severe openjdk-7-jre ssl negotiation incompatibility (fixed upstream long ago...)
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
openjdk-7 (Ubuntu) | Confirmed | Undecided | Unassigned | |
Bug Description
See also:
https:/
How to reproduce:
Install (for example) Hudson CI 2.2.0 and activate the SSL port. Here is the config:
NAME=hudson
JAVA=/usr/
JAVA_ARGS="-Xmx512M -XX:+UseG1GC -Dcom.sun.
PIDFILE=
HUDSON_USER=hudson
HUDSON_
HUDSON_
RUN_STANDALONE=true
HUDSON_
MAXOPENFILES=8192
HTTP_PORT=9087
AJP_PORT=-1
HUDSON_
Then try to connect using wget, curl or apache reverse proxy and you'll get in hudson.log:
RequestHandlerT
RequestHandlerT
Curl outputs:
curl: (35) error:14077438:SSL routines:
Current openjdk-6-jre is also affected.
Using my own java 7 build (built against Ubuntu 11.10) works flawlessly on 12.04 (NOT icedtea based, just built using java 7 sources and using java 6 binaries). It is available at https:/
ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: openjdk-7-jre 7~u3-2.
ProcVersionSign
Uname: Linux 3.2.0-23-generic x86_64
NonfreeKernelMo
ApportVersion: 2.0.1-0ubuntu5
Architecture: amd64
Date: Thu Apr 26 22:55:48 2012
EcryptfsInUse: Yes
ProcEnviron:
TERM=xterm
SHELL=/bin/bash
PATH=(custom, user)
LANG=de_DE.UTF-8
LANGUAGE=de:en
SourcePackage: openjdk-7
UpgradeStatus: Upgraded to precise on 2012-02-12 (74 days ago)
Ubuntu 12.04 LTS
apt-cache policy openjdk-7-jdk
openjdk-7-jdk:
Installed: 7~u3-2.1.1~pre1-1ubuntu2
Candidate: 7~u3-2.1.1~pre1-1ubuntu2
Version table:
*** 7~u3-2.1.1~pre1-1ubuntu2 0
500 http://za.archive.ubuntu.com/ubuntu/ precise/universe i386 Packages
100 /var/lib/dpkg/status
From the OpenJDK7 server (broken):
Allow unsafe renegotiation: true
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
MessageManager, setSoTimeout(20000) called
MessageManager, READ: TLSv1 Handshake, length = 221
*** ClientHello, TLSv1.1
RandomCookie: GMT: 1321675401 bytes = { 45, 56, 62, 197, 251, 165, 178, 142, 76, 186, 140, 230, 174, 158, 214, 5, 72, 177, 23, 221, 215, 202, 222, 100, 112, 251, 116, 222 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA, TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA, TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA, TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_SEED_CBC_SHA, TLS_DHE_DSS_WITH_SEED_CBC_SHA, TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_SEED_CBC_SHA, TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_RSA_EXPORT_WITH_RC4_40_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 1, 0 }
Extension ec_point_formats, formats: [uncompressed, ansiX962_compressed_prime, ansiX962_compressed_char2]
Extension elliptic_curves, curve names: {sect571r1, sect571k1, secp521r1, sect409k1, sect409r1, secp384r1, sect283k1, sect283r1, secp256k1, secp256r1, sect239k1, sect233k1, sect233r1, secp224k1, secp224r1, sect193r1, sect193r2, secp192k1, secp192r1, sect163k1, sect163r1, sect163r2, secp160k1, secp160r1, secp160r2}
Unsupported extension type_35, data:
Unsupported extension type_15, data: 01
***
%% Initialized: [Session-1, SSL_NULL_WITH_NULL_NULL]
matching alias: fmsrns
MessageManager, handling excep...
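
A small parser for the ClientHello block of a JSSE debug trace like the one in the comment above, added here as an example (it is not part of the bug report or of OpenJDK). It summarises what the client offered, so the offer can be compared with what the server side is able to negotiate. The sample trace is constructed and shortened, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed, shortened sample in the layout of a JSSE javax.net.debug trace.
SAMPLE = """\
*** ClientHello, TLSv1.1
Session ID: {}
Cipher Suites: [TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 1, 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1}
Unsupported extension type_35, data:
Unsupported extension type_15, data: 01
***
"""

# IANA TLS ExtensionType names for the two ids the trace prints as "Unsupported".
EXT_NAMES = {15: "heartbeat", 35: "session_ticket"}

def key_exchange(suite):
    """Key-exchange family named in a JSSE suite identifier (hypothetical helper)."""
    m = re.match(r"(?:TLS|SSL)_(.+?)_WITH_", suite)
    if not m:
        return "signalling"  # e.g. TLS_EMPTY_RENEGOTIATION_INFO_SCSV, not a real suite
    return m.group(1).replace("_EXPORT", "")

def _items(pattern, body):
    """Split the comma-separated list captured by pattern; empty list if absent."""
    m = re.search(pattern, body, re.M)
    return [x.strip() for x in m.group(1).split(",")] if m else []

def summarize_client_hello(trace):
    """Return version, suite counts per key exchange, curves and unparsed extensions."""
    hello = re.search(r"^\*\*\* ClientHello, (\S+)\n(.*?)^\*\*\*$", trace, re.S | re.M)
    if hello is None:  # truncated trace: header without the closing '***' line
        raise ValueError("no complete ClientHello block in trace")
    version, body = hello.groups()
    suites = _items(r"^Cipher Suites: \[(.*?)\]", body)
    ext_ids = [int(n) for n in re.findall(r"^Unsupported extension type_(\d+)", body, re.M)]
    return {
        "version": version,
        "by_kx": dict(Counter(key_exchange(s) for s in suites)),
        "curves": _items(r"curve names: \{(.*?)\}", body),
        "unsupported_ext": [(n, EXT_NAMES.get(n, "unknown")) for n in ext_ids],
    }

if __name__ == "__main__":
    print(summarize_client_hello(SAMPLE))
```
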