java.lang.IllegalArgumentException: System property jdk.tls.namedGroups(null) contains no supported elliptic curves

Bug #1691126 reported by Christopher D'Cunha on 2017-05-16
76
This bug affects 13 people
Affects Status Importance Assigned to Milestone
openjdk-7 (Ubuntu)
Trusty
High
Tiago Stürmer Daitx

Bug Description

Tested with the puppetserver package (version 2.2.0-1puppetlabs1).

When running:

$ openssl s_client -showcerts -connect "$(hostname -f):8140"

The following java exception is thrown in the puppetserver:

2017-05-16 14:20:42,835 WARN [qtp1887840931-59] [o.e.j.u.t.QueuedThreadPool]
java.lang.ExceptionInInitializerError: null
        at sun.security.ssl.HelloExtensions.<init>(HelloExtensions.java:85) ~[na:1.7.0_131]
        at sun.security.ssl.HandshakeMessage$ClientHello.<init>(HandshakeMessage.java:240) ~[na:1.7.0_131]
        at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:219) ~[na:1.7.0_131]
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:961) ~[na:1.7.0_131]
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:901) ~[na:1.7.0_131]
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:899) ~[na:1.7.0_131]
        at java.security.AccessController.doPrivileged(Native Method) ~[na:1.7.0_131]
        at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1333) ~[na:1.7.0_131]
        at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:612) ~[puppet-server-release.jar:na]
        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:239) ~[puppet-server-release.jar:na]
        at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540) ~[puppet-server-release.jar:na]
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635) ~[puppet-server-release.jar:na]
        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555) ~[puppet-server-release.jar:na]
        at java.lang.Thread.run(Thread.java:745) [na:1.7.0_131]
Caused by: java.lang.IllegalArgumentException: System property jdk.tls.namedGroups(null) contains no supported elliptic curves
        at sun.security.ssl.SupportedEllipticCurvesExtension.<clinit>(SupportedEllipticCurvesExtension.java:154) ~[na:1.7.0_131]
        ... 14 common frames omitted

This bug seems to be the same as the one described in:
- https://bugzilla.redhat.com/show_bug.cgi?id=1422738
- https://bugs.openjdk.java.net/browse/JDK-8173783
- http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=3329

It looks like this was introduced by adding open-jdk 7u131-2.6.9-0 to http://eu-west-1.ec2.archive.ubuntu.com/ubuntu/pool/main/o/openjdk-7/

EDIT: WORKAROUND

The original workaround steps no longer work because the required package has been removed from http://eu-west-1.ec2.archive.ubuntu.com/ubuntu/pool/main/o/openjdk-7.

The new steps make you use the repository at https://launchpad.net/~openjdk-r/+archive/ubuntu/ppa.

$ gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring /etc/apt/secring.gpg --trustdb-name /etc/
apt/trustdb.gpg --keyring /etc/apt/trusted.gpg --keyserver keyserver.ubuntu.com --recv DA1A4A13543B466853BAF164EB9B1D8886F44E2A

$ echo "deb http://ppa.launchpad.net/openjdk-r/ppa/ubuntu trusty main
deb-src http://ppa.launchpad.net/openjdk-r/ppa/ubuntu trusty main" > /etc/apt/sources.list.d/openjdk-r-ppa.list

$ apt-get update

$ apt-get install openjdk-7-jre-headless=7u121-2.6.8-1~14.04

$ service puppetserver restart

----

> We also need:
> 1) The release of Ubuntu you are using, via 'lsb_release -rd' or System -> About Ubuntu

$ lsb_release -rd
Description: Ubuntu 14.04.5 LTS
Release: 14.04

> 2) The version of the package you are using, via 'apt-cache policy pkgname' or by checking in Software Center

$ apt-cache policy openjdk-7-jre-headless
openjdk-7-jre-headless:
  Installed: 7u131-2.6.9-0ubuntu0.14.04.1
  Candidate: 7u131-2.6.9-0ubuntu0.14.04.1
  Version table:
 *** 7u131-2.6.9-0ubuntu0.14.04.1 0
        500 http://eu-west-1.ec2.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
        100 /var/lib/dpkg/status
     7u51-2.4.6-1ubuntu4 0
        500 http://eu-west-1.ec2.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

> 3) What you expected to happen

We expected this command to return certificate information for a web server:

$ openssl s_client -showcerts -connect "$(hostname -f):8140"

> 4) What happened instead

The command failed and the webserver had a Java stack trace (see above).

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: openjdk-7-jre-headless 7u131-2.6.9-0ubuntu0.14.04.1
ProcVersionSignature: Ubuntu 3.19.0-58.64~14.04.1-generic 3.19.8-ckt16
Uname: Linux 3.19.0-58-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.23
Architecture: amd64
Date: Tue May 16 14:21:01 2017
Ec2AMI: ami-30b59b43
Ec2AMIManifest: (unknown)
Ec2AvailabilityZone: eu-west-1a
Ec2InstanceType: t2.small
Ec2Kernel: unavailable
Ec2Ramdisk: unavailable
ProcEnviron:
 TERM=screen-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: openjdk-7
UpgradeStatus: No upgrade log present (probably fresh install)

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openjdk-7 (Ubuntu):
status: New → Confirmed
Andre Keller (0x2a) wrote :

PuppetDB suffers from the same (or a similar problem):
7-05-17 00:30:47,343 WARN [o.e.j.u.t.QueuedThreadPool] Unexpected thread death: org.eclipse.jetty.util.thread.QueuedThreadPool$3@75c8fe98 in qtp987139935{STARTED,8<=10<=200,i=3,q=0}
2017-05-17 00:30:48,282 WARN [o.e.j.u.t.QueuedThreadPool]
java.lang.NoClassDefFoundError: Could not initialize class sun.security.ssl.SupportedEllipticCurvesExtension
        at sun.security.ssl.HelloExtensions.<init>(HelloExtensions.java:85) ~[na:1.7.0_131]
        at sun.security.ssl.HandshakeMessage$ClientHello.<init>(HandshakeMessage.java:240) ~[na:1.7.0_131]
        at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:219) ~[na:1.7.0_131]
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:961) ~[na:1.7.0_131]
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:901) ~[na:1.7.0_131]
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:899) ~[na:1.7.0_131]
        at java.security.AccessController.doPrivileged(Native Method) ~[na:1.7.0_131]
        at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1333) ~[na:1.7.0_131]
        at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:612) ~[puppetdb.jar:na]
        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:239) ~[puppetdb.jar:na]
        at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540) ~[puppetdb.jar:na]
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635) ~[puppetdb.jar:na]
        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555) ~[puppetdb.jar:na]
        at java.lang.Thread.run(Thread.java:745) [na:1.7.0_131]

Graham Leggett (minfrin-y) wrote :

Looking at the changelog for https://launchpad.net/ubuntu/+source/openjdk-7/7u131-2.6.9-0ubuntu0.14.04.1 I see we have a combination of security fixes and other changes rolled up in the same security patch.

Do we know which change caused this regression?

Changed in openjdk-7 (Ubuntu):
assignee: nobody → Tiago Stürmer Daitx (tdaitx)
status: Confirmed → In Progress
Tiago Stürmer Daitx (tdaitx) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

This regression was introduced in OpenJDK 7 by the backport of JDK-8148516 [1] from OpenJDK 8 to OpenJDK 7. The backport was done under JDK-8175450 [2] and committed to 7u121 in revision #8321 [3].

The fix, as reported by Christopher, is indeed the backport of JDK-8173783. This has been verified, a new package is building and a fix will be released after going through a security review. This ticket will be updated automatically when the new package is released.

Let me know if you have additional questions.

[1] https://bugs.openjdk.java.net/browse/JDK-8148516
[2] https://bugs.openjdk.java.net/browse/JDK-8175450
[3] http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/0c67352a1aa9

tags: added: regression-update
Robie Basak (racb) on 2017-05-17
Changed in openjdk-7 (Ubuntu Trusty):
importance: Undecided → High
Changed in openjdk-7 (Ubuntu Trusty):
assignee: nobody → Tiago Stürmer Daitx (tdaitx)
status: New → In Progress
Changed in openjdk-7 (Ubuntu):
status: In Progress → Invalid
description: updated

Hi Tiago, Thanks for the updates.

I see a few changes in the status that I don't fully understand. Mainly:

  importance: Undecided → High

and

  status: In Progress → Invalid

Is this bug report really Invalid? Is there something else we should be doing (e.g. using a version of the `puppetserver` that works with this `java` version)?

Simon Déziel (sdeziel) wrote :

Christopher, the invalid task was because Tiago moved it to the Trusty specific version which is now in progress.

Steve Beattie (sbeattie) wrote :

Hi, sorry for the problem people are experiencing. Tiago has prepared packages which are undergoing review and testing. I have made these package available in the ubuntu-security-proposed ppa (except for on the armhf architecture) at https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/ .

It would be greatly appreciated if people could test these packages to verify that the address the regression you're seeing. That said, it's important to understand that these still need to be tested, and should not be used in production.

Thanks, and again, my apologies.

Simon Déziel (sdeziel) wrote :

Hi Steve, I can confirm the package from the ubuntu-security-proposed PPA fixes the issue. Thanks to Tiago and you for the quick turnaround!

# /usr/lib/jvm/java-7-openjdk-amd64/bin/java -version
java version "1.7.0_131"
OpenJDK Runtime Environment (IcedTea 2.6.9) (7u131-2.6.9-0ubuntu0.14.04.2)
OpenJDK 64-Bit Server VM (build 24.131-b00, mixed mode)

Hi,

We can confirm that it resolves the issue.

Thanks.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openjdk-7 - 7u131-2.6.9-0ubuntu0.14.04.2

---------------
openjdk-7 (7u131-2.6.9-0ubuntu0.14.04.2) trusty-security; urgency=medium

  * Fix JDK regression introduced by 7u131 upgrade: (LP: #1691126)
    - d/p/jdk-S8173783-fix-illegalargumentexception-regression.patch:
      fix "IllegalArgumentException: jdk.tls.namedGroups" backported
      from http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/f5d0aadb4d1c

 -- Tiago Stürmer Daitx <email address hidden> Wed, 17 May 2017 00:39:54 +0000

Changed in openjdk-7 (Ubuntu Trusty):
status: In Progress → Fix Released
Graham Leggett (minfrin-y) wrote :

Looking at https://bugs.openjdk.java.net/browse/JDK-8148516, I'm not seeing a CVE number attached. In addition, this issue is marked as an "enhancement".

Would it be possible to confirm how an enhancement ended up inside a security release?

On 2017-05-18 07:54 PM, Graham Leggett wrote:
> Looking at https://bugs.openjdk.java.net/browse/JDK-8148516, I'm not
> seeing a CVE number attached.

The change is about dropping support for algorithms that are no longer
considered secure so I don't think there is any CVE attached to this.

> In addition, this issue is marked as an "enhancement".

Probably not the best name but they only have a limited set of bug types
in their bugtracker.

> The change is about dropping support for algorithms that are no longer
> considered secure so I don't think there is any CVE attached to this.

We were affected by the regression as well but I think in the long run,
this is a relatively small price to pay to not have to carry outdated
crypto. I find the security team to be very good and conservative with
backporting security fixes but most importantly when mistakes happen,
they get fixed pretty quickly.

Wizarth (wizarth) wrote :

Confirmed that the update fixes this for me.

Andre Keller (0x2a) wrote :

I can also confirm that the update fixes the issue I was seeing with PuppetDB.

no longer affects: openjdk-7 (Ubuntu)
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers