
List:       bouncycastle-crypto-dev
Subject:    Re: [dev-crypto] Oracle JVM and BouncyCastle connection to web site using ECDH ciphers fails
From:       David Hook <dgh () cryptoworkshop ! com>
Date:       2018-09-12 11:01:05
Message-ID: f76e936d-4108-2091-9e14-f2e9a67f9ccd () cryptoworkshop ! com


The stack trace indicates it is not loading the provider. It would be
worth checking it has really ended up on the class path. It would also
be worth checking another one has not been injected somewhere as well.
After that it might be complicated.

Regards,

David

On 12/09/18 06:40, Ian Marsden wrote:
> We have a Java class loaded into our Oracle Database that connects to an
> external web site API. A recent server upgrade on the external web site
> means we are no longer able to connect due to their removal of weak
> algorithms. I have loaded (loadjava) BouncyCastle libraries into the
> database but still cannot connect. The Java class can connect when tested
> using Eclipse.
>
> We are on Oracle Standard Edition 11.2.0.2 (Java 1.5.0_10) but I have also
> tried 11.2.0.4 (Java 1.6.0_43) and 12.2.0.1.0 (Java 1.8.0_121).
>
> bcprov-ext-jdk15on-160.jar
> bctls-jdk15on-160.jar (slightly modified when loaded into Oracle 11.2 to
> remove Java 1.7 and 1.8 classes that cause loadjava to fail)
>
> BouncyCastle JCE and JSSE Providers are added programmatically at run time.
> Java policies have been updated to unlimited.
> 
> 17/08/2018 2:14:30 PM org.bouncycastle.jsse.provider.ProvTlsClient notifyAlertRaised
> WARNING: Client raised fatal(2) internal_error(80) alert: Failed to read record
> org.bouncycastle.tls.crypto.TlsCryptoException: cannot calculate secret
>     at org.bouncycastle.tls.crypto.impl.jcajce.JceTlsECDomain.calculateECDHAgreement(JceTlsECDomain.java:73)
>     at org.bouncycastle.tls.crypto.impl.jcajce.JceTlsECDH.calculateSecret(JceTlsECDH.java:41)
>     ...
>     at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
>     at sun.net.www.protocol.https.AbstractDelegateHttpsURL
> Caused by: java.security.NoSuchAlgorithmException: Algorithm ECDH not available
>     at javax.crypto.KeyAgreement.getInstance(DashoA13*..)
>     at org.bouncycastle.jcajce.util.DefaultJcaJceHelper.createKeyAgreement(Unknown Source)
>     at org.bouncycastle.tls.crypto.impl.jcajce.JcaTlsCrypto.calculateKeyAgreement(JcaTlsCrypto.java:122)
>     at org.bouncycastle.tls.crypto.impl.jcajce.JceTlsECDomain.calculateECDHAgreement(JceTlsECDomain.java:65)
>     ... 17 more
> org.bouncycastle.tls.crypto.TlsCryptoException: cannot calculate secret
> 
> Any suggestions much appreciated.
> 
> Thanks
> Ian
> 
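
The checks suggested in the reply above (is the provider really loaded, and is a second copy present), written out as an added diagnostic; this is not code from the thread or from the BouncyCastle project. The class name `ProviderCheck` is hypothetical, it assumes the provider is registered under its standard name "BC", and it avoids post-Java-5 syntax so it can be loaded into the older database JVMs mentioned in the question.

```java
import java.security.CodeSource;
import java.security.Provider;
import java.security.Security;
import java.util.Enumeration;
import javax.crypto.KeyAgreement;

// Added diagnostic (hypothetical class name), kept to Java 5 syntax and APIs.
public class ProviderCheck {
    static final String BC_CLASS = "org.bouncycastle.jce.provider.BouncyCastleProvider";

    public static void main(String[] args) throws Exception {
        // 1. Registered providers in preference order, and which ones offer ECDH.
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            Provider p = providers[i];
            boolean ecdh = p.getService("KeyAgreement", "ECDH") != null;
            System.out.println((i + 1) + ". " + p.getName() + " " + p.getVersion()
                    + " [" + p.getClass().getName() + "] ECDH=" + ecdh);
        }

        // 2. Is the BC provider class visible here, and where was it loaded from?
        try {
            Class c = Class.forName(BC_CLASS);
            CodeSource cs = c.getProtectionDomain().getCodeSource();
            System.out.println("BC class loaded by " + c.getClassLoader() + " from "
                    + (cs == null ? "(no code source)" : String.valueOf(cs.getLocation())));
        } catch (ClassNotFoundException e) {
            System.out.println("BC provider class is NOT visible to this class loader");
        }

        // 3. More than one line printed here means a second copy is on the class path.
        ClassLoader cl = ProviderCheck.class.getClassLoader();
        if (cl == null) cl = ClassLoader.getSystemClassLoader();
        Enumeration copies = cl.getResources(BC_CLASS.replace('.', '/') + ".class");
        while (copies.hasMoreElements()) {
            System.out.println("copy: " + copies.nextElement());
        }

        // 4. The lookup that failed in the trace: default provider search, then BC by name.
        String[] names = { null, "BC" };
        for (int i = 0; i < names.length; i++) {
            String label = names[i] == null ? "default search" : names[i];
            try {
                KeyAgreement ka = names[i] == null ? KeyAgreement.getInstance("ECDH")
                        : KeyAgreement.getInstance("ECDH", names[i]);
                System.out.println("ECDH via " + label + ": OK (" + ka.getProvider().getName() + ")");
            } catch (Exception e) {
                System.out.println("ECDH via " + label + ": " + e);
            }
        }
    }
}
```

Run it in the same JVM and session as the failing class, after the code that registers the providers, so the output reflects the environment in which the handshake fails.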

