Bug 1022950 - java.lang.RuntimeException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
Summary: java.lang.RuntimeException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: java-1.7.0-openjdk
Version: 6.5
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Andrew John Hughes
QA Contact: BaseOS QE - Apps
URL:
Whiteboard:
Depends On: 1008456
Blocks: 1056252
Reported: 2013-10-24 10:44 UTC by Michal Haško
Modified: 2018-12-06 15:24 UTC
CC: 7 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 1008456
Environment:
Last Closed: 2014-03-13 13:59:25 UTC
Target Upstream Version:
Embargoed:



Description Michal Haško 2013-10-24 10:44:13 UTC
+++ This bug was initially created as a clone of Bug #1008456 +++

First of all, this is most likely not a bug in java-1.7.0-openjdk, because it is also reproducible on java-1.7.0-oracle and java-1.7.0-ibm. I think it is somewhere in the underlying libraries. Please help me identify where the issue is and what is causing it.


Description of problem:
When trying to configure SSL support for tomcat7 from EWS2, the following error was encountered:


Version-Release number of selected component (if applicable):
Tomcat7 from EWS-2.0.1 GA


How reproducible:
100%


Steps to Reproduce:
1. make sure JDK7 is used (java -version)
2. generate the java keystore file:
   # /usr/lib/jvm/java/bin/keytool -genkey -alias tomcat -keyalg RSA \
     -keystore /root/keystore.jks
3. comment out the default APR listener from tomcat7/conf/server.xml:
    <!--<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />-->
4. add ssl connector to tomcat7/conf/server.xml:
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
               keystoreFile="/root/keystore.jks" keystorePass="tomcat"
               clientAuth="false" sslProtocol="TLS" />
5. start tomcat:
   # tomcat7/bin/startup.sh
6. # wget --no-check-certificate -4 -O - https://localhost:8443/


Actual results:
The following exception is observed in catalina.out:
Oct 24, 2013 6:19:49 AM org.apache.tomcat.util.net.NioEndpoint$SocketProcessor run
SEVERE: 
java.lang.RuntimeException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
	at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1359)
	at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)
	at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:793)
	at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:761)
	at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
	at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:335)
	at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:193)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1675)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
	at java.lang.Thread.run(Thread.java:744)
Caused by: java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
	at sun.security.pkcs11.P11KeyPairGenerator.generateKeyPair(P11KeyPairGenerator.java:323)
	at java.security.KeyPairGenerator$Delegate.generateKeyPair(KeyPairGenerator.java:687)
	at sun.security.ssl.ECDHCrypt.<init>(ECDHCrypt.java:63)
	at sun.security.ssl.ServerHandshaker.setupEphemeralECDHKeys(ServerHandshaker.java:1208)
	at sun.security.ssl.ServerHandshaker.trySetCipherSuite(ServerHandshaker.java:1062)
	at sun.security.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:889)
	at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:622)
	at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:167)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:808)
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:806)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1299)
	at org.apache.tomcat.util.net.SecureNioChannel.tasks(SecureNioChannel.java:285)
	at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:343)
	... 5 more
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
	at sun.security.pkcs11.wrapper.PKCS11.C_GenerateKeyPair(Native Method)
	at sun.security.pkcs11.P11KeyPairGenerator.generateKeyPair(P11KeyPairGenerator.java:314)
	... 19 more



Expected results:
Should return the Tomcat welcome page.


Additional info:
 - This is *only* reproducible on JDK7, not on JDK7.
 - Using 'curl -k https://localhost:8443/' instead of wget works fine (weird, right?)

Comment 1 Deepak Bhole 2013-10-24 15:58:50 UTC
Assigning to Andrew to take a look.

Comment 2 RHEL Program Management 2013-10-28 19:55:31 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 3 Andrew John Hughes 2013-11-07 15:34:59 UTC
"This is *only* reproducible on JDK7, not on JDK7."

Err... that comment makes no sense :)

Comment 13 Thorsten Glaser 2014-04-25 12:57:23 UTC
This is caused by ECC differences in supported algorithms, and a bug on the Java™ side causing the server to always offer ECC even if it finds no suitable curves.

Potential workarounds are:
• switch to Sun’s ECC implementation instead of the one using NSS
• disable ECC completely

I’ve used the latter.

Accessing the server with cURL vs. GNU wget showing different behaviour is most likely due to them using diverging crypto libraries; for example, I could connect to a server suffering from the bug just fine from a MirBSD system, whose OpenSSL does not include any ECC, so the bug did not trigger.

Reference: https://bugs.launchpad.net/ubuntu/+source/openjdk-7/+bug/1006776
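To pin down which provider and curve combination raises CKR_DOMAIN_PARAMS_INVALID on a given JDK before putting Tomcat in front of it, the following diagnostic repeats the call that fails in the stack trace above (EC key-pair generation, the `P11KeyPairGenerator.generateKeyPair` frame) against every installed "EC" KeyPairGenerator provider. This is an added example, not code from the bug report, from OpenJDK or from Tomcat; the class name `EcProviderProbe` and the curve list are assumptions made for the example.

```java
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.spec.ECGenParameterSpec;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/*
 * Added diagnostic, not part of the bug report: repeats the ECDH key-pair
 * generation that fails inside the TLS handshake above against every
 * installed "EC" KeyPairGenerator provider and a list of curve names, so the
 * provider/curve pair that raises CKR_DOMAIN_PARAMS_INVALID can be found with
 * the same JDK Tomcat runs on, without starting Tomcat.
 */
public class EcProviderProbe {

    // Curve names to try; this list is an assumption for the example, adjust
    // it to the curves your deployment actually negotiates.
    static final String[] CURVES = { "secp256r1", "secp384r1", "secp521r1", "secp160r1" };

    /** Outcome of one provider/curve probe. */
    static final class Result {
        final String provider;
        final String curve;
        final String error;   // null when key generation succeeded

        Result(String provider, String curve, String error) {
            this.provider = provider;
            this.curve = curve;
            this.error = error;
        }

        boolean ok() {
            return error == null;
        }
    }

    /** Probe every provider that registers an "EC" KeyPairGenerator, in provider order. */
    static List<Result> probe() {
        List<Result> results = new ArrayList<Result>();
        for (Provider p : Security.getProviders()) {
            if (p.getService("KeyPairGenerator", "EC") == null) {
                continue;   // provider offers no EC key generation at all
            }
            for (String curve : CURVES) {
                try {
                    KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", p);
                    kpg.initialize(new ECGenParameterSpec(curve));
                    kpg.generateKeyPair();   // the NSS-backed provider throws ProviderException here
                    results.add(new Result(p.getName(), curve, null));
                } catch (Exception e) {
                    // ProviderException wrapping PKCS11Exception for SunPKCS11 over NSS;
                    // InvalidAlgorithmParameterException for a curve name the provider lacks.
                    results.add(new Result(p.getName(), curve, e.toString()));
                }
            }
        }
        return results;
    }

    public static void main(String[] args) {
        // Provider order matters: JSSE picks the first provider that claims "EC".
        System.out.println("Provider order: " + Arrays.toString(Security.getProviders()));
        for (Result r : probe()) {
            System.out.printf("%-20s %-10s %s%n",
                    r.provider, r.curve, r.ok() ? "OK" : "FAIL " + r.error);
        }
    }
}
```

Compile and run it with the JDK Tomcat uses, for example `javac EcProviderProbe.java && /usr/lib/jvm/java/bin/java EcProviderProbe`. A provider listed before SunEC that fails on a curve SunEC handles is the situation comment 13 describes, and its two workarounds map onto the output: either move or comment out that provider's `security.provider.N=` entry in the JDK's `java.security` file so SunEC is selected first (which line that is depends on the JDK build, so check the file rather than assuming), or restrict the connector's `ciphers` attribute to non-ECDHE suites so the server never generates an ephemeral EC key in the first place.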

Comment 14 Thorsten Glaser 2014-04-25 12:58:56 UTC
Related RH bug: https://bugzilla.redhat.com/show_bug.cgi?id=1022017
