弁財天

ゴフマン「専門家を信じるのではなく、自分自身で考えて判断せよ」

TomcatのHTTPSポートが原因でOpenJDK-1.8.0_111-b16がSIGSEGV。ECDHEなどEC(elliptic curve/楕円曲線)ロジックが全滅。

Fedora25のTomcatのSSLポートでSIGSEGVでjavaプロセスが落ちるw

C  [libc.so.6+0x1524d0]  __memcpy_ssse3+0x90
C  [libsunec.so+0x139a]  Java_sun_security_ec_ECKeyPairGenerator_generateECKeyPair+0x12a

Bug 1411116 - java-1.8.0-openjdk: SIGSEGV (0xb)
バグだ。ECDHEなどのEC(elliptic curve/楕円曲線)のロジックが全滅。

Bug 1415137 - java-1.8.0-openjdk: NSS 3.28 update causes core dump [NEEDINFO]

With the attached differences, and Hubert's detective skills, the following difference in the /usr/lib/jvm/java-*/jre/lib/security/java.security
file triggers (or prevents the problem).

Broken:
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768

Working:
jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768, EC, ECDHE, ECDH
なんだ?暗号化強度を落とすための工作?しかも回避策がミスリードされてるw

/usr/lib/jvm/java-*/jre/lib/security/java.securityを

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
から
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, EC, ECDHE, ECDH
に修正してSIGSEGVは回避できるけど暗号化強度は落ちることになるw

javaのhttpsは諦めてhttpdの暗号化に頼るのがよさげ。でも意図的にECアルゴリズムにバグを組み込んだよーにも見えるので、このまま何されるのか待ってるのもいーかもよ。

/var/log/messages

Jan 25 08:44:38 localhost server: #
Jan 25 08:44:38 localhost server: # A fatal error has been detected by the Java Runtime Environment:
Jan 25 08:44:38 localhost server: #
Jan 25 08:44:38 localhost server: #  SIGSEGV (0xb) at pc=0x00007f409bdc34d0, pid=3872, tid=0x00007f3fe76f8700
Jan 25 08:44:38 localhost server: #
Jan 25 08:44:38 localhost server: # JRE version: OpenJDK Runtime Environment (8.0_111-b16) (build 1.8.0_111-b16)
Jan 25 08:44:38 localhost server: # Java VM: OpenJDK 64-Bit Server VM (25.111-b16 mixed mode linux-amd64 compressed oops)
Jan 25 08:44:38 localhost server: # Problematic frame:
Jan 25 08:44:38 localhost server: # C  [libc.so.6+0x1524d0]  __memcpy_ssse3+0x90
Jan 25 08:44:38 localhost server: #
Jan 25 08:44:38 localhost server: # Core dump written. Default location: /usr/share/tomcat/core or core.3872
Jan 25 08:44:38 localhost server: #
Jan 25 08:44:38 localhost server: # An error report file with more information is saved as:
Jan 25 08:44:38 localhost server: # /usr/share/tomcat/hs_err_pid3872.log
Jan 25 08:44:38 localhost audit: ANOM_ABEND auid=4294967295 uid=91 gid=91 ses=4294967295 pid=3872 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.111-5.b16.fc25.x86_64/jre/bin/java" sig=6
Jan 25 08:44:38 localhost server: #
Jan 25 08:44:38 localhost server: # If you would like to submit a bug report, please visit:
Jan 25 08:44:38 localhost server: #   http://bugreport.java.com/bugreport/crash.jsp
Jan 25 08:44:38 localhost server: #
Jan 25 08:44:38 localhost systemd: Started Process Core Dump (PID 7955/UID 0).

/usr/share/tomcat/hs_err_pid3872.log

[error occurred during error reporting (printing register info), id 0xb]

Stack: [0x00007f3fe75f8000,0x00007f3fe76f9000],  sp=0x00007f3fe76f6eb8,  free space=1019k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
C  [libc.so.6+0x1524d0]  __memcpy_ssse3+0x90
C  [libsunec.so+0x1230]
C  [libsunec.so+0x139a]  Java_sun_security_ec_ECKeyPairGenerator_generateECKeyPair+0x12a
j  sun.security.ec.ECKeyPairGenerator.generateECKeyPair(I[B[B)[Ljava/lang/Object;+0
j  sun.security.ec.ECKeyPairGenerator.generateKeyPair()Ljava/security/KeyPair;+56
j  java.security.KeyPairGenerator$Delegate.generateKeyPair()Ljava/security/KeyPair;+23
j  sun.security.ssl.ECDHCrypt.(Ljava/lang/String;Ljava/security/SecureRandom;)V+28
j  sun.security.ssl.ServerHandshaker.setupEphemeralECDHKeys()Z+88
j  sun.security.ssl.ServerHandshaker.trySetCipherSuite(Lsun/security/ssl/CipherSuite;)Z+638
j  sun.security.ssl.ServerHandshaker.chooseCipherSuite(Lsun/security/ssl/HandshakeMessage$ClientHello;)V+151
j  sun.security.ssl.ServerHandshaker.clientHello(Lsun/security/ssl/HandshakeMessage$ClientHello;)V+1304
j  sun.security.ssl.ServerHandshaker.processMessage(BI)V+127
j  sun.security.ssl.Handshaker.processLoop()V+96
j  sun.security.ssl.Handshaker.process_record(Lsun/security/ssl/InputRecord;Z)V+24
j  sun.security.ssl.SSLSocketImpl.readRecord(Lsun/security/ssl/InputRecord;Z)V+357
j  sun.security.ssl.SSLSocketImpl.performInitialHandshake()V+84
j  sun.security.ssl.SSLSocketImpl.startHandshake(Z)V+13
j  sun.security.ssl.SSLSocketImpl.getSession()Ljavax/net/ssl/SSLSession;+10
j  org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(Ljava/net/Socket;)V+4

java-1.8.0-openjdk-1.8.0.121-1.b14 で治ったw
速いw

投稿されたコメント:

コメント
コメントは無効になっています。