
Here is the situation: the SSLServerSocket timeout is set to 10 seconds. Everything works as expected, BUT if a client is trying to establish a TLS connection and "hangs" during negotiation, the socket waits forever and ignores the 10 second timeout, and the connection is terminated only by the client. This is some hacker activity or some other kind of activity. Is this a Java secure socket vulnerability?

Activity log:

SMTP PID=184 Date=2019-08-26,07:32:45 DEBUG: new connection from host [66.45.239.113] to port 465 (United States)
javax.net.ssl|DEBUG|CE|Thread-191|2019-08-26 07:32:45.547 EEST|HandshakeContext.java:296|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLS13
javax.net.ssl|DEBUG|CE|Thread-191|2019-08-26 07:32:45.548 EEST|HandshakeContext.java:296|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 for TLS13
javax.net.ssl|DEBUG|CE|Thread-191|2019-08-26 07:32:45.548 EEST|HandshakeContext.java:296|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 for TLS13
javax.net.ssl|DEBUG|CE|Thread-191|2019-08-26 07:32:45.548 EEST|HandshakeContext.java:296|Ignore unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLS13
javax.net.ssl|DEBUG|CE|Thread-191|2019-08-26 07:32:45.548 EEST|HandshakeContext.java:296|Ignore unsupported cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384 for TLS13
javax.net.ssl|DEBUG|CE|Thread-191|2019-08-26 07:35:03.253 EEST|SSLSocketInputRecord.java:458|Raw read (
  0000: 80 4C 01 03 01                                     .L...
)
javax.net.ssl|ERROR|CE|Thread-191|2019-08-26 07:35:03.254 EEST|TransportContext.java:312|Fatal (HANDSHAKE_FAILURE): SSLv2Hello is not enabled (
"throwable" : {
  javax.net.ssl.SSLHandshakeException: SSLv2Hello is not enabled
        at java.base/sun.security.ssl.SSLSocketInputRecord.handleUnknownRecord(SSLSocketInputRecord.java:366)
        at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:184)
        at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:108)
        at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1180)
        at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1091)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
        at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:721)
        at java.base/sun.security.ssl.SSLSocketImpl.getSession(SSLSocketImpl.java:331)
        at com.xsistema.xmailserver.mail.smtp.session.SMTPConnection.getTLSVersion(SMTPConnection.java:141)
        at com.xsistema.xmailserver.mail.smtp.session.SMTPConnection.run(SMTPConnection.java:240)}

)
javax.net.ssl|DEBUG|CE|Thread-191|2019-08-26 07:35:03.254 EEST|SSLSocketOutputRecord.java:71|WRITE: TLS13 alert(handshake_failure), length = 2
javax.net.ssl|DEBUG|CE|Thread-191|2019-08-26 07:35:03.254 EEST|SSLSocketOutputRecord.java:85|Raw write (
  0000: 15 03 03 00 02 02 28                               ......(
)
javax.net.ssl|DEBUG|CE|Thread-191|2019-08-26 07:35:03.254 EEST|SSLSocketImpl.java:1389|close the underlying socket
javax.net.ssl|DEBUG|CE|Thread-191|2019-08-26 07:35:03.254 EEST|SSLSocketImpl.java:1408|close the SSL connection (initiative)
javax.net.ssl|ERROR|CE|Thread-191|2019-08-26 07:35:03.254 EEST|SSLSocketImpl.java:334|handshake failed (
"throwable" : {
  javax.net.ssl.SSLHandshakeException: SSLv2Hello is not enabled
        at java.base/sun.security.ssl.SSLSocketInputRecord.handleUnknownRecord(SSLSocketInputRecord.java:366)
        at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:184)
        at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:108)
        at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1180)
        at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1091)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
        at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:721)
        at java.base/sun.security.ssl.SSLSocketImpl.getSession(SSLSocketImpl.java:331)
        at com.xsistema.xmailserver.mail.smtp.session.SMTPConnection.getTLSVersion(SMTPConnection.java:141)
        at com.xsistema.xmailserver.mail.smtp.session.SMTPConnection.run(SMTPConnection.java:240)}

)
SMTP PID=184 Date=2019-08-26,07:35:03 DEBUG: SSL socket cipher suite: NONE:SSL-NULL-WITH-NULL-NULL
SMTP PID=184 Date=2019-08-26,07:35:03 DEBUG: connection from remote host [66.45.239.113] was closed and removed. Current active or waiting connections: 3

The client connected at 07:32:45 and sent some bytes only after more than 2 minutes, at 07:35:03. So in this scenario it could send its first bytes after an hour or more, and the connection would stay open. And if it sends 1000 requests and waits, will 1000 connections stay open forever?? Perhaps the solution is to measure the time before reading the InputStream?

Ernestas Gruodis
  • That is an accept timeout. It isn't inherited by the accepted socket. Handshake failure does not cause a hang, it causes an alert to be sent and the connection closed. – user207421 Aug 25 '19 at 22:22
  • But it seems that the client is intentionally delaying sending the `ClientHello` message after connecting.. – Ernestas Gruodis Aug 26 '19 at 04:45
  • For those who want to close this issue - please read my question - IT IS related to the programming language - and this security hole can affect all Java secure sockets / server performance. – Ernestas Gruodis Aug 26 '19 at 16:14
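The point made in the first comment (the accept timeout is not inherited by the accepted socket) is what the log shows: `getSession()` triggers `startHandshake()`, which blocks on a read of the ClientHello with no SO_TIMEOUT set, so a client that connects and sends nothing holds the thread and the socket open indefinitely. The server side can bound that wait itself by setting SO_TIMEOUT on the accepted `SSLSocket` before the handshake starts. The following is an added example and is not code from the question or from the xmailserver project; the port, the `server.p12` keystore path, the `changeit` password and the timeout constants are placeholders chosen for illustration.

```java
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.SocketTimeoutException;
import java.security.KeyStore;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Added example: bounds the TLS handshake on each accepted socket so a client that
// connects and then sends nothing cannot hold a thread and a socket open forever.
public class HandshakeTimeoutServer {
    // Bounds accept() on the listening socket only; accepted sockets do not inherit it.
    private static final int ACCEPT_TIMEOUT_MS = 10_000;
    // Bounds reads on each accepted socket, including the read of the ClientHello
    // inside startHandshake(). Placeholder value chosen for illustration.
    private static final int HANDSHAKE_TIMEOUT_MS = 10_000;

    private final SSLContext sslContext;
    private final ExecutorService pool = Executors.newCachedThreadPool();

    HandshakeTimeoutServer(SSLContext sslContext) {
        this.sslContext = sslContext;
    }

    void serve(int port) throws IOException {
        SSLServerSocket server = (SSLServerSocket)
                sslContext.getServerSocketFactory().createServerSocket(port);
        server.setSoTimeout(ACCEPT_TIMEOUT_MS);
        while (!server.isClosed()) {
            SSLSocket client;
            try {
                client = (SSLSocket) server.accept();
            } catch (SocketTimeoutException e) {
                continue; // no client arrived within ACCEPT_TIMEOUT_MS; keep accepting
            }
            pool.submit(() -> handle(client));
        }
    }

    private void handle(SSLSocket client) {
        try (client) {
            // Must be set before startHandshake(): SO_TIMEOUT makes the blocking read of the
            // ClientHello throw SocketTimeoutException instead of waiting indefinitely.
            client.setSoTimeout(HANDSHAKE_TIMEOUT_MS);
            client.startHandshake();
            // The handshake completed within the bound, so getSession() no longer triggers
            // an unbounded read. Application protocol handling would follow here, adjusting
            // SO_TIMEOUT to whatever the protocol requires between commands.
            System.out.println(client.getRemoteSocketAddress() + " negotiated "
                    + client.getSession().getProtocol() + " / "
                    + client.getSession().getCipherSuite());
        } catch (SocketTimeoutException e) {
            // Idle client during the handshake: the try-with-resources closes the socket.
            System.err.println("handshake from " + client.getRemoteSocketAddress()
                    + " timed out after " + HANDSHAKE_TIMEOUT_MS + " ms; closing");
        } catch (IOException e) {
            // Covers SSLHandshakeException (e.g. an unsupported record such as SSLv2Hello).
            System.err.println("handshake from " + client.getRemoteSocketAddress()
                    + " failed: " + e.getMessage());
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder key material: load the server's own PKCS12 keystore here.
        char[] password = "changeit".toCharArray();
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream("server.p12")) {
            keyStore.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, password);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        new HandshakeTimeoutServer(ctx).serve(4650); // placeholder port
    }
}
```

With this in place, the connection in the log above would have been closed by the server at roughly 07:32:55 rather than sitting open until the client chose to send its first bytes at 07:35:03, and a client opening many idle connections would hold each one only for the handshake bound. The cap on concurrent connections the question mentions is a separate control: the handshake timeout limits how long each idle connection lives, and a bounded thread pool or per-source connection limit would cap how many can exist at once.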
