Uploaded image for project: 'OpenNMS'
  1. OpenNMS
  2. NMS-13325

SSL/TLS handshake failure

    XMLWordPrintable

Details

    • Bug
    • Status: Resolved (View Workflow)
    • Minor
    • Resolution: Duplicate
    • 27.2.0
    • None
    • Security Level: Default (Default Security Scheme)
    • None
    • Centos 8
      java-11-openjdk-11.0.10
    • HB

    Description

      After updating java from version 11.0.9 to 11.0.10 there is a compatibility problem with bouncycastle version 1.66 (/opt/opennms/lib/bcprov-jdk15on-1.66.jar) which leeds to a java traceback (see below) in the TLS handshake (for example in "org.opennms.netmgt.poller.monitors.HttpsMonitor"). In my (small) test environment I have tested the beta version of bouncycaste (bcprov-jdk15on-169b08.jar) and the problem seems to be solved. (There is an open issue on the github page: https://github.com/bcgit/bc-java/issues/881)

       

      Here is the java traceback:

      javax.net.ssl.SSLHandshakeException: Could not generate secret
      at sun.security.ssl.KAKeyDerivation.t12DeriveKey(KAKeyDerivation.java:91) ~[?:?]
      at sun.security.ssl.KAKeyDerivation.deriveKey(KAKeyDerivation.java:61) ~[?:?]
      at sun.security.ssl.ECDHClientKeyExchange$ECDHEClientKeyExchangeProducer.produce(ECDHClientKeyExchange.java:419) ~[?:?]
      at sun.security.ssl.ClientKeyExchange$ClientKeyExchangeProducer.produce(ClientKeyExchange.java:65) ~[?:?]
      at sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:436) ~[?:?]
      at sun.security.ssl.ServerHelloDone$ServerHelloDoneConsumer.consume(ServerHelloDone.java:182) ~[?:?]
      at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) ~[?:?]
      at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443) ~[?:?]
      at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421) ~[?:?]
      at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182) ~[?:?]
      at sun.security.ssl.SSLTransport.decode(SSLTransport.java:171) ~[?:?]
      at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1418) ~[?:?]
      at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1324) ~[?:?]
      at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440) ~[?:?]
      at sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:829) ~[?:?]
      at sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1199) ~[?:?]
      at java.io.OutputStream.write(OutputStream.java:122) ~[?:?]
      at org.opennms.netmgt.poller.monitors.HttpMonitor$HttpMonitorClient.sendHttpCommand(HttpMonitor.java:540) ~[opennms-services-27.2.0.jar:?]
      at org.opennms.netmgt.poller.monitors.HttpMonitor.poll(HttpMonitor.java:153) [opennms-services-27.2.0.jar:?]
      at org.opennms.netmgt.poller.client.rpc.PollerClientRpcModule$1.get(PollerClientRpcModule.java:77) [org.opennms.features.poller.client-rpc-27.2.0.jar:?]
      at org.opennms.netmgt.poller.client.rpc.PollerClientRpcModule$1.get(PollerClientRpcModule.java:71) [org.opennms.features.poller.client-rpc-27.2.0.jar:?]
      at java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1700) [?:?]
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
      at java.lang.Thread.run(Thread.java:829) [?:?]
      Caused by: java.security.InvalidKeyException: cannot identify XDH private key
      at org.bouncycastle.jcajce.provider.asymmetric.edec.KeyAgreementSpi.engineDoPhase(Unknown Source) ~[bcprov-jdk15on-1.66.jar:1.66.0]
      at javax.crypto.KeyAgreement.doPhase(KeyAgreement.java:579) ~[?:?]
      at sun.security.ssl.KAKeyDerivation.t12DeriveKey(KAKeyDerivation.java:75) ~[?:?]
      ... 24 more

      Attachments

        Issue Links

          Activity

            People

              Unassigned Unassigned
              thi Thomas Hilse
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: