My Oracle Support Banner

SSL connection from Weblogic to LDAP reports:javax.net.ssl.SSLHandshakeException: Unsupported curveId:21 (Doc ID 2254744.1)

Last updated on FEBRUARY 03, 2019

Applies to:

Java SE JDK and JRE - Version 8 and later
Information in this document applies to any platform.

Symptoms

When attempting to use SSL connection from Weblogic servers to LDAP, the following error occurs.

### <> <> <> <[Thread[ConnSetupMgr,5,Pooled Threads]]weblogic.security.SSL.jsseadapter: SSLENGINE: Exception occurred during SSLEngine.unwrap(ByteBuffer,ByteBuffer[]).
javax.net.ssl.SSLHandshakeException: Unsupported curveId: 21

From weblogic.log_jdk1.8.0_121 log file :

<BEA-099117> <The LDAP authentication provider named "IPlanet" failed to make connection to ldap server at ldaps://ugdqa.intranet.unicreditgroup.eu:636, the error cause is: Unsupported curveId: 21.>

Handshake message for ServerKeyExchange looks like below:

<<< TLS 1.2 Handshake [length 0145], ServerKeyExchange
0c 00 01 41 03 00 15 39 04 92 0c 11 14 6b 88 5a
3f 52 19 25 c4 5e 75 6e 10 b5 a9 0b d1 c9 a9 54

This can be analyzed, using RFC 5246 and RFC 4492 as references. In this case:

0c: this is a ServerKeyExchange message (described in section 5.4 of RFC4492)
00 01 41: of length 0x000141 bytes (321 bytes)
03: the curve type is "named_curve"
00 15: the curve is secp224r1 (curve identifiers are in section 5.1.1,identifier 0x0015 is 21 in decimal).

Changes

Java upgrade to 8U121 from 8U112 

Cause

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document
Symptoms
Changes
Cause
Solution
References


My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.