Bug 1019554 - Please enable ECC support in OpenJDK 8
Summary: Please enable ECC support in OpenJDK 8
Alias: None
Product: Fedora
Classification: Fedora
Component: java-1.8.0-openjdk
Version: 22
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: jiri vanek
QA Contact: Fedora Extras Quality Assurance
: 1019553 1225576 (view as bug list)
Depends On: 1075702
Blocks: ecc
TreeView+ depends on / blocked
Reported: 2013-10-16 05:00 UTC by Omair Majid
Modified: 2016-02-28 12:20 UTC (History)
11 users (show)

Fixed In Version: java-1.8.0-openjdk-
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2016-02-28 12:20:20 UTC

Attachments (Terms of Use)

Description Omair Majid 2013-10-16 05:00:26 UTC
OpenJDK (>=7) supports various ECC algorithms as indicated in http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunEC

Please enable ECC support in Fedora packages now.

Comment 1 Andrew John Hughes 2013-10-23 03:26:30 UTC
The in-tree copy of ECC still shouldn't be enabled; it results in a bundled version of NSS.  The correct way to fix this (as has been done in Debian & Gentoo for years) is to enable the NSS provider at the lowest priority.  When NSS gains ECC support (this bug should depend on that), OpenJDK will then gain it automatically.

Comment 2 Andrew Haley 2014-02-12 16:58:26 UTC
The NSS provider isn't really a solution because of this bug:

As it stands it is unlikely that the NSS provider is going to be fixed.

Comment 3 Andrew John Hughes 2014-02-18 22:10:42 UTC
Does that occur when the NSS provider is at any priority or just the highest?

The SunEC provider is basically a big chunk of code copied from NSS. Are you sure it doesn't exhibit the same issues?

Using the NSS provider to handle ECC has been the solution on Debian & Gentoo since around 2010. The Sun EC provider hasn't been used by any FOSS distro and is potentially a legal & security minefield.

Comment 4 Jaroslav Reznik 2015-03-03 15:08:32 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle.
Changing version to '22'.

More information and reason for this action is here:

Comment 5 Andrew John Hughes 2015-05-27 14:52:00 UTC
This package doesn't exist in Fedora 22, does it?

This could be enabled in versions of Fedora that still have java-1.7.0-openjdk in the same way it has been in RHEL.

Comment 6 jiri vanek 2015-05-27 14:55:26 UTC
No fedora have openjdk 7 since today.

One guy is running private copr repo, but he is merging from CentOs.

So if we fix it in rhel, in time it will bubble also without any more of our attendance.

Comment 7 Andrew John Hughes 2015-05-27 17:18:14 UTC
Ok, let's file this against OpenJDK 8 instead then, where the problem also exists.

Comment 8 Andrew John Hughes 2015-05-27 17:19:13 UTC
*** Bug 1225576 has been marked as a duplicate of this bug. ***

Comment 9 Omair Majid 2015-05-27 18:28:21 UTC
*** Bug 1019553 has been marked as a duplicate of this bug. ***

Comment 10 Andrew John Hughes 2015-05-29 01:57:08 UTC
In the interim, Fedora could enable the PKCS11 provider at the lowest priority. While it has the issue mentioned in comment #2, that's only an issue on long running processes and I believe is better than having no ECC support at all, especially as use on Fedora is likely to be client TLS connections and not servers.

Due to the way the PKCS11 provider has been altered in OpenJDK 8, the SunEC provider shell does need to be present for it to work (they share common code in a rather bizarre way). The native implementation code for the SunEC provider should still be deleted. You'll also need to alter the list of available curves as we did in 7 (see the 7 RPM patches).

Comment 11 Thomas Meyer 2015-05-29 02:25:14 UTC

i stumbled upon this because I wanted to run the latest jetty as HTTP2 server, see https://bugs.eclipse.org/bugs/show_bug.cgi?id=468106#c12

Comment 12 Andrew Haley 2015-05-29 08:03:23 UTC
The PKCS11 provider is known to leak memory, but the SunEC provider is not known to leak memory. I haven't looked, but as far as I'm aware the SunEC provider does not use the PKCS11 interface, and the memory leak is entirely in the interface between Java and native code. We should try the SunEC provider.

Comment 15 Fedora Update System 2016-02-25 09:14:25 UTC
java-1.8.0-openjdk- has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-9fd9fc27d8

Comment 16 Fedora Update System 2016-02-26 20:53:51 UTC
java-1.8.0-openjdk- has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-9fd9fc27d8

Comment 17 Fedora Update System 2016-02-28 12:20:15 UTC
java-1.8.0-openjdk- has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.