the same as 8u252, it has the ALPN backport, 8u251 does not.

[sbordet]

@DanielThomas there are no sources in src.zip for sun.security.ssl.* classes.

[DanielThomas]

Certainly is in the Zulu distribution:

/Library/Java/JavaVirtualMachines/zulu-8.jdk/Contents/Home $ unzip -l src.zip | grep sun.security.ssl
     8529  04-07-2020 00:49   sun/security/ssl/Alerts.java
     6059  04-07-2020 00:49   sun/security/ssl/ALPNExtension.java
     4952  09-19-2018 10:02   sun/security/ssl/AppInputStream.java
     5413  09-19-2018 10:02   sun/security/ssl/AppOutputStream.java
     5824  09-19-2018 10:02   sun/security/ssl/Authenticator.java
    18181  09-19-2018 10:02   sun/security/ssl/BaseSSLSocketImpl.java
     5080  09-19-2018 10:02   sun/security/ssl/ByteBufferInputStream.java
    40283  09-19-2018 10:02   sun/security/ssl/CipherBox.java
    83282  04-07-2020 00:49   sun/security/ssl/CipherSuite.java
     5750  09-19-2018 10:02   sun/security/ssl/CipherSuiteList.java
    75957  04-07-2020 00:49   sun/security/ssl/ClientHandshaker.java
     6779  09-19-2018 10:02   sun/security/ssl/Debug.java
     3437  09-19-2018 10:02   sun/security/ssl/DHClientKeyExchange.java
    25857  03-02-2020 03:31   sun/security/ssl/DHCrypt.java
     2729  09-19-2018 10:02   sun/security/ssl/ECDHClientKeyExchange.java
     5800  09-19-2018 10:02   sun/security/ssl/ECDHCrypt.java
    14518  03-02-2020 03:31   sun/security/ssl/EllipticCurvesExtension.java
     3483  09-19-2018 10:02   sun/security/ssl/EllipticPointFormatsExtension.java
     7608  09-19-2018 10:02   sun/security/ssl/EngineArgs.java
    14947  09-19-2018 10:02   sun/security/ssl/EngineInputRecord.java
    11453  09-19-2018 10:02   sun/security/ssl/EngineOutputRecord.java
     7751  09-19-2018 10:02   sun/security/ssl/EngineWriter.java
     3958  09-19-2018 10:02   sun/security/ssl/EphemeralKeyManager.java
     2443  04-07-2020 00:19   sun/security/ssl/ExtendedMasterSecretExtension.java
     4395  04-07-2020 00:49   sun/security/ssl/ExtensionType.java
    14555  09-19-2018 10:02   sun/security/ssl/HandshakeHash.java
     6748  09-19-2018 10:02   sun/security/ssl/HandshakeInStream.java
    71091  04-07-2020 00:49   sun/security/ssl/HandshakeMessage.java
     7346  09-19-2018 10:02   sun/security/ssl/HandshakeOutStream.java
    58810  04-07-2020 00:49   sun/security/ssl/Handshaker.java
    33905  10-03-2018 12:35   sun/security/ssl/HandshakeStateManager.java
     1635  09-19-2018 10:02   sun/security/ssl/HelloExtension.java
     5794  04-07-2020 00:49   sun/security/ssl/HelloExtensions.java
    30620  09-19-2018 10:02   sun/security/ssl/InputRecord.java
    15554  09-19-2018 10:02   sun/security/ssl/JsseJce.java
     5249  09-19-2018 10:02   sun/security/ssl/KerberosClientKeyExchange.java
     4897  09-19-2018 10:02   sun/security/ssl/KeyManagerFactoryImpl.java
    18219  09-19-2018 10:02   sun/security/ssl/krb5/KerberosClientKeyExchangeImpl.java
    10672  09-19-2018 10:02   sun/security/ssl/krb5/KerberosPreMasterSecret.java
     4081  09-19-2018 10:02   sun/security/ssl/krb5/Krb5ProxyImpl.java
     4578  09-19-2018 10:02   sun/security/ssl/Krb5Helper.java
     2724  09-19-2018 10:02   sun/security/ssl/Krb5Proxy.java
     5242  09-19-2018 10:02   sun/security/ssl/MAC.java
    21353  09-19-2018 10:02   sun/security/ssl/OutputRecord.java
     5261  09-19-2018 10:02   sun/security/ssl/ProtocolList.java
     6762  09-19-2018 10:02   sun/security/ssl/ProtocolVersion.java
     2952  09-19-2018 10:02   sun/security/ssl/RandomCookie.java
     5391  09-19-2018 10:02   sun/security/ssl/Record.java
     4188  09-19-2018 10:02   sun/security/ssl/RenegotiationInfoExtension.java
    10679  09-19-2018 10:02   sun/security/ssl/RSAClientKeyExchange.java
     7263  04-07-2020 00:49   sun/security/ssl/RSASignature.java
    85665  04-07-2020 00:49   sun/security/ssl/ServerHandshaker.java
    10921  09-19-2018 10:02   sun/security/ssl/ServerNameExtension.java
     4324  07-10-2019 10:59   sun/security/ssl/SessionId.java
     4751  09-19-2018 10:02   sun/security/ssl/SignatureAlgorithmsExtension.java
    18714  03-02-2020 03:31   sun/security/ssl/SignatureAndHashAlgorithm.java
     9494  09-19-2018 10:02   sun/security/ssl/SSLAlgorithmConstraints.java
     8625  06-28-2019 07:16   sun/security/ssl/SSLAlgorithmDecomposer.java
    54791  07-10-2019 10:59   sun/security/ssl/SSLContextImpl.java
    78305  04-07-2020 00:49   sun/security/ssl/SSLEngineImpl.java
     4212  09-19-2018 10:02   sun/security/ssl/SSLServerSocketFactoryImpl.java
    12533  04-07-2020 00:49   sun/security/ssl/SSLServerSocketImpl.java
     8125  07-10-2019 10:59   sun/security/ssl/SSLSessionContextImpl.java
    29295  04-04-2020 01:12   sun/security/ssl/SSLSessionImpl.java
     7317  09-19-2018 10:02   sun/security/ssl/SSLSocketFactoryImpl.java
   104269  04-07-2020 00:49   sun/security/ssl/SSLSocketImpl.java
     9316  04-07-2020 00:49   sun/security/ssl/SunJSSE.java
    15501  09-19-2018 10:02   sun/security/ssl/SunX509KeyManagerImpl.java
     6731  07-10-2019 10:59   sun/security/ssl/TrustManagerFactoryImpl.java
    14664  07-10-2019 10:59   sun/security/ssl/TrustStoreManager.java
     1988  09-19-2018 10:02   sun/security/ssl/UnknownExtension.java
     4363  09-19-2018 10:02   sun/security/ssl/Utilities.java
    34094  09-19-2018 10:02   sun/security/ssl/X509KeyManagerImpl.java
    18148  03-02-2020 03:31   sun/security/ssl/X509TrustManagerImpl.java

[sbordet]

I don't know what to say.

8u251 is not an official tag in the OpenJDK repository (https://hg.openjdk.java.net/jdk8u/jdk8u/tags).

I don't know from what sources the Zulu distribution has been built from, and the sources bundled with it may or may not be those used to build the binary.

If I do the changes based on the Zulu sources, it may or may not work for Zulu, but it may not work for Oracle because Oracle's 8u251 could be different from Zulu's since 8u251 is not an official tag and nobody knows from what sources it actually derives from.

We only maintains official OpenJDK tags. I will update the documentation, which was true so far (Oracle always liked to produce a version that was 1 number less than the OpenJDK tag, but the source seemed to be consistent or at least not that different), but apparently not this time.

Best option is to not use 8u251, from any vendor.

Stick with 8u252, there are slightly more chances that the binaries are derived from the official OpenJDK tag.

[vainyksi]

Hello I am observing same issue for openjdk 8u252

Caused by: java.lang.NoSuchFieldError: nullSession
	at sun.security.ssl.ClientHandshaker.getKickstartMessage(ClientHandshaker.java:1350)
	at sun.security.ssl.Handshaker.kickstart(Handshaker.java:1117)
	at sun.security.ssl.SSLEngineImpl.kickstartHandshake(SSLEngineImpl.java:736)
	at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1232)
	at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1185)
	at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:511)
	at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.flush(SslConnection.java:864)
	at org.eclipse.jetty.io.NegotiatingClientConnection.onOpen(NegotiatingClientConnection.java:64)
	at org.eclipse.jetty.io.ssl.SslConnection.onOpen(SslConnection.java:267)
	at org.eclipse.jetty.io.SelectorManager.connectionOpened(SelectorManager.java:324)
	at org.eclipse.jetty.io.ManagedSelector.createEndPoint(ManagedSelector.java:254)
	at org.eclipse.jetty.io.ManagedSelector.access$1800(ManagedSelector.java:61)
	at org.eclipse.jetty.io.ManagedSelector$CreateEndPoint.run(ManagedSelector.java:886)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683)
	at java.lang.Thread.run(Thread.java:748)

similar if I want to build alpn manually

[INFO] -------------------------------------------------------------
[ERROR] COMPILATION ERROR : 
[INFO] -------------------------------------------------------------
[ERROR] /home/mibanik/projects/jetty-alpn/alpn-boot/src/main/java/sun/security/ssl/ClientHandshaker.java:[1350,45] cannot find symbol
  symbol:   variable nullSession
  location: class sun.security.ssl.SSLSessionImpl
[INFO] 1 error
[INFO] -------------------------------------------------------------
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary for Jetty :: ALPN :: Project 8.1.14-SNAPSHOT:
[INFO] 
[INFO] Jetty :: ALPN :: Project ........................... SUCCESS [  0.232 s]
[INFO] Jetty :: ALPN :: Boot .............................. FAILURE [  0.719 s]
[INFO] Jetty :: ALPN :: Tests ............................. SKIPPED
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  1.483 s
[INFO] Finished at: 2020-05-18T12:13:39+02:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.8.0:compile (default-compile) on project alpn-boot: Compilation failure
[ERROR] /home/mibanik/projects/jetty-alpn/alpn-boot/src/main/java/sun/security/ssl/ClientHandshaker.java:[1350,45] cannot find symbol
[ERROR]   symbol:   variable nullSession
[ERROR]   location: class sun.security.ssl.SSLSessionImpl
[ERROR] 
[ERROR] -> [Help 1]
[ERROR] 
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
[ERROR] 
[ERROR] After correcting the problems, you can resume the build with the command
[ERROR]   mvn <goals> -rf :alpn-boot

my java version:

$ java -version
openjdk version "1.8.0_252"
OpenJDK Runtime Environment (build 1.8.0_252-8u252-b09-1ubuntu1-b09)
OpenJDK 64-Bit Server VM (build 25.252-b09, mixed mode)

I believe nullSession attribute was truly removed from SSLSessionImpl in latest java8 update

Do you have any suggestion how to solve this problem?

Thanks

[sbordet]

@vainyksi are you trying to build Jetty 8.1.14?

Can you please specify exactly what you're doing?

You need Jetty 9.4.28 to work with 8u252.
Please also read https://webtide.com/jetty-alpn-java-8u252/

[joakime]

Jetty 8.1.14 is EOL (End of Life)

https://www.eclipse.org/jetty/documentation/current/what-jetty-version.html

Also be aware of the vulnerabilities with that old of a version of Jetty.

https://www.eclipse.org/jetty/security-reports.html