Comment 9 for bug 1006776

Christoph W (wech) wrote :

Hm. Now I get a java.lang.ClassNotFoundException: sun.security.ec.SunEC even on openjdk7. I was sure this worked before.

It seems the SunEC provider was added in jdk7, so no way to get this to work in jdk6, but it should work on openjdk7 at least.
http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunEC

The reason it worked on openjdk-6 yesterday was plainly that I commented out the pkcs11 provider, and the SunEC provider is not available, so EllipticCurve was disabled completely when negotiating the used cipher.

So a potential workaround for people affected by this problem would be to comment out the line

#security.provider.9=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg

But of course this has the potential problem that EC is no longer available at all, which might affect other Java applications too.

In my opinion it would be best to fix sun.security.ssl.HelloExtensions.isSupported() so it returns only true for secp256r1, secp384r1 and secp521r1 when the SunEC provider is not available.

I guess somebody else knows better than me how to implement this in a generic way. For example, I don't know why the SunEC provider is not included in IcedTea. Is this a licensing issue for oss? For libnss3 it seems to be a patent issue with the other curves from what I've read, but I'm also not sure about this. Otherwise the best solution of all would be to add the missing curves - but I guess there is a reason they were removed.

The most non-generic but easiest working solution would probably be through a patch to the openjdk sources for IcedTea which does a hard check for all curves implemented in libnss3 and only returns true for them.
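
A diagnostic for the situation described in this comment, added here as an example and not taken from the bug report or from OpenJDK/IcedTea: it lists the registered EC-relevant providers and tries to generate a key pair on each named curve, which shows which curves the installed JRE can really back. The class name `EcCurveProbe` and the curve list are assumptions chosen for illustration.

```java
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.spec.ECGenParameterSpec;

public class EcCurveProbe {
    // Constructed sample list: the three curves named in the comment
    // plus two other named curves for comparison.
    static final String[] CURVES = {
        "secp256r1", "secp384r1", "secp521r1", "secp256k1", "sect283k1"
    };

    // True for the providers the comment is about: SunEC and any
    // SunPKCS11 instance (its name depends on the nss.cfg in use).
    static boolean isEcRelevant(Provider p) {
        return p.getName().equals("SunEC") || p.getName().startsWith("SunPKCS11");
    }

    // Generates a key pair on the curve, because some providers accept
    // the parameters in initialize() and only fail at generation time.
    static String curveSupport(String curve) {
        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
            kpg.initialize(new ECGenParameterSpec(curve));
            kpg.generateKeyPair();
            return "ok via " + kpg.getProvider().getName();
        } catch (Exception | LinkageError e) {
            // NoSuchAlgorithmException: no EC provider registered at all.
            // InvalidAlgorithmParameterException / ProviderException:
            // a provider exists but does not implement this curve.
            return "unavailable (" + e.getClass().getSimpleName() + ")";
        }
    }

    public static void main(String[] args) {
        System.out.println("java.version = " + System.getProperty("java.version"));
        for (Provider p : Security.getProviders()) {
            if (isEcRelevant(p)) {
                System.out.println("provider: " + p.getName() + " " + p.getInfo());
            }
        }
        for (String curve : CURVES) {
            System.out.println(curve + ": " + curveSupport(curve));
        }
    }
}
```

Running it before and after editing the `security.provider.9` line in `java.security` shows whether EC disappears entirely or only some curves fail.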