community/openjdk8: Bug #7404 TLS negotiation error in OpenJDK 8 u131

Fixes an OpenJDK 8 regression discovered in docker-library/openjdk#115 on Alpine Linux 3.5 (u121) and 3.6 (u131) that causes TLS negotiation errors for some clients. Root cause appears to be OpenJDK announcing support for NIST curves the underlying NSS library does doesn't. This patch limits OpenJDK's announcement to elliptic curves 23 (secp256r1), 24 (secp384r1), and 25 (secp521r1). Related issues: * https://github.com/docker-library/openjdk/issues/115 * https://bugs.alpinelinux.org/issues/7404 * https://access.redhat.com/discussions/2339811 * https://bugzilla.redhat.com/show_bug.cgi?id=1022017 * https://bugzilla.redhat.com/show_bug.cgi?id=1348525 ref #7404
author: Shatil Rafiullah <shatil@atomtickets.com> 2017-06-15 10:09:25 -0700
committer: Natanael Copa <ncopa@alpinelinux.org> 2017-06-16 14:21:10 +0200
commit: a83deb21e05db11acc1db3112d0ad9d65f521b5f (patch)
tree: 21d9b543ae28797a6a7a65544aa16187261ccf0a
parent: ae75ee252e5f5b74ab965dca33af72390d00626a (diff)
download: alpine_aports-a83deb21e05db11acc1db3112d0ad9d65f521b5f.tar.bz2
alpine_aports-a83deb21e05db11acc1db3112d0ad9d65f521b5f.tar.xz
alpine_aports-a83deb21e05db11acc1db3112d0ad9d65f521b5f.zip
2 files changed, 51 insertions, 2 deletions
diff --git a/community/openjdk8/APKBUILD b/community/openjdk8/APKBUILD
index 4f8db316d5..a954089bd0 100644
--- a/community/openjdk8/APKBUILD
+++ b/community/openjdk8/APKBUILD
@@ -6,7 +6,7 @@ _icedteaver=3.4.0
 # pkgver is <JDK version>.<JDK update>.<JDK build>
 # Check http://icedtea.classpath.org/wiki/Main_Page when updating!
 pkgver=8.131.11
-pkgrel=1
+pkgrel=2
 pkgdesc="OpenJDK 8 provided by IcedTea"
 url="http://icedtea.classpath.org/"
 arch="all"
@@ -66,6 +66,7 @@ source="http://icedtea.classpath.org/download/source/icedtea-$_icedteaver.tar.gz
        icedtea-jdk-includes.patch
        icedtea-jdk-getmntent-buffer.patch
        icedtea-autoconf-config.patch
+        icedtea-jdk-tls-nist-curves.patch
        "
 builddir="$srcdir/icedtea-$_icedteaver"
@@ -286,4 +287,5 @@ b135991c76b0db8fa7c363e0903624668e11eda7b54a943035c214aa4d7fc8c3e8110ed200edcec8
 cdebe2c59657e7fd317a4841b2fbe95d9e8d7ee9d1593edf352ed7f49a92a42cbce82cbaa404d3f02c6d273eae03222a79559c09bf6cf439396c5ec5434f5458  icedtea-jdk-musl.patch
 e8d9f1b867bf4fc84aa00d1237b264bcf503b1ed5f34735e14b0b747a728953fe0051a5af69ed058d377fbf65d8be1ed9e38fe5fc6edb2d50b31f34bf3ba91dc  icedtea-jdk-includes.patch
 7e6fa46b10c630517bfa46943858aea1d032c12d32ba3fcb7a2143ae1e896c34fa4cb8f925af80cb19f8e29149b835aa054adfd30ebb00539f6c78588d6f5211  icedtea-jdk-getmntent-buffer.patch
-662d662d0a7a84be2978e921317589f212f3ba3b7629527ba0f1140b5ac4c1024893e0ed176211688ed1a4505968c4befc841ed57ffcdbb9d355c2cb0571b167  icedtea-autoconf-config.patch"
+662d662d0a7a84be2978e921317589f212f3ba3b7629527ba0f1140b5ac4c1024893e0ed176211688ed1a4505968c4befc841ed57ffcdbb9d355c2cb0571b167  icedtea-autoconf-config.patch
+313ba3467efad73120d307c16be8e793fa39de92d6c28c2faed11c14dd6f60e0f1a290f330d4dc849ae8f97c7bea84eec2d0be02c70bc9903664e22497dd2d22  icedtea-jdk-tls-nist-curves.patch"
diff --git a/community/openjdk8/icedtea-jdk-tls-nist-curves.patch b/community/openjdk8/icedtea-jdk-tls-nist-curves.patch
new file mode 100644
index 0000000000..24c4c44a53
--- /dev/null
+++ b/community/openjdk8/icedtea-jdk-tls-nist-curves.patch
@@ -0,0 +1,47 @@
+Bug #7404 TLS negotiation error in OpenJDK 8 u131
+Fixes an OpenJDK 8 regression discovered in docker-library/openjdk#115
+on Alpine Linux 3.5 (u121) and 3.6 (u131) that causes TLS negotiation
+errors for some clients.
+Root cause appears to be OpenJDK announcing support for NIST curves the
+underlying NSS library does doesn't. This patch limits OpenJDK's
+announcement to elliptic curves 23 (secp256r1), 24 (secp384r1), and 25
+(secp521r1).
+Related issues:
+* https://github.com/docker-library/openjdk/issues/115
+* https://bugs.alpinelinux.org/issues/7404
+* https://access.redhat.com/discussions/2339811
+* https://bugzilla.redhat.com/show_bug.cgi?id=1022017
+* https://bugzilla.redhat.com/show_bug.cgi?id=1348525
+--- openjdk.orig/jdk/src/share/classes/sun/security/ssl/SupportedEllipticCurvesExtension.java   2017-05-08 20:03:50.000000000 -0700
+++ openjdk/jdk/src/share/classes/sun/security/ssl/SupportedEllipticCurvesExtension.java        2017-06-14 13:37:00.000000000 -0700
+@@ -168,21 +168,10 @@
+                     "contains no supported elliptic curves");
+             }
+         } else {        // default curves
+-            int[] ids;
+-            if (requireFips) {
+-                ids = new int[] {
+-                    // only NIST curves in FIPS mode
+-                    23, 24, 25, 9, 10, 11, 12, 13, 14,
+-                };
+-            } else {
+-                ids = new int[] {
+-                    // NIST curves first
+-                    23, 24, 25, 9, 10, 11, 12, 13, 14,
+-                    // non-NIST curves
+-                    22,
+-                };
+-            }
+-
+            int[] ids = new int[] {
+                // NSS currently only supports these three NIST curves
+                23, 24, 25
+            };
+             idList = new ArrayList<>(ids.length);
+             for (int curveId : ids) {
+                 if (isAvailableCurve(curveId)) {
author	Shatil Rafiullah <shatil@atomtickets.com>	2017-06-15 10:09:25 -0700
committer	Natanael Copa <ncopa@alpinelinux.org>	2017-06-16 14:21:10 +0200
commit	a83deb21e05db11acc1db3112d0ad9d65f521b5f (patch)
tree	21d9b543ae28797a6a7a65544aa16187261ccf0a
parent	ae75ee252e5f5b74ab965dca33af72390d00626a (diff)
download	alpine_aports-a83deb21e05db11acc1db3112d0ad9d65f521b5f.tar.bz2 alpine_aports-a83deb21e05db11acc1db3112d0ad9d65f521b5f.tar.xz alpine_aports-a83deb21e05db11acc1db3112d0ad9d65f521b5f.zip

diff --git a/community/openjdk8/APKBUILD b/community/openjdk8/APKBUILD index 4f8db316d5..a954089bd0 100644 --- a/community/openjdk8/APKBUILD +++ b/community/openjdk8/APKBUILD
@@ -6,7 +6,7 @@ _icedteaver=3.4.0
6	# pkgver is <JDK version>.<JDK update>.<JDK build>	6	# pkgver is <JDK version>.<JDK update>.<JDK build>
7	# Check http://icedtea.classpath.org/wiki/Main_Page when updating!	7	# Check http://icedtea.classpath.org/wiki/Main_Page when updating!
8	pkgver=8.131.11	8	pkgver=8.131.11
9	pkgrel=1	9	pkgrel=2
10	pkgdesc="OpenJDK 8 provided by IcedTea"	10	pkgdesc="OpenJDK 8 provided by IcedTea"
11	url="http://icedtea.classpath.org/"	11	url="http://icedtea.classpath.org/"
12	arch="all"	12	arch="all"
@@ -66,6 +66,7 @@ source="http://icedtea.classpath.org/download/source/icedtea-$_icedteaver.tar.gz
66	icedtea-jdk-includes.patch	66	icedtea-jdk-includes.patch
67	icedtea-jdk-getmntent-buffer.patch	67	icedtea-jdk-getmntent-buffer.patch
68	icedtea-autoconf-config.patch	68	icedtea-autoconf-config.patch
		69	icedtea-jdk-tls-nist-curves.patch
69	"	70	"
70	builddir="$srcdir/icedtea-$_icedteaver"	71	builddir="$srcdir/icedtea-$_icedteaver"
71		72
@@ -286,4 +287,5 @@ b135991c76b0db8fa7c363e0903624668e11eda7b54a943035c214aa4d7fc8c3e8110ed200edcec8
286	cdebe2c59657e7fd317a4841b2fbe95d9e8d7ee9d1593edf352ed7f49a92a42cbce82cbaa404d3f02c6d273eae03222a79559c09bf6cf439396c5ec5434f5458 icedtea-jdk-musl.patch	287	cdebe2c59657e7fd317a4841b2fbe95d9e8d7ee9d1593edf352ed7f49a92a42cbce82cbaa404d3f02c6d273eae03222a79559c09bf6cf439396c5ec5434f5458 icedtea-jdk-musl.patch
287	e8d9f1b867bf4fc84aa00d1237b264bcf503b1ed5f34735e14b0b747a728953fe0051a5af69ed058d377fbf65d8be1ed9e38fe5fc6edb2d50b31f34bf3ba91dc icedtea-jdk-includes.patch	288	e8d9f1b867bf4fc84aa00d1237b264bcf503b1ed5f34735e14b0b747a728953fe0051a5af69ed058d377fbf65d8be1ed9e38fe5fc6edb2d50b31f34bf3ba91dc icedtea-jdk-includes.patch
288	7e6fa46b10c630517bfa46943858aea1d032c12d32ba3fcb7a2143ae1e896c34fa4cb8f925af80cb19f8e29149b835aa054adfd30ebb00539f6c78588d6f5211 icedtea-jdk-getmntent-buffer.patch	289	7e6fa46b10c630517bfa46943858aea1d032c12d32ba3fcb7a2143ae1e896c34fa4cb8f925af80cb19f8e29149b835aa054adfd30ebb00539f6c78588d6f5211 icedtea-jdk-getmntent-buffer.patch
289	662d662d0a7a84be2978e921317589f212f3ba3b7629527ba0f1140b5ac4c1024893e0ed176211688ed1a4505968c4befc841ed57ffcdbb9d355c2cb0571b167 icedtea-autoconf-config.patch"	290	662d662d0a7a84be2978e921317589f212f3ba3b7629527ba0f1140b5ac4c1024893e0ed176211688ed1a4505968c4befc841ed57ffcdbb9d355c2cb0571b167 icedtea-autoconf-config.patch
		291	313ba3467efad73120d307c16be8e793fa39de92d6c28c2faed11c14dd6f60e0f1a290f330d4dc849ae8f97c7bea84eec2d0be02c70bc9903664e22497dd2d22 icedtea-jdk-tls-nist-curves.patch"


diff --git a/community/openjdk8/icedtea-jdk-tls-nist-curves.patch b/community/openjdk8/icedtea-jdk-tls-nist-curves.patch new file mode 100644 index 0000000000..24c4c44a53 --- /dev/null +++ b/community/openjdk8/icedtea-jdk-tls-nist-curves.patch
@@ -0,0 +1,47 @@
		1	Bug #7404 TLS negotiation error in OpenJDK 8 u131
		2
		3	Fixes an OpenJDK 8 regression discovered in docker-library/openjdk#115
		4	on Alpine Linux 3.5 (u121) and 3.6 (u131) that causes TLS negotiation
		5	errors for some clients.
		6
		7	Root cause appears to be OpenJDK announcing support for NIST curves the
		8	underlying NSS library does doesn't. This patch limits OpenJDK's
		9	announcement to elliptic curves 23 (secp256r1), 24 (secp384r1), and 25
		10	(secp521r1).
		11
		12	Related issues:
		13
		14	* https://github.com/docker-library/openjdk/issues/115
		15	* https://bugs.alpinelinux.org/issues/7404
		16	* https://access.redhat.com/discussions/2339811
		17	* https://bugzilla.redhat.com/show_bug.cgi?id=1022017
		18	* https://bugzilla.redhat.com/show_bug.cgi?id=1348525
		19
		20	--- openjdk.orig/jdk/src/share/classes/sun/security/ssl/SupportedEllipticCurvesExtension.java 2017-05-08 20:03:50.000000000 -0700
		21	+++ openjdk/jdk/src/share/classes/sun/security/ssl/SupportedEllipticCurvesExtension.java 2017-06-14 13:37:00.000000000 -0700
		22	@@ -168,21 +168,10 @@
		23	"contains no supported elliptic curves");
		24	}
		25	} else { // default curves
		26	- int[] ids;
		27	- if (requireFips) {
		28	- ids = new int[] {
		29	- // only NIST curves in FIPS mode
		30	- 23, 24, 25, 9, 10, 11, 12, 13, 14,
		31	- };
		32	- } else {
		33	- ids = new int[] {
		34	- // NIST curves first
		35	- 23, 24, 25, 9, 10, 11, 12, 13, 14,
		36	- // non-NIST curves
		37	- 22,
		38	- };
		39	- }
		40	-
		41	+ int[] ids = new int[] {
		42	+ // NSS currently only supports these three NIST curves
		43	+ 23, 24, 25
		44	+ };
		45	idList = new ArrayList<>(ids.length);
		46	for (int curveId : ids) {
		47	if (isAvailableCurve(curveId)) {