SSL connection from Weblogic to LDAP reports:javax.net.ssl.SSLHandshakeException: Unsupported curveId:21
Last updated on APRIL 13, 2017
Applies to:
Java SE JDK and JRE - Version 8 and laterInformation in this document applies to any platform.
Symptoms
When attempting to use SSL connection from Weblogic servers to LDAP, the following error occurs.
### <> <> <> <[Thread[ConnSetupMgr,5,Pooled Threads]]weblogic.security.SSL.jsseadapter: SSLENGINE: Exception occurred during SSLEngine.unwrap(ByteBuffer,ByteBuffer[]).
javax.net.ssl.SSLHandshakeException: Unsupported curveId: 21
javax.net.ssl.SSLHandshakeException: Unsupported curveId: 21
From weblogic.log_jdk1.8.0_121 log file :
<BEA-099117> <The LDAP authentication provider named "IPlanet" failed to make connection to ldap server at ldaps://ugdqa.intranet.unicreditgroup.eu:636, the error cause is: Unsupported curveId: 21.>
Handshake message for ServerKeyExchange looks like below:
<<< TLS 1.2 Handshake [length 0145], ServerKeyExchange
0c 00 01 41 03 00 15 39 04 92 0c 11 14 6b 88 5a
3f 52 19 25 c4 5e 75 6e 10 b5 a9 0b d1 c9 a9 54
0c 00 01 41 03 00 15 39 04 92 0c 11 14 6b 88 5a
3f 52 19 25 c4 5e 75 6e 10 b5 a9 0b d1 c9 a9 54
This can be analyzed, using RFC 5246 and RFC 4492 as references. In this case:
0c: this is a ServerKeyExchange message (described in section 5.4 of RFC4492)
00 01 41: of length 0x000141 bytes (321 bytes)
03: the curve type is "named_curve"
00 15: the curve is secp224r1 (curve identifiers are in section 5.1.1,identifier 0x0015 is 21 in decimal).
Changes
Java upgrade to 8U121 from 8U112
Cause
Sign In with your My Oracle Support account |
|
Don't have a My Oracle Support account? Click to get started |
My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms