summaryrefslogtreecommitdiff
path: root/user/openjdk8/icedtea-jdk-tls-nist-curves.patch
diff options
context:
space:
mode:
Diffstat (limited to 'user/openjdk8/icedtea-jdk-tls-nist-curves.patch')
-rw-r--r--user/openjdk8/icedtea-jdk-tls-nist-curves.patch47
1 files changed, 47 insertions, 0 deletions
diff --git a/user/openjdk8/icedtea-jdk-tls-nist-curves.patch b/user/openjdk8/icedtea-jdk-tls-nist-curves.patch
new file mode 100644
index 000000000..75fb3af8c
--- /dev/null
+++ b/user/openjdk8/icedtea-jdk-tls-nist-curves.patch
@@ -0,0 +1,47 @@
+Bug #7404 TLS negotiation error in OpenJDK 8 u131
+
+Fixes an OpenJDK 8 regression discovered in docker-library/openjdk#115
+on Alpine Linux 3.5 (u121) and 3.6 (u131) that causes TLS negotiation
+errors for some clients.
+
+Root cause appears to be OpenJDK announcing support for NIST curves the
+underlying NSS library does doesn't. This patch limits OpenJDK's
+announcement to elliptic curves 23 (secp256r1), 24 (secp384r1), and 25
+(secp521r1).
+
+Related issues:
+
+* https://github.com/docker-library/openjdk/issues/115
+* https://bugs.alpinelinux.org/issues/7404
+* https://access.redhat.com/discussions/2339811
+* https://bugzilla.redhat.com/show_bug.cgi?id=1022017
+* https://bugzilla.redhat.com/show_bug.cgi?id=1348525
+
+--- openjdk.orig/jdk/src/share/classes/sun/security/ssl/EllipticCurvesExtension.java 2017-05-08 20:03:50.000000000 -0700
++++ openjdk/jdk/src/share/classes/sun/security/ssl/EllipticCurvesExtension.java 2017-06-14 13:37:00.000000000 -0700
+@@ -168,21 +168,10 @@
+ "contains no supported elliptic curves");
+ }
+ } else { // default curves
+- int[] ids;
+- if (requireFips) {
+- ids = new int[] {
+- // only NIST curves in FIPS mode
+- 23, 24, 25, 9, 10, 11, 12, 13, 14,
+- };
+- } else {
+- ids = new int[] {
+- // NIST curves first
+- 23, 24, 25, 9, 10, 11, 12, 13, 14,
+- // non-NIST curves
+- 22,
+- };
+- }
+-
++ int[] ids = new int[] {
++ // NSS currently only supports these three NIST curves
++ 23, 24, 25
++ };
+ idList = new ArrayList<>(ids.length);
+ for (int curveId : ids) {
+ if (isAvailableCurve(curveId)) {