Bug 1889414
| Summary: | java-1.8.0-openjdk / rhel-8 / FIPS: TLS connections killed by exception in P11AEADCipher class | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | zzambers | |
| Component: | java-1.8.0-openjdk | Assignee: | Andrew John Hughes <ahughes> | |
| Status: | CLOSED ERRATA | QA Contact: | OpenJDK QA <java-qa> | |
| Severity: | unspecified | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 8.3 | CC: | jandrlik, jvanek | |
| Target Milestone: | rc | Keywords: | ZStream | |
| Target Release: | 8.0 | Flags: | pm-rhel:
mirror+
|
|
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | java-1.8.0-openjdk-1.8.0.272.b10-4.el8 | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1889497 1889543 (view as bug list) | Environment: | ||
| Last Closed: | 2021-05-18 15:31:11 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1889497, 1889543 | |||
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (java-1.8.0-openjdk bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:1795 |
TLS connection randomly fails by exception thrown by P11AEADCipher class (in pkcs11/FIPS mode). It was discovered by ssl-tests [1]. Affected versions: java-1.8.0-openjdk-devel-1.8.0.272.b07-0.1.ea.el8_3 and higher Steps to reproduce: export JAVA_HOME=... make ssl-tests TEST_PKCS11_FIPS=1 SSLTESTS_SSL_CONFIG_FILTER="SunJSSE,Default,TLSv1.2,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" SSLTESTS_CUSTOM_JAVA_PARAMS="-Djdk.tls.ephemeralDHKeySize=2048" ... java.lang.RuntimeException: wrong refCount value: -1 at sun.security.pkcs11.NativeKeyHolder.releaseKeyID(P11Key.java:1310) at sun.security.pkcs11.P11Key.releaseKeyID(P11Key.java:152) at sun.security.pkcs11.P11AEADCipher.reset(P11AEADCipher.java:443) at sun.security.pkcs11.P11AEADCipher.implDoFinal(P11AEADCipher.java:708) at sun.security.pkcs11.P11AEADCipher.engineDoFinal(P11AEADCipher.java:538) ... FAILED: SunJSSE/Default: TLSv1.2 + TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 Where exception in finally block [2] (higher) actually hides PKCS11Exception thrown at: [1] sun.security.pkcs11.P11AEADCipher.cancelOperation (P11AEADCipher.java:344) [2] sun.security.pkcs11.P11AEADCipher.reset (P11AEADCipher.java:440) [3] sun.security.pkcs11.P11AEADCipher.ensureInitialized (P11AEADCipher.java:359) [4] sun.security.pkcs11.P11AEADCipher.implDoFinal (P11AEADCipher.java:639) [5] sun.security.pkcs11.P11AEADCipher.engineDoFinal (P11AEADCipher.java:538) hidde: [1] sun.security.pkcs11.P11AEADCipher.cancelOperation (P11AEADCipher.java:344) [2] sun.security.pkcs11.P11AEADCipher.reset (P11AEADCipher.java:440) [3] sun.security.pkcs11.P11AEADCipher.ensureInitialized (P11AEADCipher.java:359) [4] sun.security.pkcs11.P11AEADCipher.implDoFinal (P11AEADCipher.java:639) [5] sun.security.pkcs11.P11AEADCipher.engineDoFinal (P11AEADCipher.java:538) ... [1] https://github.com/zzambers/ssl-tests [2] https://hg.openjdk.java.net/jdk8u/jdk8u/jdk/file/ebfae7ddcfc1/src/share/classes/sun/security/pkcs11/P11AEADCipher.java#l708