Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8175885

Problem with JDK 1.8.0.121 with JSSE in ssl connection

    Details

      Description

      FULL PRODUCT VERSION :
      /opt/jdk1.8.0_121/bin/java -version
      java version "1.8.0_121"
      Java(TM) SE Runtime Environment (build 1.8.0_121-b13)
      Java HotSpot(TM) 64-Bit Server VM (build 25.121-b13, mixed mode)


      ADDITIONAL OS VERSION INFORMATION :
      uname -a
      SunOS usqwrts001 5.10 Generic_147440-19 sun4v sparc SUNW,T5240


      A DESCRIPTION OF THE PROBLEM :
      We are facing real problem with new release of java jdk1.8.0.121 with ssl connection to our LDAP. Our connection in this release of JDK is finishing with below error which can be seen inside weblogic.log:

      ####<23.02.2017 13:06:40.607 MET> <Debug> <SecuritySSL> <usqwrts001> <server00> <ConnSetupMgr> <<WLS Kernel>> <> <> <1487851600607> <BEA-000000> <[Thread[ConnSetupMgr,5,Pooled Threads]]weblogic.security.SSL.jsseadapter: SSLENGINE: Exception occurred during SSLEngine.unwrap(ByteBuffer,ByteBuffer[]).
      javax.net.ssl.SSLHandshakeException: Unsupported curveId: 21
              at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1478)
              at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
              at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
              at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
              at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:664)
              at weblogic.security.SSL.jsseadapter.JaSSLEngine$5.run(JaSSLEngine.java:134)
              at weblogic.security.SSL.jsseadapter.JaSSLEngine.doAction(JaSSLEngine.java:734)
              at weblogic.security.SSL.jsseadapter.JaSSLEngine.unwrap(JaSSLEngine.java:132)
              at weblogic.socket.JSSEFilterImpl.unwrap(JSSEFilterImpl.java:603)
              at weblogic.socket.JSSEFilterImpl.unwrapAndHandleResults(JSSEFilterImpl.java:507)
              at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:96)
              at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:75)
              at weblogic.socket.JSSESocket.startHandshake(JSSESocket.java:219)
              at weblogic.security.providers.authentication.LDAPAtnDelegate$AtnLDAPSSLSocketFactory.makeSocket(LDAPAtnDelegate.java:4915)
              at netscape.ldap.LDAPConnSetupMgr.connectServer(Unknown Source)
              at netscape.ldap.LDAPConnSetupMgr.openSerial(Unknown Source)
              at netscape.ldap.LDAPConnSetupMgr.connect(Unknown Source)
              at netscape.ldap.LDAPConnSetupMgr.access$000(Unknown Source)
              at netscape.ldap.LDAPConnSetupMgr$1.run(Unknown Source)
              at java.lang.Thread.run(Thread.java:745)
      Caused By: javax.net.ssl.SSLHandshakeException: Unsupported curveId: 21
              at sun.security.ssl.HandshakeMessage$ECDH_ServerKeyExchange.<init>(HandshakeMessage.java:1053)
              at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:284)
              at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
              at sun.security.ssl.Handshaker$1.run(Handshaker.java:966)
              at sun.security.ssl.Handshaker$1.run(Handshaker.java:963)
              at java.security.AccessController.doPrivileged(Native Method)
              at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416)
              at weblogic.socket.JSSEFilterImpl.doTasks(JSSEFilterImpl.java:205)
              at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:111)
              at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:75)
              at weblogic.socket.JSSESocket.startHandshake(JSSESocket.java:219)
              at weblogic.security.providers.authentication.LDAPAtnDelegate$AtnLDAPSSLSocketFactory.makeSocket(LDAPAtnDelegate.java:4915)
              at netscape.ldap.LDAPConnSetupMgr.connectServer(Unknown Source)
              at netscape.ldap.LDAPConnSetupMgr.openSerial(Unknown Source)
              at netscape.ldap.LDAPConnSetupMgr.connect(Unknown Source)
              at netscape.ldap.LDAPConnSetupMgr.access$000(Unknown Source)
              at netscape.ldap.LDAPConnSetupMgr$1.run(Unknown Source)
              at java.lang.Thread.run(Thread.java:745)


      We traced packages between JVM and LDAP and that communication is ending on client side (JVM) with Internal Error 80.

      Communication looks identically like for jdk1.8.0.112 but JVM for this release is able to exchange keys. For jdk1.8.0_121 this is not possible as after server hello for selected Cipher Suite communication is ending with Internal Error

      TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Internal Error)
      Content Type: Alert (21)
      Version: TLS 1.2 (0x0303)
      Alert Message
      Level: Fatal (2)
      Description: Internal Error (80)

      Connection process can be described in short way:

      1 Client (JVM) is sending Client HELLO with all Cipher Specs
      2. Server (LDAP) responding Server HELLO with specified Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      3. Communication is ending with Internal Error

      For JDK 1.8.0.112 communication is not ending and Client is able to exchange Keys.

      We found that include inside the release jdk1.8.0_121 jsse.jar is differ than in jdk1.8.0_112 and below classes are different:

      CipherSuite$BulkCipher
      CipherSuite$CipherType
      CipherSuite$KeyExchange
      CipherSuite$MacAlg
      CipherSuite$PRF
      CipherSuiteList
      CipherSuite
      ClientHandshaker
      ECDHCrypt
      HandshakeMessage$CertificateMsg
      HandshakeMessage$CertificateRequest
      HandshakeMessage$CertificateVerify$1
      HandshakeMessage$CertificateVerify
      HandshakeMessage$ClientHello
      HandshakeMessage$DH
      HandshakeMessage$DistinguishedName
      HandshakeMessage$ECDH
      HandshakeMessage$Finished
      HandshakeMessage$RSA
      HandshakeMessage$ServerHelloDone
      HandshakeMessage$ServerHello
      HandshakeMessage$ServerKeyExchange
      Handshaker$1
      Handshaker$DelegatedTask
      Handshaker
      JsseJce$EcAvailability
      JsseJce
      ServerHandshaker$1
      ServerHandshaker$2
      ServerHandshaker$3
      ServerHandshaker
      SupportedEllipticCurvesExtension

      When we will use jsse.jar taken from jdk1.8.0.112 and used inside release jdk1.0.121 then communication is in place and JVM is able to establish connection with LDAP using SSL by Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 . So for sure something is different and could be there is kind of bug inside jsse.jar in new release. Please investigate and give us recommended solution.


      REGRESSION. Last worked in version 8u112

      ADDITIONAL REGRESSION INFORMATION:
      /opt/jdk1.8.0_112/bin/java -version
      java version "1.8.0_112"
      Java(TM) SE Runtime Environment (build 1.8.0_112-b15)
      Java HotSpot(TM) 64-Bit Server VM (build 25.112-b15, mixed mode)

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      1. Start weblogic (with included external authentication in LDAP by SSL) with jdk 1.8.0.121 Release
      2 Try to authenticate user in Weblogic console or application



      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      User shoudl be authenticated by LDAP
      ACTUAL -
      SSL communication is ending on JVM side with Internal Error:


      TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Internal Error)
      Content Type: Alert (21)
      Version: TLS 1.2 (0x0303)
      Alert Message
      Level: Fatal (2)
      Description: Internal Error (80)

      Inside Weblogic this is error:

      ####<23.02.2017 13:06:40.607 MET> <Debug> <SecuritySSL> <usqwrts001> <server00> <ConnSetupMgr> <<WLS Kernel>> <> <> <1487851600607> <BEA-000000> <[Thread[ConnSetupMgr,5,Pooled Threads]]weblogic.security.SSL.jsseadapter: SSLENGINE: Exception occurred during SSLEngine.unwrap(ByteBuffer,ByteBuffer[]).
      javax.net.ssl.SSLHandshakeException: Unsupported curveId: 21


