-
Bug
-
Resolution: Fixed
-
P2
-
8u261, 11.0.8-oracle
-
b01
| Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
|---|---|---|---|---|---|---|
| JDK-8253887 | 11.0.10 | David Alvarez | P2 | Resolved | Fixed | b01 |
| JDK-8251436 | 11.0.9-oracle | Sean Coffey | P2 | Closed | Fixed | b05 |
| JDK-8253613 | 11.0.9 | David Alvarez | P2 | Resolved | Fixed | b10 |
| JDK-8251393 | 8u281 | Sean Coffey | P2 | Resolved | Fixed | b01 |
| JDK-8251408 | 8u271 | Sean Coffey | P2 | Closed | Fixed | b05 |
| JDK-8257321 | emb-8u281 | Sean Coffey | P2 | Resolved | Fixed | team |
| JDK-8252277 | emb-8u271 | Sean Coffey | P2 | Resolved | Fixed | team |
Submitter seeing regression with JDK 8u261
When they enable FIPS, their code uses the JDK Security provider name Alias
feature to workaround the JDBC driver's SSL Context loading problem (i.e., in
CustomSSLSocketFactory.createSSLContext(), line 337
/* 337 */ SSLContext arg2 = SSLContext.getInstance("SSL");
The workaround is provided by OCI code JCEProviders.load(), with following
use of alias "TLS" for "SSL"
// Remove default jsse provider, and add a BC FIPS compatible one
com.sun.net.ssl.internal.ssl.Provider jsseProvider =
new com.sun.net.ssl.internal.ssl.Provider(BouncyCastleFipsProvider.PROVIDER_NAME);
jsseProvider.put("Alg.Alias.SSLContext.SSL", "TLS"); // Map SSL -> TLS for SSLContext
Security.removeProvider(jsseProvider.getName());
Security.insertProviderAt(jsseProvider, 2);
log.info("Initialized JSSE provider with BouncyCastle-FIPS in position 2");
Now with latest JDK8 261 B33, this workaround no longer works, and saw
following exception when connecting to ATP Database by using JDBC8 driver
Exception in thread "main" java.sql.SQLRecoverableException: IO Error: The
Network Adapter could not establish the connection
at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:801)
at oracle.jdbc.driver.PhysicalConnection.connect(PhysicalConnection.java:782)
at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:39)
at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:704)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:208)
at com.oracle.oci.cnrc.jdbc.Main.getConnection(Main.java:86)
at com.oracle.oci.cnrc.jdbc.Main.main(Main.java:42)
Caused by: oracle.net.ns.NetException: The Network Adapter could not establish the connection
at oracle.net.nt.ConnStrategy.execute(ConnStrategy.java:569)
at oracle.net.resolver.AddrResolution.resolveAndExecute(AddrResolution.java:521)
at oracle.net.ns.NSProtocol.establishConnection(NSProtocol.java:660)
at oracle.net.ns.NSProtocol.connect(NSProtocol.java:287)
at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1481)
at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:540)
... 7 more
Caused by: oracle.net.ns.NetException: Unable to initialize ssl context.
atoracle.net.nt.CustomSSLSocketFactory.createSSLContext(CustomSSLSocketFactory.java:344)
at oracle.net.nt.CustomSSLSocketFactory.getSSLContext(CustomSSLSocketFactory.java:305)
at oracle.net.nt.CustomSSLSocketFactory.getSSLSocketEngine(CustomSSLSocketFactory.java:271)
at oracle.net.nt.TcpsNTAdapter.connect(TcpsNTAdapter.java:170)
at oracle.net.nt.ConnOption.connect(ConnOption.java:172)
at oracle.net.nt.ConnStrategy.execute(ConnStrategy.java:508)
... 12 more
Caused by: java.security.NoSuchAlgorithmException: SSL SSLContext not available
at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156)
at oracle.net.nt.CustomSSLSocketFactory.createSSLContext(CustomSSLSocketFactory.java:337)
... 17 more
When they enable FIPS, their code uses the JDK Security provider name Alias
feature to workaround the JDBC driver's SSL Context loading problem (i.e., in
CustomSSLSocketFactory.createSSLContext(), line 337
/* 337 */ SSLContext arg2 = SSLContext.getInstance("SSL");
The workaround is provided by OCI code JCEProviders.load(), with following
use of alias "TLS" for "SSL"
// Remove default jsse provider, and add a BC FIPS compatible one
com.sun.net.ssl.internal.ssl.Provider jsseProvider =
new com.sun.net.ssl.internal.ssl.Provider(BouncyCastleFipsProvider.PROVIDER_NAME);
jsseProvider.put("Alg.Alias.SSLContext.SSL", "TLS"); // Map SSL -> TLS for SSLContext
Security.removeProvider(jsseProvider.getName());
Security.insertProviderAt(jsseProvider, 2);
log.info("Initialized JSSE provider with BouncyCastle-FIPS in position 2");
Now with latest JDK8 261 B33, this workaround no longer works, and saw
following exception when connecting to ATP Database by using JDBC8 driver
Exception in thread "main" java.sql.SQLRecoverableException: IO Error: The
Network Adapter could not establish the connection
at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:801)
at oracle.jdbc.driver.PhysicalConnection.connect(PhysicalConnection.java:782)
at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:39)
at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:704)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:208)
at com.oracle.oci.cnrc.jdbc.Main.getConnection(Main.java:86)
at com.oracle.oci.cnrc.jdbc.Main.main(Main.java:42)
Caused by: oracle.net.ns.NetException: The Network Adapter could not establish the connection
at oracle.net.nt.ConnStrategy.execute(ConnStrategy.java:569)
at oracle.net.resolver.AddrResolution.resolveAndExecute(AddrResolution.java:521)
at oracle.net.ns.NSProtocol.establishConnection(NSProtocol.java:660)
at oracle.net.ns.NSProtocol.connect(NSProtocol.java:287)
at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1481)
at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:540)
... 7 more
Caused by: oracle.net.ns.NetException: Unable to initialize ssl context.
atoracle.net.nt.CustomSSLSocketFactory.createSSLContext(CustomSSLSocketFactory.java:344)
at oracle.net.nt.CustomSSLSocketFactory.getSSLContext(CustomSSLSocketFactory.java:305)
at oracle.net.nt.CustomSSLSocketFactory.getSSLSocketEngine(CustomSSLSocketFactory.java:271)
at oracle.net.nt.TcpsNTAdapter.connect(TcpsNTAdapter.java:170)
at oracle.net.nt.ConnOption.connect(ConnOption.java:172)
at oracle.net.nt.ConnStrategy.execute(ConnStrategy.java:508)
... 12 more
Caused by: java.security.NoSuchAlgorithmException: SSL SSLContext not available
at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156)
at oracle.net.nt.CustomSSLSocketFactory.createSSLContext(CustomSSLSocketFactory.java:337)
... 17 more
- backported by
-
JDK-8251393 Provider.put no longer registering aliases in FIPS env
-
- Resolved
-
-
-
- Resolved
-
-
-
- Resolved
-
-
-
- Resolved
-
-
-
- Resolved
-
-
-
- Closed
-
-
-
- Closed
-
- relates to
-
JDK-7092821 java.security.Provider.getService() is synchronized and became scalability bottleneck
-
- Resolved
-
-
-
- Resolved
-
-
-
- Closed
-
(2 backported by, 3 relates to)
[JDK-8250787] Provider.put no longer registering aliases in FIPS env
[~alvdavi] Approved for 11.0.9. Please push to jdk-updates/jdk11u directly (not jdk11u-dev).
Fix request (11u)
Open P2 bug
RFR: https://mail.openjdk.java.net/pipermail/jdk-updates-dev/2020-September/003867.html
Open P2 bug
RFR: https://mail.openjdk.java.net/pipermail/jdk-updates-dev/2020-September/003867.html
This particular workaround (in the bug report) relies on SunJSSE provider doing its registration in the legacy way and stopped working when it's changed to use the Service-based model provider registration as part of JDK-7092821.
The put method populates a (per Provider) legacyMap. To register an alias in the form used, the alias addition assumes that the legacyMap contains an entry for SSLContext.TLS (and hence the impl class) - previously, it would register the alias with the same implClass.
With