← Back to team overview

openjdk team mailing list archive

  1. openjdk team
  2. Mailing list archive
  3. Message #07975

[Bug 989236] [NEW] severe openjdk-6-jre ssl negotiation incompatibility (fixed upstream long ago...)

  Thread PreviousDate PreviousThread Next 
Public bug reported:

See also:

https://bugster.forgerock.org/jira/browse/OPENDJ-461

How to reproduce:

Install (for example) Hudson CI 2.2.0 and activate the SSL port. Here is
the config:

NAME=hudson
JAVA=/usr/lib/jvm/java-1.6.0-openjdk/bin/java
JAVA_ARGS="-Xmx512M -XX:+UseG1GC -Dcom.sun.management.jmxremote.port=18189 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -Djavax.net.debug=ssl,handshake"
PIDFILE=/var/run/hudson/hudson.pid
HUDSON_USER=hudson
HUDSON_WAR=/usr/share/hudson/hudson.war
HUDSON_HOME=/var/lib/hudson
RUN_STANDALONE=true
HUDSON_LOG=/var/log/hudson/$NAME.log
MAXOPENFILES=8192
HTTP_PORT=9087
AJP_PORT=-1
HUDSON_ARGS="--webroot=/var/run/hudson/war --httpsPort=$((HTTP_PORT+1)) --httpPort=$HTTP_PORT --ajp13Port=$AJP_PORT "


Then try to connect using wget, curl or apache reverse proxy and you'll get in hudson.log:

RequestHandlerThread[#5], handling exception: java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
RequestHandlerThread[#5], IOException in getSession():  javax.net.ssl.SSLException: java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID

Curl outputs:

curl: (35) error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1
alert internal error


Current openjdk-7-jre is also affected.


Using my own java 7 build (built against Ubuntu 11.10) works flawlessly on 12.04  (NOT icedtea based, just built using java 7 sources and using java 6 binaries). It is available at https://build.opensuse.org/package/show?package=optjdk7&project=home%3Akalium%3Atest .

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: openjdk-6-jre 6b24-1.11.1-4ubuntu2
ProcVersionSignature: Ubuntu 3.2.0-23.36-generic 3.2.14
Uname: Linux 3.2.0-23-generic x86_64
NonfreeKernelModules: nvidia
ApportVersion: 2.0.1-0ubuntu5
Architecture: amd64
Date: Thu Apr 26 22:46:39 2012
EcryptfsInUse: Yes
ProcEnviron:
 TERM=xterm
 SHELL=/bin/bash
 PATH=(custom, user)
 LANG=de_DE.UTF-8
 LANGUAGE=de:en
SourcePackage: openjdk-6
UpgradeStatus: Upgraded to precise on 2012-02-12 (74 days ago)

** Affects: openjdk-6 (Ubuntu)
     Importance: Undecided
         Status: Confirmed


** Tags: amd64 apport-bug precise

-- 
You received this bug notification because you are a member of OpenJDK,
which is subscribed to openjdk-6 in Ubuntu.
https://bugs.launchpad.net/bugs/989236

Title:
  severe openjdk-6-jre ssl negotiation incompatibility (fixed upstream
  long ago...)

Status in “openjdk-6” package in Ubuntu:
  Confirmed

Bug description:
  See also:

  https://bugster.forgerock.org/jira/browse/OPENDJ-461

  How to reproduce:

  Install (for example) Hudson CI 2.2.0 and activate the SSL port. Here
  is the config:

  NAME=hudson
  JAVA=/usr/lib/jvm/java-1.6.0-openjdk/bin/java
  JAVA_ARGS="-Xmx512M -XX:+UseG1GC -Dcom.sun.management.jmxremote.port=18189 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -Djavax.net.debug=ssl,handshake"
  PIDFILE=/var/run/hudson/hudson.pid
  HUDSON_USER=hudson
  HUDSON_WAR=/usr/share/hudson/hudson.war
  HUDSON_HOME=/var/lib/hudson
  RUN_STANDALONE=true
  HUDSON_LOG=/var/log/hudson/$NAME.log
  MAXOPENFILES=8192
  HTTP_PORT=9087
  AJP_PORT=-1
  HUDSON_ARGS="--webroot=/var/run/hudson/war --httpsPort=$((HTTP_PORT+1)) --httpPort=$HTTP_PORT --ajp13Port=$AJP_PORT "

  
  Then try to connect using wget, curl or apache reverse proxy and you'll get in hudson.log:

  RequestHandlerThread[#5], handling exception: java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
  RequestHandlerThread[#5], IOException in getSession():  javax.net.ssl.SSLException: java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID

  Curl outputs:

  curl: (35) error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1
  alert internal error

  
  Current openjdk-7-jre is also affected.

  
  Using my own java 7 build (built against Ubuntu 11.10) works flawlessly on 12.04  (NOT icedtea based, just built using java 7 sources and using java 6 binaries). It is available at https://build.opensuse.org/package/show?package=optjdk7&project=home%3Akalium%3Atest .

  ProblemType: Bug
  DistroRelease: Ubuntu 12.04
  Package: openjdk-6-jre 6b24-1.11.1-4ubuntu2
  ProcVersionSignature: Ubuntu 3.2.0-23.36-generic 3.2.14
  Uname: Linux 3.2.0-23-generic x86_64
  NonfreeKernelModules: nvidia
  ApportVersion: 2.0.1-0ubuntu5
  Architecture: amd64
  Date: Thu Apr 26 22:46:39 2012
  EcryptfsInUse: Yes
  ProcEnviron:
   TERM=xterm
   SHELL=/bin/bash
   PATH=(custom, user)
   LANG=de_DE.UTF-8
   LANGUAGE=de:en
  SourcePackage: openjdk-6
  UpgradeStatus: Upgraded to precise on 2012-02-12 (74 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjdk-6/+bug/989236/+subscriptions

Follow ups

References

  Thread PreviousDate PreviousThread Next