+++ This bug was initially created as a clone of Bug #1008456 +++

First of all, this is most likely not a bug in java-1.7.0-openjdk, because it is also reproducible on java-1.7.0-oracle and java-1.7.0-ibm. I think it is somewhere in the underlying libraries. Please help me identify where the issue is and what is causing it.

Description of problem:
When trying to configure SSL support for tomcat7 from EWS2, the following error was encountered:

Version-Release number of selected component (if applicable):
Tomcat7 from EWS-2.0.1 GA

How reproducible:
100%

Steps to Reproduce:
1. make sure JDK7 is used (java -version)
2. generate the java keystore file:
   # /usr/lib/jvm/java/bin/keytool -genkey -alias tomcat -keyalg RSA \
       -keystore /root/keystore.jks
3. comment out the default APR listener from tomcat7/conf/server.xml:
   <!--<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />-->
4. add ssl connector to tomcat7/conf/server.xml:
   <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
              SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
              keystoreFile="/root/keystore.jks" keystorePass="tomcat"
              clientAuth="false" sslProtocol="TLS" />
5. start tomcat:
   # tomcat7/bin/startup.sh
6. # wget --no-check-certificate -4 -O - https://localhost:8443/

Actual results:
The following exception is observed in catalina.out:

Oct 24, 2013 6:19:49 AM org.apache.tomcat.util.net.NioEndpoint$SocketProcessor run
SEVERE: java.lang.RuntimeException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
	at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1359)
	at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)
	at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:793)
	at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:761)
	at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
	at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:335)
	at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:193)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1675)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
	at java.lang.Thread.run(Thread.java:744)
Caused by: java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
	at sun.security.pkcs11.P11KeyPairGenerator.generateKeyPair(P11KeyPairGenerator.java:323)
	at java.security.KeyPairGenerator$Delegate.generateKeyPair(KeyPairGenerator.java:687)
	at sun.security.ssl.ECDHCrypt.<init>(ECDHCrypt.java:63)
	at sun.security.ssl.ServerHandshaker.setupEphemeralECDHKeys(ServerHandshaker.java:1208)
	at sun.security.ssl.ServerHandshaker.trySetCipherSuite(ServerHandshaker.java:1062)
	at sun.security.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:889)
	at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:622)
	at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:167)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:808)
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:806)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1299)
	at org.apache.tomcat.util.net.SecureNioChannel.tasks(SecureNioChannel.java:285)
	at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:343)
	... 5 more
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
	at sun.security.pkcs11.wrapper.PKCS11.C_GenerateKeyPair(Native Method)
	at sun.security.pkcs11.P11KeyPairGenerator.generateKeyPair(P11KeyPairGenerator.java:314)
	... 19 more

Expected results:
should return a tomcat welcome page

Additional info:
- This is *only* reproducible on JDK7, not on JDK7.
- Using 'curl -k https://localhost:8443/' instead of wget works fine (weird, right?)
Assigning to Andrew to take a look.
This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux.
"This is *only* reproducible on JDK7, not on JDK7." Err... that comment makes no sense :)
This is caused by ECC differences in supported algorithms, and a bug on the Java™ side causing the server to always offer ECC even if it finds no suitable curves.

Potential workarounds are:
• switch to Sun’s ECC implementation instead of the one using NSS
• disable ECC completely

I’ve used the latter.

Accessing the server with cURL vs. GNU wget showing different behaviour is most likely due to them using diverging crypto libraries; for example, I could connect to a server suffering from the bug just fine from a MirBSD system, whose OpenSSL does not include any ECC, so the bug did not trigger.

Reference: https://bugs.launchpad.net/ubuntu/+source/openjdk-7/+bug/1006776
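An added diagnostic (example code, not from the bug report, Tomcat or OpenJDK) for the two points in the comment above: it shows which installed provider serves EC key-pair generation and whether that provider can actually complete the curves JSSE's ECDHE suites need (a PKCS#11/NSS provider that cannot is what surfaces as CKR_DOMAIN_PARAMS_INVALID in the trace), and it derives the non-ECC cipher list for the "disable ECC completely" workaround via the Connector's ciphers attribute. The curve list and the class name are assumptions of this example.

```java
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.spec.ECGenParameterSpec;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;

// Added diagnostic, not from the bug report: which provider serves EC key
// generation, whether it can complete the usual curves, and a non-ECC cipher
// list for the "disable ECC completely" workaround.
public class EccCheck {
    // Curves to probe (constructed list: the NIST curves JSSE prefers).
    static final String[] CURVES = {"secp256r1", "secp384r1", "secp521r1"};

    // True if provider p can generate an EC key pair on the named curve. A
    // PKCS#11 provider lacking the curve throws ProviderException wrapping
    // PKCS11Exception (CKR_DOMAIN_PARAMS_INVALID in the trace above).
    static boolean canGenerate(Provider p, String curve) {
        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", p);
            kpg.initialize(new ECGenParameterSpec(curve));
            kpg.generateKeyPair();
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    // Drops every ECDH/ECDHE suite; the result, comma separated, is what to
    // put in the Connector's ciphers="..." attribute so the server never
    // offers an ECC suite it cannot complete.
    static List<String> withoutEcc(String[] suites) {
        List<String> kept = new ArrayList<String>();
        for (String s : suites) {
            if (!s.contains("_ECDH")) kept.add(s);
        }
        return kept;
    }

    public static void main(String[] args) throws Exception {
        for (Provider p : Security.getProviders()) {
            if (p.getService("KeyPairGenerator", "EC") == null) continue;
            System.out.println("EC KeyPairGenerator from " + p.getName());
            for (String c : CURVES)
                System.out.println("  " + c + ": " + (canGenerate(p, c) ? "ok" : "FAILS"));
        }
        String[] enabled = SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites();
        StringBuilder sb = new StringBuilder();
        for (String s : withoutEcc(enabled)) sb.append(sb.length() == 0 ? "" : ",").append(s);
        System.out.println("ciphers=\"" + sb + "\"");
    }
}
```

Run it with the same JVM and java.security configuration Tomcat uses, since the provider order is what decides whether SunEC or the NSS-backed SunPKCS11 provider answers the EC request.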
Related RH bug: https://bugzilla.redhat.com/show_bug.cgi?id=1022017