      ERROR MESSAGES/STACK TRACES THAT OCCUR :
      weblogic.log

      ####<23.02.2017 13:06:40.607 MET> <Debug> <SecuritySSL> <usqwrts001> <server00> <ConnSetupMgr> <<WLS Kernel>> <> <> <1487851600607> <BEA-000000> <[Thread[ConnSetupMgr,5,Pooled Threads]]weblogic.security.SSL.jsseadapter: SSLENGINE: Exception occurred during SSLEngine.unwrap(ByteBuffer,ByteBuffer[]).
      javax.net.ssl.SSLHandshakeException: Unsupported curveId: 21
              at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1478)
              at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
              at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
              at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
              at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:664)
              at weblogic.security.SSL.jsseadapter.JaSSLEngine$5.run(JaSSLEngine.java:134)
              at weblogic.security.SSL.jsseadapter.JaSSLEngine.doAction(JaSSLEngine.java:734)
              at weblogic.security.SSL.jsseadapter.JaSSLEngine.unwrap(JaSSLEngine.java:132)
              at weblogic.socket.JSSEFilterImpl.unwrap(JSSEFilterImpl.java:603)
              at weblogic.socket.JSSEFilterImpl.unwrapAndHandleResults(JSSEFilterImpl.java:507)
              at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:96)
              at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:75)
              at weblogic.socket.JSSESocket.startHandshake(JSSESocket.java:219)
              at weblogic.security.providers.authentication.LDAPAtnDelegate$AtnLDAPSSLSocketFactory.makeSocket(LDAPAtnDelegate.java:4915)
              at netscape.ldap.LDAPConnSetupMgr.connectServer(Unknown Source)
              at netscape.ldap.LDAPConnSetupMgr.openSerial(Unknown Source)
              at netscape.ldap.LDAPConnSetupMgr.connect(Unknown Source)
              at netscape.ldap.LDAPConnSetupMgr.access$000(Unknown Source)
              at netscape.ldap.LDAPConnSetupMgr$1.run(Unknown Source)
              at java.lang.Thread.run(Thread.java:745)
      Caused By: javax.net.ssl.SSLHandshakeException: Unsupported curveId: 21
              at sun.security.ssl.HandshakeMessage$ECDH_ServerKeyExchange.<init>(HandshakeMessage.java:1053)
              at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:284)
              at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
              at sun.security.ssl.Handshaker$1.run(Handshaker.java:966)
              at sun.security.ssl.Handshaker$1.run(Handshaker.java:963)
              at java.security.AccessController.doPrivileged(Native Method)
              at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416)
              at weblogic.socket.JSSEFilterImpl.doTasks(JSSEFilterImpl.java:205)
              at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:111)
              at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:75)
              at weblogic.socket.JSSESocket.startHandshake(JSSESocket.java:219)
              at weblogic.security.providers.authentication.LDAPAtnDelegate$AtnLDAPSSLSocketFactory.makeSocket(LDAPAtnDelegate.java:4915)
              at netscape.ldap.LDAPConnSetupMgr.connectServer(Unknown Source)
              at netscape.ldap.LDAPConnSetupMgr.openSerial(Unknown Source)
              at netscape.ldap.LDAPConnSetupMgr.connect(Unknown Source)
              at netscape.ldap.LDAPConnSetupMgr.access$000(Unknown Source)
              at netscape.ldap.LDAPConnSetupMgr$1.run(Unknown Source)
              at java.lang.Thread.run(Thread.java:745)

      Output from snoop:

      TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Internal Error)
      Content Type: Alert (21)
      Version: TLS 1.2 (0x0303)
      Alert Message
      Level: Fatal (2)
      Description: Internal Error (80)

      REPRODUCIBILITY :
      This bug can be reproduced always.

      CUSTOMER SUBMITTED WORKAROUND :
      Workaround is to use previous release: jdk1.8.0.112 But until bug will be fixed we cannot use latest release of java jdk1.8.0.121

        Attachments

          Activity

            People

            • Assignee:
              psonal Pallavi Sonal
              Reporter:
              webbuggrp Webbug Group
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: