CKR_DOMAIN_PARAMS_INVALID exception when creating SSL connection and using openjdk

Description

The latest svn version of openfire is unable to process SSL/TLS connections on my server. The symptoms are that a client's (gajim in my case) connection attempt stalls; the exception is thrown but the TCP socket is not closed.

2013.02.26 14:06:57 org.jivesoftware.openfire.nio.ConnectionHandler - ConnectionHandler reports unexpected exception for session: (SOCKET, R: /46.244.217.124:34544, L: /78.47.171.60:5222, S: 0.0.0.0/0.0.0.0:5222)
java.lang.RuntimeException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1029)
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:508)
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:759)
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:727)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
    at org.apache.mina.filter.support.SSLHandler.unwrap0(SSLHandler.java:658)
    at org.apache.mina.filter.support.SSLHandler.unwrapHandshake(SSLHandler.java:614)
    at org.apache.mina.filter.support.SSLHandler.handshake(SSLHandler.java:493)
    at org.apache.mina.filter.support.SSLHandler.messageReceived(SSLHandler.java:306)
    at org.apache.mina.filter.SSLFilter.messageReceived(SSLFilter.java:392)
    at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
    at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
    at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
    at org.apache.mina.common.support.AbstractIoFilterChain$HeadFilter.messageReceived(AbstractIoFilterChain.java:499)
    at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
    at org.apache.mina.common.support.AbstractIoFilterChain.fireMessageReceived(AbstractIoFilterChain.java:293)
    at org.apache.mina.transport.socket.nio.SocketIoProcessor.read(SocketIoProcessor.java:228)
    at org.apache.mina.transport.socket.nio.SocketIoProcessor.process(SocketIoProcessor.java:198)
    at org.apache.mina.transport.socket.nio.SocketIoProcessor.access$400(SocketIoProcessor.java:45)
    at org.apache.mina.transport.socket.nio.SocketIoProcessor$Worker.run(SocketIoProcessor.java:485)
    at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:51)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
    at java.lang.Thread.run(Thread.java:636)
Caused by: java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
    at sun.security.pkcs11.P11KeyPairGenerator.generateKeyPair(P11KeyPairGenerator.java:323)
    at java.security.KeyPairGenerator$Delegate.generateKeyPair(KeyPairGenerator.java:673)
    at sun.security.ssl.ECDHCrypt.<init>(ECDHCrypt.java:63)
    at sun.security.ssl.ServerHandshaker.setupEphemeralECDHKeys(ServerHandshaker.java:991)
    at sun.security.ssl.ServerHandshaker.trySetCipherSuite(ServerHandshaker.java:872)
    at sun.security.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:801)
    at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:576)
    at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:170)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:610)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:550)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:548)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:969)
    at org.apache.mina.filter.support.SSLHandler.doTasks(SSLHandler.java:686)
    at org.apache.mina.filter.support.SSLHandler.handshake(SSLHandler.java:486)
    ... 16 more
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
    at sun.security.pkcs11.wrapper.PKCS11.C_GenerateKeyPair(Native Method)
    at sun.security.pkcs11.P11KeyPairGenerator.generateKeyPair(P11KeyPairGenerator.java:314)
    ... 30 more

References:

I'm atm not really sure if it's an openjdk, mina, or JVM problem.

Environment

None
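
An added diagnostic, not part of the original report and not Openfire or MINA code: the trace above fails in P11KeyPairGenerator.generateKeyPair, reached from ECDHCrypt while the server sets up ephemeral ECDH keys, so this stand-alone program makes the same kind of EC key-pair request against every installed JCA provider, outside Openfire and MINA. The class name and the three curve names are assumptions; the report does not say which curve the handshake requested.

```java
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.spec.ECGenParameterSpec;

// Added diagnostic, not Openfire or MINA code. The curve names are assumed
// sample inputs; the trace does not say which curve the handshake requested.
public class EcKeyGenProbe {
    static final String[] CURVES = {"secp256r1", "secp384r1", "secp521r1"};

    // Returns null on success, otherwise the innermost cause as text
    // (for the failure in the report this would be the PKCS11Exception).
    static String probe(Provider provider, String curve) {
        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", provider);
            kpg.initialize(new ECGenParameterSpec(curve));
            kpg.generateKeyPair();
            return null;
        } catch (Exception e) {
            Throwable root = e;
            while (root.getCause() != null) {
                root = root.getCause();
            }
            return root.getClass().getName() + ": " + root.getMessage();
        }
    }

    public static void main(String[] args) {
        boolean found = false;
        // Security.getProviders() returns providers in preference order.
        for (Provider provider : Security.getProviders()) {
            if (provider.getService("KeyPairGenerator", "EC") == null) {
                continue; // this provider does not offer EC key generation
            }
            found = true;
            for (String curve : CURVES) {
                String err = probe(provider, curve);
                System.out.printf("%-16s %-10s %s%n", provider.getName(), curve,
                        err == null ? "ok" : "FAILED " + err);
            }
        }
        if (!found) {
            System.out.println("no installed provider offers KeyPairGenerator.EC");
        }
    }
}
```

Run it with the same JVM that runs Openfire. A failure here reproduces the problem without Openfire or MINA in the picture, which narrows it to the JVM's provider configuration.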

Activity

Daryl Herzmann 
September 11, 2017 at 8:33 PM

Got no responses for requests for a current reproducer. Can certainly reopen if somebody can!

Daryl Herzmann 
December 19, 2016 at 8:40 PM

Anybody still seeing this with Openfire 4.1?

Daryl Herzmann 
October 31, 2015 at 3:18 AM

Anybody wish to comment if this issue still affects Openfire 3.10.2?

Daniel 'f0o' Preussker 
July 3, 2014 at 12:26 PM

Also affects Openfire 3.10.0 Alpha

It's very annoying, I can't connect with any command-line XMPP client :/

Cannot Reproduce

Details

Created February 26, 2013 at 1:16 PM
Updated September 11, 2017 at 8:33 PM
Resolved September 11, 2017 at 8:33 PM