We have developed a server application in Java 11 that accepts incoming HTTPS connections from clients. All was working fine up to/including Java 11.0.10 (AdoptOpenJDK).
After an upgrade to Java 11.0.11 we are having connection handshake issues (javax.net.ssl.SSLProtocolException: No common named group) with connections from Chrome clients. Firefox clients have no problems.
After enabling SSL logs (-Djavax.net.debug=ssl:handshake) we can see a difference between the 2 versions:
with 11.0.11:
JavaScript
x
Ignore unsupported named group: UNDEFINED-NAMED-GROUP(31354) Ignore unsupported named group: x25519 Consumed extension: key_share with 11.0.10:
JavaScript
Ignore unsupported named group: UNDEFINED-NAMED-GROUP(6682) Consumed extension: key_share The new Java version seems to ignore the request for x25519.
Both Java runtimes are unchanged downloads from AdoptOpenJDK.
Here are some more detailed logs:
Fail from Chrome for Java 11.0.11:
JavaScript
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.387 CEST|null:-1|Ignore unknown or unsupported extension ("unknown extension (64,250)": {})javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.387 CEST|null:-1|Ignore unknown or unsupported extension ("session_ticket (35)": {})javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.387 CEST|null:-1|Ignore unknown or unsupported extension ("signed_certificate_timestamp (18)": {})javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.387 CEST|null:-1|Ignore unknown or unsupported extension ("unknown extension (27)": { 0000: 02 00 02 })javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.387 CEST|null:-1|Ignore unknown or unsupported extension ("unknown extension (17,513)": { 0000: 00 03 02 68 32 h2})javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.387 CEST|null:-1|Ignore unknown or unsupported extension ("unknown extension (60,138)": { 0000: 00 .})javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.387 CEST|null:-1|Ignore unknown or unsupported extension ("client_certificate_type (21)": { 0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . 0010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . 0020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . 0030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . 0040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . 0050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . 0060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . 0070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . 0080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . 0090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . 00A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . 00B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..})javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.399 CEST|null:-1|Consuming ClientHello handshake message ("ClientHello": { "client version" : "TLSv1.2", "random" : "E0 14 47 3E 55 DE 2D 30 FF 5C CE E1 D1 27 3D 4B F4 CB 42 EE 3E 22 14 C7 BE 16 1A FA BF 35 EE DD", "session id" : "D7 59 27 6A 00 46 84 3A AB 32 FD 30 79 AD C4 DE 11 55 52 D5 07 1F 66 B0 7D 7E 80 A6 6F 95 2D 2B", "cipher suites" : "[UNKNOWN-CIPHER-SUITE(0x2A2A)(0x2A2A), TLS_AES_128_GCM_SHA256(0x1301), TLS_AES_256_GCM_SHA384(0x1302), TLS_CHACHA20_POLY1305_SHA256(0x1303), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), UNKNOWN-CIPHER-SUITE(0xCCA9)(0xCCA9), UNKNOWN-CIPHER-SUITE(0xCCA8)(0xCCA8), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035)]", "compression methods" : "00", "extensions" : [ "unknown extension (64,250)": { }, "server_name (0)": { type=host_name (0), value=local.3dmapping.cloud }, "extended_master_secret (23)": { <empty> }, "renegotiation_info (65,281)": { "renegotiated connection": [<no renegotiated connection>] }, "supported_groups (10)": { "versions": [UNDEFINED-NAMED-GROUP(31354), x25519, secp256r1, secp384r1] }, "ec_point_formats (11)": { "formats": [uncompressed] }, "session_ticket (35)": { }, "application_layer_protocol_negotiation (16)": { [h2, http/1.1] }, "status_request (5)": { "certificate status type": ocsp "OCSP status request": { "responder_id": <empty> "request extensions": { <empty> } } }, "signature_algorithms (13)": { "signature schemes": [ecdsa_secp256r1_sha256, rsa_pss_rsae_sha256, rsa_pkcs1_sha256, ecdsa_secp384r1_sha384, rsa_pss_rsae_sha384, rsa_pkcs1_sha384, rsa_pss_rsae_sha512, rsa_pkcs1_sha512] }, "signed_certificate_timestamp (18)": { }, "key_share (51)": { "client_shares": [ { "named group": UNDEFINED-NAMED-GROUP(31354) "key_exchange": { 0000: 00 } }, { "named group": x25519 "key_exchange": { 0000: AA F1 CE 3D 91 DD 66 C1 50 6F 5F B6 21 B3 EC 15 =..f.Po_.! 0010: A9 56 23 C7 3C 33 22 7B EC 6C 3F 0C 37 C4 B6 45 .V#.<3"..l?.7..E } }, ] }, "psk_key_exchange_modes (45)": { "ke_modes": [psk_dhe_ke] }, "supported_versions (43)": { "versions": [(D)TLS-10.10, TLSv1.3, TLSv1.2, TLSv1.1, TLSv1] }, "unknown extension (27)": { 0000: 02 00 02 }, "unknown extension (17,513)": { 0000: 00 03 02 68 32 h2 }, "unknown extension (60,138)": { 0000: 00 . }, "client_certificate_type (21)": { 0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . 0010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . 0020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . 0030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . 0040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . 0050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . 0060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . 0070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . 0080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . 0090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . 00A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . 00B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .. } ]})javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.400 CEST|null:-1|Consumed extension: supported_versionsjavax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.401 CEST|null:-1|Negotiated protocol version: TLSv1.3javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.402 CEST|null:-1|Consumed extension: psk_key_exchange_modesjavax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.403 CEST|null:-1|Handling pre_shared_key absence.javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.404 CEST|null:-1|no server name matchers, ignore server name indicationjavax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.404 CEST|null:-1|Consumed extension: server_namejavax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.406 CEST|null:-1|Ignore unavailable extension: max_fragment_lengthjavax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.407 CEST|null:-1|Consumed extension: status_requestjavax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.407 CEST|null:-1|Consumed extension: supported_groupsjavax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.408 CEST|null:-1|Ignore unsupported extension: ec_point_formatsjavax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.409 CEST|null:-1|Consumed extension: signature_algorithmsjavax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.410 CEST|null:-1|Ignore unavailable extension: signature_algorithms_certjavax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.417 CEST|null:-1|Ignore server unenabled extension: application_layer_protocol_negotiationjavax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.417 CEST|null:-1|Consumed extension: application_layer_protocol_negotiationjavax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.418 CEST|null:-1|Ignore unsupported extension: status_request_v2javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.419 CEST|null:-1|Ignore unsupported extension: extended_master_secretjavax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.419 CEST|null:-1|Ignore unavailable extension: cookiejavax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.420 CEST|null:-1|Ignore unsupported named group: UNDEFINED-NAMED-GROUP(31354)javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.421 CEST|null:-1|Ignore unsupported named group: x25519javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.422 CEST|null:-1|Consumed extension: key_sharejavax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.422 CEST|null:-1|Ignore unsupported extension: renegotiation_infojavax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.423 CEST|null:-1|use cipher suite TLS_AES_128_GCM_SHA256javax.net.ssl|ERROR|19|PortServer:Http1111|2021-07-14 10:00:46.426 CEST|null:-1|Fatal (UNEXPECTED_MESSAGE): No common named group ("throwable" : { javax.net.ssl.SSLProtocolException: No common named group at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source) at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source) at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source) at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source) at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source) at java.base/sun.security.ssl.KeyShareExtension$HRRKeyShareProducer.produce(Unknown Source) at java.base/sun.security.ssl.SSLExtension.produce(Unknown Source) at java.base/sun.security.ssl.SSLExtensions.produce(Unknown Source) at java.base/sun.security.ssl.ServerHello$T13HelloRetryRequestProducer.produce(Unknown Source) at java.base/sun.security.ssl.SSLHandshake.produce(Unknown Source) at java.base/sun.security.ssl.ClientHello$T13ClientHelloConsumer.goHelloRetryRequest(Unknown Source) at java.base/sun.security.ssl.ClientHello$T13ClientHelloConsumer.consume(Unknown Source) at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(Unknown Source) at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.consume(Unknown Source) at java.base/sun.security.ssl.SSLHandshake.consume(Unknown Source) at java.base/sun.security.ssl.HandshakeContext.dispatch(Unknown Source) at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(Unknown Source) at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(Unknown Source) at java.base/java.security.AccessController.doPrivileged(Native Method) at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(Unknown Source) at core.toolx/com.orbitgis.toolx.network.server.server2.SSLSocketChannel.a(SourceFile:1505) at core.toolx/com.orbitgis.toolx.network.server.server2.SSLSocketChannel.read(SourceFile:653) at core.toolx/com.orbitgis.toolx.network.server.server2.PortServer2.e(SourceFile:502) at core.toolx/com.orbitgis.toolx.network.server.server2.PortServer2.run(SourceFile:951) at java.base/java.lang.Thread.run(Unknown Source)})Success from Chrome for Java 11.0.10:
