- Bug
- Resolution: Fixed
- P3
- 8
- b08
- x86
- solaris_11
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8063944 | 8u45 | Valerie Peng | P3 | Resolved | Fixed | b01 |
JDK-8039048 | 8u40 | Valerie Peng | P3 | Resolved | Fixed | b04 |
JDK-8069782 | emb-8u47 | Valerie Peng | P3 | Resolved | Fixed | team |
FULL PRODUCT VERSION :
java version "1.8.0"
Java(TM) SE Runtime Environment (build 1.8.0-b129)
Java HotSpot(TM) 64-Bit Server VM (build 25.0-b69, mixed mode)
java version "1.8.0"
Java(TM) SE Runtime Environment (build 1.8.0-b132)
Java HotSpot(TM) 64-Bit Server VM (build 25.0-b70, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
SunOS 7iv05-server-2 5.11 11.1 i86pc i386 i86pc
A DESCRIPTION OF THE PROBLEM :
Trying to access a locally installed Tomcat 8.0.3 instance via HTTPS using an SSL certificate doesn't work with Java 8 builds 129 and 132; the browser only shows an error message indicating an SSL connection error.
However, using the same Tomcat with Java 7u51 instead of Java 8 works.
See the discussion in the java.net forum:
https://www.java.net/forum/topic/jdk/java-se-snapshots-project-feedback/problem-java-18-and-ssl
REGRESSION. Last worked in version 7u51
ADDITIONAL REGRESSION INFORMATION:
$ /usr/local/jdk/jdk1.7.0/bin/java -version
java version "1.7.0_51"
Java(TM) SE Runtime Environment (build 1.7.0_51-b13)
Java HotSpot(TM) Server VM (build 24.51-b03, mixed mode)
$ /usr/local/jdk/jdk1.7.0/bin/java -d64 -version
java version "1.7.0_51"
Java(TM) SE Runtime Environment (build 1.7.0_51-b13)
Java HotSpot(TM) 64-Bit Server VM (build 24.51-b03, mixed mode)
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Create a certificate:
$ keytool -genkeypair -alias tomcat -keyalg RSA
$ keytool -certreq -keyalg RSA -alias tomcat -file tomcat.csr
2. Sign the request using my own CA:
$ openssl ca -out tomcat.cer -policy policy_anything -days 3650 -infiles tomcat.csr
3. Import the root CA certificate and the signed certificate into the Tomcat user's keystore:
$ keytool -import -alias root -trustcacerts -file <my-own-root-ca.crt>
$ keytool -import -alias tomcat -file tomcat.cer
4. Install Tomcat 8.0.3 and enable the SSL connector as described in the docs, i.e. enable the following connector in <tomcat_home>/conf/server.conf:
<Connector port="4443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="${user.home}/.keystore" keystorePass="changeit" />
5. Start Tomcat and try to access its web page via HTTPS (http://localhost:8443)
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The Tomcat welcome web page saying "If you're seeing this, you've successfully installed Tomcat. Congratulations!"
ACTUAL -
The web page can't be loaded because of an SSL connection error.
Firefox shows:
An error occurred during a connection to 7iv05-server-2.vkb.loc:8443.
SSL received a record with an incorrect Message Authentication Code.
(Error code: ssl_error_bad_mac_read)
Google Chrome says:
SSL connection error
ERROR MESSAGES/STACK TRACES THAT OCCUR :
The file catalina.out in Tomcat's log folder contains the following stack trace:
07-Mar-2014 12:13:31.338 SEVERE [http-nio-8443-exec-15] org.apache.coyote.http11.AbstractHttp11Processor.process Error processing request
java.lang.IllegalStateException: Must use either different key or iv for GCM encryption
at com.oracle.security.ucrypto.NativeGCMCipher.engineDoFinal(NativeGCMCipher.java:359)
at javax.crypto.CipherSpi.bufferCrypt(CipherSpi.java:830)
at javax.crypto.CipherSpi.engineDoFinal(CipherSpi.java:730)
at javax.crypto.Cipher.doFinal(Cipher.java:2416)
at sun.security.ssl.CipherBox.encrypt(CipherBox.java:396)
at sun.security.ssl.EngineOutputRecord.write(EngineOutputRecord.java:300)
at sun.security.ssl.EngineOutputRecord.write(EngineOutputRecord.java:225)
at sun.security.ssl.EngineWriter.writeRecord(EngineWriter.java:186)
at sun.security.ssl.SSLEngineImpl.writeRecord(SSLEngineImpl.java:1280)
at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1251)
at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1166)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
at org.apache.tomcat.util.net.SecureNioChannel.write(SecureNioChannel.java:498)
at org.apache.tomcat.util.net.NioBlockingSelector.write(NioBlockingSelector.java:101)
at org.apache.tomcat.util.net.NioSelectorPool.write(NioSelectorPool.java:173)
at org.apache.coyote.http11.InternalNioOutputBuffer.writeToSocket(InternalNioOutputBuffer.java:139)
at org.apache.coyote.http11.InternalNioOutputBuffer.addToBB(InternalNioOutputBuffer.java:197)
at org.apache.coyote.http11.InternalNioOutputBuffer.access$000(InternalNioOutputBuffer.java:41)
at org.apache.coyote.http11.InternalNioOutputBuffer$SocketOutputBuffer.doWrite(InternalNioOutputBuffer.java:320)
at org.apache.coyote.http11.filters.ChunkedOutputFilter.doWrite(ChunkedOutputFilter.java:118)
at org.apache.coyote.http11.AbstractOutputBuffer.doWrite(AbstractOutputBuffer.java:257)
at org.apache.coyote.Response.doWrite(Response.java:523)
at org.apache.catalina.connector.OutputBuffer.realWriteBytes(OutputBuffer.java:391)
at org.apache.tomcat.util.buf.ByteChunk.flushBuffer(ByteChunk.java:426)
at org.apache.catalina.connector.OutputBuffer.realWriteChars(OutputBuffer.java:474)
at org.apache.tomcat.util.buf.CharChunk.flushBuffer(CharChunk.java:393)
at org.apache.catalina.connector.OutputBuffer.close(OutputBuffer.java:276)
at org.apache.catalina.connector.Response.finishResponse(Response.java:409)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:557)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1015)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:652)
at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:222)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1575)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1533)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:744)
REPRODUCIBILITY :
This bug can be reproduced always.
CUSTOMER SUBMITTED WORKAROUND :
Use Java 7u51 instead of Java 8.
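The `IllegalStateException` in the stack trace above is the JCE guard against encrypting twice under the same AES-GCM key and IV. The following added example (not part of the original report and not JDK source) shows the per-record pattern a TLS 1.2 GCM sender has to follow and the two ways the guard trips. It assumes the JDK's default AES/GCM provider rather than ucrypto; the class name `GcmRecordNonceDemo`, the key, the salt and the simplified AAD are constructed for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.SecureRandom;

public class GcmRecordNonceDemo {
    // TLS 1.2 AES-GCM nonce: 4-byte implicit salt + 8-byte explicit part
    // (here the record sequence number), 12 bytes in total.
    static byte[] nonce(byte[] salt, long seq) {
        return ByteBuffer.allocate(12).put(salt).putLong(seq).array();
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();      // constructed sample key
        byte[] salt = new byte[4];
        new SecureRandom().nextBytes(salt);    // constructed sample salt
        byte[] record = "HTTP/1.1 200 OK".getBytes(StandardCharsets.US_ASCII);

        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");

        // Correct pattern: a fresh init() with a new nonce for every record.
        for (long seq = 0; seq < 3; seq++) {
            gcm.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce(salt, seq)));
            // Simplified AAD: the sequence number only (real TLS adds type, version, length).
            gcm.updateAAD(ByteBuffer.allocate(8).putLong(seq).array());
            byte[] ct = gcm.doFinal(record);   // ciphertext + 16-byte tag
            System.out.println("record " + seq + ": " + ct.length + " bytes");
        }

        // Failure mode 1: a second doFinal() with no init() in between.
        try {
            gcm.doFinal(record);
        } catch (IllegalStateException e) {
            System.out.println("encrypt without re-init rejected: " + e.getMessage());
        }

        // Failure mode 2: init() again with the key and nonce of the last record.
        try {
            gcm.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce(salt, 2)));
        } catch (InvalidAlgorithmParameterException e) {
            System.out.println("same key+IV rejected: " + e.getMessage());
        }
    }
}
```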
Backported by:
- JDK-8039048 Accessing Tomcat 8.0.3 via HTTPS doesn't work using TLS 1.2 GCM with ucrypto provider (Resolved)
- JDK-8063944 Accessing Tomcat 8.0.3 via HTTPS doesn't work using TLS 1.2 GCM with ucrypto provider (Resolved)
- JDK-8069782 Accessing Tomcat 8.0.3 via HTTPS doesn't work using TLS 1.2 GCM with ucrypto provider (Resolved)