JDK-6998053

javax.net.ssl.SSLException: Received fatal alert: illegal_parameter


    • Type: Bug
    • Resolution: Won't Fix
    • Priority: P3
    • None
    • 6u21
    • security-libs
    • None

      Problem statement:

      Customer ran into an issue with SSL. In PROD, the SSL handshake is successful on the first attempt. The customer then tries to reuse this cached session, and then it fails with this error:

               javax.net.ssl.SSLException: Received fatal alert: illegal_parameter


      Here's the SSL debug output leading to the error:

      Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
      Extension ec_point_formats, formats: [uncompressed]
      ***
      [write] MD5 and SHA1 hashes: len = 191
      JobCourier38, WRITE: TLSv1 Handshake, length = 191
      [Raw write]: length = 196
      [Raw write]: length = 196
      [Raw read]: length = 5
      0000: 15 03 01 00 02 .....
      [Raw read]: length = 2
      0000: 02 2F ./
      JobCourier38, READ: TLSv1 Alert, length = 2
      JobCourier38, RECV TLSv1 ALERT: fatal, illegal_parameter
      JobCourier38, called closeSocket()
      JobCourier38, handling exception: javax.net.ssl.SSLException: Received fatal alert: illegal_parameter


      The problem doesn't happen in QA.

      From the SSL debug output, one difference is that the PROD output contains Elliptic Curve Cryptography (not necessarily the cause)

      Here's the difference in SSL debug output (in PROD):

      Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
      Extension ec_point_formats, formats: [uncompressed]
      ***

      Found this on the web:

      error: " fatal, description = illegal_parameter"

      Article:
      http://forums.sun.com/thread.jspa?threadID=306461

      Potential resolution:

      I was getting illegal_parameter in SSL Handshake with weblogic 6.1. To fix it, I made the com.sun.net.ssl.internal.ssl.Provider be provider 2. I originally had it as provider 3 (preceded by com.sun.rsajca.Provider)

      My providers (as listed in jdk131/jre/lib/security/java.security) are:

      #
      # List of providers and their preference orders (see above):
      #
      security.provider.1=sun.security.provider.Sun
      security.provider.2=com.sun.net.ssl.internal.ssl.Provider
      security.provider.3=com.sun.rsajca.Provider
      security.provider.4=com.sun.crypto.provider.SunJCE

      Once I made this change, my handshake negotiation worked just fine.

      I also had to add the 3 jsse jars to the classpath BEFORE the weblogic jars.


      In the meantime, data collected includes:

      logon to cores2-da-sparc-2-b.central
      /cores_data/local/bin/acl grant 73800616
      cd /cores/73800616

      1. SSL debug output -Djavax.net.ssl.debug=false from
         good (QA) - APAC/uat_works-d1csi1m5.log
         bad (PROD) system - p12csi1m1.log

      2. explorer output from good and bad system
         good (QA) - QA_nsqeap12/explorer.83d565a3.nsqeap12-2010.11.04.08.10
         bad (PROD) - PROD_dspcsi16/explorer.842b2dae.dspcsi16-2010.10.31.06.10


      Old bug with similar error:
      4119461 SSL Connections to Oracle Web Application Server do not work

            wetmore Bradford Wetmore
            lkchow Lawrence Chow
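The two things this report compares between QA and PROD, whether the ClientHello offers a cached session and which extensions it carries, can be read directly from the handshake bytes that the SSL debug trace prints. The sketch below is an added example, not code from the bug report or from the JDK: the function names are hypothetical and the ClientHello messages are constructed samples, while the alert bytes are the two `[Raw read]` lines from the log above.

```python
import struct
EXT_NAMES = {10: "elliptic_curves", 11: "ec_point_formats"}  # RFC 4492
ALERT_NAMES = {47: "illegal_parameter"}                      # RFC 2246

def parse_client_hello(msg: bytes) -> dict:
    """Decode a TLS 1.0 ClientHello handshake message (record header stripped)."""
    if len(msg) < 4 or msg[0] != 1:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len or body_len < 35:
        raise ValueError("truncated ClientHello")
    pos = 34                                   # client_version (2) + random (32)
    sid_len = body[pos]
    session_id = body[pos + 1:pos + 1 + sid_len]
    pos += 1 + sid_len
    cs_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2 + cs_len                          # skip the cipher suite list
    pos += 1 + body[pos]                       # skip the compression methods
    exts = []
    if pos < len(body):                        # the extensions block is optional
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            exts.append(EXT_NAMES.get(etype, "type_%d" % etype))
            pos += 4 + elen
    return {"resumes_session": sid_len > 0, "session_id": session_id.hex(),
            "cipher_suites": cs_len // 2, "extensions": exts}

def parse_alert(record: bytes):
    """Decode a TLS alert record: 5-byte header, then level and description."""
    if len(record) != 7 or record[0] != 0x15:
        raise ValueError("not an alert record")
    level = {1: "warning", 2: "fatal"}.get(record[5], "unknown")
    return level, ALERT_NAMES.get(record[6], "alert_%d" % record[6])

def sample_hello(session_id: bytes, exts: bytes) -> bytes:
    body = b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
    body += b"\x00\x04\x00\x2f\x00\x35\x01\x00"   # constructed: two suites, null compression
    if exts:
        body += len(exts).to_bytes(2, "big") + exts
    return b"\x01" + len(body).to_bytes(3, "big") + body

EC_EXTS = bytes.fromhex("000a000400020017" "000b00020100")  # constructed sample
ALERT_FROM_LOG = bytes.fromhex("1503010002" "022f")         # [Raw read] bytes in the log
first = parse_client_hello(sample_hello(b"", EC_EXTS))          # full handshake
resumed = parse_client_hello(sample_hello(bytes(16), EC_EXTS))  # cached session + EC
plain = parse_client_hello(sample_hello(bytes(16), b""))        # cached session, no EC
print(first, resumed, plain, parse_alert(ALERT_FROM_LOG), sep="\n")
```

Running the same parser over the ClientHello from a working and a failing system shows at a glance whether the failing one is a resumption attempt and whether it carries extensions the other does not.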