- Bug
- Resolution: Fixed
- P2
- 11.0.5-oracle, 13, 14
- b25
- x86_64
- windows_10
- Not verified

Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8257185 | 13.0.6 | Olga Mikhaltcova | P2 | Resolved | Fixed | b02 |
JDK-8234538 | 11.0.7-oracle | Ivan Gerasimov | P2 | Resolved | Fixed | b01 |
JDK-8236258 | 11.0.7 | Xuelei Fan | P2 | Resolved | Fixed | b01 |
JDK-8235294 | 11.0.6-oracle | Ivan Gerasimov | P2 | Closed | Fixed | b07 |
JDK-8235979 | 11.0.6 | Xuelei Fan | P2 | Resolved | Fixed | b08 |
JDK-8256914 | openjdk8u272 | Martin Balao Alonso | P2 | Closed | Fixed | b06 |
JDK-8243694 | 8u261 | Prasadarao Koppula | P2 | Closed | Fixed | b05 |
JDK-8247027 | emb-8u261 | Prasadarao Koppula | P2 | Resolved | Fixed | team |
java version "11.0.5" 2019-10-15 LTS
Java(TM) SE Runtime Environment 18.9 (build 11.0.5+10-LTS)
Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.5+10-LTS, mixed mode)
Windows 10 Pro
A DESCRIPTION OF THE PROBLEM :
We develop an application with which we bundle the Oracle JDK. We currently use Java 8 but are looking to go to Java 11.
Our Legal department requires that the Elliptic Curve Cryptography library is removed so we have done so, according to the instructions in jdk/legal/jdk.crypto.ec/ecc.md which tells us to simply delete libsunec.so/libsunec.dylib/sunec.dll.
Doing so works well on Java 8 but with Java 11(.0.5, but as it appears earlier versions as well) this results in failure to establish TLS connections. We've seen two types of failures as shown below. The first one is from the small test program I'm attaching.
1)
Exception in thread "main" java.lang.UnsatisfiedLinkError: sun.security.ec.ECKeyPairGenerator.isCurveSupported([B)Z
at jdk.crypto.ec/sun.security.ec.ECKeyPairGenerator.isCurveSupported(Native Method)
at jdk.crypto.ec/sun.security.ec.ECKeyPairGenerator.ensureCurveIsSupported(ECKeyPairGenerator.java:135)
at jdk.crypto.ec/sun.security.ec.ECKeyPairGenerator.initialize(ECKeyPairGenerator.java:114)
at java.base/java.security.KeyPairGenerator$Delegate.initialize(KeyPairGenerator.java:699)
at java.base/sun.security.ssl.ECDHKeyExchange$ECDHEPossession.<init>(ECDHKeyExchange.java:112)
at java.base/sun.security.ssl.SSLKeyExchange$T13KeyAgreement.createPossession(SSLKeyExchange.java:575)
at java.base/sun.security.ssl.SSLKeyExchange.createPossessions(SSLKeyExchange.java:88)
at java.base/sun.security.ssl.KeyShareExtension$CHKeyShareProducer.produce(KeyShareExtension.java:263)
at java.base/sun.security.ssl.SSLExtension.produce(SSLExtension.java:532)
at java.base/sun.security.ssl.SSLExtensions.produce(SSLExtensions.java:249)
at java.base/sun.security.ssl.ClientHello$ClientHelloKickstartProducer.produce(ClientHello.java:648)
at java.base/sun.security.ssl.SSLHandshake.kickstart(SSLHandshake.java:515)
at java.base/sun.security.ssl.ClientHandshakeContext.kickstart(ClientHandshakeContext.java:107)
at java.base/sun.security.ssl.TransportContext.kickstart(TransportContext.java:228)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:395)
at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:168)
at com.example.NoEcTest.main(NoEcTest.java:13)
2)
java.lang.RuntimeException: Could not generate ECDH keypair
at java.base/sun.security.ssl.ECDHKeyExchange$ECDHEPossession.<init>(ECDHKeyExchange.java:117)
at java.base/sun.security.ssl.SSLKeyExchange$T13KeyAgreement.createPossession(SSLKeyExchange.java:575)
at java.base/sun.security.ssl.SSLKeyExchange.createPossessions(SSLKeyExchange.java:88)
at java.base/sun.security.ssl.KeyShareExtension$CHKeyShareProducer.produce(KeyShareExtension.java:263)
at java.base/sun.security.ssl.SSLExtension.produce(SSLExtension.java:532)
at java.base/sun.security.ssl.SSLExtensions.produce(SSLExtensions.java:249)
at java.base/sun.security.ssl.ClientHello$ClientHelloKickstartProducer.produce(ClientHello.java:648)
at java.base/sun.security.ssl.SSLHandshake.kickstart(SSLHandshake.java:515)
at java.base/sun.security.ssl.ClientHandshakeContext.kickstart(ClientHandshakeContext.java:107)
at java.base/sun.security.ssl.TransportContext.kickstart(TransportContext.java:228)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:395)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:374)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
at org.springframework.http.client.HttpComponentsClientHttpRequest.executeInternal(HttpComponentsClientHttpRequest.java:87)
at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:48)
at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:53)
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:735)
at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:710)
at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:598)
[REDACTED]
Caused by: java.security.NoSuchAlgorithmException: EC KeyPairGenerator not available
at java.base/java.security.KeyPairGenerator.getInstance(KeyPairGenerator.java:236)
at java.base/sun.security.ssl.JsseJce.getKeyPairGenerator(JsseJce.java:237)
at java.base/sun.security.ssl.ECDHKeyExchange$ECDHEPossession.<init>(ECDHKeyExchange.java:109)
... 35 more}
REGRESSION : Last worked in version 8u231
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1) Install Oracle JDK 11.0.5 on Windows
2) Remove sunec.dll
3) Try to establish a TLS connection
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
To be able to connect (as long as the server accepts some non-EC cipher suites).
ACTUAL -
Exception in thread "main" java.lang.UnsatisfiedLinkError: sun.security.ec.ECKeyPairGenerator.isCurveSupported([B)Z
at jdk.crypto.ec/sun.security.ec.ECKeyPairGenerator.isCurveSupported(Native Method)
at jdk.crypto.ec/sun.security.ec.ECKeyPairGenerator.ensureCurveIsSupported(ECKeyPairGenerator.java:135)
at jdk.crypto.ec/sun.security.ec.ECKeyPairGenerator.initialize(ECKeyPairGenerator.java:114)
at java.base/java.security.KeyPairGenerator$Delegate.initialize(KeyPairGenerator.java:699)
at java.base/sun.security.ssl.ECDHKeyExchange$ECDHEPossession.<init>(ECDHKeyExchange.java:112)
at java.base/sun.security.ssl.SSLKeyExchange$T13KeyAgreement.createPossession(SSLKeyExchange.java:575)
at java.base/sun.security.ssl.SSLKeyExchange.createPossessions(SSLKeyExchange.java:88)
at java.base/sun.security.ssl.KeyShareExtension$CHKeyShareProducer.produce(KeyShareExtension.java:263)
at java.base/sun.security.ssl.SSLExtension.produce(SSLExtension.java:532)
at java.base/sun.security.ssl.SSLExtensions.produce(SSLExtensions.java:249)
at java.base/sun.security.ssl.ClientHello$ClientHelloKickstartProducer.produce(ClientHello.java:648)
at java.base/sun.security.ssl.SSLHandshake.kickstart(SSLHandshake.java:515)
at java.base/sun.security.ssl.ClientHandshakeContext.kickstart(ClientHandshakeContext.java:107)
at java.base/sun.security.ssl.TransportContext.kickstart(TransportContext.java:228)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:395)
at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:168)
at com.example.NoEcTest.main(NoEcTest.java:13)
---------- BEGIN SOURCE ----------
package com.example;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

public class NoEcTest {
    public static void main(String[] args) throws IOException {
        URL url = new URL("https://example.com/");
        HttpURLConnection con = (HttpURLConnection) url.openConnection();
        con.setRequestMethod("GET");
        // connect() starts the TLS handshake; this is line 13 in the stack trace
        con.connect();
        System.out.println(con.getResponseCode());
    }
}
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
Providing another EC library (like Bouncy Castle).
FREQUENCY : always
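
A runtime check for the two failure modes reported above, as an added example that is not part of the original report or the JDK's own code. The class name `EcProbe` and its methods are hypothetical, and the cipher-suite filter works on suite names only.

```java
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.spec.ECGenParameterSpec;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;

// Added diagnostic (hypothetical class name EcProbe): reports whether the
// runtime can generate EC key pairs and which enabled suites name no EC.
public class EcProbe {

    // Repeats the two calls seen in the traces: getInstance, then initialize.
    static String probeEc() {
        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
            kpg.initialize(new ECGenParameterSpec("secp256r1"));
            kpg.generateKeyPair();
            return "EC available via " + kpg.getProvider().getName();
        } catch (NoSuchAlgorithmException e) {
            // Failure 2: no registered provider offers an EC KeyPairGenerator.
            return "EC unavailable: " + e.getMessage();
        } catch (UnsatisfiedLinkError e) {
            // Failure 1: provider is registered but its native library is gone.
            // This is an Error, so catch (Exception e) alone would miss it.
            return "EC provider present, native code missing: " + e.getMessage();
        } catch (Exception e) {
            return "EC unusable: " + e;
        }
    }

    // Keeps suite names that mention no EC key exchange or EC signature.
    static List<String> nonEcSuites(String[] suites) {
        List<String> out = new ArrayList<>();
        for (String s : suites) {
            if (!s.contains("_ECDHE_") && !s.contains("_ECDH_") && !s.contains("_ECDSA_")) {
                out.add(s);
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        System.out.println(probeEc());
        String[] enabled = SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites();
        // TLS 1.3 names (TLS_AES_...) do not encode the key exchange, so they
        // pass this filter even though their key share may still be EC.
        nonEcSuites(enabled).forEach(System.out::println);
    }
}
```

Running it on a bundled runtime before and after removing the library shows which of the two exceptions that build produces without needing a network connection.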
- backported by
  - JDK-8234538 UnsatisfiedLinkError or NoSuchAlgorithmException after removing sunec.dll (Resolved)
  - JDK-8235979 UnsatisfiedLinkError or NoSuchAlgorithmException after removing sunec.dll (Resolved)
  - JDK-8236258 UnsatisfiedLinkError or NoSuchAlgorithmException after removing sunec.dll (Resolved)
  - JDK-8247027 UnsatisfiedLinkError or NoSuchAlgorithmException after removing sunec.dll (Resolved)
  - JDK-8257185 UnsatisfiedLinkError or NoSuchAlgorithmException after removing sunec.dll (Resolved)
  - JDK-8235294 UnsatisfiedLinkError or NoSuchAlgorithmException after removing sunec.dll (Closed)
  - JDK-8243694 UnsatisfiedLinkError or NoSuchAlgorithmException after removing sunec.dll (Closed)
  - JDK-8256914 UnsatisfiedLinkError or NoSuchAlgorithmException after removing sunec.dll (Closed)
- relates to
  - JDK-8234611 Could UnsatisfiedLinkError get thrown for SunEC provider (Closed)
  - JDK-8234612 Add a new test case to check if sunec is not available (Closed)
  - JDK-8234615 Separate the algorithms in the SunEC provider (Closed)