What version of JDK 8u are you running with ? There's been a few tweaks
in this code area which might help you.
https://bugs.openjdk.java.net/browse/JDK-8149017
https://bugs.openjdk.java.net/browse/JDK-8158111
If you can reproduce with 8u121, please log an issue via
http://bugreport.java.com/ (or JBS if you have an account) - We need to
be aware of such issues.
Regards,
Sean.
On 07/02/17 21:29, Gardiner Michael wrote:
Hello Java Security Developers
We had a discussion a year and a bit ago about the
TlsRsaPremasterSecretParameterSpec being used in a way that doesn’t
seem to make sense. I’ve attached the email from 2015, but the same
question has arisen.
It seems that the JSSE is expecting RSA Ciphers to be able to handle
TlsRsaPremasterSecretParameterSpec. Is the
TlsRsaPremasterSecretParameterSpec class going to move out of the
status of “@deprecated Sun JDK internal use only --- WILL BE REMOVED
in a future release” towards something that will be expected of RSA
cipher instances to interoperate with the JSSE?
This is a blocking issue currently with at least one large customer.
We could add some code in our provider to inspect if the parameter
spec sent is of the offending type, but I’d really rather not have to
handle a deprecated class that was never intended to be used outside
of the Sun code base.
My current advice to this customer is:
1.Roll back to a previous version of Java that’s not affected by this
behaviour change
2.Ensure the use of PFS cipher suites so the RSA key is used only for
identity and not key exchange
But both of those pieces of advice may not be practical in their
situation.
Regards,
Mike Gardiner
Systems Security Architect
Gemalto
