Bug #7404 TLS negotiation error in OpenJDK 8 u131
Fixes an OpenJDK 8 regression discovered in docker-library/openjdk#115
on Alpine Linux 3.5 (u121) and 3.6 (u131) that causes TLS negotiation
errors for some clients.
Root cause appears to be OpenJDK announcing support for NIST curves the
underlying NSS library does doesn't. This patch limits OpenJDK's
announcement to elliptic curves 23 (secp256r1), 24 (secp384r1), and 25
(secp521r1).
Related issues:
* https://github.com/docker-library/openjdk/issues/115
* https://bugs.alpinelinux.org/issues/7404
* https://access.redhat.com/discussions/2339811
* https://bugzilla.redhat.com/show_bug.cgi?id=1022017
* https://bugzilla.redhat.com/show_bug.cgi?id=1348525
--- openjdk.orig/jdk/src/share/classes/sun/security/ssl/EllipticCurvesExtension.java 2017-05-08 20:03:50.000000000 -0700
+++ openjdk/jdk/src/share/classes/sun/security/ssl/EllipticCurvesExtension.java 2017-06-14 13:37:00.000000000 -0700
@@ -168,21 +168,10 @@
"contains no supported elliptic curves");
}
} else { // default curves
- int[] ids;
- if (requireFips) {
- ids = new int[] {
- // only NIST curves in FIPS mode
- 23, 24, 25, 9, 10, 11, 12, 13, 14,
- };
- } else {
- ids = new int[] {
- // NIST curves first
- 23, 24, 25, 9, 10, 11, 12, 13, 14,
- // non-NIST curves
- 22,
- };
- }
-
+ int[] ids = new int[] {
+ // NSS currently only supports these three NIST curves
+ 23, 24, 25
+ };
idList = new ArrayList<>(ids.length);
for (int curveId : ids) {
if (isAvailableCurve(curveId)) {