Commit aba7b091 authored by Shatil Rafiullah's avatar Shatil Rafiullah Committed by Natanael Copa
Browse files

community/openjdk8: Bug #7404 TLS negotiation error in OpenJDK 8 u131

Fixes an OpenJDK 8 regression discovered in docker-library/openjdk#115
on Alpine Linux 3.5 (u121) and 3.6 (u131) that causes TLS negotiation
errors for some clients.

Root cause appears to be OpenJDK announcing support for NIST curves the
underlying NSS library does doesn't. This patch limits OpenJDK's
announcement to elliptic curves 23 (secp256r1), 24 (secp384r1), and 25
(secp521r1).

Related issues:

* https://github.com/docker-library/openjdk/issues/115
* https://bugs.alpinelinux.org/issues/7404
* https://access.redhat.com/discussions/2339811
* https://bugzilla.redhat.com/show_bug.cgi?id=1022017
* https://bugzilla.redhat.com/show_bug.cgi?id=1348525

ref #7404
parent 651231bf
......@@ -6,7 +6,7 @@ _icedteaver=3.4.0
# pkgver is <JDK version>.<JDK update>.<JDK build>
# Check http://icedtea.classpath.org/wiki/Main_Page when updating!
pkgver=8.131.11
pkgrel=1
pkgrel=2
pkgdesc="OpenJDK 8 provided by IcedTea"
url="http://icedtea.classpath.org/"
arch="all"
......@@ -66,6 +66,7 @@ source="http://icedtea.classpath.org/download/source/icedtea-$_icedteaver.tar.gz
icedtea-jdk-includes.patch
icedtea-jdk-getmntent-buffer.patch
icedtea-autoconf-config.patch
icedtea-jdk-tls-nist-curves.patch
"
builddir="$srcdir/icedtea-$_icedteaver"
......@@ -286,4 +287,5 @@ b135991c76b0db8fa7c363e0903624668e11eda7b54a943035c214aa4d7fc8c3e8110ed200edcec8
cdebe2c59657e7fd317a4841b2fbe95d9e8d7ee9d1593edf352ed7f49a92a42cbce82cbaa404d3f02c6d273eae03222a79559c09bf6cf439396c5ec5434f5458 icedtea-jdk-musl.patch
e8d9f1b867bf4fc84aa00d1237b264bcf503b1ed5f34735e14b0b747a728953fe0051a5af69ed058d377fbf65d8be1ed9e38fe5fc6edb2d50b31f34bf3ba91dc icedtea-jdk-includes.patch
7e6fa46b10c630517bfa46943858aea1d032c12d32ba3fcb7a2143ae1e896c34fa4cb8f925af80cb19f8e29149b835aa054adfd30ebb00539f6c78588d6f5211 icedtea-jdk-getmntent-buffer.patch
662d662d0a7a84be2978e921317589f212f3ba3b7629527ba0f1140b5ac4c1024893e0ed176211688ed1a4505968c4befc841ed57ffcdbb9d355c2cb0571b167 icedtea-autoconf-config.patch"
662d662d0a7a84be2978e921317589f212f3ba3b7629527ba0f1140b5ac4c1024893e0ed176211688ed1a4505968c4befc841ed57ffcdbb9d355c2cb0571b167 icedtea-autoconf-config.patch
313ba3467efad73120d307c16be8e793fa39de92d6c28c2faed11c14dd6f60e0f1a290f330d4dc849ae8f97c7bea84eec2d0be02c70bc9903664e22497dd2d22 icedtea-jdk-tls-nist-curves.patch"
Bug #7404 TLS negotiation error in OpenJDK 8 u131
Fixes an OpenJDK 8 regression discovered in docker-library/openjdk#115
on Alpine Linux 3.5 (u121) and 3.6 (u131) that causes TLS negotiation
errors for some clients.
Root cause appears to be OpenJDK announcing support for NIST curves the
underlying NSS library does doesn't. This patch limits OpenJDK's
announcement to elliptic curves 23 (secp256r1), 24 (secp384r1), and 25
(secp521r1).
Related issues:
* https://github.com/docker-library/openjdk/issues/115
* https://bugs.alpinelinux.org/issues/7404
* https://access.redhat.com/discussions/2339811
* https://bugzilla.redhat.com/show_bug.cgi?id=1022017
* https://bugzilla.redhat.com/show_bug.cgi?id=1348525
--- openjdk.orig/jdk/src/share/classes/sun/security/ssl/SupportedEllipticCurvesExtension.java 2017-05-08 20:03:50.000000000 -0700
+++ openjdk/jdk/src/share/classes/sun/security/ssl/SupportedEllipticCurvesExtension.java 2017-06-14 13:37:00.000000000 -0700
@@ -168,21 +168,10 @@
"contains no supported elliptic curves");
}
} else { // default curves
- int[] ids;
- if (requireFips) {
- ids = new int[] {
- // only NIST curves in FIPS mode
- 23, 24, 25, 9, 10, 11, 12, 13, 14,
- };
- } else {
- ids = new int[] {
- // NIST curves first
- 23, 24, 25, 9, 10, 11, 12, 13, 14,
- // non-NIST curves
- 22,
- };
- }
-
+ int[] ids = new int[] {
+ // NSS currently only supports these three NIST curves
+ 23, 24, 25
+ };
idList = new ArrayList<>(ids.length);
for (int curveId : ids) {
if (isAvailableCurve(curveId)) {
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment