View Issue Details

ID: 0009482
Project: CentOS-7
Category: java
View Status: public
Last Update: 2016-04-01 08:17
Reporter: Thierry
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Platform:
OS: CentOS
OS Version: 7.1-1503
Product Version: 7.1-1503
Target Version:
Fixed in Version:
Summary: 0009482: NoSuchAlgorithmException: EC AlgorithmParameters not available if SSL logs enabled

Description

I get the following Exception:
javax.net.ssl.SSLException: java.lang.RuntimeException: java.security.NoSuchAlgorithmException: EC AlgorithmParameters not available
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1906)
        at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1889)
        at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1815)
        at sun.security.ssl.AppInputStream.read(AppInputStream.java:116)
        at java.io.DataInputStream.read(DataInputStream.java:149)
        at sun.nio.cs.StreamDecoder.readBytes(StreamDecoder.java:284)
        at sun.nio.cs.StreamDecoder.implRead(StreamDecoder.java:326)
        at sun.nio.cs.StreamDecoder.read(StreamDecoder.java:178)
        at java.io.InputStreamReader.read(InputStreamReader.java:184)
        at java.io.BufferedReader.fill(BufferedReader.java:161)
        at java.io.BufferedReader.read1(BufferedReader.java:212)
        at java.io.BufferedReader.read(BufferedReader.java:286)
        at java.io.Reader.read(Reader.java:140)
        ...
Caused by: java.lang.RuntimeException: java.security.NoSuchAlgorithmException: EC AlgorithmParameters not available
        at sun.security.util.ECUtil.getECParameters(ECUtil.java:100)
        at sun.security.util.ECUtil.getECParameterSpec(ECUtil.java:149)
        at sun.security.ssl.JsseJce.getECParameterSpec(JsseJce.java:385)
        at sun.security.ssl.SupportedEllipticCurvesExtension.toString(SupportedEllipticCurvesExtension.java:127)
        at sun.security.ssl.HelloExtensions.print(HelloExtensions.java:150)
        at sun.security.ssl.HandshakeMessage$ClientHello.print(HandshakeMessage.java:323)
        at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:340)
        at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:221)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
        at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:928)
        at sun.security.ssl.AppInputStream.read(AppInputStream.java:105)
        ... 11 more
Caused by: java.security.NoSuchAlgorithmException: EC AlgorithmParameters not available
        at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
        at java.security.Security.getImpl(Security.java:695)
        at java.security.AlgorithmParameters.getInstance(AlgorithmParameters.java:146)
        at sun.security.util.ECUtil.getECParameters(ECUtil.java:98)
        ... 24 more


The problem appears when ssl logs are enabled:
  System.setProperty("javax.net.debug", "ssl:handshake:data");
  System.setProperty("java.security.debug", "ssl");

If logs are disabled, no Exception is raised.

I guess that this problem is related to bug https://bugzilla.redhat.com/show_bug.cgi?id=1167153 which has been only partially solved.

The SSL logs are:
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
cx1, handling exception: java.lang.RuntimeException: java.security.NoSuchAlgorithmException: EC AlgorithmParameters not available
cx1, SEND TLSv1.2 ALERT: fatal, description = internal_error
cx1, WRITE: TLSv1.2 Alert, length = 2
cx1, called closeSocket()

If no EC algorithm is proposed in the list, then no error is raised (even with the logs enabled).
Unfortunately, it is not possible to control what the remote host will propose.

I've found two workarounds to this problem:
  - Disable the ssl logs (but in case of problem it's quite difficult to investigate)
  - or enable the SunEC provider in java.security config file by adding the line
            security.provider.9=sun.security.ec.SunEC
    to the list of providers.

In the Exception stack trace, pay attention to the line :
   sun.security.ssl.SupportedEllipticCurvesExtension.toString(SupportedEllipticCurvesExtension.java:127)
It is probably where the Exception should be caught and discarded.
Not being able to print the name of an algorithm shouldn't break the SSL connection.

Steps To Reproduce

Enable logs on the server side:
  System.setProperty("javax.net.debug", "ssl:handshake:data");
  System.setProperty("java.security.debug", "ssl");

Use a client which connects to the server and negotiates EC algorithms.

Additional Information

Java release:
openjdk version "1.8.0_60"
OpenJDK Runtime Environment (build 1.8.0_60-b27)
OpenJDK 64-Bit Server VM (build 25.60-b23, mixed mode)
Tags: No tags attached.
abrt_hash
URL
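
A preflight check for the condition described in the report, added here as an example; it is not code from the report or from OpenJDK. It tests whether any registered provider supplies EC `AlgorithmParameters` before turning on the handshake debug property. The class and method names (`EcDebugPreflight`, `ecParametersAvailable`, `enableSslDebugIfSafe`) are hypothetical.

```java
import java.security.AlgorithmParameters;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;

// Hypothetical helper (not from the report): run at startup, before any TLS use.
public class EcDebugPreflight {

    /** True if some registered provider can supply "EC" AlgorithmParameters. */
    static boolean ecParametersAvailable() {
        try {
            // Same lookup that fails at ECUtil.getECParameters in the stack trace.
            AlgorithmParameters.getInstance("EC");
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    /** Enables the report's handshake debug setting only when the lookup succeeds. */
    static boolean enableSslDebugIfSafe() {
        if (!ecParametersAvailable()) {
            return false; // printing a ClientHello with EC curves would abort the handshake
        }
        System.setProperty("javax.net.debug", "ssl:handshake:data");
        return true;
    }

    public static void main(String[] args) {
        // List providers in preference order and mark those offering the EC service.
        for (Provider p : Security.getProviders()) {
            boolean ec = p.getService("AlgorithmParameters", "EC") != null;
            System.out.println(p.getName() + (ec ? "  <- EC AlgorithmParameters" : ""));
        }
        if (enableSslDebugIfSafe()) {
            System.out.println("EC parameters available; javax.net.debug enabled.");
        } else {
            // Workaround quoted from the report: register SunEC in java.security.
            System.out.println("EC parameters NOT available; javax.net.debug left off.");
            System.out.println("Workaround from the report: "
                    + "security.provider.9=sun.security.ec.SunEC");
        }
    }
}
```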

Activities

martijn.brinkers

2016-03-25 07:30

reporter   ~0026129

According to the RedHat bug report https://bugzilla.redhat.com/show_bug.cgi?id=1167153 this was "fixed" but the current version of Java 8 (25-03-2016) still seems to have this problem. This makes Java 8 on CentOS nearly impossible to use because most Java applications nowadays need to set up some sort of TLS connection. Because of all the vulnerabilities in older TLS protocols, use of EC algorithms is highly recommended.

tigalch

2016-03-25 20:29

manager   ~0026136

The bug you reference is for Fedora 21 (if I read it correctly). Obviously the fix has not been pushed to RHEL7. If you raise a bug there against RHEL7, and point at the fix from Fedora 21, this might get fixed. After that CentOS will inherit the fix.

tpouzet

2016-04-01 08:17

reporter   ~0026191

The subject seems to be already covered by this report for RHEL7: https://bugzilla.redhat.com/show_bug.cgi?id=1245810 which is a clone of this one for RHEL6: https://bugzilla.redhat.com/show_bug.cgi?id=1208307 which references the report martijn.brinkers pointed at.

Issue History

Date Modified Username Field Change
2015-09-18 08:55 Thierry New Issue
2016-03-25 07:30 martijn.brinkers Note Added: 0026129
2016-03-25 20:29 tigalch Note Added: 0026136
2016-04-01 08:17 tpouzet Note Added: 0026191