Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

JDK 11.0.10 support for X25519 and X448 in TLS #868

Closed
KyleBS opened this issue Jan 22, 2021 · 1 comment
Closed

JDK 11.0.10 support for X25519 and X448 in TLS #868

KyleBS opened this issue Jan 22, 2021 · 1 comment

Comments

@KyleBS
Copy link

KyleBS commented Jan 22, 2021

Howdy,

With the release of JDK 11.0.10, I've begun to see the following exceptions in my logs:

Caused by: java.lang.ClassCastException: class org.bouncycastle.jcajce.provider.asymmetric.edec.BCXDHPublicKey cannot be cast to class java.security.interfaces.XECPublicKey (org.bouncycastle.jcajce.provider.asymmetric.edec.BCXDHPublicKey is in unnamed mod
ule of loader 'app'; java.security.interfaces.XECPublicKey is in module java.base of loader 'bootstrap')
        at sun.security.ssl.XDHKeyExchange$XDHEPossession.<init>(XDHKeyExchange.java:108) ~[?:?]
        at sun.security.ssl.NamedGroup$XDHFunctions.createPossession(NamedGroup.java:754) ~[?:?]
        at sun.security.ssl.NamedGroup.createPossession(NamedGroup.java:394) ~[?:?]
        at sun.security.ssl.SSLKeyExchange$T13KeyAgreement.createPossession(SSLKeyExchange.java:568) ~[?:?]
        at sun.security.ssl.SSLKeyExchange.createPossessions(SSLKeyExchange.java:84) ~[?:?]
        at sun.security.ssl.KeyShareExtension$CHKeyShareProducer.produce(KeyShareExtension.java:257) ~[?:?]
        at sun.security.ssl.SSLExtension.produce(SSLExtension.java:563) ~[?:?]
        at sun.security.ssl.SSLExtensions.produce(SSLExtensions.java:253) ~[?:?]
        at sun.security.ssl.ClientHello$ClientHelloKickstartProducer.produce(ClientHello.java:650) ~[?:?]
        at sun.security.ssl.SSLHandshake.kickstart(SSLHandshake.java:525) ~[?:?]
        at sun.security.ssl.ClientHandshakeContext.kickstart(ClientHandshakeContext.java:107) ~[?:?]
        at sun.security.ssl.TransportContext.kickstart(TransportContext.java:232) ~[?:?]
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:433) ~[?:?]
        ... 54 more

In this release support was added for ECC curves X25519 and X448 in TLS. This appears to not play nicely with BC 1.67. Searching through prior issues, it seems that there was a similar report for JDK 13 that was fixed in #620. Fortunately for those needing a workaround, the one presented there works for me by setting the following JVM arg:

jdk.tls.namedGroups="secp256r1, secp384r1, secp521r1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192"

Sorry if this is a duplicate, just looking to get visibility out there!
@KyleBS
Copy link
Author

KyleBS commented Jan 22, 2021
edited
Loading

Going to go ahead and self-resolve as this appears fixed with ok3141@18c3bb7

@KyleBS KyleBS closed this as completed Jan 22, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@KyleBS