Cannot make HTTPS request with 8u232-b09-jdk-hotspot on armhf

[tomaszszewczyk-silvair]

Platform & architecture:
Debian stable (Buster) inside Docker version 18.06.3-ce, build d7080c1 on Linux arm 4.0.3-armv7-x2 AdoptOpenJDK/openjdk-build#1 SMP Thu May 14 14:30:32 CST 2015 armv7l GNU/Linux.

Having set up adoptopenjdk image with following Dockerfile:

FROM debian:stable
RUN apt update && apt install -y wget curl unzip zip apt-transport-https ca-certificates gnupg2 software-properties-common
RUN wget -qO - https://adoptopenjdk.jfrog.io/adoptopenjdk/api/gpg/key/public | apt-key add - \
    && mkdir -p /usr/share/man/man1 \
    && add-apt-repository --yes https://adoptopenjdk.jfrog.io/adoptopenjdk/deb/ \
    && apt update && apt install -y adoptopenjdk-8-hotspot

I have created simple example of HTTPS request:

import java.net.URL;
import java.io.*;
import javax.net.ssl.HttpsURLConnection;

public class Test 
{
    public static void main(String[] args) throws Exception {
        String httpsURL = "https://www.google.com/";
	URL myUrl = new URL(httpsURL);
        HttpsURLConnection conn = (HttpsURLConnection)myUrl.openConnection();
        InputStream is = conn.getInputStream();
        InputStreamReader isr = new InputStreamReader(is);
        BufferedReader br = new BufferedReader(isr);

        String inputLine;

        while ((inputLine = br.readLine()) != null) {
            System.out.println(inputLine);
        }

        br.close();
    }
}

Which compiles fine, but fails with following error:

root@5f7479f5e708:/app# javac Test.java
root@5f7479f5e708:/app# java Test
Exception in thread "main" javax.net.ssl.SSLKeyException: Invalid signature on ECDH server key exchange message
	at sun.security.ssl.HandshakeMessage$ECDH_ServerKeyExchange.<init>(HandshakeMessage.java:1121)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:300)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
	at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1570)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1498)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:268)
	at Test.main(Test.java:13)
root@5f7479f5e708:/app#

This exact same Test.java file works fine with default-jdk (openjdk version "11.0.5" 2019-10-15) installation from debian repository. What is more interesting above example works just fine on amd64 machine.

Cacert file looks fine for me:

root@5f7479f5e708:/app# keytool -list -keystore /usr/lib/jvm/adoptopenjdk-8-hotspot-armhf/jre/lib/security/cacerts 
Enter keystore password:  

*****************  WARNING WARNING WARNING  *****************
* The integrity of the information stored in your keystore  *
* has NOT been verified!  In order to verify its integrity, *
* you must provide your keystore password.                  *
*****************  WARNING WARNING WARNING  *****************

Keystore type: jks
Keystore provider: SUN

Your keystore contains 88 entries

verisignclass2g2ca [jdk], Jun 13, 2018, trustedCertEntry, 
Certificate fingerprint (SHA1): B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D
digicertassuredidg3 [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): F5:17:A2:4F:9A:48:C6:C9:F8:A2:00:26:9F:DC:0F:48:2C:AB:30:89
verisignuniversalrootca [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): 36:79:CA:35:66:87:72:30:4D:30:A5:FB:87:3B:0F:A7:7B:B7:0D:54
digicerttrustedrootg4 [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): DD:FB:16:CD:49:31:C9:73:A2:03:7D:3F:C8:3A:4D:7D:77:5D:05:E4
identrustpublicca [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): BA:29:41:60:77:98:3F:F4:F3:EF:F2:31:05:3B:2E:EA:6D:4D:45:FD
utnuserfirstobjectca [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): E1:2D:FB:4B:41:D7:D9:C3:2B:30:51:4B:AC:1D:81:D8:38:5E:2D:46
geotrustuniversalca [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): E6:21:F3:35:43:79:05:9A:4B:68:30:9D:8A:2F:74:22:15:87:EC:79
digicertglobalrootg3 [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): 7E:04:DE:89:6A:3E:66:6D:00:E6:87:D3:3F:FA:D9:3B:E8:3D:34:9E
entrustrootcaec1 [jdk], Jun 27, 2018, trustedCertEntry, 
Certificate fingerprint (SHA1): 20:D8:06:40:DF:9B:25:F5:12:25:3A:11:EA:F7:59:8A:EB:14:B5:47
secomscrootca1 [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): 36:B1:2B:49:F9:81:9E:D7:4C:9E:BC:38:0F:C6:56:8F:5D:AC:B2:F7
globalsignr2ca [jdk], Aug 14, 2018, trustedCertEntry, 
Certificate fingerprint (SHA1): 75:E0:AB:B6:13:85:12:27:1C:04:F8:5F:DD:DE:38:E4:B7:24:2E:FE
identrustdstx3 [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): DA:C9:02:4F:54:D8:F6:DF:94:93:5F:B1:73:26:38:CA:6A:D7:7C:13
comodoeccca [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): 9F:74:4E:9F:2B:4D:BA:EC:0F:31:2C:50:B6:56:3B:8E:2D:93:C3:11
globalsignrootcar6 [jdk], Apr 30, 2019, trustedCertEntry, 
Certificate fingerprint (SHA1): 80:94:64:0E:B5:A7:A1:CA:11:9C:1F:DD:D5:9F:81:02:63:A7:FB:D1
entrust2048ca [jdk], Jun 27, 2018, trustedCertEntry, 
Certificate fingerprint (SHA1): 50:30:06:09:1D:97:D4:F5:AE:39:F7:CB:E7:92:7D:7D:65:2D:34:31
addtrustexternalca [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): 02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:68:85:18:68
globalsigneccrootcar4 [jdk], Aug 14, 2018, trustedCertEntry, 
Certificate fingerprint (SHA1): 69:69:56:2E:40:80:F4:24:A1:E7:19:9F:14:BA:F3:EE:58:AB:6A:BB
usertrustrsaca [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): 2B:8F:1B:57:33:0D:BB:A2:D0:7A:6C:51:F7:0E:E9:0D:DA:B9:AD:8E
digicertassuredidrootca [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): 05:63:B8:63:0D:62:D7:5A:BB:C8:AB:1E:4B:DF:B5:A8:99:B2:4D:43
digicertglobalrootg2 [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): DF:3C:24:F9:BF:D6:66:76:1B:26:80:73:FE:06:D1:CC:8D:4F:82:A4
actalisauthenticationrootca [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): F3:73:B3:87:06:5A:28:84:8A:F2:F3:4A:CE:19:2B:DD:C7:8E:9C:AC