JavaScript
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.904 CEST|null:-1|Ignore unknown or unsupported extension ("unknown extension (31,354)": {})javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.904 CEST|null:-1|Ignore unknown or unsupported extension ("session_ticket (35)": {})javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.905 CEST|null:-1|Ignore unknown or unsupported extension ("signed_certificate_timestamp (18)": {})javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.906 CEST|null:-1|Ignore unknown or unsupported extension ("unknown extension (27)": { 0000: 02 00 02 })javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.907 CEST|null:-1|Ignore unknown or unsupported extension ("unknown extension (17,513)": { 0000: 00 03 02 68 32 h2})javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.907 CEST|null:-1|Ignore unknown or unsupported extension ("unknown extension (10,794)": { 0000: 00 .})javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.908 CEST|null:-1|Ignore unknown or unsupported extension ("client_certificate_type (21)": { 0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . 0010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . 0020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . 0030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . 0040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . 0050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . 0060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . 0070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . 0080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . 0090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . 00A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . 00B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..})javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.916 CEST|null:-1|Consuming ClientHello handshake message ("ClientHello": { "client version" : "TLSv1.2", "random" : "F0 2C 2D B7 E0 B2 5C 59 20 66 E7 61 53 6A F5 3F AC FB 8B 14 22 51 D2 8E 7D 1D 52 17 A4 C1 33 E3", "session id" : "12 91 36 9A BD 16 00 CA 84 5D 3D 40 61 5C A1 1F 65 2C DD 91 96 D5 E8 B8 21 09 31 76 DC B2 11 CB", "cipher suites" : "[UNKNOWN-CIPHER-SUITE(0xCACA)(0xCACA), TLS_AES_128_GCM_SHA256(0x1301), TLS_AES_256_GCM_SHA384(0x1302), TLS_CHACHA20_POLY1305_SHA256(0x1303), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), UNKNOWN-CIPHER-SUITE(0xCCA9)(0xCCA9), UNKNOWN-CIPHER-SUITE(0xCCA8)(0xCCA8), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035)]", "compression methods" : "00", "extensions" : [ "unknown extension (31,354)": { }, "server_name (0)": { type=host_name (0), value=local.3dmapping.cloud }, "extended_master_secret (23)": { <empty> }, "renegotiation_info (65,281)": { "renegotiated connection": [<no renegotiated connection>] }, "supported_groups (10)": { "versions": [UNDEFINED-NAMED-GROUP(6682), x25519, secp256r1, secp384r1] }, "ec_point_formats (11)": { "formats": [uncompressed] }, "session_ticket (35)": { }, "application_layer_protocol_negotiation (16)": { [h2, http/1.1] }, "status_request (5)": { "certificate status type": ocsp "OCSP status request": { "responder_id": <empty> "request extensions": { <empty> } } }, "signature_algorithms (13)": { "signature schemes": [ecdsa_secp256r1_sha256, rsa_pss_rsae_sha256, rsa_pkcs1_sha256, ecdsa_secp384r1_sha384, rsa_pss_rsae_sha384, rsa_pkcs1_sha384, rsa_pss_rsae_sha512, rsa_pkcs1_sha512] }, "signed_certificate_timestamp (18)": { }, "key_share (51)": { "client_shares": [ { "named group": UNDEFINED-NAMED-GROUP(6682) "key_exchange": { 0000: 00 } }, { "named group": x25519 "key_exchange": { 0000: D8 DB B4 6D 69 D4 44 C2 21 7C 59 8C 3F EB 18 20 mi.D.!.Y.?.. 0010: B5 13 73 41 2C 57 18 2E 1C DB 03 64 50 57 0B 6B ..sA,W..dPW.k } }, ] }, "psk_key_exchange_modes (45)": { "ke_modes": [psk_dhe_ke] }, "supported_versions (43)": { "versions": [(D)TLS--6.-6, TLSv1.3, TLSv1.2, TLSv1.1, TLSv1] }, "unknown extension (27)": { 0000: 02 00 02 }, "unknown extension (17,513)": { 0000: 00 03 02 68 32 h2 }, "unknown extension (10,794)": { 0000: 00 . }, "client_certificate_type (21)": { 0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . 0010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . 0020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . 0030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . 0040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . 0050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . 0060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . 0070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . 0080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . 0090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . 00A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . 00B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .. } ]})javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.917 CEST|null:-1|Consumed extension: supported_versionsjavax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Negotiated protocol version: TLSv1.3javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Consumed extension: psk_key_exchange_modesjavax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Handling pre_shared_key absence.javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|no server name matchers, ignore server name indicationjavax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Consumed extension: server_namejavax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Ignore unavailable extension: max_fragment_lengthjavax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Consumed extension: status_requestjavax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Consumed extension: supported_groupsjavax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Ignore unsupported extension: ec_point_formatsjavax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Consumed extension: signature_algorithmsjavax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Ignore unavailable extension: signature_algorithms_certjavax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Ignore server unenabled extension: application_layer_protocol_negotiationjavax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Consumed extension: application_layer_protocol_negotiationjavax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Ignore unsupported extension: status_request_v2javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Ignore unsupported extension: extended_master_secretjavax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Ignore unavailable extension: cookiejavax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Ignore unsupported named group: UNDEFINED-NAMED-GROUP(6682)javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Consumed extension: key_sharejavax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Ignore unsupported extension: renegotiation_infojavax.net.ssl|WARNING|19|PortServer:Http1111|2021-07-14 10:22:25.935 CEST|null:-1|Ignore impact of unsupported extension: server_namejavax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.938 CEST|null:-1|Ignore unavailable extension: max_fragment_lengthjavax.net.ssl|WARNING|19|PortServer:Http1111|2021-07-14 10:22:25.939 CEST|null:-1|Ignore impact of unsupported extension: status_requestjavax.net.ssl|WARNING|19|PortServer:Http1111|2021-07-14 10:22:25.939 CEST|null:-1|Ignore impact of unsupported extension: supported_groupsjavax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.942 CEST|null:-1|Populated with extension: signature_algorithmsjavax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.942 CEST|null:-1|Ignore unavailable extension: signature_algorithms_certjavax.net.ssl|WARNING|19|PortServer:Http1111|2021-07-14 10:22:25.943 CEST|null:-1|Ignore impact of unsupported extension: application_layer_protocol_negotiationjavax.net.ssl|WARNING|19|PortServer:Http1111|2021-07-14 10:22:25.944 CEST|null:-1|Ignore impact of unsupported extension: supported_versionsjavax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.944 CEST|null:-1|Ignore unavailable extension: cookiejavax.net.ssl|WARNING|19|PortServer:Http1111|2021-07-14 10:22:25.945 CEST|null:-1|Ignore impact of unsupported extension: psk_key_exchange_modesjavax.net.ssl|WARNING|19|PortServer:Http1111|2021-07-14 10:22:25.946 CEST|null:-1|Ignore impact of unsupported extension: key_sharejavax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.947 CEST|null:-1|use cipher suite TLS_AES_128_GCM_SHA256javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.949 CEST|null:-1|Ignore, context unavailable extension: pre_shared_keyjavax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.950 CEST|null:-1|Produced ServerHello handshake message ("ServerHello": { "server version" : "TLSv1.2", "random" : "59 39 C8 98 37 AF C6 72 50 DF 02 74 43 DF 4C 29 F6 65 CE 97 66 79 E2 69 6F 8C B1 E4 1B B6 65 54", "session id" : "12 91 36 9A BD 16 00 CA 84 5D 3D 40 61 5C A1 1F 65 2C DD 91 96 D5 E8 B8 21 09 31 76 DC B2 11 CB", "cipher suite" : "TLS_AES_128_GCM_SHA256(0x1301)", "compression methods" : "00", "extensions" : [ "supported_versions (43)": { "selected version": [TLSv1.3] }, "key_share (51)": { "server_share": { "named group": x25519 "key_exchange": { 0000: 3A 89 E5 8E E2 1E 7D 48 E2 FE 44 92 BD 03 EE BA :H..D.. 0010: 27 08 8E 06 06 86 D8 7D 8E 74 D3 BF A7 55 5D 03 '........t...U]. } }, } ]})Java 11.0.11 seems to have dropped out-of-the-box support for TLSv1 and TLSv1.1, but I am not sure if this is related. Enabling these do not solve the problem.
Any idea why x25519 is not supported anymore? Or how to enable it?
Advertisement
Answer
The cause of the problem was a single jar file in the module path. The jar itself was not related to networking, encryption or security, it was for changing UI look-and-feel. The jar was signed 7 years ago and it has not caused any problems before. Replacing this jar with an unsigned copy resolves all problems and makes Java 11.0.11 fully operational again, presenting the expected list of security providers (13 instead of 4).
Why this problem happened only on Java 11.0.11 remains a mystery. I did not see any error messages from the Java classloaders.