Compatibility issue with Adoptium JDK due to T12KeyAgreement (TLS v1.2) implementation #1126

pradeep1794 opened this issue Jul 4, 2024 · 3 comments

@pradeep1794

Please provide a brief summary of the bug

Compatibility issue with Adoptium JDK due to T12KeyAgreement (TLS v1.2) implementation

OpenJDK 1.8:
ECDHE("ecdhe", ECDHKeyExchange.poGenerator, ECDHKeyExchange.ecdheKAGenerator)

Adoptium JDK 11:
ECDHE("ecdhe", ECDHKeyExchange.poGenerator, ECDHKeyExchange.ecdheXdhKAGenerator)

The use of a different SSL key agreement generator might be the cause for JDK 11 calling Luna for key derivation while JDK 1.8 does not.

Due to this our application is failing.

Did you test with the latest update version?

  • Yes

Please provide steps to reproduce where possible

No response

Expected Results

NA

Actual Results

NA

What Java Version are you using?

jdk11.0.23+9 for linux 64

What is your operating system and platform?

RHEL 7.9

How did you install Java?

No response

Did it work before?

No response

Did you test with other Java versions?

No response

Relevant log output

No response

@pradeep1794 pradeep1794 added the bug Something isn't working label Jul 4, 2024
@karianna
Contributor

@pradeep1794 What is the exact error you're seeing?

@pradeep1794
Author

Hi @karianna, below is what we are getting in our PingFederate server:

image

JFI, we are moving from Oracle Java 8 to OpenJDK 11 on our PingFederate servers. There, PingFed's certs/keys (private) are stored in a 3rd-party HSM tool: SafeNet Luna. Now when we try to use OpenJDK 11, our PF servers are unable to drive the keys from the HSM (the key used for the server SSL cert, the key used to communicate with the user data store (Microsoft AD), and all other private keys stored in the HSM).

This has been checked by our Ping vendor and also by the HSM provider (SafeNet Luna); they indicated that it's something in OpenJDK's Java security that is creating the issue.

@karianna
Contributor

What happens when you use Oracle JDK 11?
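
To compare the runtimes discussed in this thread, a small diagnostic can be run on each JDK to list the JCA provider order and which providers offer the services an ECDHE TLS 1.2 handshake relies on. This is an added example, not code from the issue or from the Adoptium project; the class name `ProviderCheck` and the choice of service filters are assumptions.

```java
import java.security.Provider;
import java.security.Security;

// Added diagnostic, not from the issue: prints the JCA provider order and
// which providers offer the services an ECDHE TLS 1.2 handshake relies on.
public class ProviderCheck { // hypothetical class name

    // Service filters to look up (an assumed selection). XDH was added in
    // JDK 11; the SunTls* names are the JDK's TLS key derivation services.
    static final String[] FILTERS = {
        "KeyPairGenerator.EC", "KeyAgreement.ECDH",
        "KeyPairGenerator.XDH", "KeyAgreement.XDH",
        "KeyGenerator.SunTlsMasterSecret", "KeyGenerator.SunTlsKeyMaterial"
    };

    // Names of the providers offering a service, highest preference first.
    static String providersFor(String filter) {
        Provider[] found = Security.getProviders(filter); // null if none match
        if (found == null) {
            return "(none)";
        }
        StringBuilder sb = new StringBuilder();
        for (Provider p : found) {
            if (sb.length() > 0) {
                sb.append(" > ");
            }
            sb.append(p.getName());
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        System.out.println("java.version        = " + System.getProperty("java.version"));
        System.out.println("java.vendor         = " + System.getProperty("java.vendor"));
        // null here means the JDK's default TLS named groups are in effect
        System.out.println("jdk.tls.namedGroups = " + System.getProperty("jdk.tls.namedGroups"));

        System.out.println("Provider order:");
        int position = 1;
        for (Provider p : Security.getProviders()) {
            System.out.println("  " + position++ + ". " + p.getName() + " (" + p.getInfo() + ")");
        }

        System.out.println("Providers per service (preferred first):");
        for (String filter : FILTERS) {
            System.out.println("  " + filter + " -> " + providersFor(filter));
        }
    }
}
```

Run it with the same `java.security` file and provider JARs the server uses, then diff the output from the two JDKs. The listing shows what is registered; the provider actually chosen for an operation also depends on the key object passed to it.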