digicertassuredidg2 [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): A1:4B:48:D9:43:EE:0A:0E:40:90:4F:3C:E0:A4:C0:91:93:51:5D:3F
swisssigngoldg2ca [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): D8:C5:38:8A:B7:30:1B:1B:6E:D4:7A:E6:45:25:3A:6F:9F:1A:27:61
entrustrootcag2 [jdk], Jun 27, 2018, trustedCertEntry, 
Certificate fingerprint (SHA1): 8C:F4:27:FD:79:0C:3A:D1:66:06:8D:E8:1E:57:EF:BB:93:22:72:D4
quovadisrootca2g3 [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): 09:3C:61:F3:8B:8B:DC:7D:55:DF:75:38:02:05:00:E1:25:F5:C8:36
securetrustca [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): 87:82:C6:C3:04:35:3B:CF:D2:96:92:D2:59:3E:7D:44:D9:34:FF:11
camerfirmachambersca [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): 78:6A:74:AC:76:AB:14:7F:9C:6A:30:50:BA:9E:A8:7E:FE:9A:CE:3C
geotrustprimaryca [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): 32:3C:11:8E:1B:F7:B8:B6:52:54:E2:E2:10:0D:D6:02:90:37:F0:96
identrustcommercial [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): DF:71:7E:AA:4A:D9:4E:C9:55:84:99:60:2D:48:DE:5F:BC:F0:3A:25
thawteprimaryrootcag3 [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): F1:8B:53:8D:1B:E9:03:B6:A6:F0:56:43:5B:17:15:89:CA:F3:6B:F2
buypassclass3ca [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): DA:FA:F7:FA:66:84:EC:06:8F:14:50:BD:C7:C2:81:A5:BC:A9:64:57
verisigntsaca [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): 20:CE:B1:F0:F5:1C:0E:19:A9:F3:8D:B1:AA:8E:03:8C:AA:7A:C7:01
verisignclass3g4ca [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): 22:D5:D8:DF:8F:02:31:D1:8D:F7:9D:B7:CF:8A:2D:64:C9:3F:6C:3A
baltimorecybertrustca [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): D4:DE:20:D0:5E:66:FC:53:FE:1A:50:88:2C:78:DB:28:52:CA:E4:74
luxtrustglobalrootca [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): C9:3C:34:EA:90:D9:13:0C:0F:03:00:4B:98:BD:8B:35:70:91:56:11
verisignclass3g2ca [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): 85:37:1C:A6:E5:50:14:3D:CE:28:03:47:1B:DE:3A:09:E8:F8:77:0F
camerfirmachamberscommerceca [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): 6E:3A:55:A4:19:0C:19:5C:93:84:3C:C0:DB:72:2E:31:30:61:F0:B1
soneraclass2ca [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): 37:F7:6D:E6:07:7C:90:C5:B1:3E:93:1A:B7:41:10:B4:F2:E4:9A:27
affirmtrustnetworkingca [jdk], Jun 27, 2018, trustedCertEntry, 
Certificate fingerprint (SHA1): 29:36:21:02:8B:20:ED:02:F5:66:C5:32:D1:D6:ED:90:9F:45:00:2F
ttelesecglobalrootclass3ca [jdk], Jul 12, 2018, trustedCertEntry, 
Certificate fingerprint (SHA1): 55:A6:72:3E:CB:F2:EC:CD:C3:23:74:70:19:9D:2A:BE:11:E3:81:D1
xrampglobalca [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): B8:01:86:D1:EB:9C:86:A5:41:04:CF:30:54:F3:4C:52:B7:E5:58:C6
geotrustprimarycag3 [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): 03:9E:ED:B8:0B:E7:A0:3C:69:53:89:3B:20:D2:D9:32:3A:4C:2A:FD
camerfirmachambersignca [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): 4A:BD:EE:EC:95:0D:35:9C:89:AE:C7:52:A1:2C:5B:29:F6:D6:AA:0C
thawteprimaryrootcag2 [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): AA:DB:BC:22:23:8F:C4:01:A1:27:BB:38:DD:F4:1D:DB:08:9E:F0:12
usertrusteccca [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): D1:CB:CA:5D:B2:D5:2A:7F:69:3B:67:4D:E5:F0:5A:1D:0C:95:7D:F0
swisssignsilverg2ca [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): 9B:AA:E5:9F:56:EE:21:CB:43:5A:BE:25:93:DF:A7:F0:40:D1:1D:CB
affirmtrustpremiumca [jdk], Jun 27, 2018, trustedCertEntry, 
Certificate fingerprint (SHA1): D8:A6:33:2C:E0:03:6F:B1:85:F6:63:4F:7D:6A:06:65:26:32:28:27
globalsignca [jdk], Jul 12, 2018, trustedCertEntry, 
Certificate fingerprint (SHA1): B1:BC:96:8B:D4:F4:9D:62:2A:A8:9A:81:F2:15:01:52:A4:1D:82:9C
dtrustclass3ca2 [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): 58:E8:AB:B0:36:15:33:FB:80:F7:9B:1B:6D:29:D3:FF:8D:5F:00:F0
affirmtrustcommercialca [jdk], Jun 27, 2018, trustedCertEntry, 
Certificate fingerprint (SHA1): F9:B5:B6:32:45:5F:9C:BE:EC:57:5F:80:DC:E9:6E:2C:C7:B2:78:B7
letsencryptisrgx1 [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): CA:BD:2A:79:A1:07:6A:31:F2:1D:25:36:35:CB:03:9D:43:29:A5:E8
thawtepremiumserverca [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): E0:AB:05:94:20:72:54:93:05:60:62:02:36:70:F7:CD:2E:FC:66:66
comodoaaaca [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): D1:EB:23:A4:6D:17:D6:8F:D9:25:64:C2:F1:F1:60:17:64:D8:E3:49
geotrustprimarycag2 [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): 8D:17:84:D5:37:F3:03:7D:EC:70:FE:57:8B:51:9A:99:E6:10:D7:B0
globalsignr3ca [jdk], Jul 12, 2018, trustedCertEntry, 
Certificate fingerprint (SHA1): D6:9B:56:11:48:F0:1C:77:C5:45:78:C1:09:26:DF:5B:85:69:76:AD
thawteprimaryrootca [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): 91:C6:D6:EE:3E:8A:C8:63:84:E5:48:C2:99:29:5C:75:6C:81:7B:81
quovadisrootca3 [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): 1F:49:14:F7:D8:74:95:1D:DD:AE:02:C0:BE:FD:3A:2D:82:75:51:85
starfieldclass2ca [jdk], Jun 1, 2018, trustedCertEntry, 
Certificate fingerprint (SHA1): AD:7E:1C:28:B0:64:EF:8F:60:03:40:20:14:C3:D0:E3:37:0E:B5:8A
starfieldrootg2ca [jdk], Jun 1, 2018, trustedCertEntry, 
Certificate fingerprint (SHA1): B5:1C:06:7C:EE:2B:0C:3D:F8:55:AB:2D:92:F4:FE:39:D4:E7:0F:0E
verisignclass3ca [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): A1:DB:63:93:91:6F:17:E4:18:55:09:40:04:15:C7:02:40:B0:AE:6B
affirmtrustpremiumeccca [jdk], Jun 27, 2018, trustedCertEntry, 
Certificate fingerprint (SHA1): B8:23:6B:00:2F:1D:16:86:53:01:55:6C:11:A4:37:CA:EB:FF:C3:BB
geotrustglobalca [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): DE:28:F4:A4:FF:E5:B9:2F:A3:C5:03:D1:A3:49:A7:F9:96:2A:82:12
godaddyclass2ca [jdk], Jun 1, 2018, trustedCertEntry, 
Certificate fingerprint (SHA1): 27:96:BA:E6:3F:18:01:E2:77:26:1B:A0:D7:77:70:02:8F:20:EE:E4
godaddyrootg2ca [jdk], Jun 1, 2018, trustedCertEntry, 
Certificate fingerprint (SHA1): 47:BE:AB:C9:22:EA:E8:0E:78:78:34:62:A7:9F:45:C2:54:FD:E6:8B
verisignclass3g5ca [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): 4E:B6:D5:78:49:9B:1C:CF:5F:58:1E:AD:56:BE:3D:9B:67:44:A5:E5
certumca [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): 62:52:DC:40:F7:11:43:A2:2F:DE:9E:F7:34:8E:06:42:51:B1:81:18
