Bug 1348525

Summary: OpenJDK should report the elliptic curves supported by NSS, not the SunEC library
Product: Red Hat Enterprise Linux 6 Reporter: Marcel Kolaja <mkolaja>
Component: java-1.8.0-openjdkAssignee: Andrew John Hughes <ahughes>
Status: CLOSED ERRATA QA Contact: Lukáš Zachar <lzachar>
Severity: urgent Docs Contact:
Priority: high    
Version: 6.5CC: ahughes, cskoehle, dbhole, hkario, jesusr, jkurik, jmontleo, jvanek, mdshaikh, mnavrati, Neustradamus, ptisnovs, rbost, rhbugzilla.5.nebuchadnezar, salmy, shineepk, tg, tmraz
Target Milestone: rcKeywords: Reopened, ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: java-1.8.0-openjdk-1.8.0.91-3.b14.el6_8 Doc Type: Bug Fix
Doc Text:
Prior to this update, a list of elliptic curves provided by an OpenJDK Secure Sockets Layer (SSL) server to a client included some elliptic curves that were not supported. As a consequence, the connection failed when the client selected an unsupported elliptic curve from the list. This update fixes the list of elliptic curves reported by OpenJDK to match the ones OpenJDK can provide. As a result, the connection no longer fails in the described situation.
 Story Points: ---
Clone Of: 1022017 Environment:
Last Closed: 2016-07-12 18:36:43 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1022017    
Bug Blocks:    

Description Marcel Kolaja 2016-06-21 11:43:12 UTC 
This bug has been copied from bug #1022017 and has been proposed
to be backported to 6.8 z-stream (EUS).
Comment 5 Andrew John Hughes 2016-06-21 23:48:46 UTC 
To replicate:

1. Set up a Java TLSv1.2 server and run using -Djavax.net.debug=ssl,handshake
2. Connect using openssl s_client -curves prime192v1 -connect <host>:<port>

The OpenSSL installation needs to support additional curves (I couldn't replicate the issue with the RHEL 6.8 one as it only supports the same three curves that our OpenJDK build does). The above -curves command to OpenSSL restricts it to passing just:

Extension elliptic_curves, curve names: {1.2.840.10045.3.1.1}

to the server rather than a full list of all curves.

The issue is that OpenJDK's SunEC provider with NSS doesn't support prime192v1, yet the unpatched Java code believes it does.

On unpatched, the connection fails when it thinks it can use its first preference cipher, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, but the actual
key generation throws an exception:

%% Initialized:  [Session-1, SSL_NULL_WITH_NULL_NULL]
matching alias: rsakey
main, handling exception: java.lang.RuntimeException: Could not generate DH keypair
%% Invalidated:  [Session-1, SSL_NULL_WITH_NULL_NULL]
main, SEND TLSv1.2 ALERT:  fatal, description = internal_error

On patched, it realises they share no supported curves, and so downgrades to a non-ECC connection which works:

%% Initialized:  [Session-1, SSL_NULL_WITH_NULL_NULL]
matching alias: rsakey
matching alias: usaduke
matching alias: dsakey
%% Negotiating:  [Session-1, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384]
Comment 6 Hubert Kario 2016-06-22 09:57:13 UTC 
I've created a quick reproducer that requires just python and few pure-python libraries that tests that:

https://github.com/tomato42/tlsfuzzer/blob/ecdhe-curves/scripts/test-unsupported-cuve-fallback.py

Usage: https://github.com/tomato42/tlsfuzzer/tree/ecdhe-curves#usage

Please contact me if you plan to use it in RHEL QA.
Comment 9 errata-xmlrpc 2016-07-12 18:36:43 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1409