author | Shatil Rafiullah <shatil@atomtickets.com> | 2017-06-15 10:09:25 -0700 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2017-06-16 14:21:10 +0200 |
commit | a83deb21e05db11acc1db3112d0ad9d65f521b5f (patch) | |
tree | 21d9b543ae28797a6a7a65544aa16187261ccf0a | |
parent | ae75ee252e5f5b74ab965dca33af72390d00626a (diff) | |
community/openjdk8: Bug #7404 TLS negotiation error in OpenJDK 8 u131
Fixes an OpenJDK 8 regression discovered in docker-library/openjdk#115
on Alpine Linux 3.5 (u121) and 3.6 (u131) that causes TLS negotiation
errors for some clients.
Root cause appears to be OpenJDK announcing support for NIST curves the
underlying NSS library doesn't. This patch limits OpenJDK's
announcement to elliptic curves 23 (secp256r1), 24 (secp384r1), and 25
(secp521r1).
Related issues:
* https://github.com/docker-library/openjdk/issues/115
* https://bugs.alpinelinux.org/issues/7404
* https://access.redhat.com/discussions/2339811
* https://bugzilla.redhat.com/show_bug.cgi?id=1022017
* https://bugzilla.redhat.com/show_bug.cgi?id=1348525
ref #7404
-rw-r--r-- | community/openjdk8/APKBUILD | 6 | ||||
-rw-r--r-- | community/openjdk8/icedtea-jdk-tls-nist-curves.patch | 47 |
2 files changed, 51 insertions, 2 deletions
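--- a/community/openjdk8/APKBUILD
+++ b/community/openjdk8/APKBUILD
@@ -6,7 +6,7 @@ _icedteaver=3.4.0
 # pkgver is <JDK version>.<JDK update>.<JDK build>
 # Check http://icedtea.classpath.org/wiki/Main_Page when updating!
 pkgver=8.131.11
-pkgrel=1
+pkgrel=2
 pkgdesc="OpenJDK 8 provided by IcedTea"
 url="http://icedtea.classpath.org/"
 arch="all"
@@ -66,6 +66,7 @@ source="http://icedtea.classpath.org/download/source/icedtea-$_icedteaver.tar.gz
 icedtea-jdk-includes.patch
 icedtea-jdk-getmntent-buffer.patch
 icedtea-autoconf-config.patch
+icedtea-jdk-tls-nist-curves.patch
 "
 builddir="$srcdir/icedtea-$_icedteaver"
 
@@ -286,4 +287,5 @@ b135991c76b0db8fa7c363e0903624668e11eda7b54a943035c214aa4d7fc8c3e8110ed200edcec8
 cdebe2c59657e7fd317a4841b2fbe95d9e8d7ee9d1593edf352ed7f49a92a42cbce82cbaa404d3f02c6d273eae03222a79559c09bf6cf439396c5ec5434f5458 icedtea-jdk-musl.patch
 e8d9f1b867bf4fc84aa00d1237b264bcf503b1ed5f34735e14b0b747a728953fe0051a5af69ed058d377fbf65d8be1ed9e38fe5fc6edb2d50b31f34bf3ba91dc icedtea-jdk-includes.patch
 7e6fa46b10c630517bfa46943858aea1d032c12d32ba3fcb7a2143ae1e896c34fa4cb8f925af80cb19f8e29149b835aa054adfd30ebb00539f6c78588d6f5211 icedtea-jdk-getmntent-buffer.patch
-662d662d0a7a84be2978e921317589f212f3ba3b7629527ba0f1140b5ac4c1024893e0ed176211688ed1a4505968c4befc841ed57ffcdbb9d355c2cb0571b167 icedtea-autoconf-config.patch"
+662d662d0a7a84be2978e921317589f212f3ba3b7629527ba0f1140b5ac4c1024893e0ed176211688ed1a4505968c4befc841ed57ffcdbb9d355c2cb0571b167 icedtea-autoconf-config.patch
+313ba3467efad73120d307c16be8e793fa39de92d6c28c2faed11c14dd6f60e0f1a290f330d4dc849ae8f97c7bea84eec2d0be02c70bc9903664e22497dd2d22 icedtea-jdk-tls-nist-curves.patch"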
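--- /dev/null
+++ b/community/openjdk8/icedtea-jdk-tls-nist-curves.patch
@@ -0,0 +1,47 @@
+Bug #7404 TLS negotiation error in OpenJDK 8 u131
+
+Fixes an OpenJDK 8 regression discovered in docker-library/openjdk#115
+on Alpine Linux 3.5 (u121) and 3.6 (u131) that causes TLS negotiation
+errors for some clients.
+
+Root cause appears to be OpenJDK announcing support for NIST curves the
+underlying NSS library does doesn't. This patch limits OpenJDK's
+announcement to elliptic curves 23 (secp256r1), 24 (secp384r1), and 25
+(secp521r1).
+
+Related issues:
+
+* https://github.com/docker-library/openjdk/issues/115
+* https://bugs.alpinelinux.org/issues/7404
+* https://access.redhat.com/discussions/2339811
+* https://bugzilla.redhat.com/show_bug.cgi?id=1022017
+* https://bugzilla.redhat.com/show_bug.cgi?id=1348525
+
+--- openjdk.orig/jdk/src/share/classes/sun/security/ssl/SupportedEllipticCurvesExtension.java 2017-05-08 20:03:50.000000000 -0700
++++ openjdk/jdk/src/share/classes/sun/security/ssl/SupportedEllipticCurvesExtension.java 2017-06-14 13:37:00.000000000 -0700
+@@ -168,21 +168,10 @@
+"contains no supported elliptic curves");
+}
+} else { // default curves
+- int[] ids;
+- if (requireFips) {
+- ids = new int[] {
+- // only NIST curves in FIPS mode
+- 23, 24, 25, 9, 10, 11, 12, 13, 14,
+- };
+- } else {
+- ids = new int[] {
+- // NIST curves first
+- 23, 24, 25, 9, 10, 11, 12, 13, 14,
+- // non-NIST curves
+- 22,
+- };
+- }
+-
++ int[] ids = new int[] {
++ // NSS currently only supports these three NIST curves
++ 23, 24, 25
++ };
+idList = new ArrayList<>(ids.length);
+for (int curveId : ids) {
+if (isAvailableCurve(curveId)) {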
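Review bot: The new `int[] ids` list in the `else { // default curves` branch is hard-coded to 23, 24, 25 for every runtime configuration, although its comment ties the choice to NSS; on a JVM whose EC provider is not NSS-backed this also stops advertising curves that would work, and nothing in the code records that this is a distribution workaround. The loop that follows still filters through `isAvailableCurve(curveId)`, so that check seems to accept curves the NSS-backed provider cannot actually negotiate, which the patch masks rather than fixes. The branch just above (the one ending in the "contains no supported elliptic curves" error) is untouched, so a configured curve list can presumably still announce unsupported curves and reproduce the handshake failure. Dropping the `requireFips` split looks safe, since all three remaining curves were already in the FIPS list. I would change the comment to `// Alpine workaround, bug #7404: NSS only supports secp256r1 (23), secp384r1 (24), secp521r1 (25); revisit on IcedTea updates`; the enclosing method starts and ends outside the hunk.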