quovadisrootca2 [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): CA:3A:FB:CF:12:40:36:4B:44:B2:16:20:88:80:48:39:19:93:7C:F7
swisssignplatinumg2ca [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): 56:E0:FA:C0:3B:8F:18:23:55:18:E5:D3:11:CA:E8:C2:43:31:AB:66
chunghwaepkirootca [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): 67:65:0D:F1:7E:8E:7E:5B:82:40:A4:F4:56:4B:CF:E2:3D:69:C6:F0
quovadisrootca3g3 [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): 48:12:BD:92:3C:A8:C4:39:06:E7:30:6D:27:96:E6:A4:CF:22:2E:7D
quovadisrootca [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): DE:3F:40:BD:50:93:D3:9B:6C:60:F6:DA:BC:07:62:01:00:89:76:C9
addtrustclass1ca [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): CC:AB:0E:A0:4C:23:01:D6:69:7B:DD:37:9F:CD:12:EB:24:E3:94:9D
digicerthighassuranceevrootca [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): 5F:B7:EE:06:33:E2:59:DB:AD:0C:4C:9A:E6:D3:8F:1A:61:C7:DC:25
quovadisrootca1g3 [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): 1B:8E:EA:57:96:29:1A:C9:39:EA:B8:0A:81:1A:73:73:C0:93:79:67
comodorsaca [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): AF:E5:D2:44:A8:D1:19:42:30:FF:47:9F:E2:F8:97:BB:CD:7A:8C:B4
keynectisrootca [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): 9C:61:5C:4D:4D:85:10:3A:53:26:C2:4D:BA:EA:E4:A2:D2:D5:CC:97
buypassclass2ca [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): 49:0A:75:74:DE:87:0A:47:FE:58:EE:F6:C7:6B:EB:C6:0B:12:40:99
secomscrootca2 [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): 5F:3B:8C:F2:F8:10:B3:7D:78:B4:CE:EC:19:19:C3:73:34:B9:C7:74
entrustevca [jdk], Jun 27, 2018, trustedCertEntry, 
Certificate fingerprint (SHA1): B3:1E:B1:B7:40:E3:6C:84:02:DA:DC:37:D4:4D:F5:D4:67:49:52:F9
certumtrustednetworkca [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): 07:E0:32:E0:20:B7:2C:3F:19:2F:06:28:A2:59:3A:19:A7:0F:06:9E
verisignclass3g3ca [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): 13:2D:0D:45:53:4B:69:97:CD:B2:D5:C3:39:E2:55:76:60:9B:5C:C6
teliasonerarootcav1 [jdk], Sep 5, 2018, trustedCertEntry, 
Certificate fingerprint (SHA1): 43:13:BB:96:F1:D5:86:9B:C1:4E:6A:92:F6:CF:F6:34:69:87:82:37
dtrustclass3ca2ev [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): 96:C9:1B:0B:95:B4:10:98:42:FA:D0:D8:22:79:FE:60:FA:B9:16:83
globalsigneccrootcar5 [jdk], Jul 12, 2018, trustedCertEntry, 
Certificate fingerprint (SHA1): 1F:24:C6:30:CD:A4:18:EF:20:69:FF:AD:4F:DD:5F:46:3A:1B:69:AA
starfieldservicesrootg2ca [jdk], Jul 12, 2018, trustedCertEntry, 
Certificate fingerprint (SHA1): 92:5A:8F:8D:2C:6D:04:E0:66:5F:59:6A:FF:22:D8:63:E8:25:6F:3F
ttelesecglobalrootclass2ca [jdk], Jul 12, 2018, trustedCertEntry, 
Certificate fingerprint (SHA1): 59:0D:2D:7D:88:4F:40:2E:61:7E:A5:62:32:17:65:CF:17:D8:94:E9
addtrustqualifiedca [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): 4D:23:78:EC:91:95:39:B5:00:7F:75:8F:03:3B:21:1E:C5:4D:8B:CF
digicertglobalrootca [jdk], Dec 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): A8:98:5D:3A:65:E5:E5:C4:B2:D7:D6:6D:40:C6:DD:2F:B1:9C:54:36

Looks like a problem with adoptopenjdk-8-hotspot-armhf build :/

[aahlenst]

To help track this down: The packages provided by Debian use the cacerts file in /etc/ssl/certs/java, the AdoptOpenJDK packages still come with their own. Can you test AdoptOpenJDK with /etc/ssl/certs/java/cacerts and see whether the problem goes away?

[tomaszszewczyk-silvair]

No luck:

root@5f7479f5e708:/app# mv /usr/lib/jvm/adoptopenjdk-8-hotspot-armhf/jre/lib/security/cacerts /usr/lib/jvm/adoptopenjdk-8-hotspot-armhf/jre/lib/security/cacerts.bak
root@5f7479f5e708:/app# cp /etc/ssl/certs/java/cacerts /usr/lib/jvm/adoptopenjdk-8-hotspot-armhf/jre/lib/security/cacerts
root@5f7479f5e708:/app# java Test
Exception in thread "main" javax.net.ssl.SSLKeyException: Invalid signature on ECDH server key exchange message
	at sun.security.ssl.HandshakeMessage$ECDH_ServerKeyExchange.<init>(HandshakeMessage.java:1121)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:300)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
	at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1570)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1498)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:268)
	at Test.main(Test.java:13)

[aahlenst]

Sorry for the delay. It took me a while to dust of my Raspberry Pi.

The problem isn't with the cacerts file, but rather with our build. Works flawlessly with Azul Zulu, both 8 and 11.

$ java -version
openjdk version "1.8.0_252"
OpenJDK Runtime Environment (Zulu 8.46.0.225-CA-linux_aarch32hf) (build 1.8.0_252-b225)
OpenJDK Client VM (Zulu 8.46.0.225-CA-linux_aarch32hf) (build 25.252-b225, mixed mode, Evaluation)
$ java -version
openjdk version "11.0.7" 2020-04-14 LTS
OpenJDK Runtime Environment Zulu11.39+61-CA (build 11.0.7+10-LTS)
OpenJDK Client VM Zulu11.39+61-CA (build 11.0.7+10-LTS, mixed mode)

Somehow, they even managed to get 8 to build with a client VM.

Does not work with both AdoptOpenJDK 8 and 11. I tested with our binary builds directly, not with the Debian packages.

$ uname -a
Linux raspberrypi 4.19.57-v7+ #1244 SMP Thu Jul 4 18:45:25 BST 2019 armv7l GNU/Linux
$ java -version
openjdk version "1.8.0_252"
OpenJDK Runtime Environment (AdoptOpenJDK)(build 1.8.0_252-b09)
OpenJDK Zero VM (AdoptOpenJDK)(build 25.252-b09, interpreted mode)
$ java -version
openjdk version "11.0.7" 2020-04-14
OpenJDK Runtime Environment AdoptOpenJDK (build 11.0.7+10)
OpenJDK Server VM AdoptOpenJDK (build 11.0.7+10, mixed mode)

@sxa Any idea what we're doing wrong?

[sxa]

Interesting ... Particularly for 11 there should be no differences between arm32 and all the other platforms. Will aim to take a look during the week ...

[MarcelCoding]

I have the same problem, with the jdk 14, when gradle is downloading the wrapper.
Used Docker image: adoptopenjdk:14-jdk-hotspot and adoptopenjdk:14-jre-hotspot
and the repository like described in this issue, but with the jdk 14.

[aahlenst]

I built OpenJDK 14.0.1 myself on my Raspberry Pi 4 with a 32 bit Raspbian and the problem is gone.

$ cat /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"
NAME="Raspbian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"

I ran https://github.com/aahlenst/cacert-test which should produce 1 passing and 1 failing test with the current set of CA certificates bundled with OpenJDK:

$ java -version
openjdk version "14.0.1" 2020-04-14
OpenJDK Runtime Environment AdoptOpenJDK (build 14.0.1+7-202006291331)
OpenJDK Server VM AdoptOpenJDK (build 14.0.1+7-202006291331, mixed mode, sharing)
./gradlew check
Downloading https://services.gradle.org/distributions/gradle-6.4-all.zip
.............10%..............20%..............30%..............40%..............50%..............60%..............70%..
............80%..............90%.............100%

Welcome to Gradle 6.4!

