db-derby-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Besosa, Michael" <michael.bes...@pearson.com>
Subject Working around Java 7 issue with DH-based cipher suites
Date Thu, 25 Jun 2015 16:37:51 GMT
I'm in the process of migrating an application that was successfully using
embedded Derby to the Derby Network Server using SSL in basic mode. I've
run into what seems to be an old issue with Java 7 and cipher suites that
use Diffie-Hellman key exchange. The issue is well described here:

        https://community.oracle.com/thread/2506695

I see exactly the described symptoms: TLS connections are successfully
negotiated for a while, then, after an unpredictable number of successful
negotiations as a result of calling DriverManager.getConnection(), one will
sudden fail with an invalid padding length error that causes a negotiation
failure. This can happen on the first connection attempt or after hundreds
of successful connections. It's completely unpredictable.

I'm seeing this running Java 1.7u79. Apparently it has been present in all
releases since 1.7u6.

The two suggested workarounds are to (1) force selection of a cipher suite
that doesn't use DHE. I don't see a way to coerce Derby into doing that. Or
(2) use a different JCE provider, such as BouncyCastle. However, when I try
to do that, either by editing java.security or dynamically inserting the BC
provider ahead of the Oracle provider, attempts to connect to the server
fail immediately ("connection refused").

I'm out of ideas. Suggestions would be appreciated.

Mime
View raw message