jdk8u ssl connection issue
Wan, Thomas
xwan at mtb.com
Tue Sep 21 11:39:59 UTC 2021
Hi Bernd,
It does work with TLS1.1.
But in jdk8u202, it works with 1.2 as well.
All newer jdk8s or jdk 11, it seems I can make it work with TLS 1.1, but that is not as secure as TLS1.2 any more.
From: Bernd Eckenfels <ecki at zusammenkunft.net>
Sent: Tuesday, September 21, 2021 7:32 AM
To: Wan, Thomas <xwan at mtb.com>; jdk8u-dev at openjdk.java.net
Subject: Re: Welcome to the "jdk8u-dev" mailing list (Digest mode)
External Email: Use caution & trust the source before clicking links or opening attachments.
Hello,
You cannot see the reason on your side. You need to check the other side.
However seeing that your client only propose TLSv1.2 that's a likely candidate, maybe you need to re-enable TLS 1.1. that,,happened with 8u291 in Oracle according to this: https://java.com/en/jre-jdk-cryptoroadmap.html<https://urldefense.com/v3/__https:/java.com/en/jre-jdk-cryptoroadmap.html__;!!BqwCqLE!d-dTl_HcI0nyzMPCZv64BZsMVyqJ2KoLDnij_FJM_sh3iXEJB_wuZCetGA$>
https://java.com/en/configure_crypto.html#DisableTLS<https://urldefense.com/v3/__https:/java.com/en/configure_crypto.html*DisableTLS__;Iw!!BqwCqLE!d-dTl_HcI0nyzMPCZv64BZsMVyqJ2KoLDnij_FJM_sh3iXEJB_wqm3xAAQ$>
Gruss
Bernd
--
http://bernd.eckenfels.net<https://urldefense.com/v3/__http:/bernd.eckenfels.net__;!!BqwCqLE!d-dTl_HcI0nyzMPCZv64BZsMVyqJ2KoLDnij_FJM_sh3iXEJB_zOzicwQw$>
________________________________
Von: Wan, Thomas <xwan at mtb.com<mailto:xwan at mtb.com>>
Gesendet: Tuesday, September 21, 2021 1:14:35 PM
An: Bernd Eckenfels <ecki at zusammenkunft.net<mailto:ecki at zusammenkunft.net>>; jdk8u-dev at openjdk.java.net<mailto:jdk8u-dev at openjdk.java.net> <jdk8u-dev at openjdk.java.net<mailto:jdk8u-dev at openjdk.java.net>>
Betreff: RE: Welcome to the "jdk8u-dev" mailing list (Digest mode)
Here is my debug log
javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|ClientHello.java:633|Produced ClientHello handshake message (
"ClientHello": {
"client version" : "TLSv1.2",
"random" : "B5 DF 63 90 04 66 83 D7 28 D2 8E 01 2B BB 91 26 EA EF DB B0 AC CF AE D8 3E 4E DF 1C 82 DB 01 D0",
"session id" : "",
"cipher suites" : "[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E), TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D), TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
"compression methods" : "00",
"extensions" : [
"server_name (0)": {
type=host_name (0), value=unbale.mandtbank.com
},
"status_request (5)": {
"certificate status type": ocsp
"OCSP status request": {
"responder_id": <empty>
"request extensions": {
<empty>
}
}
},
"supported_groups (10)": {
"versions": [secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
},
"ec_point_formats (11)": {
"formats": [uncompressed]
},
"signature_algorithms (13)": {
"signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
},
"signature_algorithms_cert (50)": {
"signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
},
"status_request_v2 (17)": {
"cert status request": {
"certificate status type": ocsp_multi
"OCSP status request": {
"responder_id": <empty>
"request extensions": {
<empty>
}
}
}
},
"extended_master_secret (23)": {
<empty>
},
"supported_versions (43)": {
"versions": [TLSv1.2]
}
]
}
)
javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketOutputRecord.java:241|WRITE: TLS12 handshake, length = 311
javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketOutputRecord.java:255|Raw write (
0000: 16 03 03 01 37 01 00 01 33 03 03 B5 DF 63 90 04 ....7...3....c..
0010: 66 83 D7 28 D2 8E 01 2B BB 91 26 EA EF DB B0 AC f..(...+..&.....
0020: CF AE D8 3E 4E DF 1C 82 DB 01 D0 00 00 56 C0 2C ...>N........V.,
0030: C0 2B C0 30 00 9D C0 2E C0 32 00 9F 00 A3 C0 2F .+.0.....2...../
0040: 00 9C C0 2D C0 31 00 9E 00 A2 C0 24 C0 28 00 3D ...-.1.....$.(.=
0050: C0 26 C0 2A 00 6B 00 6A C0 0A C0 14 00 35 C0 05 .&.*.k.j.....5..
0060: C0 0F 00 39 00 38 C0 23 C0 27 00 3C C0 25 C0 29 ...9.8.#.'.<.%.)
0070: 00 67 00 40 C0 09 C0 13 00 2F C0 04 C0 0E 00 33 .g. at ...../.....3<mailto:.g. at ...../.....3>
0080: 00 32 00 FF 01 00 00 B4 00 00 00 19 00 17 00 00 .2..............
0090: 14 75 6E 62 61 6C 65 2E 6D 61 6E 64 74 62 61 6E .unbale.mandtban
00A0: 6B 2E 63 6F 6D 00 05 00 05 01 00 00 00 00 00 0A k.com...........
00B0: 00 20 00 1E 00 17 00 18 00 19 00 09 00 0A 00 0B . ..............
00C0: 00 0C 00 0D 00 0E 00 16 01 00 01 01 01 02 01 03 ................
00D0: 01 04 00 0B 00 02 01 00 00 0D 00 22 00 20 04 03 ...........". ..
00E0: 05 03 06 03 08 04 08 05 08 06 08 09 08 0A 08 0B ................
00F0: 04 01 05 01 06 01 04 02 02 03 02 01 02 02 00 32 ...............2
0100: 00 22 00 20 04 03 05 03 06 03 08 04 08 05 08 06 .". ............
0110: 08 09 08 0A 08 0B 04 01 05 01 06 01 04 02 02 03 ................
0120: 02 01 02 02 00 11 00 09 00 07 02 00 04 00 00 00 ................
0130: 00 00 17 00 00 00 2B 00 03 02 03 03 ......+.....
)
javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketInputRecord.java:451|Raw read: EOF
javax.net.ssl|ERROR|01|main|2021-09-21 07:12:50.960 EDT|TransportContext.java:313|Fatal (HANDSHAKE_FAILURE): Couldn't kickstart handshaking (
"throwable" : {
javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
at java.base/sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1321)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1160)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:716)
at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:970)
at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:942)
at xxxx.main(SSLPoke.java:53)
Caused by: java.io.EOFException: SSL peer shut down incorrectly
at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:167)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:108)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
... 6 more}
)
javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketOutputRecord.java:71|WRITE: TLS12 alert(handshake_failure), length = 2
javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketOutputRecord.java:85|Raw write (
0000: 15 03 03 00 02 02 28 ......(
)
javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketImpl.java:1361|close the underlying socket
javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketImpl.java:1380|close the SSL connection (initiative)
javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
at java.base/sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1321)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1160)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:716)
at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:970)
at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:942)
at xxx.main(SSLPoke.java:53)
Caused by: java.io.EOFException: SSL peer shut down incorrectly
at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:167)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:108)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
... 6 more
From: Bernd Eckenfels <ecki at zusammenkunft.net<mailto:ecki at zusammenkunft.net>>
Sent: Tuesday, September 21, 2021 7:07 AM
To: Wan, Thomas <xwan at mtb.com<mailto:xwan at mtb.com>>; jdk8u-dev at openjdk.java.net<mailto:jdk8u-dev at openjdk.java.net>
Subject: Re: Welcome to the "jdk8u-dev" mailing list (Digest mode)
External Email: Use caution & trust the source before clicking links or opening attachments.
It normally means the peer does not like your cipher or protocol selection or maybe the peer has a wrongly configured certificate. The actual reason why the peer shuts down the connection so unclear should be logged on the remote site.
--
http://bernd.eckenfels.net<https://urldefense.com/v3/__http:/bernd.eckenfels.net__;!!BqwCqLE!Y6RvFBCm67VJZMyI3xEFyrnkbVOMiME93Jmn5Uw9t-vd7fVNT6ajpBkkdQ$>
________________________________
Von: jdk8u-dev <jdk8u-dev-retn at openjdk.java.net<mailto:jdk8u-dev-retn at openjdk.java.net>> im Auftrag von Wan, Thomas <xwan at mtb.com<mailto:xwan at mtb.com>>
Gesendet: Tuesday, September 21, 2021 1:02:05 PM
An: jdk8u-dev at openjdk.java.net<mailto:jdk8u-dev at openjdk.java.net> <jdk8u-dev at openjdk.java.net<mailto:jdk8u-dev at openjdk.java.net>>
Betreff: FW: Welcome to the "jdk8u-dev" mailing list (Digest mode)
It seems jdk8u202 was working well with ldap ssl.
Since then all other jdk 8 release has the same error as below, any idea what is wrong?
I compared the source code, it seems sun.security package has been changed a lot since jdk8u202
javax.net.ssl|FINE|01|main|2021-09-21 07:00:24.874 EDT|SSLSocketImpl.java:1629|close the SSL connection (initiative)
javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
at sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1570)
at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1400)
at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1300)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:435)
at sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:813)
at sun.security.ssl.SSLSocketImpl.access$200(SSLSocketImpl.java:73)
at sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1175)
at sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1147)
at com.mtb.cwp.SSLPoke.main(SSLPoke.java:53)
Caused by: java.io.EOFException: SSL peer shut down incorrectly
at sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:167)
at sun.security.ssl.SSLTransport.decode(SSLTransport.java:109)
at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1392)
... 7 more
-----Original Message-----
From: jdk8u-dev <jdk8u-dev-retn at openjdk.java.net<mailto:jdk8u-dev-retn at openjdk.java.net>> On Behalf Of jdk8u-dev-request at openjdk.java.net<mailto:jdk8u-dev-request at openjdk.java.net>
Sent: Tuesday, September 21, 2021 6:59 AM
To: Wan, Thomas <xwan at mtb.com<mailto:xwan at mtb.com>>
Subject: Welcome to the "jdk8u-dev" mailing list (Digest mode)
External Email: Use caution & trust the source before clicking links or opening attachments.
Welcome to the jdk8u-dev at openjdk.java.net<mailto:jdk8u-dev at openjdk.java.net> mailing list!
To post to this list, send your message to:
jdk8u-dev at openjdk.java.net<mailto:jdk8u-dev at openjdk.java.net>
General information about the mailing list is at:
https://urldefense.com/v3/__https://mail.openjdk.java.net/mailman/listinfo/jdk8u-dev__;!!BqwCqLE!ZIO_EEHQrFS7E_OnoJLCXeaPg3yGs34eHn1NDQe90P94kowG3GLURaDcAw$<https://urldefense.com/v3/__https:/mail.openjdk.java.net/mailman/listinfo/jdk8u-dev__;!!BqwCqLE!ZIO_EEHQrFS7E_OnoJLCXeaPg3yGs34eHn1NDQe90P94kowG3GLURaDcAw$>
If you ever want to unsubscribe or change your options (eg, switch to or from digest mode, change your password, etc.), visit your subscription page at:
https://urldefense.com/v3/__https://mail.openjdk.java.net/mailman/options/jdk8u-dev/xwan*40mtb.com__;JQ!!BqwCqLE!ZIO_EEHQrFS7E_OnoJLCXeaPg3yGs34eHn1NDQe90P94kowG3GLAPC2SIg$<https://urldefense.com/v3/__https:/mail.openjdk.java.net/mailman/options/jdk8u-dev/xwan*40mtb.com__;JQ!!BqwCqLE!ZIO_EEHQrFS7E_OnoJLCXeaPg3yGs34eHn1NDQe90P94kowG3GLAPC2SIg$>
You can also make such adjustments via email by sending a message to:
jdk8u-dev-request at openjdk.java.net<mailto:jdk8u-dev-request at openjdk.java.net>
with the word `help' in the subject or body (don't include the quotes), and you will get back a message with instructions.
You must know your password to change your options (including changing the password, itself) or to unsubscribe without confirmation. It is:
Grace0208
Normally, Mailman will remind you of your openjdk.java.net mailing list passwords once every month, although you can disable this if you prefer. This reminder will also include instructions on how to unsubscribe or change your account options. There is also a button on your options page that will email your current password to you.
**********************************************************************
This email may contain privileged and/or confidential information that is intended solely for the use of the addressee. If you are not the intended recipient or entity, you are strictly prohibited from disclosing, copying, distributing or using any of the information contained in the transmission. If you received this communication in error, please contact the sender immediately and destroy the material in its entirety, whether electronic or hard copy. This communication may contain nonpublic personal information about consumers subject to the restrictions of the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act. You may not directly or indirectly reuse or disclose such information for any purpose other than to provide the services for which you are receiving the information. There are risks associated with the use of electronic transmission. The sender of this information does not control the method of transmittal or service providers and assumes no duty or obligation for the security, receipt, or third party interception of this transmission.
More information about the jdk8u-dev
mailing list