Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8167472

Chrome interop regression with JDK-8148516

    Details

    • Subcomponent:
    • Introduced In Build:
      b01
    • Introduced In Version:
    • Resolved In Build:
      b141

      Backports

        Description

        Bug report:
        =========
        There are issues with Chrome browser and Java9 ea+138 SSL. While I have investigated what could cause the issue I found following. When I disable following ciphers
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
        then Chrome begins to work as expected.

        Under other browsers like FireFox or Internet Explorer everything is fine.

        One thing to mention, Java9 ea+121 worked fine even with Chrome, so I assume there was regression in one of following versions, but unsure in which one exactly.

        In fact all Java SSL based servers are affected, Chrome refuses to run. I get something like that
        Caused by: java.lang.NullPointerException
            at sun.security.ssl.EllipticCurvesExtension.getECGenParamSpec(java.base@9-ea/EllipticCurvesExtension.java:374)
            at sun.security.ssl.ECDHCrypt.<init>(java.base@9-ea/ECDHCrypt.java:63)
            at sun.security.ssl.ServerHandshaker.setupEphemeralECDHKeys(java.base@9-ea/ServerHandshaker.java:1584)
            at sun.security.ssl.ServerHandshaker.trySetCipherSuite(java.base@9-ea/ServerHandshaker.java:1368)
            at sun.security.ssl.ServerHandshaker.chooseCipherSuite(java.base@9-ea/ServerHandshaker.java:1172)
            at sun.security.ssl.ServerHandshaker.clientHello(java.base@9-ea/ServerHandshaker.java:800)
            at sun.security.ssl.ServerHandshaker.processMessage(java.base@9-ea/ServerHandshaker.java:237)
            at sun.security.ssl.Handshaker.processLoop(java.base@9-ea/Handshaker.java:1061)
            at sun.security.ssl.Handshaker$1.run(java.base@9-ea/Handshaker.java:1000)
            at sun.security.ssl.Handshaker$1.run(java.base@9-ea/Handshaker.java:997)
            at java.security.AccessController.doPrivileged(java.base@9-ea/Native Method)
            at sun.security.ssl.Handshaker$DelegatedTask.run(java.base@9-ea/Handshaker.java:1476)
            at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1189)
            at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1041)
            ... 26 more

          Issue Links

            Activity

            Hide
            xuelei Xue-Lei Fan added a comment -
            Simple and straightforward fix, no new regression test. I had tested with Chrome, the fix works as expected.
            Show
            xuelei Xue-Lei Fan added a comment - Simple and straightforward fix, no new regression test. I had tested with Chrome, the fix works as expected.
            Hide
            hgupdate HG Updates added a comment -
            URL: http://hg.openjdk.java.net/jdk9/dev/jdk/rev/51b28d24c9fb
            User: xuelei
            Date: 2016-10-11 09:11:52 +0000
            Show
            hgupdate HG Updates added a comment - URL: http://hg.openjdk.java.net/jdk9/dev/jdk/rev/51b28d24c9fb User: xuelei Date: 2016-10-11 09:11:52 +0000
            Hide
            hgupdate HG Updates added a comment -
            URL: http://hg.openjdk.java.net/jdk9/jdk9/jdk/rev/51b28d24c9fb
            User: lana
            Date: 2016-10-19 19:44:45 +0000
            Show
            hgupdate HG Updates added a comment - URL: http://hg.openjdk.java.net/jdk9/jdk9/jdk/rev/51b28d24c9fb User: lana Date: 2016-10-19 19:44:45 +0000
            Hide
            xuelei Xue-Lei Fan added a comment -
            Cause of the issue:

            In the past code, we ignore unknown curves. With the updated of JDK-8167472, there is a bug that for a unknown curves, a null reference will be returned. That's to say, JDK cannot work with unknown curves any more.

            For Chrome, it uses the extension which prefers a curve unknown/unsupported to our implementation. As results in failures. While the curves for Firefox and IE are also supported by JDK. Further more, the preferred 'curve' in Chrome browser is not actually a curve of EC algorithms, the extension is used for purpose other than EC curves by Google.

            If disabling the EC cipher suites, the EC curves will not be used any more. So the issue disappears.
            Show
            xuelei Xue-Lei Fan added a comment - Cause of the issue: In the past code, we ignore unknown curves. With the updated of JDK-8167472 , there is a bug that for a unknown curves, a null reference will be returned. That's to say, JDK cannot work with unknown curves any more. For Chrome, it uses the extension which prefers a curve unknown/unsupported to our implementation. As results in failures. While the curves for Firefox and IE are also supported by JDK. Further more, the preferred 'curve' in Chrome browser is not actually a curve of EC algorithms, the extension is used for purpose other than EC curves by Google. If disabling the EC cipher suites, the EC curves will not be used any more. So the issue disappears.
            Hide
            afomin Alexander Fomin added a comment -
            As far as we have an automated tests for the fix, UR SQE OK to take it in CPU17_01
            Show
            afomin Alexander Fomin added a comment - As far as we have an automated tests for the fix, UR SQE OK to take it in CPU17_01

              People

              • Assignee:
                xuelei Xue-Lei Fan
                Reporter:
                xuelei Xue-Lei Fan
              • Votes:
                0 Vote for this issue
                Watchers:
                8 Start watching this issue

                Dates

                • Due:
                  Created:
                  Updated:
                  Resolved: