openjdk team mailing list archive
-
openjdk team
-
Mailing list archive
-
Message #12352
[Bug 1691126] Re: java.lang.IllegalArgumentException: System property jdk.tls.namedGroups(null) contains no supported elliptic curves
Hi, sorry for the problem people are experiencing. Tiago has prepared
packages which are undergoing review and testing. I have made these
package available in the ubuntu-security-proposed ppa (except for on the
armhf architecture) at https://launchpad.net/~ubuntu-security-
proposed/+archive/ubuntu/ppa/ .
It would be greatly appreciated if people could test these packages to
verify that the address the regression you're seeing. That said, it's
important to understand that these still need to be tested, and should
not be used in production.
Thanks, and again, my apologies.
--
You received this bug notification because you are a member of OpenJDK,
which is subscribed to openjdk-7 in Ubuntu.
https://bugs.launchpad.net/bugs/1691126
Title:
java.lang.IllegalArgumentException: System property
jdk.tls.namedGroups(null) contains no supported elliptic curves
Status in openjdk-7 package in Ubuntu:
Invalid
Status in openjdk-7 source package in Trusty:
In Progress
Bug description:
Tested with the puppetserver package (version 2.2.0-1puppetlabs1).
When running:
$ openssl s_client -showcerts -connect "$(hostname -f):8140"
The following java exception is thrown in the puppetserver:
2017-05-16 14:20:42,835 WARN [qtp1887840931-59] [o.e.j.u.t.QueuedThreadPool]
java.lang.ExceptionInInitializerError: null
at sun.security.ssl.HelloExtensions.<init>(HelloExtensions.java:85) ~[na:1.7.0_131]
at sun.security.ssl.HandshakeMessage$ClientHello.<init>(HandshakeMessage.java:240) ~[na:1.7.0_131]
at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:219) ~[na:1.7.0_131]
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:961) ~[na:1.7.0_131]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:901) ~[na:1.7.0_131]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:899) ~[na:1.7.0_131]
at java.security.AccessController.doPrivileged(Native Method) ~[na:1.7.0_131]
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1333) ~[na:1.7.0_131]
at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:612) ~[puppet-server-release.jar:na]
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:239) ~[puppet-server-release.jar:na]
at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540) ~[puppet-server-release.jar:na]
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635) ~[puppet-server-release.jar:na]
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555) ~[puppet-server-release.jar:na]
at java.lang.Thread.run(Thread.java:745) [na:1.7.0_131]
Caused by: java.lang.IllegalArgumentException: System property jdk.tls.namedGroups(null) contains no supported elliptic curves
at sun.security.ssl.SupportedEllipticCurvesExtension.<clinit>(SupportedEllipticCurvesExtension.java:154) ~[na:1.7.0_131]
... 14 common frames omitted
This bug seems to be the same as the one described in:
- https://bugzilla.redhat.com/show_bug.cgi?id=1422738
- https://bugs.openjdk.java.net/browse/JDK-8173783
- http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=3329
It looks like this was introduced by adding open-jdk 7u131-2.6.9-0 to
http://eu-west-1.ec2.archive.ubuntu.com/ubuntu/pool/main/o/openjdk-7/
EDIT: WORKAROUND
The original workaround steps no longer work because the required
package has been removed from http://eu-
west-1.ec2.archive.ubuntu.com/ubuntu/pool/main/o/openjdk-7.
The new steps make you use the repository at
https://launchpad.net/~openjdk-r/+archive/ubuntu/ppa.
$ gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring /etc/apt/secring.gpg --trustdb-name /etc/
apt/trustdb.gpg --keyring /etc/apt/trusted.gpg --keyserver keyserver.ubuntu.com --recv DA1A4A13543B466853BAF164EB9B1D8886F44E2A
$ echo "deb http://ppa.launchpad.net/openjdk-r/ppa/ubuntu trusty main
deb-src http://ppa.launchpad.net/openjdk-r/ppa/ubuntu trusty main" > /etc/apt/sources.list.d/openjdk-r-ppa.list
$ apt-get update
$ apt-get install openjdk-7-jre-headless=7u121-2.6.8-1~14.04
$ service puppetserver restart
----
> We also need:
> 1) The release of Ubuntu you are using, via 'lsb_release -rd' or System -> About Ubuntu
$ lsb_release -rd
Description: Ubuntu 14.04.5 LTS
Release: 14.04
> 2) The version of the package you are using, via 'apt-cache policy
pkgname' or by checking in Software Center
$ apt-cache policy openjdk-7-jre-headless
openjdk-7-jre-headless:
Installed: 7u131-2.6.9-0ubuntu0.14.04.1
Candidate: 7u131-2.6.9-0ubuntu0.14.04.1
Version table:
*** 7u131-2.6.9-0ubuntu0.14.04.1 0
500 http://eu-west-1.ec2.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
100 /var/lib/dpkg/status
7u51-2.4.6-1ubuntu4 0
500 http://eu-west-1.ec2.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
> 3) What you expected to happen
We expected this command to return certificate information for a web
server:
$ openssl s_client -showcerts -connect "$(hostname -f):8140"
> 4) What happened instead
The command failed and the webserver had a Java stack trace (see
above).
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: openjdk-7-jre-headless 7u131-2.6.9-0ubuntu0.14.04.1
ProcVersionSignature: Ubuntu 3.19.0-58.64~14.04.1-generic 3.19.8-ckt16
Uname: Linux 3.19.0-58-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.23
Architecture: amd64
Date: Tue May 16 14:21:01 2017
Ec2AMI: ami-30b59b43
Ec2AMIManifest: (unknown)
Ec2AvailabilityZone: eu-west-1a
Ec2InstanceType: t2.small
Ec2Kernel: unavailable
Ec2Ramdisk: unavailable
ProcEnviron:
TERM=screen-256color
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: openjdk-7
UpgradeStatus: No upgrade log present (probably fresh install)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjdk-7/+bug/1691126/+subscriptions
References