Getting SSL exception with java 8.352.08.1

When I try to call the Google REST API, it fails with Java [8.352.08.1], whereas the same works with Java 8.252.09.1.

The code below can mimic the same behavior.

SSLPoke is taken from the location below:
https://confluence.atlassian.com/kb/files/779355358/779355357/1/1441897666313/SSLPoke.class

```
java -Djsse.enableSNIExtension=false SSLPoke compute.googleapis.com 443
```

With Java [8.352.08.1], the above code fails with the error:

```
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:456)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:323)
	at sun.security.validator.Validator.validate(Validator.java:271)
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:315)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:223)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
	at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
	at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
	at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
	at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
	at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
	at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
	at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
	at sun.security.ssl.SSLTransport.decode(SSLTransport.java:152)
	at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1397)
	at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1305)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440)
	at sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:818)
	at sun.security.ssl.SSLSocketImpl.access$200(SSLSocketImpl.java:73)
	at sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1180)
	at sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1152)
	at SSLPoke.main(SSLPoke.java:31)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:451)
```

But if we set `-Djsse.enableSNIExtension=true`, it is able to connect successfully.

This behavior seems to start from Java 8.272.10.1.

If we use a Java version previous to it, like Java 8.265.01.1 / Java [8.252.09.1], it is able to connect successfully even though `-Djsse.enableSNIExtension` is set to false.

Below is the output with the old Java version [8.252.09.1]:

```
[root@vm1~]# java -Djsse.enableSNIExtension=false SSLPoke compute.googleapis.com 443
Successfully connected
```

What has changed since Java [8.272.10.1], given that the SSL connection is failing with enableSNIExtension set to false?

What is the workaround / backward compatibility to use with enableSNIExtension=false?

vijaydulange20 changed the title from "SSL handshake failing with sni disabled for new java versions" to "SSL handshake failing with sni disabled for newer java 8 versions" on Feb 24, 2023

There is indeed a significant change on OpenJDK (and therefore Corretto) between 262 and 272. In order to support TLSv1.3 on OpenJDK8, the TLS stack from OpenJDK11 was backported to OpenJDK8. This is probably the reason for the regression being introduced. I have been able to reproduce this and I can confirm the issue is also present in 11.
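A diagnostic for the failure discussed in this thread, added here as an example and not code from the issue or from Corretto: it handshakes twice against the same host, once sending SNI and once omitting it for that socket only, and prints the leaf certificate the server presents each time, so you can see whether the PKIX error comes from a different certificate being served when SNI is absent. The class name `SniProbe` is hypothetical, host and port come from the command line, and the JVM should be started without `-Djsse.enableSNIExtension` so the per-socket setting decides.

```java
import javax.net.ssl.*;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added diagnostic (SniProbe is a hypothetical name). Validation is not weakened:
// the wrapper prints the leaf certificate, then delegates to the JVM's default trust manager.
public class SniProbe {
    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JVM's default trust store
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        throw new IllegalStateException("no X509TrustManager available");
    }
    static boolean probe(String host, int port, boolean sendSni) throws Exception {
        final X509TrustManager real = defaultTrustManager();
        X509TrustManager logging = new X509TrustManager() {
            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                System.out.println("  leaf subject: " + chain[0].getSubjectX500Principal());
                System.out.println("  leaf issuer:  " + chain[0].getIssuerX500Principal());
                real.checkServerTrusted(chain, authType); // PKIX validation is still enforced
            }
            public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                real.checkClientTrusted(chain, authType);
            }
            public X509Certificate[] getAcceptedIssuers() { return real.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { logging }, null);
        System.out.println("SNI " + (sendSni ? "sent" : "omitted") + ":");
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters p = s.getSSLParameters();
            // An empty server-name list asks JSSE not to send the SNI extension on this socket.
            p.setServerNames(sendSni ? Collections.<SNIServerName>singletonList(new SNIHostName(host))
                                     : Collections.<SNIServerName>emptyList());
            s.setSSLParameters(p);
            s.startHandshake();
            System.out.println("  handshake OK (" + s.getSession().getProtocol() + ")");
            return true;
        } catch (SSLException e) {
            System.out.println("  handshake failed: " + e.getMessage());
            return false;
        }
    }
    public static void main(String[] args) throws Exception {
        for (boolean sni : new boolean[] { true, false }) probe(args[0], Integer.parseInt(args[1]), sni);
    }
}
```

If the two runs print different leaf subjects or issuers, the server selects its certificate by SNI, and the durable fix is to keep SNI enabled for that endpoint; importing the SNI-less certificate into the trust store would not be.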