Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8161984

Issue with TLS_RSA_WITH_AES Cipher Suite when using Hardtoken HSM like Thales NCipher

    Details

      Description

      FULL PRODUCT VERSION :
      java version "1.8.0_77"

      Java(TM) SE Runtime Environment (build 1.8.0_77-b03) Java HotSpot(TM) 64-Bit Server VM (build 25.77-b03, mixed mode)


      ADDITIONAL OS VERSION INFORMATION :
      Linux 2.6.32-573.22.1.el6.x86_64 #1 SMP Thu Mar 17 03:23:39 EDT 2016 x86_64 x86_64 x86_64 GNU/Linux

      EXTRA RELEVANT SYSTEM CONFIGURATION :
      Unlimited Strength JCE installed
      Using nfast client libraries to connect with Thales NCipher HSM device

      A DESCRIPTION OF THE PROBLEM :
      The nfast version (for HSM) being used is:
      enquiry, nfuser 2.32.15cam13 built on Jan 28 2011 17:32:18

      The HSM device in use is Thales NCIPHER based HSM.

      We are seeing issues when using the following CIPHER suites with the Thales NCIPHER HSM
      TLS_RSA_WITH_AES_256_CBC_SHA256
      TLS_RSA_WITH_AES_256_CBC_SHA
      TLS_RSA_WITH_AES_128_CBC_SHA256
      TLS_RSA_WITH_AES_128_CBC_SHA

      When any of the above CIPHERS are enabled and provided as supported by client and chosen for handshake by server then we get an error.

      Looks like this has been fixed as when we tested with the JDK 1.8.0_112 early access release the problem doesn't happen any more. We would like to know when this fix would be publicly available as part of a general release.


      REGRESSION. Last worked in version 6u45

      ADDITIONAL REGRESSION INFORMATION:
      java version "1.8.0_77"

      Java(TM) SE Runtime Environment (build 1.8.0_77-b03) Java HotSpot(TM) 64-Bit Server VM (build 25.77-b03, mixed mode)


      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      Just establish SSL connection with the Server using the TLS_RSA cipher suites enabled.

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      Should establish SSL successfully
      ACTUAL -
      2016-06-21 06:47:05,589 INFO [SystemOut] qtp706604026-43, fatal error: 80: problem unwrapping net record

      javax.net.ssl.SSLProtocolException: Unable to process PreMasterSecret, may be too big



      ERROR MESSAGES/STACK TRACES THAT OCCUR :
      2016-06-21 06:47:05,589 INFO [SystemOut] qtp706604026-43, fatal error: 80: problem unwrapping net record

      javax.net.ssl.SSLProtocolException: Unable to process PreMasterSecret, may be too big

      2016-06-21 06:47:05,589 INFO [SystemOut] %% Invalidated: [Session-3228, TLS_RSA_WITH_AES_128_CBC_SHA]

      2016-06-21 06:47:05,589 INFO [SystemOut] qtp706604026-43

      2016-06-21 06:47:05,589 INFO [SystemOut] , SEND TLSv1 ALERT:

      2016-06-21 06:47:05,589 INFO [SystemOut] fatal,

      2016-06-21 06:47:05,589 INFO [SystemOut] description = internal_error

      2016-06-21 06:47:05,589 INFO [SystemOut] qtp706604026-43, WRITE: TLSv1 Alert, length = 2


      REPRODUCIBILITY :
      This bug can be reproduced always.

      SUPPORT :
      YES

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                psonal Pallavi Sonal (Inactive)
                Reporter:
                webbuggrp Webbug Group
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: