Uploaded image for project: 'OpenNMS'
  1. OpenNMS
  2. NMS-7959

Bouncycastle JARs break large-key crypto operations

    Details

    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 16.0.3, Meridian-2015.1.1, 17.0.0
    • Component/s: Build / Packaging
    • Security Level: Default (Default Security Scheme)
    • Labels:
    • Environment:
      Fedora 21 (4.1.8-100.fc21.x86_64 #1 SMP Tue Sep 22 12:13:06 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux)
      Oracle JDK 1.8_65
    • Sprint:
      Newts - Sprint 7

      Description

      When trying to use the org.opennms.core.web.HttpClientWrapper class to make an HTTPS client connection to a server supporting high-strength cipher suites, I get the following exception stack trace:

      javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
      	at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) ~[?:1.8.0_65]
      	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949) ~[?:1.8.0_65]
      	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1906) ~[?:1.8.0_65]
      	at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1889) ~[?:1.8.0_65]
      	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1410) ~[?:1.8.0_65]
      	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) ~[?:1.8.0_65]
      	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:290) ~[httpclient-4.3.6.jar:4.3.6]
      	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:259) ~[httpclient-4.3.6.jar:4.3.6]
      	at org.apache.http.impl.conn.HttpClientConnectionOperator.connect(HttpClientConnectionOperator.java:125) ~[httpclient-4.3.6.jar:4.3.6]
      	at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:319) ~[httpclient-4.3.6.jar:4.3.6]
      	at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:363) ~[httpclient-4.3.6.jar:4.3.6]
      	at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:219) ~[httpclient-4.3.6.jar:4.3.6]
      	at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:195) ~[httpclient-4.3.6.jar:4.3.6]
      	at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:86) ~[httpclient-4.3.6.jar:4.3.6]
      	at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:108) ~[httpclient-4.3.6.jar:4.3.6]
      	at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184) ~[httpclient-4.3.6.jar:4.3.6]
      	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82) ~[httpclient-4.3.6.jar:4.3.6]
      	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:106) ~[httpclient-4.3.6.jar:4.3.6]
      	at org.opennms.netmgt.notifd.MattermostNotificationStrategy.send(MattermostNotificationStrategy.java:111) [opennms-services-18.0.0-SNAPSHOT.jar:?]
      	at org.opennms.netmgt.notifd.ClassExecutor.execute(ClassExecutor.java:69) [opennms-services-18.0.0-SNAPSHOT.jar:?]
      	at org.opennms.netmgt.notifd.NotificationTask.run(NotificationTask.java:269) [opennms-services-18.0.0-SNAPSHOT.jar:?]
      Caused by: java.lang.RuntimeException: Could not generate DH keypair
      	at sun.security.ssl.ECDHCrypt.<init>(ECDHCrypt.java:81) ~[?:1.8.0_65]
      	at sun.security.ssl.ClientHandshaker.serverKeyExchange(ClientHandshaker.java:721) ~[?:1.8.0_65]
      	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:281) ~[?:1.8.0_65]
      	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) ~[?:1.8.0_65]
      	at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) ~[?:1.8.0_65]
      	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) ~[?:1.8.0_65]
      	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) ~[?:1.8.0_65]
      	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) ~[?:1.8.0_65]
      	... 16 more
      Caused by: java.security.InvalidAlgorithmParameterException: parameter object not a ECParameterSpec
      	at org.bouncycastle.jce.provider.JDKKeyPairGenerator$EC.initialize(Unknown Source) ~[bcprov-jdk14-1.38.jar:1.38.0]
      	at sun.security.ssl.ECDHCrypt.<init>(ECDHCrypt.java:76) ~[?:1.8.0_65]
      	at sun.security.ssl.ClientHandshaker.serverKeyExchange(ClientHandshaker.java:721) ~[?:1.8.0_65]
      	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:281) ~[?:1.8.0_65]
      	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) ~[?:1.8.0_65]
      	at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) ~[?:1.8.0_65]
      	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) ~[?:1.8.0_65]
      	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) ~[?:1.8.0_65]
      	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) ~[?:1.8.0_65]
      	... 16 more
      

      The bouncycastle JCE provider appears to be taking precedence over the JDK-provided one, resulting in this problem. Removing the bcprov JAR from OPENNMS_HOME/lib enables the connections to succeed.

      We appear to have picked up an undeclared dependency on the following artifacts from group bouncycastle

      • bcmail-jdk14
      • bcprov-jdk14
      • bctsp-jdk14

      We have existing exclusions in the dependencies/jasper POM for bcmail and bcprov. Somebody thought iText could be the culprit.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                ranger Benjamin Reed
                Reporter:
                jeffg Jeff Gehlbach
              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: