← Back to team overview

openjdk team mailing list archive

[Bug 1691126] Re: java.lang.IllegalArgumentException: System property jdk.tls.namedGroups(null) contains no supported elliptic curves

 

Looking at https://bugs.openjdk.java.net/browse/JDK-8148516, I'm not
seeing a CVE number attached. In addition, this issue is marked as an
"enhancement".

Would it be possible to confirm how an enhancement ended up inside a
security release?

-- 
You received this bug notification because you are a member of OpenJDK,
which is subscribed to openjdk-7 in Ubuntu.
https://bugs.launchpad.net/bugs/1691126

Title:
  java.lang.IllegalArgumentException: System property
  jdk.tls.namedGroups(null) contains no supported elliptic curves

Status in openjdk-7 package in Ubuntu:
  Invalid
Status in openjdk-7 source package in Trusty:
  Fix Released

Bug description:
  Tested with the puppetserver package (version 2.2.0-1puppetlabs1).

  When running:

  $ openssl s_client -showcerts -connect "$(hostname -f):8140"

  The following java exception is thrown in the puppetserver:

  2017-05-16 14:20:42,835 WARN  [qtp1887840931-59] [o.e.j.u.t.QueuedThreadPool]
  java.lang.ExceptionInInitializerError: null
          at sun.security.ssl.HelloExtensions.<init>(HelloExtensions.java:85) ~[na:1.7.0_131]
          at sun.security.ssl.HandshakeMessage$ClientHello.<init>(HandshakeMessage.java:240) ~[na:1.7.0_131]
          at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:219) ~[na:1.7.0_131]
          at sun.security.ssl.Handshaker.processLoop(Handshaker.java:961) ~[na:1.7.0_131]
          at sun.security.ssl.Handshaker$1.run(Handshaker.java:901) ~[na:1.7.0_131]
          at sun.security.ssl.Handshaker$1.run(Handshaker.java:899) ~[na:1.7.0_131]
          at java.security.AccessController.doPrivileged(Native Method) ~[na:1.7.0_131]
          at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1333) ~[na:1.7.0_131]
          at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:612) ~[puppet-server-release.jar:na]
          at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:239) ~[puppet-server-release.jar:na]
          at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540) ~[puppet-server-release.jar:na]
          at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635) ~[puppet-server-release.jar:na]
          at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555) ~[puppet-server-release.jar:na]
          at java.lang.Thread.run(Thread.java:745) [na:1.7.0_131]
  Caused by: java.lang.IllegalArgumentException: System property jdk.tls.namedGroups(null) contains no supported elliptic curves
          at sun.security.ssl.SupportedEllipticCurvesExtension.<clinit>(SupportedEllipticCurvesExtension.java:154) ~[na:1.7.0_131]
          ... 14 common frames omitted

  This bug seems to be the same as the one described in:
  - https://bugzilla.redhat.com/show_bug.cgi?id=1422738
  - https://bugs.openjdk.java.net/browse/JDK-8173783
  - http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=3329

  It looks like this was introduced by adding open-jdk 7u131-2.6.9-0 to
  http://eu-west-1.ec2.archive.ubuntu.com/ubuntu/pool/main/o/openjdk-7/


  EDIT: WORKAROUND

  The original workaround steps no longer work because the required
  package has been removed from http://eu-
  west-1.ec2.archive.ubuntu.com/ubuntu/pool/main/o/openjdk-7.

  The new steps make you use the repository at
  https://launchpad.net/~openjdk-r/+archive/ubuntu/ppa.

  $ gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring /etc/apt/secring.gpg --trustdb-name /etc/
  apt/trustdb.gpg --keyring /etc/apt/trusted.gpg --keyserver keyserver.ubuntu.com --recv DA1A4A13543B466853BAF164EB9B1D8886F44E2A

  $ echo "deb http://ppa.launchpad.net/openjdk-r/ppa/ubuntu trusty main 
  deb-src http://ppa.launchpad.net/openjdk-r/ppa/ubuntu trusty main" > /etc/apt/sources.list.d/openjdk-r-ppa.list

  $ apt-get update

  $ apt-get install openjdk-7-jre-headless=7u121-2.6.8-1~14.04

  $ service puppetserver restart


  ----

  > We also need:
  > 1) The release of Ubuntu you are using, via 'lsb_release -rd' or System -> About Ubuntu

  $ lsb_release -rd
  Description:    Ubuntu 14.04.5 LTS
  Release:        14.04

  > 2) The version of the package you are using, via 'apt-cache policy
  pkgname' or by checking in Software Center

  $ apt-cache policy openjdk-7-jre-headless
  openjdk-7-jre-headless:
    Installed: 7u131-2.6.9-0ubuntu0.14.04.1
    Candidate: 7u131-2.6.9-0ubuntu0.14.04.1
    Version table:
   *** 7u131-2.6.9-0ubuntu0.14.04.1 0
          500 http://eu-west-1.ec2.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
          500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
          100 /var/lib/dpkg/status
       7u51-2.4.6-1ubuntu4 0
          500 http://eu-west-1.ec2.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

  > 3) What you expected to happen

  We expected this command to return certificate information for a web
  server:

  $ openssl s_client -showcerts -connect "$(hostname -f):8140"

  > 4) What happened instead

  The command failed and the webserver had a Java stack trace (see
  above).

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: openjdk-7-jre-headless 7u131-2.6.9-0ubuntu0.14.04.1
  ProcVersionSignature: Ubuntu 3.19.0-58.64~14.04.1-generic 3.19.8-ckt16
  Uname: Linux 3.19.0-58-generic x86_64
  ApportVersion: 2.14.1-0ubuntu3.23
  Architecture: amd64
  Date: Tue May 16 14:21:01 2017
  Ec2AMI: ami-30b59b43
  Ec2AMIManifest: (unknown)
  Ec2AvailabilityZone: eu-west-1a
  Ec2InstanceType: t2.small
  Ec2Kernel: unavailable
  Ec2Ramdisk: unavailable
  ProcEnviron:
   TERM=screen-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: openjdk-7
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjdk-7/+bug/1691126/+subscriptions


Follow ups

References