[NMS-7959] Bouncycastle JARs break large-key crypto operations - The OpenNMS Issue Tracker

Details

Type: Bug
Status: Resolved (View Workflow)
Priority: Blocker
Resolution: Fixed
Affects Version/s: 16.0.3, Meridian-2015.1.1, 17.0.0
Fix Version/s: 16.0.4, Meridian-2015.1.1, 17.0.0, 18.0.0
Component/s: Build / Packaging
Security Level: Default (Default Security Scheme)
Labels:
- https
- ssl
Environment:
Fedora 21 (4.1.8-100.fc21.x86_64 #1 SMP Tue Sep 22 12:13:06 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux)
Oracle JDK 1.8_65

Sprint:
Newts - Sprint 7

Description

When trying to use the org.opennms.core.web.HttpClientWrapper class to make an HTTPS client connection to a server supporting high-strength cipher suites, I get the following exception stack trace:

javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) ~[?:1.8.0_65]
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949) ~[?:1.8.0_65]
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1906) ~[?:1.8.0_65]
	at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1889) ~[?:1.8.0_65]
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1410) ~[?:1.8.0_65]
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) ~[?:1.8.0_65]
	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:290) ~[httpclient-4.3.6.jar:4.3.6]
	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:259) ~[httpclient-4.3.6.jar:4.3.6]
	at org.apache.http.impl.conn.HttpClientConnectionOperator.connect(HttpClientConnectionOperator.java:125) ~[httpclient-4.3.6.jar:4.3.6]
	at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:319) ~[httpclient-4.3.6.jar:4.3.6]
	at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:363) ~[httpclient-4.3.6.jar:4.3.6]
	at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:219) ~[httpclient-4.3.6.jar:4.3.6]
	at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:195) ~[httpclient-4.3.6.jar:4.3.6]
	at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:86) ~[httpclient-4.3.6.jar:4.3.6]
	at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:108) ~[httpclient-4.3.6.jar:4.3.6]
	at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184) ~[httpclient-4.3.6.jar:4.3.6]
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82) ~[httpclient-4.3.6.jar:4.3.6]
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:106) ~[httpclient-4.3.6.jar:4.3.6]
	at org.opennms.netmgt.notifd.MattermostNotificationStrategy.send(MattermostNotificationStrategy.java:111) [opennms-services-18.0.0-SNAPSHOT.jar:?]
	at org.opennms.netmgt.notifd.ClassExecutor.execute(ClassExecutor.java:69) [opennms-services-18.0.0-SNAPSHOT.jar:?]
	at org.opennms.netmgt.notifd.NotificationTask.run(NotificationTask.java:269) [opennms-services-18.0.0-SNAPSHOT.jar:?]
Caused by: java.lang.RuntimeException: Could not generate DH keypair
	at sun.security.ssl.ECDHCrypt.<init>(ECDHCrypt.java:81) ~[?:1.8.0_65]
	at sun.security.ssl.ClientHandshaker.serverKeyExchange(ClientHandshaker.java:721) ~[?:1.8.0_65]
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:281) ~[?:1.8.0_65]
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) ~[?:1.8.0_65]
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) ~[?:1.8.0_65]
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) ~[?:1.8.0_65]
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) ~[?:1.8.0_65]
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) ~[?:1.8.0_65]
	... 16 more
Caused by: java.security.InvalidAlgorithmParameterException: parameter object not a ECParameterSpec
	at org.bouncycastle.jce.provider.JDKKeyPairGenerator$EC.initialize(Unknown Source) ~[bcprov-jdk14-1.38.jar:1.38.0]
	at sun.security.ssl.ECDHCrypt.<init>(ECDHCrypt.java:76) ~[?:1.8.0_65]
	at sun.security.ssl.ClientHandshaker.serverKeyExchange(ClientHandshaker.java:721) ~[?:1.8.0_65]
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:281) ~[?:1.8.0_65]
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) ~[?:1.8.0_65]
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) ~[?:1.8.0_65]
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) ~[?:1.8.0_65]
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) ~[?:1.8.0_65]
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) ~[?:1.8.0_65]
	... 16 more

The bouncycastle JCE provider appears to be taking precedence over the JDK-provided one, resulting in this problem. Removing the bcprov JAR from OPENNMS_HOME/lib enables the connections to succeed.

We appear to have picked up an undeclared dependency on the following artifacts from group bouncycastle

bcmail-jdk14
bcprov-jdk14
bctsp-jdk14

We have existing exclusions in the dependencies/jasper POM for bcmail and bcprov. Somebody thought iText could be the culprit.

Attachments

Issue Links

blocks

NMS-9416 EAP-TTLS tunneling protocol for RADIUS poller/detector

Reopened

Bouncycastle JARs break large-key crypto operations

Details

Description

Attachments

Issue Links

Activity

People

Dates