Bug 1346460
| Summary: | Using -Djavax.net.debug=ssl,handshake with clients that send EC curve extension in ClientHello gives java.security.NoSuchAlgorithmException: EC AlgorithmParameters not available | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Chris Dolphy <cdolphy> | |
| Component: | java-1.8.0-openjdk | Assignee: | Andrew John Hughes <ahughes> | |
| Status: | CLOSED ERRATA | QA Contact: | Lukáš Zachar <lzachar> | |
| Severity: | unspecified | Docs Contact: | ||
| Priority: | high | |||
| Version: | 7.2 | CC: | ahughes, dbhole, jvanek, pbhoot | |
| Target Milestone: | rc | Keywords: | ZStream | |
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | java-1.8.0-openjdk-1.8.0.101-2.b13.el7 | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1365618 1391684 (view as bug list) | Environment: | ||
| Last Closed: | 2016-11-03 22:57:11 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1365618, 1391684 | |||
|
Description
Chris Dolphy
2016-06-14 21:39:42 UTC
Replicated this on OpenJDK 8 with the SunEC and PKCS11 providers disabled. It seems to be a regression caused by "7194075: Various classes of sunec.jar are duplicated in rt.jar", as it doesn't occur with OpenJDK 7.
The methods in ECUtil throw a RuntimeException if they can't get an EC provider. Given that an EC provider is optional, they should instead return null. This is especially true as the same code seems happy enough to swallow exceptions about invalid parameters and return null (i.e. calling code expects null as failure anyway).
To replicate:
1. Start an OpenJDK TLSv2 server with all EC providers disabled and -Djavax.net.debug=ssl,handshake
2. Connect to it with a client that supports ECC e.g.
openssl s_client -connect <host>:<port>
It will crash when trying to print the curve names:
Extension ec_point_formats, formats: [uncompressed, ansiX962_compressed_prime, ansiX962_compressed_char2]
main, handling exception: java.lang.RuntimeException: java.security.NoSuchAlgorithmException: EC AlgorithmParameters not available
main, SEND TLSv1.2 ALERT: fatal, description = internal_error
The result should be:
Extension ec_point_formats, formats: [uncompressed, ansiX962_compressed_prime, ansiX962_compressed_char2]
Extension elliptic_curves, curve names: {secp521r1, secp384r1, secp256r1}
...connection continues
This is only present in RHEL 7.3 if the SunEC provider is disabled by the user. We really need to fix this in 7.2, where there is no SunEC provider and this bug gets hit when debugging SSL connections. In line with comment #5, there is no immediate need for this in RHEL 6 as RHEL 6.8 already has the SunEC provider and so will only hit this if SunEC is manually disabled. We can look at fixing it for RHEL 6.9. I've created bug 1391684 for fixing this on RHEL 6. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2016-2139.html |