Thursday, November 8, 2012

Addressing OpenJDK bug with SSL on Ubuntu 12.04 Server (javax.net.ssl.SSLException)


Introduction

After countless hours, you have finally finished a secure Java server that is ready for deployment.
If you installed a clean copy of Ubuntu 12.04 Server, or updated an existing one, you may face the following error at run time.


 javax.net.ssl.SSLException: java.security.ProviderException: 
 sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID


Problem

This is a known bug in OpenJDK that has not been resolved yet.

Solution

This can be fixed by editing the following file:


 /etc/java-6-openjdk/security/java.security



Find the following line:


 security.provider.9=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg


And change it to the following lines, so that SunEC is registered ahead of the PKCS#11 provider:



 security.provider.9=sun.security.ec.SunEC
 security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg



Now your server will not crash! Or you have another fun problem to deal with!
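To confirm the edit landed as intended, the provider list can be checked mechanically. The script below is an added example, not part of the original post: the function names and status words are hypothetical, the sample files are constructed (placeholder providers at positions 1 to 8), and it assumes the JRE reads `security.provider.N` entries in sequence and stops at the first missing index.

```shell
#!/bin/sh
# Added example: report whether SunEC is registered ahead of SunPKCS11
# in a java.security file. Status words are this script's own.
provider_order_status() {
    # $1 = path to a java.security file; prints a one-word status
    awk -F= '
        /^[ \t]*security\.provider\.[0-9]+[ \t]*=/ {
            n = $1; gsub(/[^0-9]/, "", n); n += 0
            if (n in seen) dup = 1
            seen[n] = 1
            if (n > max) max = n
            if ($2 ~ /sun\.security\.ec\.SunEC/)         ec  = n
            if ($2 ~ /sun\.security\.pkcs11\.SunPKCS11/) p11 = n
        }
        END {
            # Assumption: providers are read as .1, .2, ... until the first
            # missing index, so a gap hides every entry after it.
            for (i = 1; i <= max; i++) if (!(i in seen)) gap = 1
            if (dup)           print "duplicate-index"
            else if (gap)      print "gap-in-numbering"
            else if (!p11)     print "pkcs11-absent"
            else if (!ec)      print "sunec-missing"
            else if (ec < p11) print "ok"
            else               print "pkcs11-before-sunec"
        }' "$1"
}

make_sample() {
    # $1 = output file; remaining args = lines for position 9 onwards.
    f=$1; shift
    for i in 1 2 3 4 5 6 7 8; do echo "security.provider.$i=example.Placeholder$i"; done > "$f"
    printf '%s\n' "$@" >> "$f"
}

# Constructed inputs using the lines quoted in the post (single quotes keep
# ${java.home} literal instead of letting the shell expand it).
EC='security.provider.9=sun.security.ec.SunEC'
P11_9='security.provider.9=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg'
P11_10='security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg'
tmp=$(mktemp -d)
make_sample "$tmp/before" "$P11_9"           # file as shipped
make_sample "$tmp/after"  "$EC" "$P11_10"    # fix applied
make_sample "$tmp/half"   "$EC" "$P11_9"     # SunEC added, PKCS11 not renumbered
for f in before after half; do echo "$f: $(provider_order_status "$tmp/$f")"; done
```

On a real system, point `provider_order_status` at the `java.security` file named above; anything other than `ok` or `pkcs11-absent` means the edit was applied only partly.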


4 comments:

Marc Knaup said...

Fucking thank you!
That really pointed me to the right direction :)

But I had to disable the sun.security.pkcs11.SunPKCS11 provider completely to make it work again.

Eric Jain said...

Thanks! The full bug report is here: https://bugs.launchpad.net/ubuntu/+source/openjdk-7/+bug/1006776

Unknown said...

YES! Finally back up and running making external ssl connections again. Thank you for this bit of voodoo.

Jocelyn Demoy said...

Hey, I tried the fix but the problem still occurs randomly, any idea?