FULL PRODUCT VERSION :
java version "1.8.0_131"
Java(TM) SE Runtime Environment (build 1.8.0_131-b11)
Java HotSpot(TM) Client VM (build 25.131-b11, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Version 6.1.7601]
EXTRA RELEVANT SYSTEM CONFIGURATION :
We run a Windows 32 bit JRE from a Windows UNC path on a Windows 64 bit os
A DESCRIPTION OF THE PROBLEM :
With the update from Java 8u121 to 8u131 our Java application is not able to use the elliptic curve cipher suites any more when the JRE is started from a Windows network path/UNC path. Here is the program to get the available ciphers:
import java.util.Arrays;
import javax.net.ssl.SSLServerSocketFactory;
public class Ciphers
{
public static void main(String[] args) throws Exception
{
SSLServerSocketFactory ssf = (SSLServerSocketFactory)SSLServerSocketFactory.getDefault();
String[] supportedCipherSuites = ssf.getSupportedCipherSuites();
Arrays.sort(supportedCipherSuites);
for (String availableCipher : supportedCipherSuites)
{
System.out.println(availableCipher);
}
}
}
If the JRE is started from a local drive the list contains various ECDHE* ciphers e.g.
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
If started from an UNC path (java.exe is on the UNC path, not the application) - even if the UNC path pints to a local drive, all ciphers are missing.
The required elliptic curve ciphers seem to be provided by sunec.jar and the corresponding dll. We have tried to work around Java SecurityManager restrictions for the package
REGRESSION. Last worked in version 8u121
ADDITIONAL REGRESSION INFORMATION:
We believe a change in Launcher causes the error:
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/af0e709d28f9
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
run the given program from a JRE on a Windows UNC path
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
same list of security providers/ciphers is available when java is started from a network/UNC path, especially the ECDHE algorithms are available
ACTUAL -
the mentioned algorithms are not available
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
import java.util.Arrays;
import javax.net.ssl.SSLServerSocketFactory;
public class Ciphers
{
public static void main(String[] args) throws Exception
{
SSLServerSocketFactory ssf = (SSLServerSocketFactory)SSLServerSocketFactory.getDefault();
String[] supportedCipherSuites = ssf.getSupportedCipherSuites();
Arrays.sort(supportedCipherSuites);
for (String availableCipher : supportedCipherSuites)
{
System.out.println(availableCipher);
}
}
}
---------- END SOURCE ----------