Diffstat (limited to 'user/openjdk8/icedtea-jdk-tls-nist-curves.patch')
-rw-r--r-- | user/openjdk8/icedtea-jdk-tls-nist-curves.patch | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/user/openjdk8/icedtea-jdk-tls-nist-curves.patch b/user/openjdk8/icedtea-jdk-tls-nist-curves.patch
new file mode 100644
index 000000000..75fb3af8c
--- /dev/null
+++ b/user/openjdk8/icedtea-jdk-tls-nist-curves.patch
@@ -0,0 +1,47 @@
+Bug #7404 TLS negotiation error in OpenJDK 8 u131
+
+Fixes an OpenJDK 8 regression discovered in docker-library/openjdk#115
+on Alpine Linux 3.5 (u121) and 3.6 (u131) that causes TLS negotiation
+errors for some clients.
+
+Root cause appears to be OpenJDK announcing support for NIST curves the
+underlying NSS library does doesn't. This patch limits OpenJDK's
+announcement to elliptic curves 23 (secp256r1), 24 (secp384r1), and 25
+(secp521r1).
+
+Related issues:
+
+* https://github.com/docker-library/openjdk/issues/115
+* https://bugs.alpinelinux.org/issues/7404
+* https://access.redhat.com/discussions/2339811
+* https://bugzilla.redhat.com/show_bug.cgi?id=1022017
+* https://bugzilla.redhat.com/show_bug.cgi?id=1348525
+
+--- openjdk.orig/jdk/src/share/classes/sun/security/ssl/EllipticCurvesExtension.java 2017-05-08 20:03:50.000000000 -0700
++++ openjdk/jdk/src/share/classes/sun/security/ssl/EllipticCurvesExtension.java 2017-06-14 13:37:00.000000000 -0700
+@@ -168,21 +168,10 @@
+ "contains no supported elliptic curves");
+ }
+ } else { // default curves
+- int[] ids;
+- if (requireFips) {
+- ids = new int[] {
+- // only NIST curves in FIPS mode
+- 23, 24, 25, 9, 10, 11, 12, 13, 14,
+- };
+- } else {
+- ids = new int[] {
+- // NIST curves first
+- 23, 24, 25, 9, 10, 11, 12, 13, 14,
+- // non-NIST curves
+- 22,
+- };
+- }
+-
++ int[] ids = new int[] {
++ // NSS currently only supports these three NIST curves
++ 23, 24, 25
++ };
+ idList = new ArrayList<>(ids.length);
+ for (int curveId : ids) {
+ if (isAvailableCurve(curveId)) { |
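Review bot: The new comment on the `ids` array states as fact ("NSS currently only supports these three NIST curves") what the patch description only calls the apparent root cause, and it leaves the IDs 23, 24, 25 unnamed, so a later maintainer cannot tell why the list is short or when it may be widened again. I would write it as `// Alpine bug #7404: advertise only secp256r1 (23), secp384r1 (24), secp521r1 (25); other curves appear unsupported by the system NSS build`. The restriction also covers only this default-curves branch; the branch above it starts outside the hunk and seems to handle a configured curve list, which is not narrowed, so a deployment that sets its own list could presumably still advertise a curve the library cannot serve. Dropping the `requireFips` split looks harmless as far as the hunk shows, since the remaining three IDs were the first entries of both old lists.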