
Java 11.0.11 SSL handshake fails with exception ‘No common named group’

We have developed a server application in Java 11 that accepts incoming HTTPS connections from clients. All was working fine up to/including Java 11.0.10 (AdoptOpenJDK).

After an upgrade to Java 11.0.11 we are having connection handshake issues (javax.net.ssl.SSLProtocolException: No common named group) with connections from Chrome clients. Firefox clients have no problems.
After enabling SSL logs (-Djavax.net.debug=ssl:handshake) we can see a difference between the 2 versions:

with 11.0.11:

Ignore unsupported named group: UNDEFINED-NAMED-GROUP(31354)  
Ignore unsupported named group: x25519  
Consumed extension: key_share  

with 11.0.10:

Ignore unsupported named group: UNDEFINED-NAMED-GROUP(6682)  
Consumed extension: key_share  

The new Java version seems to ignore the request for x25519.
Both Java runtimes are unchanged downloads from AdoptOpenJDK.

Here are some more detailed logs:

Fail from Chrome for Java 11.0.11:

javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.387 CEST|null:-1|Ignore unknown or unsupported extension (
"unknown extension (64,250)": {

}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.387 CEST|null:-1|Ignore unknown or unsupported extension (
"session_ticket (35)": {

}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.387 CEST|null:-1|Ignore unknown or unsupported extension (
"signed_certificate_timestamp (18)": {

}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.387 CEST|null:-1|Ignore unknown or unsupported extension (
"unknown extension (27)": {
  0000: 02 00 02                                           ...
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.387 CEST|null:-1|Ignore unknown or unsupported extension (
"unknown extension (17,513)": {
  0000: 00 03 02 68 32                                     ...h2
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.387 CEST|null:-1|Ignore unknown or unsupported extension (
"unknown extension (60,138)": {
  0000: 00                                                 .
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.387 CEST|null:-1|Ignore unknown or unsupported extension (
"client_certificate_type (21)": {
  0000: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
  0010: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
  0020: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
  0030: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
  0040: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
  0050: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
  0060: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
  0070: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
  0080: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
  0090: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
  00A0: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
  00B0: 00 00 00 00 00 00 00 00   00 00 00 00 00 00        ..............
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.399 CEST|null:-1|Consuming ClientHello handshake message (
"ClientHello": {
  "client version"      : "TLSv1.2",
  "random"              : "E0 14 47 3E 55 DE 2D 30 FF 5C CE E1 D1 27 3D 4B F4 CB 42 EE 3E 22 14 C7 BE 16 1A FA BF 35 EE DD",
  "session id"          : "D7 59 27 6A 00 46 84 3A AB 32 FD 30 79 AD C4 DE 11 55 52 D5 07 1F 66 B0 7D 7E 80 A6 6F 95 2D 2B",
  "cipher suites"       : "[UNKNOWN-CIPHER-SUITE(0x2A2A)(0x2A2A), TLS_AES_128_GCM_SHA256(0x1301), TLS_AES_256_GCM_SHA384(0x1302), TLS_CHACHA20_POLY1305_SHA256(0x1303), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), UNKNOWN-CIPHER-SUITE(0xCCA9)(0xCCA9), UNKNOWN-CIPHER-SUITE(0xCCA8)(0xCCA8), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035)]",
  "compression methods" : "00",
  "extensions"          : [
    "unknown extension (64,250)": {

    },
    "server_name (0)": {
      type=host_name (0), value=local.3dmapping.cloud
    },
    "extended_master_secret (23)": {
      <empty>
    },
    "renegotiation_info (65,281)": {
      "renegotiated connection": [<no renegotiated connection>]
    },
    "supported_groups (10)": {
      "versions": [UNDEFINED-NAMED-GROUP(31354), x25519, secp256r1, secp384r1]
    },
    "ec_point_formats (11)": {
      "formats": [uncompressed]
    },
    "session_ticket (35)": {

    },
    "application_layer_protocol_negotiation (16)": {
      [h2, http/1.1]
    },
    "status_request (5)": {
      "certificate status type": ocsp
      "OCSP status request": {
        "responder_id": <empty>
        "request extensions": {
          <empty>
        }
      }
    },
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, rsa_pss_rsae_sha256, rsa_pkcs1_sha256, ecdsa_secp384r1_sha384, rsa_pss_rsae_sha384, rsa_pkcs1_sha384, rsa_pss_rsae_sha512, rsa_pkcs1_sha512]
    },
    "signed_certificate_timestamp (18)": {

    },
    "key_share (51)": {
      "client_shares": [
        {
          "named group": UNDEFINED-NAMED-GROUP(31354)
          "key_exchange": {
            0000: 00
          }
        },
        {
          "named group": x25519
          "key_exchange": {
            0000: AA F1 CE 3D 91 DD 66 C1   50 6F 5F B6 21 B3 EC 15  ...=..f.Po_.!...
            0010: A9 56 23 C7 3C 33 22 7B   EC 6C 3F 0C 37 C4 B6 45  .V#.<3"..l?.7..E
          }
        },
      ]
    },
    "psk_key_exchange_modes (45)": {
      "ke_modes": [psk_dhe_ke]
    },
    "supported_versions (43)": {
      "versions": [(D)TLS-10.10, TLSv1.3, TLSv1.2, TLSv1.1, TLSv1]
    },
    "unknown extension (27)": {
      0000: 02 00 02                                           ...
    },
    "unknown extension (17,513)": {
      0000: 00 03 02 68 32                                     ...h2
    },
    "unknown extension (60,138)": {
      0000: 00                                                 .
    },
    "client_certificate_type (21)": {
      0000: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
      0010: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
      0020: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
      0030: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
      0040: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
      0050: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
      0060: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
      0070: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
      0080: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
      0090: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
      00A0: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
      00B0: 00 00 00 00 00 00 00 00   00 00 00 00 00 00        ..............
    }
  ]
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.400 CEST|null:-1|Consumed extension: supported_versions
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.401 CEST|null:-1|Negotiated protocol version: TLSv1.3
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.402 CEST|null:-1|Consumed extension: psk_key_exchange_modes
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.403 CEST|null:-1|Handling pre_shared_key absence.
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.404 CEST|null:-1|no server name matchers, ignore server name indication
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.404 CEST|null:-1|Consumed extension: server_name
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.406 CEST|null:-1|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.407 CEST|null:-1|Consumed extension: status_request
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.407 CEST|null:-1|Consumed extension: supported_groups
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.408 CEST|null:-1|Ignore unsupported extension: ec_point_formats
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.409 CEST|null:-1|Consumed extension: signature_algorithms
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.410 CEST|null:-1|Ignore unavailable extension: signature_algorithms_cert
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.417 CEST|null:-1|Ignore server unenabled extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.417 CEST|null:-1|Consumed extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.418 CEST|null:-1|Ignore unsupported extension: status_request_v2
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.419 CEST|null:-1|Ignore unsupported extension: extended_master_secret
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.419 CEST|null:-1|Ignore unavailable extension: cookie
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.420 CEST|null:-1|Ignore unsupported named group: UNDEFINED-NAMED-GROUP(31354)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.421 CEST|null:-1|Ignore unsupported named group: x25519
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.422 CEST|null:-1|Consumed extension: key_share
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.422 CEST|null:-1|Ignore unsupported extension: renegotiation_info
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.423 CEST|null:-1|use cipher suite TLS_AES_128_GCM_SHA256
javax.net.ssl|ERROR|19|PortServer:Http1111|2021-07-14 10:00:46.426 CEST|null:-1|Fatal (UNEXPECTED_MESSAGE): No common named group (
"throwable" : {
  javax.net.ssl.SSLProtocolException: No common named group
        at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)
        at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)
        at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
        at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
        at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
        at java.base/sun.security.ssl.KeyShareExtension$HRRKeyShareProducer.produce(Unknown Source)
        at java.base/sun.security.ssl.SSLExtension.produce(Unknown Source)
        at java.base/sun.security.ssl.SSLExtensions.produce(Unknown Source)
        at java.base/sun.security.ssl.ServerHello$T13HelloRetryRequestProducer.produce(Unknown Source)
        at java.base/sun.security.ssl.SSLHandshake.produce(Unknown Source)
        at java.base/sun.security.ssl.ClientHello$T13ClientHelloConsumer.goHelloRetryRequest(Unknown Source)
        at java.base/sun.security.ssl.ClientHello$T13ClientHelloConsumer.consume(Unknown Source)
        at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(Unknown Source)
        at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.consume(Unknown Source)
        at java.base/sun.security.ssl.SSLHandshake.consume(Unknown Source)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
        at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(Unknown Source)
        at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(Unknown Source)
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(Unknown Source)
        at core.toolx/com.orbitgis.toolx.network.server.server2.SSLSocketChannel.a(SourceFile:1505)
        at core.toolx/com.orbitgis.toolx.network.server.server2.SSLSocketChannel.read(SourceFile:653)
        at core.toolx/com.orbitgis.toolx.network.server.server2.PortServer2.e(SourceFile:502)
        at core.toolx/com.orbitgis.toolx.network.server.server2.PortServer2.run(SourceFile:951)
        at java.base/java.lang.Thread.run(Unknown Source)}
)

Success from Chrome for Java 11.0.10:

javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.904 CEST|null:-1|Ignore unknown or unsupported extension (
"unknown extension (31,354)": {

}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.904 CEST|null:-1|Ignore unknown or unsupported extension (
"session_ticket (35)": {

}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.905 CEST|null:-1|Ignore unknown or unsupported extension (
"signed_certificate_timestamp (18)": {

}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.906 CEST|null:-1|Ignore unknown or unsupported extension (
"unknown extension (27)": {
  0000: 02 00 02                                           ...
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.907 CEST|null:-1|Ignore unknown or unsupported extension (
"unknown extension (17,513)": {
  0000: 00 03 02 68 32                                     ...h2
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.907 CEST|null:-1|Ignore unknown or unsupported extension (
"unknown extension (10,794)": {
  0000: 00                                                 .
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.908 CEST|null:-1|Ignore unknown or unsupported extension (
"client_certificate_type (21)": {
  0000: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
  0010: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
  0020: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
  0030: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
  0040: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
  0050: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
  0060: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
  0070: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
  0080: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
  0090: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
  00A0: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
  00B0: 00 00 00 00 00 00 00 00   00 00 00 00 00 00        ..............
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.916 CEST|null:-1|Consuming ClientHello handshake message (
"ClientHello": {
  "client version"      : "TLSv1.2",
  "random"              : "F0 2C 2D B7 E0 B2 5C 59 20 66 E7 61 53 6A F5 3F AC FB 8B 14 22 51 D2 8E 7D 1D 52 17 A4 C1 33 E3",
  "session id"          : "12 91 36 9A BD 16 00 CA 84 5D 3D 40 61 5C A1 1F 65 2C DD 91 96 D5 E8 B8 21 09 31 76 DC B2 11 CB",
  "cipher suites"       : "[UNKNOWN-CIPHER-SUITE(0xCACA)(0xCACA), TLS_AES_128_GCM_SHA256(0x1301), TLS_AES_256_GCM_SHA384(0x1302), TLS_CHACHA20_POLY1305_SHA256(0x1303), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), UNKNOWN-CIPHER-SUITE(0xCCA9)(0xCCA9), UNKNOWN-CIPHER-SUITE(0xCCA8)(0xCCA8), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035)]",
  "compression methods" : "00",
  "extensions"          : [
    "unknown extension (31,354)": {

    },
    "server_name (0)": {
      type=host_name (0), value=local.3dmapping.cloud
    },
    "extended_master_secret (23)": {
      <empty>
    },
    "renegotiation_info (65,281)": {
      "renegotiated connection": [<no renegotiated connection>]
    },
    "supported_groups (10)": {
      "versions": [UNDEFINED-NAMED-GROUP(6682), x25519, secp256r1, secp384r1]
    },
    "ec_point_formats (11)": {
      "formats": [uncompressed]
    },
    "session_ticket (35)": {

    },
    "application_layer_protocol_negotiation (16)": {
      [h2, http/1.1]
    },
    "status_request (5)": {
      "certificate status type": ocsp
      "OCSP status request": {
        "responder_id": <empty>
        "request extensions": {
          <empty>
        }
      }
    },
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, rsa_pss_rsae_sha256, rsa_pkcs1_sha256, ecdsa_secp384r1_sha384, rsa_pss_rsae_sha384, rsa_pkcs1_sha384, rsa_pss_rsae_sha512, rsa_pkcs1_sha512]
    },
    "signed_certificate_timestamp (18)": {

    },
    "key_share (51)": {
      "client_shares": [
        {
          "named group": UNDEFINED-NAMED-GROUP(6682)
          "key_exchange": {
            0000: 00
          }
        },
        {
          "named group": x25519
          "key_exchange": {
            0000: D8 DB B4 6D 69 D4 44 C2   21 7C 59 8C 3F EB 18 20  ...mi.D.!.Y.?..
            0010: B5 13 73 41 2C 57 18 2E   1C DB 03 64 50 57 0B 6B  ..sA,W.....dPW.k
          }
        },
      ]
    },
    "psk_key_exchange_modes (45)": {
      "ke_modes": [psk_dhe_ke]
    },
    "supported_versions (43)": {
      "versions": [(D)TLS--6.-6, TLSv1.3, TLSv1.2, TLSv1.1, TLSv1]
    },
    "unknown extension (27)": {
      0000: 02 00 02                                           ...
    },
    "unknown extension (17,513)": {
      0000: 00 03 02 68 32                                     ...h2
    },
    "unknown extension (10,794)": {
      0000: 00                                                 .
    },
    "client_certificate_type (21)": {
      0000: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
      0010: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
      0020: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
      0030: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
      0040: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
      0050: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
      0060: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
      0070: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
      0080: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
      0090: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
      00A0: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
      00B0: 00 00 00 00 00 00 00 00   00 00 00 00 00 00        ..............
    }
  ]
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.917 CEST|null:-1|Consumed extension: supported_versions
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Negotiated protocol version: TLSv1.3
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Consumed extension: psk_key_exchange_modes
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Handling pre_shared_key absence.
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|no server name matchers, ignore server name indication
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Consumed extension: server_name
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Consumed extension: status_request
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Consumed extension: supported_groups
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Ignore unsupported extension: ec_point_formats
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Consumed extension: signature_algorithms
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Ignore unavailable extension: signature_algorithms_cert
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Ignore server unenabled extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Consumed extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Ignore unsupported extension: status_request_v2
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Ignore unsupported extension: extended_master_secret
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Ignore unavailable extension: cookie
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Ignore unsupported named group: UNDEFINED-NAMED-GROUP(6682)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Consumed extension: key_share
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Ignore unsupported extension: renegotiation_info
javax.net.ssl|WARNING|19|PortServer:Http1111|2021-07-14 10:22:25.935 CEST|null:-1|Ignore impact of unsupported extension: server_name
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.938 CEST|null:-1|Ignore unavailable extension: max_fragment_length
javax.net.ssl|WARNING|19|PortServer:Http1111|2021-07-14 10:22:25.939 CEST|null:-1|Ignore impact of unsupported extension: status_request
javax.net.ssl|WARNING|19|PortServer:Http1111|2021-07-14 10:22:25.939 CEST|null:-1|Ignore impact of unsupported extension: supported_groups
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.942 CEST|null:-1|Populated with extension: signature_algorithms
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.942 CEST|null:-1|Ignore unavailable extension: signature_algorithms_cert
javax.net.ssl|WARNING|19|PortServer:Http1111|2021-07-14 10:22:25.943 CEST|null:-1|Ignore impact of unsupported extension: application_layer_protocol_negotiation
javax.net.ssl|WARNING|19|PortServer:Http1111|2021-07-14 10:22:25.944 CEST|null:-1|Ignore impact of unsupported extension: supported_versions
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.944 CEST|null:-1|Ignore unavailable extension: cookie
javax.net.ssl|WARNING|19|PortServer:Http1111|2021-07-14 10:22:25.945 CEST|null:-1|Ignore impact of unsupported extension: psk_key_exchange_modes
javax.net.ssl|WARNING|19|PortServer:Http1111|2021-07-14 10:22:25.946 CEST|null:-1|Ignore impact of unsupported extension: key_share
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.947 CEST|null:-1|use cipher suite TLS_AES_128_GCM_SHA256
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.949 CEST|null:-1|Ignore, context unavailable extension: pre_shared_key
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.950 CEST|null:-1|Produced ServerHello handshake message (
"ServerHello": {
  "server version"      : "TLSv1.2",
  "random"              : "59 39 C8 98 37 AF C6 72 50 DF 02 74 43 DF 4C 29 F6 65 CE 97 66 79 E2 69 6F 8C B1 E4 1B B6 65 54",
  "session id"          : "12 91 36 9A BD 16 00 CA 84 5D 3D 40 61 5C A1 1F 65 2C DD 91 96 D5 E8 B8 21 09 31 76 DC B2 11 CB",
  "cipher suite"        : "TLS_AES_128_GCM_SHA256(0x1301)",
  "compression methods" : "00",
  "extensions"          : [
    "supported_versions (43)": {
      "selected version": [TLSv1.3]
    },
    "key_share (51)": {
      "server_share": {
        "named group": x25519
        "key_exchange": {
          0000: 3A 89 E5 8E E2 1E 7D 48   E2 FE 44 92 BD 03 EE BA  :......H..D.....
          0010: 27 08 8E 06 06 86 D8 7D   8E 74 D3 BF A7 55 5D 03  '........t...U].
        }
      },
    }
  ]
}
)

Java 11.0.11 seems to have dropped out-of-the-box support for TLSv1 and TLSv1.1, but I am not sure if this is related. Enabling these does not solve the problem.

Any idea why x25519 is not supported anymore? Or how to enable it?


Answer

The cause of the problem was a single jar file in the module path. The jar itself was not related to networking, encryption or security; it was for changing the UI look-and-feel. The jar was signed 7 years ago and it has not caused any problems before. Replacing this jar with an unsigned copy resolves all problems and makes Java 11.0.11 fully operational again, presenting the expected list of security providers (13 instead of 4).

Why this problem happened only on Java 11.0.11 remains a mystery. I did not see any error messages from the Java classloaders.
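
A diagnostic for the symptom described in the answer, as an added example that is not part of the original post: it prints how many security providers the running JVM has installed (the answer reports 13 when healthy and 4 when broken), checks whether x25519 and EC key exchange can be instantiated, and lists signed jars on the class path and module path. The class name `TlsProviderCheck` and its helper methods are hypothetical.

```java
import java.io.File;
import java.io.IOException;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.jar.JarFile;
import javax.crypto.KeyAgreement;

// Added diagnostic (hypothetical class name), not code from the original post.
public class TlsProviderCheck {

    /** True if installed providers offer both key generation and key agreement. */
    static boolean keyExchangeAvailable(String keyGenAlg, String agreementAlg) {
        try {
            KeyPairGenerator.getInstance(keyGenAlg);
            KeyAgreement.getInstance(agreementAlg);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    /** True if the jar carries signature files under META-INF/ (read without verification). */
    static boolean isSigned(File jar) throws IOException {
        try (JarFile jf = new JarFile(jar, false)) {
            return jf.stream()
                     .map(e -> e.getName().toUpperCase(Locale.ROOT))
                     .anyMatch(n -> n.startsWith("META-INF/")
                             && (n.endsWith(".SF") || n.endsWith(".RSA")
                                 || n.endsWith(".DSA") || n.endsWith(".EC")));
        }
    }

    /** Expands a class path or module path string into the jar files it names. */
    static List<File> jarsOn(String path) {
        List<File> jars = new ArrayList<>();
        if (path == null || path.isEmpty()) return jars;
        for (String entry : path.split(File.pathSeparator)) {
            File f = new File(entry);
            // A module path entry may be a directory of jars; a class path entry is usually a jar.
            File[] children = f.isDirectory() ? f.listFiles() : new File[] { f };
            if (children == null) continue;
            for (File c : children) {
                if (c.isFile() && c.getName().endsWith(".jar")) jars.add(c);
            }
        }
        return jars;
    }

    public static void main(String[] args) throws IOException {
        Provider[] providers = Security.getProviders();
        System.out.println("Security providers installed: " + providers.length);
        for (Provider p : providers) {
            System.out.println("  " + p.getName() + " " + p.getVersionStr());
        }

        // If these are false, the TLS 1.3 server has no group to match Chrome's key_share.
        System.out.println("x25519 usable:  " + keyExchangeAvailable("X25519", "X25519"));
        System.out.println("EC/ECDH usable: " + keyExchangeAvailable("EC", "ECDH"));
        System.out.println("jdk.tls.namedGroups = " + System.getProperty("jdk.tls.namedGroups"));

        // Signed jars are the candidates to examine, per the answer above.
        List<File> jars = jarsOn(System.getProperty("java.class.path"));
        jars.addAll(jarsOn(System.getProperty("jdk.module.path")));
        for (File jar : jars) {
            if (isSigned(jar)) System.out.println("signed jar: " + jar);
        }
    }
}
```

Run it with the same class path and `--module-path` as the server, once on each JDK build, and compare the provider list and the two key-exchange lines.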