Here are the highlights of this release:  
 - Support for building, testing and running Java Modules
 - Precompiled script plugins for Groovy DSL
 - Single dependency lock file per project

For more details see https://docs.gradle.org/6.4/release-notes.html

Starting a Gradle Daemon (subsequent builds will be faster)
> Task :compileJava
> Task :processResources NO-SOURCE
> Task :classes
> Task :compileTestJava
> Task :processTestResources NO-SOURCE
> Task :testClasses

> Task :test

SampleClientTest > callSiteWithKnownCa() PASSED

SampleClientTest > callSiteWithUnknownCa() FAILED
    javax.net.ssl.SSLHandshakeException at SampleClientTest.java:16
        Caused by: javax.net.ssl.SSLHandshakeException at Alert.java:131
            Caused by: sun.security.validator.ValidatorException at PKIXValidator.java:439
                Caused by: sun.security.provider.certpath.SunCertPathBuilderException at SunCertPathBuilder.java:141

2 tests completed, 1 failed

> Task :test FAILED

FAILURE: Build failed with an exception.  

* What went wrong:
Execution failed for task ':test'.
> There were failing tests. See the report at: file:///mnt/samsung/cacert-test/build/reports/tests/test/index.html

* Try:
Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output. Run with --scan to get full insights.

* Get more help at https://help.gradle.org

BUILD FAILED in 1m 8s
3 actionable tasks: 3 executed
$ ./gradlew -version

------------------------------------------------------------
Gradle 6.4
------------------------------------------------------------

Build time:   2020-05-05 19:18:55 UTC
Revision:     42f7c3d0c3066b7b38bd0726760d4881e86fd19f

Kotlin:       1.3.71
Groovy:       2.5.10
Ant:          Apache Ant(TM) version 1.10.7 compiled on September 1 2019
JVM:          14.0.1 (AdoptOpenJDK 14.0.1+7-202006291331)
OS:           Linux 4.19.118-v7l+ arm

So, the problem is clearly with our build setup.

OpenSSL bundled with my Raspbian: 1.1.1d-0+deb10u3+rpt1

[sxa]

This appears to be fixed in the nightly builds (between 22nd and 23rd of June which was when the gcc compiler for arm32 was updated adoptium/infrastructure#487 (comment)

Failing build

[tmancill]

I am able to verify that the problem on arm32 is resolved for the nightly builds of jdk 11 and jdk 14 but still exists with the latest 8u262 nightly. I tested the following binaries:

• OpenJDK14U-jdk_arm_linux_hotspot_2020-07-12-08-34.tar.gz: PASS
• OpenJDK11U-jdk_arm_linux_hotspot_2020-07-12-10-27.tar.gz: PASS
• OpenJDK8U-jdk_arm_linux_hotspot_2020-07-12-03-41.tar.gz: FAIL (unexpected)
• OpenJDK8U-jdk_arm_linux_hotspot_8u252b09.tar.gz: FAIL (expected)

Whereas the jdk11u and jdk14u arm32 builds show 7.5.0, the jdk8u nightly build configure.txt shows it still configuring and using gcc 5.4.0:

configure: Using gcc C compiler version 5.4.0 [gcc (Ubuntu/Linaro 5.4.0-6ubuntu1~16.04.12) 5.4.0 20160609]
configure: Using gcc C++ compiler version 5.4.0 [g++ (Ubuntu/Linaro 5.4.0-6ubuntu1~16.04.12) 5.4.0 20160609]
...
* C Compiler:     Version 5.4.0 (at /usr/bin/gcc)
* C++ Compiler:   Version 5.4.0 (at /usr/bin/g++)

I'm still trying to figure out how everything fits together, but maybe just a dirty workspace for the jdk8u nightly or something else related to the application of adoptium/infrastructure#1406? I didn't see anything else that differed regarding the configuration of the builds.

[sxa]

Thanks @tmancill - I've got a fix in and we're going to aim to build the new quarterly release this week with the later gcc on JDK8 as well - initial test run is happening at https://ci.adoptopenjdk.net/job/build-scripts/job/jobs/job/jdk8u/job/jdk8u-linux-arm-hotspot/324/ - thanks for doing the analysis

[aahlenst]

This has been fixed.