OpenNMS issue NMS-13111

BouncyCastle breaks SSL support in OpenNMS


    Details

    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Medium
    • Resolution: Fixed
    • Affects Version/s: 27.0.2, 27.0.3
    • Fix Version/s: 28.0.0
    • Component/s: None
    • Security Level: Default (Default Security Scheme)
    • Sprint: Horizon 2021 - May 12 - May 26
    • HB Backlog Status: Backlog

      Description

      After upgrading to 27.0.4-SNAPSHOT, I found that the SSL connector for Jetty was no longer working:

      # curl -k -vvv https://localhost:8443/opennms/
      * About to connect() to localhost port 8443 (#0)
      *   Trying ::1...
      * Connected to localhost (::1) port 8443 (#0)
      * Initializing NSS with certpath: sql:/etc/pki/nssdb
      * skipping SSL peer certificate verification
      * NSS error -5938 (PR_END_OF_FILE_ERROR)
      * Encountered end of file
      * Closing connection 0
      curl: (35) Encountered end of file
      

      I found this in jetty-server.log:

      2021-02-01 18:31:34,836 DEBUG [qtp719752770-2318] o.e.j.i.s.SslConnection: DecryptedEndPoint@531a4c54{l=/165.227.42.192:8443,r=/142.185.90.26:25106,OPEN,fill=-,flush=-,to=74/30000} stored flush exception
      javax.net.ssl.SSLHandshakeException: Could not generate secret
              at sun.security.ssl.KAKeyDerivation.t13DeriveKey(KAKeyDerivation.java:128) ~[?:?]
              at sun.security.ssl.KAKeyDerivation.deriveKey(KAKeyDerivation.java:63) ~[?:?]
              at sun.security.ssl.ServerHello$T13ServerHelloProducer.produce(ServerHello.java:597) ~[?:?]
              at sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:436) ~[?:?]
              at sun.security.ssl.ClientHello$T13ClientHelloConsumer.goServerHello(ClientHello.java:1234) ~[?:?]
              at sun.security.ssl.ClientHello$T13ClientHelloConsumer.consume(ClientHello.java:1170) ~[?:?]
              at sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:852) ~[?:?]
              at sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:813) ~[?:?]
              at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) ~[?:?]
              at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443) ~[?:?]
              at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074) ~[?:?]
              at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061) ~[?:?]
              at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
              at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008) ~[?:?]
              at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:639) [jetty-io-9.4.34.v20201102.jar:9.4.34.v20201102]
              at org.eclipse.jetty.server.HttpConnection.fillRequestBuffer(HttpConnection.java:336) [jetty-server-9.4.34.v20201102.jar:9.4.34.v20201102]
              at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:254) [jetty-server-9.4.34.v20201102.jar:9.4.34.v20201102]
              at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311) [jetty-io-9.4.34.v20201102.jar:9.4.34.v20201102]
              at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105) [jetty-io-9.4.34.v20201102.jar:9.4.34.v20201102]
              at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:540) [jetty-io-9.4.34.v20201102.jar:9.4.34.v20201102]
              at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:395) [jetty-io-9.4.34.v20201102.jar:9.4.34.v20201102]
              at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:161) [jetty-io-9.4.34.v20201102.jar:9.4.34.v20201102]
              at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105) [jetty-io-9.4.34.v20201102.jar:9.4.34.v20201102]
              at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104) [jetty-io-9.4.34.v20201102.jar:9.4.34.v20201102]
              at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:773) [jetty-util-9.4.34.v20201102.jar:9.4.34.v20201102]
              at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:905) [jetty-util-9.4.34.v20201102.jar:9.4.34.v20201102]
              at java.lang.Thread.run(Thread.java:834) [?:?]
      Caused by: java.security.InvalidKeyException: cannot identify XDH private key
              at org.bouncycastle.jcajce.provider.asymmetric.edec.KeyAgreementSpi.engineDoPhase(Unknown Source) ~[bcprov-jdk15on-1.66.jar:1.66.0]
              at javax.crypto.KeyAgreement.doPhase(KeyAgreement.java:579) ~[?:?]
              at sun.security.ssl.KAKeyDerivation.t13DeriveKey(KAKeyDerivation.java:104) ~[?:?]
              ... 26 more
      

      Removing bcprov-jdk15on-1.66.jar from the classpath and replacing it with bcprov-jdk15on-168.jar restored SSL:

      # curl -k -vvv https://localhost:8443/opennms/
      * About to connect() to localhost port 8443 (#0)
      *   Trying ::1...
      * Connected to localhost (::1) port 8443 (#0)
      * Initializing NSS with certpath: sql:/etc/pki/nssdb
      * skipping SSL peer certificate verification
      * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      * Server certificate:
      *       subject: CN=hostname.org
      *       start date: Jan 31 16:42:15 2021 GMT
      *       expire date: May 01 16:42:15 2021 GMT
      *       common name: hostname.org
      *       issuer: CN=R3,O=Let's Encrypt,C=US
      > GET /opennms/ HTTP/1.1
      > User-Agent: curl/7.29.0
      > Host: localhost:8443
      > Accept: */*
      > 
      < HTTP/1.1 302 Found
      < Date: Mon, 01 Feb 2021 18:36:50 GMT
      < Content-Type: text/html;charset=utf-8
      < Location: https://localhost:8443/opennms/frontPage.htm
      < Content-Length: 0
      < Server: Jetty(9.4.34.v20201102)
      < 
      * Connection #0 to host localhost left intact
      

      OpenNMS JVM is running on: /usr/lib/jvm/java-11-openjdk-11.0.10.0.9-0.el7_9.x86_64

      SSL settings:

      # cat /opt/opennms/etc/opennms.properties.d/https.properties 
      opennms.web.base-url = https://%x%c/
      org.opennms.netmgt.jetty.https-port = 8443
      org.opennms.netmgt.jetty.https-keystore = /opt/opennms/etc/opennms.letsencrypt.jks
      org.opennms.netmgt.jetty.https-keystorepassword = changeit
      org.opennms.netmgt.jetty.https-keypassword = changeit
      

      Keystore is generated with:

      openssl pkcs12 -export -in /etc/letsencrypt/live/hostname.org/fullchain.pem -inkey /etc/letsencrypt/live/hostname.org/privkey.pem -out pkcs.p12 -name opennms -password pass:changeit
      rm -f keystore.jks
      /usr/lib/jvm/java-11-openjdk/bin/keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore keystore.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -srcstorepass changeit -alias opennms
      
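As an added diagnostic (not code from this issue or from OpenNMS), the following Java program checks whether the JCE provider that answers KeyAgreement.getInstance("X25519") can consume X25519 keys generated by the JDK's own SunEC provider, which is the combination the TLS 1.3 server handshake in the stack trace above exercises. Registering BouncyCastle at position 1 via the made-up --with-bc flag is an assumption about how bcprov came to serve the key agreement in the reporter's deployment; the class name XdhProviderCheck is invented for the example.

```java
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import javax.crypto.KeyAgreement;

public class XdhProviderCheck {

    /** Returns true when both sides derive the same secret, false when the provider rejects the key. */
    static boolean crossProviderAgreementWorks() throws Exception {
        // SunEC generates the ephemeral keys, exactly as the JDK 11 TLS stack does for X25519.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("X25519", "SunEC");
        KeyPair server = kpg.generateKeyPair();
        KeyPair client = kpg.generateKeyPair();

        // Default lookup: the first registered provider offering X25519 wins (BC if inserted at 1).
        KeyAgreement serverKa = KeyAgreement.getInstance("X25519");
        System.out.println("KeyAgreement X25519 served by: " + serverKa.getProvider().getName());
        try {
            serverKa.init(server.getPrivate());
            serverKa.doPhase(client.getPublic(), true);
            byte[] serverSecret = serverKa.generateSecret();

            KeyAgreement clientKa = KeyAgreement.getInstance("X25519");
            clientKa.init(client.getPrivate());
            clientKa.doPhase(server.getPublic(), true);
            byte[] clientSecret = clientKa.generateSecret();
            return Arrays.equals(serverSecret, clientSecret);
        } catch (InvalidKeyException e) {
            // This is the "cannot identify XDH private key" failure mode from the report.
            System.out.println("Provider rejected SunEC key: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumption for the repro: load BC reflectively (no compile-time dependency) and
        // register it ahead of SunEC so that it is picked for X25519 key agreement.
        if (args.length > 0 && args[0].equals("--with-bc")) {
            Provider bc = (Provider) Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider")
                    .getDeclaredConstructor().newInstance();
            Security.insertProviderAt(bc, 1);
        }
        boolean ok = crossProviderAgreementWorks();
        System.out.println(ok ? "OK: X25519 agreement works" : "FAIL: TLS 1.3 X25519 handshakes would break");
        System.exit(ok ? 0 : 1);
    }
}
```

Run it once with the bcprov jar from the deployment on the classpath and --with-bc, and once without, to tell apart a broken provider version from a broken keystore.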

              People

              Assignee: Chandra Gorantla (cgorantla)
              Reporter: Jesse White (j-white)
              Votes: 1
              Watchers: 16
