ADDITIONAL SYSTEM INFORMATION :
java version "11.0.5" 2019-10-15 LTS
Java(TM) SE Runtime Environment 18.9 (build 11.0.5+10-LTS)
Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.5+10-LTS, mixed mode)
Windows 10 Pro

A DESCRIPTION OF THE PROBLEM :
We develop an application with which we bundle the Oracle JDK. We currently use Java 8 but are looking to move to Java 11. Our Legal department requires that the Elliptic Curve Cryptography library be removed, so we have done so according to the instructions in jdk/legal/jdk.crypto.ec/ecc.md, which tell us to simply delete libsunec.so/libsunec.dylib/sunec.dll. Doing so works well on Java 8, but with Java 11 (11.0.5 and, it appears, earlier versions as well) it results in a failure to establish TLS connections. We've seen two types of failures, shown below. The first one is from the small test program I'm attaching. In both, the exception is raised while the client is generating its ECDHE key share for the TLS 1.3 ClientHello (the KeyShareExtension$CHKeyShareProducer and SSLKeyExchange$T13KeyAgreement frames), that is, before any cipher suite has been negotiated with the server.

1) Exception in thread "main" java.lang.UnsatisfiedLinkError: sun.security.ec.ECKeyPairGenerator.isCurveSupported([B)Z
    at jdk.crypto.ec/sun.security.ec.ECKeyPairGenerator.isCurveSupported(Native Method)
    at jdk.crypto.ec/sun.security.ec.ECKeyPairGenerator.ensureCurveIsSupported(ECKeyPairGenerator.java:135)
    at jdk.crypto.ec/sun.security.ec.ECKeyPairGenerator.initialize(ECKeyPairGenerator.java:114)
    at java.base/java.security.KeyPairGenerator$Delegate.initialize(KeyPairGenerator.java:699)
    at java.base/sun.security.ssl.ECDHKeyExchange$ECDHEPossession.<init>(ECDHKeyExchange.java:112)
    at java.base/sun.security.ssl.SSLKeyExchange$T13KeyAgreement.createPossession(SSLKeyExchange.java:575)
    at java.base/sun.security.ssl.SSLKeyExchange.createPossessions(SSLKeyExchange.java:88)
    at java.base/sun.security.ssl.KeyShareExtension$CHKeyShareProducer.produce(KeyShareExtension.java:263)
    at java.base/sun.security.ssl.SSLExtension.produce(SSLExtension.java:532)
    at java.base/sun.security.ssl.SSLExtensions.produce(SSLExtensions.java:249)
    at java.base/sun.security.ssl.ClientHello$ClientHelloKickstartProducer.produce(ClientHello.java:648)
    at java.base/sun.security.ssl.SSLHandshake.kickstart(SSLHandshake.java:515)
    at java.base/sun.security.ssl.ClientHandshakeContext.kickstart(ClientHandshakeContext.java:107)
    at java.base/sun.security.ssl.TransportContext.kickstart(TransportContext.java:228)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:395)
    at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
    at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:168)
    at com.example.NoEcTest.main(NoEcTest.java:13)

2) java.lang.RuntimeException: Could not generate ECDH keypair
    at java.base/sun.security.ssl.ECDHKeyExchange$ECDHEPossession.<init>(ECDHKeyExchange.java:117)
    at java.base/sun.security.ssl.SSLKeyExchange$T13KeyAgreement.createPossession(SSLKeyExchange.java:575)
    at java.base/sun.security.ssl.SSLKeyExchange.createPossessions(SSLKeyExchange.java:88)
    at java.base/sun.security.ssl.KeyShareExtension$CHKeyShareProducer.produce(KeyShareExtension.java:263)
    at java.base/sun.security.ssl.SSLExtension.produce(SSLExtension.java:532)
    at java.base/sun.security.ssl.SSLExtensions.produce(SSLExtensions.java:249)
    at java.base/sun.security.ssl.ClientHello$ClientHelloKickstartProducer.produce(ClientHello.java:648)
    at java.base/sun.security.ssl.SSLHandshake.kickstart(SSLHandshake.java:515)
    at java.base/sun.security.ssl.ClientHandshakeContext.kickstart(ClientHandshakeContext.java:107)
    at java.base/sun.security.ssl.TransportContext.kickstart(TransportContext.java:228)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:395)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:374)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
    at org.springframework.http.client.HttpComponentsClientHttpRequest.executeInternal(HttpComponentsClientHttpRequest.java:87)
    at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:48)
    at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:53)
    at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:735)
    at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:710)
    at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:598)
    [REDACTED]
Caused by: java.security.NoSuchAlgorithmException: EC KeyPairGenerator not available
    at java.base/java.security.KeyPairGenerator.getInstance(KeyPairGenerator.java:236)
    at java.base/sun.security.ssl.JsseJce.getKeyPairGenerator(JsseJce.java:237)
    at java.base/sun.security.ssl.ECDHKeyExchange$ECDHEPossession.<init>(ECDHKeyExchange.java:109)
    ... 35 more

REGRESSION : Last worked in version 8u231

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1) Install Oracle JDK 11.0.5 on Windows
2) Remove sunec.dll
3) Try to establish a TLS connection

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
To be able to connect (as long as the server accepts some non-EC cipher suites).
ACTUAL -
Exception in thread "main" java.lang.UnsatisfiedLinkError: sun.security.ec.ECKeyPairGenerator.isCurveSupported([B)Z
    at jdk.crypto.ec/sun.security.ec.ECKeyPairGenerator.isCurveSupported(Native Method)
    at jdk.crypto.ec/sun.security.ec.ECKeyPairGenerator.ensureCurveIsSupported(ECKeyPairGenerator.java:135)
    at jdk.crypto.ec/sun.security.ec.ECKeyPairGenerator.initialize(ECKeyPairGenerator.java:114)
    at java.base/java.security.KeyPairGenerator$Delegate.initialize(KeyPairGenerator.java:699)
    at java.base/sun.security.ssl.ECDHKeyExchange$ECDHEPossession.<init>(ECDHKeyExchange.java:112)
    at java.base/sun.security.ssl.SSLKeyExchange$T13KeyAgreement.createPossession(SSLKeyExchange.java:575)
    at java.base/sun.security.ssl.SSLKeyExchange.createPossessions(SSLKeyExchange.java:88)
    at java.base/sun.security.ssl.KeyShareExtension$CHKeyShareProducer.produce(KeyShareExtension.java:263)
    at java.base/sun.security.ssl.SSLExtension.produce(SSLExtension.java:532)
    at java.base/sun.security.ssl.SSLExtensions.produce(SSLExtensions.java:249)
    at java.base/sun.security.ssl.ClientHello$ClientHelloKickstartProducer.produce(ClientHello.java:648)
    at java.base/sun.security.ssl.SSLHandshake.kickstart(SSLHandshake.java:515)
    at java.base/sun.security.ssl.ClientHandshakeContext.kickstart(ClientHandshakeContext.java:107)
    at java.base/sun.security.ssl.TransportContext.kickstart(TransportContext.java:228)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:395)
    at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
    at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:168)
    at com.example.NoEcTest.main(NoEcTest.java:13)

---------- BEGIN SOURCE ----------
package com.example;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

public class NoEcTest {
    public static void main(String[] args) throws IOException {
        URL url = new URL("https://example.com/");
        HttpURLConnection con = (HttpURLConnection) url.openConnection();
        con.setRequestMethod("GET");
        con.connect();
        System.out.println(con.getResponseCode());
    }
}
---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
Providing another EC library (like Bouncy Castle).

FREQUENCY : always