Bug 1419205

Summary: System property jdk.tls.namedGroups(null) contains no supported elliptic curves
Product: Red Hat Enterprise Linux 6 Reporter: Robert Bost <rbost>
Component: java-1.6.0-sunAssignee: jiri vanek <jvanek>
Status: CLOSED CURRENTRELEASE QA Contact: BaseOS QE - Apps <qe-baseos-apps>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 6.8CC: ahughes, asaji, dbhole, iarnell, jreznik, rbost, tgummels, tlavigne, tumeya
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1494111 (view as bug list) Environment:
Last Closed: 2017-09-21 12:45:32 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1425544, 1425546, 1494111    
Attachments:
Description Flags
EchoServer.java none

Description Robert Bost 2017-02-03 22:24:25 UTC 
This issue has been reported here: http://bugs.java.com/view_bug.do?bug_id=JDK-8173783

Description of problem: 

Not able to connect over TLS to Java application running on java-1.6.0-sun. Reproducer attached as EchoServer.java.


Version-Release number of selected component (if applicable): java-1.6.0-sun-1.6.0.141-1jpp.1.el6_8.x86_64


How reproducible: Always


Steps to Reproduce:
1. Start server: 

# java -Djavax.net.ssl.keyStore=/etc/tomcat6/keystore.jks -Djavax.net.ssl.keyStorePassword=changeit EchoServer

2. Make call from client:

# openssl s_client -connect localhost:9999 -msg
CONNECTED(00000003)
>>> TLS 1.2 Handshake [length 00f2], ClientHello
    01 00 00 ee 03 03 58 95 02 4b b5 88 33 61 00 fc
    af 82 3d d8 5d 5d ba 71 58 c8 56 38 26 6b e7 43
    f7 97 e3 2f 19 7a 00 00 84 c0 30 c0 2c c0 28 c0
    24 c0 14 c0 0a 00 a3 00 9f 00 6b 00 6a 00 39 00
    38 00 88 00 87 c0 32 c0 2e c0 2a c0 26 c0 0f c0
    05 00 9d 00 3d 00 35 00 84 c0 2f c0 2b c0 27 c0
    23 c0 13 c0 09 00 a2 00 9e 00 67 00 40 00 33 00
    32 c0 12 c0 08 00 9a 00 99 00 45 00 44 00 16 00
    13 c0 31 c0 2d c0 29 c0 25 c0 0e c0 04 c0 0d c0
    03 00 9c 00 3c 00 2f 00 96 00 41 00 0a 00 07 c0
    11 c0 07 c0 0c c0 02 00 05 00 04 00 ff 01 00 00
    41 00 0b 00 04 03 00 01 02 00 0a 00 08 00 06 00
    19 00 18 00 17 00 23 00 00 00 0d 00 20 00 1e 06
    01 06 02 06 03 05 01 05 02 05 03 04 01 04 02 04
    03 03 01 03 02 03 03 02 01 02 02 02 03 00 0f 00
    01 01
139895221839688:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 247 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

3. Check back in terminal running the EchoServer:

Exception in thread "main" java.lang.ExceptionInInitializerError
	at com.sun.net.ssl.internal.ssl.HelloExtensions.<init>(HelloExtensions.java:73)
	at com.sun.net.ssl.internal.ssl.HandshakeMessage$ClientHello.<init>(HandshakeMessage.java:223)
	at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:204)
	at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:945)
	at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:881)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1014)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1323)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:880)
	at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)
	at sun.nio.cs.StreamDecoder.readBytes(StreamDecoder.java:264)
	at sun.nio.cs.StreamDecoder.implRead(StreamDecoder.java:306)
	at sun.nio.cs.StreamDecoder.read(StreamDecoder.java:158)
	at java.io.InputStreamReader.read(InputStreamReader.java:167)
	at java.io.BufferedReader.fill(BufferedReader.java:136)
	at java.io.BufferedReader.readLine(BufferedReader.java:299)
	at java.io.BufferedReader.readLine(BufferedReader.java:362)
	at EchoServer.main(EchoServer.java:26)
Caused by: java.lang.IllegalArgumentException: System property jdk.tls.namedGroups(null) contains no supported elliptic curves
	at com.sun.net.ssl.internal.ssl.SupportedEllipticCurvesExtension.<clinit>(HelloExtensions.java:567)
	... 17 more


Actual results: Handshake does not complete


Expected results: Handshake completes and TLS connection succeeds


Additional info: Forcing client to not use ECC cipher works. For example, this works fine:

 # curl -I --ciphers rsa_aes_128_cbc_sha_256 -v -k localhost:8443
Comment 2 Robert Bost 2017-02-15 21:05:38 UTC 
Created attachment 1250722 [details]
EchoServer.java
Comment 3 Robert Bost 2017-02-16 20:44:24 UTC 
This issue has been resolved in https://bugs.openjdk.java.net/browse/JDK-8173783

Can we push this update out?
Comment 4 Andrew John Hughes 2017-02-17 06:01:32 UTC 
What update? As far as I can see, you will need to wait for the next java-1.6.0-sun update in April (u151).
Comment 5 Robert Bost 2017-02-20 15:28:45 UTC 
Misunderstanding on my end about oracle's release process. I saw a resolved bug with fix version mentioned and assumed it was released.
Comment 13 Iain Arnell 2017-03-07 13:18:58 UTC 
Oracle has released the fix in a BPR build 6u141 b32. Available as patch 25550386 on MOS.
Comment 15 vdadhich 2017-04-07 07:48:03 UTC 
Since one of the customer on redhat customer portal is facing the same issue.
I have attached the redhat support case 01825514 to the bug. 
We need help in below query. 
Query is:
We would like to know if this can be resolved without waiting for 1.7.   As the issue is with something using elliptic curves < 256. 
EAP version is 6.4.9
Comment 16 Deepak Bhole 2017-04-07 16:43:18 UTC 
(In reply to vdadhich from comment #15)
> Since one of the customer on redhat customer portal is facing the same issue.
> I have attached the redhat support case 01825514 to the bug. 
> We need help in below query. 
> Query is:
> We would like to know if this can be resolved without waiting for 1.7.   As
> the issue is with something using elliptic curves < 256. 
> EAP version is 6.4.9

This bug is in the Oracle JDK, and right now is marked fixed for 6u151:
https://bugs.openjdk.java.net/browse/JDK-8174853

6u151 is expected soon (shortly after April 18) and we will update it in RHEL as soon as it is released.