OpenJDK8 u352 breaks TLS negotiation


Issue

  • Upgrading the Java runtime of EAP 7.3 to OpenJDK8 u352 causes the HTTPS connection to a backend JBoss Web Server 5.3 (Tomcat 9) to fail with the following exception:
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
        at sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at sun.security.ssl.Alert.createSSLException(Alert.java:117)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:311)
        at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
        at sun.security.ssl.TransportContext.dispatch(TransportContext.java:185)
        at sun.security.ssl.SSLTransport.decode(SSLTransport.java:152)
        at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1397)
        at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1305)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440)
        at gov.nasa.sewp.installcert.driver.InstallCert.main(InstallCert.java:69)
Could not obtain server certificate chain
  • After upgrading to OpenJDK8 u352, the backend server does not negotiate the TLS connection. The ClientHello is sent, and the server immediately responds with a handshake_failure alert instead of a ServerHello.

  • After upgrading to OpenJDK8 u352, a Java application that makes a secure connection to the database fails with the following exception:

javax.net.ssl|WARNING|24|pool-1-thread-1|SSLSocketImpl.java:1542|handling exception (
"throwable" : {
  java.lang.RuntimeException: Could not generate ECDH keypair
        at sun.security.ssl.ECDHKeyExchange$ECDHEPossession.<init>(ECDHKeyExchange.java:116)
...
  Caused by: java.security.InvalidAlgorithmParameterException: unknown curve name: 1.2.840.10045.3.1.7
        at org.bouncycastle.jce.provider.JDKKeyPairGenerator$EC.initialize(Unknown Source)
...
javax.net.ssl|FINE|24|pool-1-thread-1|SSLSocketImpl.java:1634|close the SSL connection (initiative)
Failed to get access token: ServiceException(code=MPAYSOA_03400 msg=Error getting token: javax.net.ssl.SSLException: Could not generate ECDH keypair)

javax.net.ssl|SEVERE|2E|HttpConnection-12004-1|TransportContext.java:316|Fatal (HANDSHAKE_FAILURE): Couldn't kickstart handshaking (
"throwable" : {
  javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
...
  Caused by: java.io.EOFException: SSL peer shut down incorrectly
...
javax.net.ssl|FINE|2E|HttpConnection-12004-1|SSLSocketOutputRecord.java:71|WRITE: TLS12 alert(handshake_failure), length = 2

Environment

  • OpenJDK8 u352
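
The second trace above shows sun.security.ssl.ECDHKeyExchange ending up in a BouncyCastle EC key pair generator that rejects the curve identifier 1.2.840.10045.3.1.7, which is the OID of secp256r1 (NIST P-256). The following diagnostic is an added example, not part of the original article or of any Red Hat tooling: run on the affected JVM with the application's classpath and java.security settings, it lists every registered provider that offers an EC KeyPairGenerator, in precedence order, and reports whether each accepts that curve by name and by OID. The class name EcProviderCheck is hypothetical.

```java
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.spec.ECGenParameterSpec;

// Hypothetical diagnostic class (added example, not from the article).
public class EcProviderCheck {
    // Curve from the trace: OID 1.2.840.10045.3.1.7 is secp256r1 (NIST P-256).
    static final String[] CURVE_IDS = { "secp256r1", "1.2.840.10045.3.1.7" };

    // Returns "ok", or the exception the provider raised for this curve id.
    static String probe(Provider p, String curveId) {
        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", p);
            kpg.initialize(new ECGenParameterSpec(curveId));
            kpg.generateKeyPair();
            return "ok";
        } catch (Exception e) {
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version = " + System.getProperty("java.version"));
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            Provider p = providers[i];
            // Only providers that register an EC KeyPairGenerator matter here.
            if (p.getService("KeyPairGenerator", "EC") == null) continue;
            System.out.printf("%d. %s %s%n", i + 1, p.getName(), p.getVersion());
            for (String id : CURVE_IDS) {
                System.out.printf("     %-22s -> %s%n", id, probe(p, id));
            }
        }
        // Provider the JCA selects first for getInstance("EC") with no provider named.
        System.out.println("first EC provider = "
                + KeyPairGenerator.getInstance("EC").getProvider().getName());
    }
}
```

A provider that reports "ok" for the name but an exception for the OID, and that is listed ahead of the JDK's own EC provider, matches the "unknown curve name" failure shown in the trace.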
