SSL connection from WebLogic to LDAP reports: javax.net.ssl.SSLHandshakeException: Unsupported curveId: 21 (Doc ID 2254744.1)

Last updated on APRIL 13, 2017

Applies to:

Java SE JDK and JRE - Version 8 and later
Information in this document applies to any platform.

Symptoms

When attempting to use an SSL connection from WebLogic servers to LDAP, the following error occurs.

### <> <> <> <[Thread[ConnSetupMgr,5,Pooled Threads]]weblogic.security.SSL.jsseadapter: SSLENGINE: Exception occurred during SSLEngine.unwrap(ByteBuffer,ByteBuffer[]).
javax.net.ssl.SSLHandshakeException: Unsupported curveId: 21

From the weblogic.log_jdk1.8.0_121 log file:

<BEA-099117> <The LDAP authentication provider named "IPlanet" failed to make connection to ldap server at ldaps://ugdqa.intranet.unicreditgroup.eu:636, the error cause is: Unsupported curveId: 21.>

The handshake message for ServerKeyExchange looks like the following:

<<< TLS 1.2 Handshake [length 0145], ServerKeyExchange
0c 00 01 41 03 00 15 39 04 92 0c 11 14 6b 88 5a
3f 52 19 25 c4 5e 75 6e 10 b5 a9 0b d1 c9 a9 54

This can be analyzed using RFC 5246 and RFC 4492 as references. In this case:

0c: this is a ServerKeyExchange message (described in section 5.4 of RFC 4492)
00 01 41: the message body is 0x000141 bytes long (321 bytes)
03: the curve type is "named_curve"
00 15: the curve is secp224r1 (curve identifiers are listed in section 5.1.1 of RFC 4492; identifier 0x0015 is 21 in decimal).
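The decoding above can be automated so that a captured ServerKeyExchange can be checked against the curves a client is willing to accept. The following Python is an added example and not part of the Oracle note: it parses the message header (type, 24-bit length, curve type, NamedCurve id) using the RFC 4492 section 5.1.1 registry, cross-checks the ECPoint length byte against the field size of the named curve, and compares the curve against an allow-list. The allow-list of secp256r1/secp384r1/secp521r1 is an assumption for illustration only; the real client policy depends on the JDK and JSSE configuration, which this article does not show. The sample bytes are the two dump lines quoted above; since the page does not show the remaining bytes of the 321-byte message, only the header fields are decoded.

```python
"""Decode the start of a TLS 1.2 ECDHE ServerKeyExchange message (added example).

Layout per RFC 5246 section 7.4.3 and RFC 4492 section 5.4:
  HandshakeType msg_type   (1 byte)   0x0c = server_key_exchange
  uint24        length     (3 bytes)  body length
  ECCurveType   curve_type (1 byte)   0x03 = named_curve
  NamedCurve    namedcurve (2 bytes)  present only when curve_type == named_curve
  ECPoint       public     (1-byte length prefix, then the point)
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# NamedCurve registry values from RFC 4492 section 5.1.1.
NAMED_CURVES = {
    1: "sect163k1", 2: "sect163r1", 3: "sect163r2", 4: "sect193r1", 5: "sect193r2",
    6: "sect233k1", 7: "sect233r1", 8: "sect239k1", 9: "sect283k1", 10: "sect283r1",
    11: "sect409k1", 12: "sect409r1", 13: "sect571k1", 14: "sect571r1",
    15: "secp160k1", 16: "secp160r1", 17: "secp160r2", 18: "secp192k1", 19: "secp192r1",
    20: "secp224k1", 21: "secp224r1", 22: "secp256k1", 23: "secp256r1", 24: "secp384r1",
    25: "secp521r1",
}

# Field element size in bytes for the prime-field curves; an uncompressed point
# (0x04 || x || y) is therefore 1 + 2 * size bytes long.
PRIME_FIELD_BYTES = {19: 24, 20: 28, 21: 28, 22: 32, 23: 32, 24: 48, 25: 66}

SERVER_KEY_EXCHANGE = 0x0C
CURVE_TYPE_NAMED = 0x03

# Assumed allow-list for illustration; not taken from the article or any JDK default.
DEFAULT_ALLOWED: FrozenSet[int] = frozenset({23, 24, 25})


@dataclass
class ServerKeyExchangeHeader:
    msg_type: int
    length: int
    curve_type: int
    curve_id: Optional[int]
    curve_name: Optional[str]
    point_len: Optional[int]


def parse_server_key_exchange(data: bytes) -> ServerKeyExchangeHeader:
    """Parse the fixed header fields; raises ValueError on a malformed prefix."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for type, length and curve type")
    msg_type = data[0]
    if msg_type != SERVER_KEY_EXCHANGE:
        raise ValueError(f"not a ServerKeyExchange message: type 0x{msg_type:02x}")
    length = int.from_bytes(data[1:4], "big")   # uint24, network byte order
    curve_type = data[4]
    curve_id = curve_name = point_len = None
    if curve_type == CURVE_TYPE_NAMED:
        if len(data) < 7:
            raise ValueError("truncated before the NamedCurve field")
        curve_id = int.from_bytes(data[5:7], "big")
        curve_name = NAMED_CURVES.get(curve_id, f"unknown({curve_id})")
        if len(data) >= 8:
            point_len = data[7]  # ECPoint is opaque <1..2^8-1>, so a 1-byte length
    return ServerKeyExchangeHeader(msg_type, length, curve_type, curve_id, curve_name, point_len)


def point_length_consistent(hdr: ServerKeyExchangeHeader) -> bool:
    """True when the ECPoint length matches an uncompressed point on the named curve."""
    if hdr.curve_id not in PRIME_FIELD_BYTES or hdr.point_len is None:
        return False
    return hdr.point_len == 1 + 2 * PRIME_FIELD_BYTES[hdr.curve_id]


def curve_allowed(curve_id: Optional[int], allowed: FrozenSet[int] = DEFAULT_ALLOWED) -> bool:
    return curve_id is not None and curve_id in allowed


def hexdump_to_bytes(text: str) -> bytes:
    return bytes.fromhex("".join(text.split()))


# Constructed sample: the two dump lines quoted in the article (header only).
SAMPLE_DUMP = """
0c 00 01 41 03 00 15 39 04 92 0c 11 14 6b 88 5a
3f 52 19 25 c4 5e 75 6e 10 b5 a9 0b d1 c9 a9 54
"""


def analyze_dump(text: str, allowed: FrozenSet[int] = DEFAULT_ALLOWED) -> Tuple[ServerKeyExchangeHeader, bool]:
    hdr = parse_server_key_exchange(hexdump_to_bytes(text))
    return hdr, curve_allowed(hdr.curve_id, allowed)


if __name__ == "__main__":
    header, ok = analyze_dump(SAMPLE_DUMP)
    print(header)
    print("ECPoint length consistent with curve:", point_length_consistent(header))
    print("curve accepted by the assumed client allow-list:", ok)
```

Run against the dump from the article, the parser reports a 321-byte ServerKeyExchange with named_curve 21 (secp224r1) and a 57-byte ECPoint, which is exactly 1 + 2 * 28 for an uncompressed secp224r1 point, so the server's message is well-formed; the failure is a policy mismatch between the curve the server chose and the curves the client accepts, not a corrupt handshake.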

Changes

Java upgraded from 8u112 to 8u121

Cause
