Debian
openjdk-7 package

  1. Bug #1006776
  2. Comment #18

Comment 18 for bug 1006776

Revision history for this message
In , jesusr (jesusr-redhat-bugs) wrote :

Created attachment 815006
SSL debug from tomcat6's catalina.out

Description of problem:
Using RHEL 6.5, tomcat6 and java-1.7.0-openjdk, I get the following exception in the catalina.out:

%% Initialized: [Session-1, SSL_NULL_WITH_NULL_NULL]
matching alias: tomcat
http-8443-1, handling exception: java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
%% Invalidated: [Session-1, SSL_NULL_WITH_NULL_NULL]

The client gets an SSL error. If I use java-1.6.0 the problem goes away. If I used the java.security and nss.cfg from java-1.60 with java-1.7.0 it works fine as well.

This is *not* a problem with java-1.7.0-1.7.0.60 on Fedora 18 or 19. Looking in dist-git we enabled nss for RHEL 6.5:

%global enable_nss 1

That is the only difference I have found between the JREs.

Version-Release number of selected component (if applicable):

I have tried both version of the jdk with no success.

java-1.7.0-openjdk-1.7.0.40-2.4.2.5.el6.x86_64
java-1.7.0-openjdk-1.7.0.45-2.4.3.0.el6.x86_64
nss-softokn-freebl-3.14.3-9.el6.x86_64
nss-util-3.15.1-3.el6.x86_64
mod_dnssd-0.6-2.el6.x86_64
python-nss-0.13-1.el6.x86_64
openssl-1.0.1e-15.el6.x86_64
openssh-askpass-5.3p1-94.el6.x86_64
openssl-devel-1.0.1e-15.el6.x86_64
openssh-server-5.3p1-94.el6.x86_64
openssh-clients-5.3p1-94.el6.x86_64
nss-3.15.1-15.el6.x86_64
nss-tools-3.15.1-15.el6.x86_64
openssh-5.3p1-94.el6.x86_64
nss-softokn-3.14.3-9.el6.x86_64
nss-sysinit-3.15.1-15.el6.x86_64

How reproducible:
On my RHEL 6.5 guest with the above rpm versions, I can recreate it at will.

Steps to Reproduce:
1. Installed RHEL 6.5
2. Ensure java-1.7.0-openjdk is installed
3. Install Subscription Asset Manager (SAM) 1.3
4. try to connect using rest-client
4a. scl enable ruby193 'irb'
4b. > require 'rest-client'
4c. > RestClient.get("https://localhost:8443/candlepin/status")

Actual results:
client gets an error.

OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
        from /opt/rh/ruby193/root/usr/share/ruby/net/http.rb:800:in `connect'

Tomcat spews out:
%% Initialized: [Session-1, SSL_NULL_WITH_NULL_NULL]
http-8443-1, handling exception: java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
%% Invalidated: [Session-1, SSL_NULL_WITH_NULL_NULL]

Expected results:
The JSON output from the Candlepin java app. Like I said above if I switch to java-1.6 or use the configs from 1.6 with java-1.7, it works fine.

Additional info: