JDK-8176479 : javax.net.ssl.SSLHandshakeException: Unsupported curveId: 21
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 8u121
  • Priority: P3
  • Status: Closed
  • Resolution: Not an Issue
  • Submitted: 2017-03-10
  • Updated: 2017-05-31
  • Resolved: 2017-05-31
Related Reports
Relates :  
JDK-8148516 - Increase the minimum strength of EC keys
Description
1. Yes issue is Not present when we are using JDK 1.8.0.112 is only present
in jdk 1.8.0.121 as EC keys less than 256 are not supported anymore.

2. Using -Dcom.sun.net.ssl.enableECC=false and restart the WebLogic server
problem does not exist due the fact that ECC is disabled and Ciphers with EC
are not used.

But this is not solution but only workaround. Due to security reason we do
not like disable ECC and use Ciphers without EC. So we would like to find way
to still use Ciphers with EC with keys  from 256bits. So we need to find way
to send list of supported Curves ID in Client Hello message to make
successful Handshake between our Weblogic (on jdk1.8.0.121) and  LDAP.
Comments
The server should be patched to handle supported EC curves. Awaiting feedback from that team. Marking as incomplete for now.
29-03-2017
Please refer to the JDK 8u121 release notes at http://www.oracle.com/technetwork/java/javase/8u121-relnotes-3315208.html Copied here the details of the relevant fix and the bug id: -------------------------------------------------------- Improve the default strength of EC in JDK To improve the default strength of EC cryptography, EC keys less than 224 bits have been deactivated in certification path processing (via the jdk.certpath.disabledAlgorithms Security Property) and SSL/TLS connections (via the jdk.tls.disabledAlgorithms Security Property) in JDK. Applications can update this restriction in the Security Properties and permit smaller key sizes if really needed (for example, "EC keySize < 192"). EC curves less than 256 bits are removed from the SSL/TLS implementation in JDK. The new System Property, jdk.tls.namedGroups, defines a list of enabled named curves for EC cipher suites in order of preference. If an application needs to customize the default enabled EC curves or the curves preference, please update the System Property accordingly. For example: jdk.tls.namedGroups="secp256r1, secp384r1, secp521r1" Note that the default enabled or customized EC curves follow the algorithm constraints. For example, the customized EC curves cannot re-activate the disabled EC keys defined by the Java Security Properties. See JDK-8148516
15-03-2017