TLS negotiation error in OpenJDK 8 JRE u131
Attempting to curl an application over HTTPS results in a TLS negotiation error with OpenSSL when the application is being served from Alpine Linux 3.6 running openjdk8-jre.
How to reproduce?
- Launch Alpine Linux 3.6 container running a JVM application serving HTTPS
- curl the application
$ curl -Ikv https://172.28.128.14/status
* Hostname was NOT found in DNS cache
* Trying 172.28.128.14...
* Connected to 172.28.128.14 (172.28.128.14) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
* Closing connection 0
curl: (35) error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
What version of Java am I running?
$ sudo docker exec -it docker_svc_1 java -version
openjdk version "1.8.0_131"
OpenJDK Runtime Environment (IcedTea 3.4.0) (Alpine 8.131.11-r1)
OpenJDK 64-Bit Server VM (build 25.131-b11, mixed mode)
Related bug in the OpenJDK Docker image project, which, according to its Dockerfile, just installs openjdk8-jre: https://github.com/docker-library/openjdk/issues/115
curl from macOS Sierra doesn’t complain, and neither does curl on Alpine Linux 3.6, but older (but supported) OSes like Ubuntu 14.04 are unable to communicate without issue. The issue does not exist in the same OpenJDK version running on Debian Jessie.
(from redmine: issue id 7404, created on 2017-06-09, closed on 2017-06-16)
- Changesets:
- Revision aba7b091 on 2017-06-16T12:17:21Z:
community/openjdk8: Bug #7404 TLS negotiation error in OpenJDK 8 u131
Fixes an OpenJDK 8 regression discovered in docker-library/openjdk#115
on Alpine Linux 3.5 (u121) and 3.6 (u131) that causes TLS negotiation
errors for some clients.
Root cause appears to be OpenJDK announcing support for NIST curves the
underlying NSS library doesn't. This patch limits OpenJDK's
announcement to elliptic curves 23 (secp256r1), 24 (secp384r1), and 25
(secp521r1).
Related issues:
* https://github.com/docker-library/openjdk/issues/115
* https://bugs.alpinelinux.org/issues/7404
* https://access.redhat.com/discussions/2339811
* https://bugzilla.redhat.com/show_bug.cgi?id=1022017
* https://bugzilla.redhat.com/show_bug.cgi?id=1348525
ref #7404
- Revision a83deb21 on 2017-06-16T12:21:10Z:
community/openjdk8: Bug #7404 TLS negotiation error in OpenJDK 8 u131
(commit message body identical to revision aba7b091 above)
- Revision 0700bbb3 on 2018-06-13T21:18:57Z:
community/openjdk8: Bug #7404 TLS negotiation error in OpenJDK 8 u131
(commit message body identical to revision aba7b091 above)
- Uploads:
- icedtea-jdk-tls-nist-curves.patch Configure JVM w/ NSS-supported elliptic curves only
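The root cause described in the commit message (the server advertising curves its crypto backend cannot actually compute, so the negotiated curve fails inside NSS and the client sees an internal_error alert) can be reproduced offline with a small model of the curve negotiation. The following is an added example, not code from Alpine, IcedTea or OpenJDK: it builds a constructed TLS 1.2 ClientHello carrying only the elliptic_curves extension (type 0x000a), parses the announced curve ids back out, and selects the first client-preferred curve the server also claims to support (the selection rule, first match in client order, is an assumption of the example). The `UNPATCHED_SERVER` set is an illustrative stand-in for the over-broad list the JVM announced before the patch; `NSS_SUPPORTED` is the set the patch restricts it to (curves 23, 24, 25). The client lists are constructed: one modelled on an OpenSSL 1.0.1-era client that lists binary (sect*) curves first, one that announces only the three NIST prime curves.

```python
"""Constructed TLS ClientHello + elliptic_curves extension parser, used to show
how an over-advertised server curve list selects a curve the backend cannot
compute. Example code only; not part of the Alpine or OpenJDK projects."""
import struct

# IANA "Supported Groups" ids (TLS extension 10), named for readability.
CURVE_NAMES = {
    14: "sect571r1", 13: "sect571k1", 25: "secp521r1", 12: "sect409k1",
    11: "sect409r1", 24: "secp384r1", 10: "sect283k1", 9: "sect283r1",
    22: "secp256k1", 23: "secp256r1",
}
# Curves the Alpine patch restricts the JVM to (per the commit message).
NSS_SUPPORTED = {23, 24, 25}


def build_client_hello(curves):
    """Build a minimal TLS 1.2 ClientHello record carrying only the
    elliptic_curves extension (type 0x000a). Constructed for the example."""
    curve_list = b"".join(struct.pack("!H", c) for c in curves)
    ext_body = struct.pack("!H", len(curve_list)) + curve_list
    ext = struct.pack("!HH", 0x000A, len(ext_body)) + ext_body
    exts = struct.pack("!H", len(ext)) + ext
    suites = struct.pack("!H", 0xC02F)           # ECDHE-RSA-AES128-GCM-SHA256
    body = (b"\x03\x03" + bytes(32)              # version, random (zeroed here)
            + b"\x00"                            # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                        # compression: null only
            + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def parse_client_curves(record):
    """Return the curve ids announced in a ClientHello record, in the client's
    preference order, or [] if the extension is absent."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 9 + 2 + 32                               # record+handshake headers, version, random
    pos += 1 + record[pos]                         # session id
    (n,) = struct.unpack_from("!H", record, pos)
    pos += 2 + n                                   # cipher suites
    pos += 1 + record[pos]                         # compression methods
    (ext_len,) = struct.unpack_from("!H", record, pos)
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == 0x000A:
            (list_len,) = struct.unpack_from("!H", record, pos)
            data = record[pos + 2:pos + 2 + list_len]
            return [c for (c,) in struct.iter_unpack("!H", data)]
        pos += ext_size
    return []


def negotiate_curve(client_curves, server_curves):
    """First client-preferred curve the server also claims to support; None when
    there is no overlap (assumed selection rule for this example)."""
    for c in client_curves:
        if c in server_curves:
            return c
    return None


def diagnose(record, server_curves, backend_curves=NSS_SUPPORTED):
    """Negotiate and report whether the chosen curve is one the backend
    crypto library (NSS here) can actually compute."""
    chosen = negotiate_curve(parse_client_curves(record), server_curves)
    return {
        "chosen": chosen,
        "name": CURVE_NAMES.get(chosen, "unknown"),
        "backend_ok": chosen is not None and chosen in backend_curves,
    }


# Constructed client modelled on an OpenSSL 1.0.1-era preference order
# (binary sect* curves ahead of the NIST prime curves).
LEGACY_CLIENT = build_client_hello([14, 13, 25, 12, 11, 24, 10, 9, 22, 23])
# Constructed client announcing only the three NIST prime curves.
MODERN_CLIENT = build_client_hello([23, 24, 25])

# Illustrative pre-patch server list: the JVM claiming curves NSS lacks.
UNPATCHED_SERVER = {14, 13, 25, 12, 11, 24, 10, 9, 23}
PATCHED_SERVER = set(NSS_SUPPORTED)

if __name__ == "__main__":
    for c_label, hello in (("legacy", LEGACY_CLIENT), ("modern", MODERN_CLIENT)):
        for s_label, srv in (("unpatched", UNPATCHED_SERVER), ("patched", PATCHED_SERVER)):
            print(c_label, s_label, diagnose(hello, srv))
```

With the legacy client against the unpatched list the chosen curve is sect571r1 (14), which is outside `NSS_SUPPORTED`, so the handshake would die inside the backend; the same client against the patched list lands on secp521r1 (25), and a client that only announces the prime curves negotiates successfully either way. That matches the report: macOS and newer OpenSSL clients were unaffected while OpenSSL 1.0.1-era clients such as Ubuntu 14.04 failed.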