Oracle JVM and BouncyCastle connection to web site using ECDH ciphers fails

Oracle JVM and BouncyCastle connection to web site using ECDH ciphers fails

Ian Marsden
We have a Java class loaded into our Oracle Database that connects to an external web site API. A recent server upgrade on the external web site means we are no longer able to connect due to their removal of weak algorithms. I have loaded (loadjava) BouncyCastle libraries into the database but still cannot connect.
The Java class can connect when tested using Eclipse.

We are on Oracle Standard Edition 11.2.0.2 (Java 1.5.0_10) but I have also tried 11.2.0.4 (Java 1.6.0_43) and 12.2.0.1.0 (Java 1.8.0_121).
 
bcprov-ext-jdk15on-160.jar
bctls-jdk15on-160.jar (slightly modified when loaded into Oracle 11.2 to remove Java 1.7 and 1.8 classes that cause loadjava to fail)
 
BouncyCastle JCE and JSSE Providers are added programmatically at run time.
Java policies have been updated to unlimited.
  
17/08/2018 2:14:30 PM org.bouncycastle.jsse.provider.ProvTlsClient notifyAlertRaised
WARNING: Client raised fatal(2) internal_error(80) alert: Failed to read record
org.bouncycastle.tls.crypto.TlsCryptoException: cannot calculate secret
        at org.bouncycastle.tls.crypto.impl.jcajce.JceTlsECDomain.calculateECDHAgreement(JceTlsECDomain.java:73)
        at org.bouncycastle.tls.crypto.impl.jcajce.JceTlsECDH.calculateSecret(JceTlsECDH.java:41)
        ...
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURL
Caused by: java.security.NoSuchAlgorithmException: Algorithm ECDH not available
        at javax.crypto.KeyAgreement.getInstance(DashoA13*..)
        at org.bouncycastle.jcajce.util.DefaultJcaJceHelper.createKeyAgreement(Unknown Source)
        at org.bouncycastle.tls.crypto.impl.jcajce.JcaTlsCrypto.calculateKeyAgreement(JcaTlsCrypto.java:122)
        at org.bouncycastle.tls.crypto.impl.jcajce.JceTlsECDomain.calculateECDHAgreement(JceTlsECDomain.java:65)
        ... 17 more
org.bouncycastle.tls.crypto.TlsCryptoException: cannot calculate secret
 
Any suggestions much appreciated.

Thanks
Ian


Re: Oracle JVM and BouncyCastle connection to web site using ECDH ciphers fails

David Hook-3

The stack trace indicates it is not loading the provider. It would be
worth checking it has really ended up on the class path. It would also
be worth checking another one has not been injected somewhere as well.
After that it might be complicated.

Regards,

David

On 12/09/18 06:40, Ian Marsden wrote:
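An added diagnostic for the checks David suggests; it is not code from this thread or from the BouncyCastle project. It prints the provider list in the order java.security.Security searches it, where each provider's class was loaded from (so a second copy of bcprov registered under the same "BC" name can be spotted), whether each provider advertises a KeyAgreement service for ECDH, and then performs the same unpinned KeyAgreement.getInstance("ECDH") lookup that DefaultJcaJceHelper makes in the stack trace. The class name ProviderCheck is mine; it assumes bcprov-ext-jdk15on-160.jar and bctls-jdk15on-160.jar are on the classpath and deliberately uses only Java 1.5-era APIs so it can be loaded into the 11.2 database JVM with loadjava.

```java
import java.security.CodeSource;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;

import javax.crypto.KeyAgreement;
import javax.net.ssl.SSLContext;

import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;

/**
 * Diagnostic for the failure in this thread (hypothetical class, not part of
 * BouncyCastle). BCJSSE resolves ECDH through the plain JCA lookup
 * KeyAgreement.getInstance("ECDH"), which only succeeds when a provider that
 * offers ECDH is actually present in Security's provider list of the JVM
 * making the HTTPS call. Run it in that JVM, not in Eclipse.
 */
public class ProviderCheck {

    /** Register BC and BCJSSE the way the application does, skipping duplicates. */
    static void registerBouncyCastle() {
        if (Security.getProvider("BC") == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
        if (Security.getProvider("BCJSSE") == null) {
            Security.addProvider(new BouncyCastleJsseProvider());
        }
    }

    /** Location the provider's class was loaded from; reveals a shadowing copy. */
    static String originOf(Provider p) {
        CodeSource cs = p.getClass().getProtectionDomain().getCodeSource();
        if (cs == null || cs.getLocation() == null) {
            return "(no code source)";
        }
        return cs.getLocation().toString();
    }

    /** Print providers in lookup order; the first one offering ECDH serves the call. */
    static void dumpProviders() {
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            Provider p = providers[i];
            boolean hasEcdh = p.getService("KeyAgreement", "ECDH") != null;
            System.out.println((i + 1) + ". " + p.getName() + " " + p.getVersion()
                    + "  class=" + p.getClass().getName()
                    + "  from=" + originOf(p)
                    + "  KeyAgreement.ECDH=" + hasEcdh);
        }
    }

    /** The exact unpinned lookup DefaultJcaJceHelper performs; null means the trace's error. */
    static String ecdhProvider() {
        try {
            return KeyAgreement.getInstance("ECDH").getProvider().getName();
        } catch (NoSuchAlgorithmException e) {
            return null; // "Algorithm ECDH not available"
        }
    }

    public static void main(String[] args) throws Exception {
        registerBouncyCastle();
        dumpProviders();

        String served = ecdhProvider();
        System.out.println("KeyAgreement.getInstance(\"ECDH\") -> "
                + (served == null ? "NOT AVAILABLE" : served));

        // Pinned lookups: a NoSuchProviderException here means the addProvider
        // calls above did not take effect in this JVM at all.
        System.out.println("ECDH via BC    -> "
                + KeyAgreement.getInstance("ECDH", "BC").getProvider().getName());
        System.out.println("TLS via BCJSSE -> "
                + SSLContext.getInstance("TLS", "BCJSSE").getProvider().getName());
    }
}
```

Read the dump before the lookups: if no line shows name BC, the provider was never registered in this JVM (under a SecurityManager, as in the database JVM, Security.addProvider throws SecurityException when the insertProvider permission is missing, so that would surface here rather than fail silently); if a BC line is present but shows KeyAgreement.ECDH=false, whatever is registered as "BC" is not the bcprov-ext jar that was loaded, and the from= field says where it came from. Inside the database, load the class with loadjava, expose main through a call spec, and call DBMS_JAVA.SET_OUTPUT before invoking it so the System.out lines appear in the SQL*Plus session.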