Red Hat Bugzilla – Bug 962568
SSL DHE cipher suites broken in OpenJDK 7
Last modified: 2013-07-01 08:22:05 EDT
Description of problem:
When performing Diffie-Hellman key agreement for SSL/TLS, the TLS
specification (RFC 5246) says that "Leading bytes of Z that contain all zero
bits are stripped before it is used as the pre_master_secret."
However, com.sun.crypto.provider.DHKeyAgreement.java does not strip leading
zero bytes. This causes approximately 1 out of 256 SSL/TLS handshakes with
DH/DHE cipher suites to fail (when the leading byte happens, by chance, to
Version-Release number of selected component (if applicable):
java 22.214.171.124. openjdk package version 126.96.36.199.el6_4
Steps to Reproduce:
1. Start the provided TestServer class:
java -Djavax.net.debug=all -Djavax.net.ssl.keyStore=./test_keystore.jks
2. Test repeated connections through openssl. Can use attached script:
You will occasionally see openssl get a handshake failure. The ssl logging logs a "SSLHandshakeException: Invalid Padding lengh"
Actual results:
Roughly one out of 256 connections fail.
Expected results:
Every connection succeeds
It seems this commit from March 2012 inadvertently broke this:
The commit was done to fix this bug:
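Added example, not code from the bug report or from OpenJDK: a constructed toy Diffie-Hellman model showing why keeping the leading zero bytes of Z breaks roughly 1 in 256 handshakes. RFC 5246 section 8.1.2 requires those bytes to be stripped before Z becomes the pre_master_secret; the 32-bit group, the seeds and the function names are assumptions for illustration only.

```python
"""Constructed model of RFC 5246 leading-zero stripping of the DH shared secret Z.
The 32-bit group below is for illustration only and is far too small for real use."""
import random

P = 2**32 - 5                       # constructed: a 32-bit prime, so Z encodes in 4 bytes
G = 2
P_LEN = (P.bit_length() + 7) // 8   # 4 bytes; Z's top byte is zero about 1 time in 256


def dh_shared_secret(peer_public: int, private: int) -> int:
    """Z = Y^x mod p; both peers compute the same integer."""
    return pow(peer_public, private, P)


def encode_fixed(z: int) -> bytes:
    """Fixed-length encoding padded to the size of p (leading zeros kept)."""
    return z.to_bytes(P_LEN, "big")


def premaster_secret(z: int) -> bytes:
    """RFC 5246: strip leading zero bytes of Z before using it as pre_master_secret.
    Z is never 0 in a valid exchange, so at least one byte always remains."""
    return encode_fixed(z).lstrip(b"\x00")


def handshake_agrees(a: int, b: int, client_strips: bool, server_strips: bool) -> bool:
    """True iff both peers derive the same pre_master_secret from private exponents a, b."""
    z_client = dh_shared_secret(pow(G, b, P), a)   # client uses the server's public value
    z_server = dh_shared_secret(pow(G, a, P), b)   # server uses the client's public value
    client_pms = premaster_secret(z_client) if client_strips else encode_fixed(z_client)
    server_pms = premaster_secret(z_server) if server_strips else encode_fixed(z_server)
    return client_pms == server_pms


def find_leading_zero_case(seed: int = 1) -> tuple:
    """Draw random exponents until Z's top byte is zero (about 1 in 256 draws)."""
    rng = random.Random(seed)
    while True:
        a, b = rng.randrange(2, P - 1), rng.randrange(2, P - 1)
        if encode_fixed(dh_shared_secret(pow(G, b, P), a))[0] == 0:
            return a, b


def failure_rate(trials: int, seed: int = 2) -> float:
    """Fraction of handshakes that fail when only one side strips (expect about 1/256)."""
    rng = random.Random(seed)
    fails = 0
    for _ in range(trials):
        a, b = rng.randrange(2, P - 1), rng.randrange(2, P - 1)
        fails += not handshake_agrees(a, b, client_strips=True, server_strips=False)
    return fails / trials
```

When both peers strip (or both keep) the zeros they always agree; the mismatch only appears when one implementation follows the RFC and the other does not, exactly the mixed openssl/OpenJDK case the report describes.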
Created attachment 747450
Created attachment 747451: test openssl script
Reported to Oracle (bugs.sun.com) as bug 9001039; bug report available in this email on the OpenJDK list:
A patch and testcase are available in OpenJDK Bugzilla:
This is now visible with Oracle bug ID 8014618:
Once this patch is committed upstream, it can be backported to the 7u trees.
Fixed in 2.4.0: http://blog.fuseyism.com/index.php/2013/06/10/icedtea-2-4-0-released/
In 2.3.10: http://blog.fuseyism.com/index.php/2013/06/28/security-icedtea-2-3-10-for-openjdk-7-released/
Need info from jvanek when this is packaged.
6.4 has already received 2.3.10. So the issue should be fixed.