authorShatil Rafiullah <shatil@atomtickets.com>2017-06-15 10:09:25 -0700
committerNatanael Copa <ncopa@alpinelinux.org>2017-06-16 12:17:21 +0000
commitaba7b091637e95dad55f2f2cc9050b989e12b4d2 (patch)
treede3b924e68c67ae126a450aa2b56d09b0e378786 /community/openjdk8/icedtea-jdk-tls-nist-curves.patch
parent651231bf0a7a63de2212c0983cc6dbb3cf15c932 (diff)
community/openjdk8: Bug #7404 TLS negotiation error in OpenJDK 8 u131
Fixes an OpenJDK 8 regression discovered in docker-library/openjdk#115 on Alpine Linux 3.5 (u121) and 3.6 (u131) that causes TLS negotiation errors for some clients. Root cause appears to be OpenJDK announcing support for NIST curves the underlying NSS library doesn't. This patch limits OpenJDK's announcement to elliptic curves 23 (secp256r1), 24 (secp384r1), and 25 (secp521r1). Related issues: * https://github.com/docker-library/openjdk/issues/115 * https://bugs.alpinelinux.org/issues/7404 * https://access.redhat.com/discussions/2339811 * https://bugzilla.redhat.com/show_bug.cgi?id=1022017 * https://bugzilla.redhat.com/show_bug.cgi?id=1348525 ref #7404
Diffstat (limited to 'community/openjdk8/icedtea-jdk-tls-nist-curves.patch')
-rw-r--r--community/openjdk8/icedtea-jdk-tls-nist-curves.patch47
1 files changed, 47 insertions, 0 deletions
diff --git a/community/openjdk8/icedtea-jdk-tls-nist-curves.patch b/community/openjdk8/icedtea-jdk-tls-nist-curves.patch
new file mode 100644
index 0000000000..24c4c44a53
--- /dev/null
+++ b/community/openjdk8/icedtea-jdk-tls-nist-curves.patch
@@ -0,0 +1,47 @@
+Bug #7404 TLS negotiation error in OpenJDK 8 u131
+
+Fixes an OpenJDK 8 regression discovered in docker-library/openjdk#115
+on Alpine Linux 3.5 (u121) and 3.6 (u131) that causes TLS negotiation
+errors for some clients.
+
+Root cause appears to be OpenJDK announcing support for NIST curves the
+underlying NSS library does doesn't. This patch limits OpenJDK's
+announcement to elliptic curves 23 (secp256r1), 24 (secp384r1), and 25
+(secp521r1).
+
+Related issues:
+
+* https://github.com/docker-library/openjdk/issues/115
+* https://bugs.alpinelinux.org/issues/7404
+* https://access.redhat.com/discussions/2339811
+* https://bugzilla.redhat.com/show_bug.cgi?id=1022017
+* https://bugzilla.redhat.com/show_bug.cgi?id=1348525
+
+--- openjdk.orig/jdk/src/share/classes/sun/security/ssl/SupportedEllipticCurvesExtension.java 2017-05-08 20:03:50.000000000 -0700
++++ openjdk/jdk/src/share/classes/sun/security/ssl/SupportedEllipticCurvesExtension.java 2017-06-14 13:37:00.000000000 -0700
+@@ -168,21 +168,10 @@
+ "contains no supported elliptic curves");
+ }
+ } else { // default curves
+- int[] ids;
+- if (requireFips) {
+- ids = new int[] {
+- // only NIST curves in FIPS mode
+- 23, 24, 25, 9, 10, 11, 12, 13, 14,
+- };
+- } else {
+- ids = new int[] {
+- // NIST curves first
+- 23, 24, 25, 9, 10, 11, 12, 13, 14,
+- // non-NIST curves
+- 22,
+- };
+- }
+-
++ int[] ids = new int[] {
++ // NSS currently only supports these three NIST curves
++ 23, 24, 25
++ };
+ idList = new ArrayList<>(ids.length);
+ for (int curveId : ids) {
+ if (isAvailableCurve(curveId)) {
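Review bot: The new comment on the hard-coded list (`// NSS currently only supports these three NIST curves`) gives no bug reference and no condition for revisiting it, so the restriction to 23, 24, 25 is likely to stay in place after the underlying provider changes. I would write it as `// Alpine #7404: EC provider (NSS) handles only secp256r1/secp384r1/secp521r1; restore the upstream defaults once it supports more`. The patch also drops the `requireFips` split, which is harmless here because all three ids are NIST curves, but that is worth stating in the comment too. The branch just above the `else { // default curves` line is untouched, so a curve list supplied by configuration can presumably still name curves the provider cannot use; the enclosing method starts and ends outside the hunk, so this should be confirmed against the full file.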