jdk8u ssl connection issue
Wan, Thomas
xwan at mtb.com
Tue Sep 21 14:42:09 UTC 2021
Hi Prasad,
Thanks for helping.
The main issue is that I have a demising server with end of life. I cannot see anything on the server side.
Thanks for pointing out that I set ciphers as SignatureScheme. I corrected it, but I still have issues:
javax.net.ssl|FINE|01|main|2021-09-21 10:39:21.331 EDT|SSLConfiguration.java:450|System property jdk.tls.client.SignatureSchemes is set to 'SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA'
javax.net.ssl|WARNING|01|main|2021-09-21 10:39:21.362 EDT|SignatureScheme.java:297|Signature algorithm, ed25519, is not supported by the underlying providers
javax.net.ssl|WARNING|01|main|2021-09-21 10:39:21.362 EDT|SignatureScheme.java:297|Signature algorithm, ed448, is not supported by the underlying providers
javax.net.ssl|FINE|01|main|2021-09-21 10:39:21.362 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: SHA512withECDSA
javax.net.ssl|FINE|01|main|2021-09-21 10:39:21.362 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: SHA512withRSA
javax.net.ssl|FINE|01|main|2021-09-21 10:39:21.362 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: SHA384withECDSA
javax.net.ssl|FINE|01|main|2021-09-21 10:39:21.362 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: SHA384withRSA
javax.net.ssl|FINE|01|main|2021-09-21 10:39:21.362 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: SHA256withECDSA
javax.net.ssl|FINE|01|main|2021-09-21 10:39:21.362 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: SHA256withRSA
javax.net.ssl|FINE|01|main|2021-09-21 10:39:21.362 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: SHA256withDSA
javax.net.ssl|FINE|01|main|2021-09-21 10:39:21.362 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: SHA1withECDSA
javax.net.ssl|FINE|01|main|2021-09-21 10:39:21.362 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: SHA1withRSA
javax.net.ssl|FINE|01|main|2021-09-21 10:39:21.362 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: SHA1withDSA
javax.net.ssl|FINE|01|main|2021-09-21 10:39:21.565 EDT|SSLExtensions.java:260|Ignore, context unavailable extension: status_request
javax.net.ssl|ALL|01|main|2021-09-21 10:39:21.565 EDT|SignatureScheme.java:373|Ignore unsupported signature scheme: ed25519
javax.net.ssl|ALL|01|main|2021-09-21 10:39:21.565 EDT|SignatureScheme.java:373|Ignore unsupported signature scheme: ed448
javax.net.ssl|ALL|01|main|2021-09-21 10:39:21.565 EDT|SignatureScheme.java:373|Ignore unsupported signature scheme: ecdsa_sha224
javax.net.ssl|ALL|01|main|2021-09-21 10:39:21.565 EDT|SignatureScheme.java:373|Ignore unsupported signature scheme: rsa_sha224
javax.net.ssl|ALL|01|main|2021-09-21 10:39:21.565 EDT|SignatureScheme.java:373|Ignore unsupported signature scheme: dsa_sha224
javax.net.ssl|ALL|01|main|2021-09-21 10:39:21.565 EDT|SignatureScheme.java:393|Ignore disabled signature scheme: rsa_md5
javax.net.ssl|INFO|01|main|2021-09-21 10:39:21.565 EDT|AlpnExtension.java:178|No available application protocols
javax.net.ssl|FINE|01|main|2021-09-21 10:39:21.565 EDT|SSLExtensions.java:260|Ignore, context unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|FINE|01|main|2021-09-21 10:39:21.565 EDT|SSLExtensions.java:260|Ignore, context unavailable extension: status_request_v2
javax.net.ssl|FINE|01|main|2021-09-21 10:39:21.565 EDT|SSLExtensions.java:260|Ignore, context unavailable extension: renegotiation_info
javax.net.ssl|FINE|01|main|2021-09-21 10:39:21.581 EDT|ClientHello.java:575|Produced ClientHello handshake message (
-----Original Message-----
From: Prasadrao Koppula <prasadarao.koppula at oracle.com>
Sent: Tuesday, September 21, 2021 10:09 AM
To: Prasadrao Koppula <prasadarao.koppula at oracle.com>; Wan, Thomas <xwan at mtb.com>; Bernd Eckenfels <ecki at zusammenkunft.net>; jdk8u-dev at openjdk.java.net
Subject: RE: jdk8u ssl connection issue
External Email: Use caution & trust the source before clicking links or opening attachments.
To set the client-side ciphersuites, use: jdk.tls.client.ciphersuites
Server side: jdk.tls.server.ciphersuites
From the TLSv1.2 client debug logs, it looks like the server is not happy with the extensions present in the client's ClientHello. Which provider and version does the server have?
To understand the issue further, if you are able to capture the server-side logs, please share them.
Thanks,
Prasad.K
>-----Original Message-----
>From: jdk8u-dev [mailto:jdk8u-dev-retn at openjdk.java.net] On Behalf Of
>Prasadrao Koppula
>Sent: Tuesday, September 21, 2021 7:29 PM
>To: Wan, Thomas <xwan at mtb.com>; Bernd Eckenfels
><ecki at zusammenkunft.net>; jdk8u-dev at openjdk.java.net
>Subject: RE: jdk8u ssl connection issue
>
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.933 EDT|SSLConfiguration.java:450|System property jdk.tls.client.SignatureSchemes is set to 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256'
>
>These are Ciphersuites not signature schemes.
>
>Thanks,
>Prasad.K
>
>>-----Original Message-----
>>From: jdk8u-dev [mailto:jdk8u-dev-retn at openjdk.java.net] On Behalf Of
>>Wan, Thomas
>>Sent: Tuesday, September 21, 2021 6:53 PM
>>To: Bernd Eckenfels <ecki at zusammenkunft.net>;
>>jdk8u-dev at openjdk.java.net
>>Subject: RE: jdk8u ssl connection issue
>>
>>One step further, I added all SignatureSchemes Supported in the server
>>by running nmap, here is the error I got
>>
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.933 EDT|SSLConfiguration.java:450|System property jdk.tls.client.SignatureSchemes is set to 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256'
>>javax.net.ssl|WARNING|01|main|2021-09-21 09:21:53.965 EDT|SignatureScheme.java:297|Signature algorithm, ed25519, is not supported by the underlying providers
>>javax.net.ssl|WARNING|01|main|2021-09-21 09:21:53.965 EDT|SignatureScheme.java:297|Signature algorithm, ed448, is not supported by the underlying providers
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_RSA_WITH_AES_128_GCM_SHA256
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_RSA_WITH_AES_128_CBC_SHA
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_RSA_WITH_AES_128_CBC_SHA256
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_RSA_WITH_AES_256_CBC_SHA
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_RSA_WITH_AES_256_CBC_SHA256
>>
>>From: Bernd Eckenfels <ecki at zusammenkunft.net>
>>Sent: Tuesday, September 21, 2021 7:52 AM
>>To: Wan, Thomas <xwan at mtb.com>; jdk8u-dev at openjdk.java.net
>>Subject: Re: jdk8u ssl connection issue
>>
>>Hello,
>>
>>I don't see any other changes in 212 besides a PKCS11 change for
>>Tls1.2 which should not be the case, also it looks like this version
>>re-enabled the Renegotiation signaling cipher, that should not be a
>>problem but you never know.
>>
>>Can you compare the client Hello of a working 1.2 and a failed 1.2
>>handshake to see which ciphers and extensions differ?
>>
>>Regards
>>Bernd
>>--
>>http://bernd.eckenfels.net
>>________________________________
>>From: Wan, Thomas <xwan at mtb.com>
>>Sent: Tuesday, September 21, 2021 1:40 PM
>>To: Bernd Eckenfels; jdk8u-dev at openjdk.java.net
>>Subject: jdk8u ssl connection issue
>>
>>Hi Bernd,
>>
>>It does work with TLS1.1.
>>
>>But in jdk8u202, it works with 1.2 as well.
>>
>>All newer jdk8s or jdk 11, it seems I can make it work with TLS 1.1,
>>but that is not as secure as TLS1.2 any more.
>>
>>
>>From: Bernd Eckenfels <ecki at zusammenkunft.net>
>>Sent: Tuesday, September 21, 2021 7:32 AM
>>To: Wan, Thomas <xwan at mtb.com>; jdk8u-dev at openjdk.java.net
>>Subject: Re: Welcome to the "jdk8u-dev" mailing list (Digest mode)
>>
>>Hello,
>>
>>You cannot see the reason on your side. You need to check the other side.
>>
>>However, seeing that your client only proposes TLSv1.2, that's a likely
>>candidate; maybe you need to re-enable TLS 1.1. That happened with
>>8u291 in Oracle according to this:
>>https://java.com/en/jre-jdk-cryptoroadmap.html
>>
>>https://java.com/en/configure_crypto.html#DisableTLS
>>
>>Regards
>>Bernd
>>
>>--
>>http://bernd.eckenfels.net
>>________________________________
>>From: Wan, Thomas <xwan at mtb.com>
>>Sent: Tuesday, September 21, 2021 1:14:35 PM
>>To: Bernd Eckenfels <ecki at zusammenkunft.net>; jdk8u-dev at openjdk.java.net
>>Subject: RE: Welcome to the "jdk8u-dev" mailing list (Digest mode)
>>
>>
>>Here is my debug log
>>
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960
>>EDT|ClientHello.java:633|Produced ClientHello handshake message (
>>
>>"ClientHello": {
>>
>> "client version" : "TLSv1.2",
>>
>> "random" : "B5 DF 63 90 04 66 83 D7 28 D2 8E 01 2B BB 91 26 EA EF DB B0 AC CF AE D8 3E 4E DF 1C 82 DB 01 D0",
>>
>> "session id" : "",
>>
>> "cipher suites" :
>>"[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C),
>>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B),
>>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030),
>>TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D),
>>TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E),
>>TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032),
>>TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F),
>>TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3),
>>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F),
>>TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C),
>>TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D),
>>TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031),
>>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E),
>>TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2),
>>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024),
>>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028),
>>TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D),
>>TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026),
>>TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A),
>>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B),
>>TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A),
>>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A),
>>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014),
>>TLS_RSA_WITH_AES_256_CBC_SHA(0x0035),
>>TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005),
>>TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F),
>>TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039),
>>TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038),
>>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023),
>>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027),
>>TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C),
>>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025),
>>TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029),
>>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067),
>>TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040),
>>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009),
>>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013),
>>TLS_RSA_WITH_AES_128_CBC_SHA(0x002F),
>>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004),
>>TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E),
>>TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033),
>>TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032),
>>TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
>>
>> "compression methods" : "00",
>>
>> "extensions" : [
>>
>> "server_name (0)": {
>>
>> type=host_name (0), value=unbale.mandtbank.com
>>
>> },
>>
>> "status_request (5)": {
>>
>> "certificate status type": ocsp
>>
>> "OCSP status request": {
>>
>> "responder_id": <empty>
>>
>> "request extensions": {
>>
>> <empty>
>>
>> }
>>
>> }
>>
>> },
>>
>> "supported_groups (10)": {
>>
>> "versions": [secp256r1, secp384r1, secp521r1, sect283k1,
>>sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1,
>>ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
>>
>> },
>>
>> "ec_point_formats (11)": {
>>
>> "formats": [uncompressed]
>>
>> },
>>
>> "signature_algorithms (13)": {
>>
>> "signature schemes": [ecdsa_secp256r1_sha256,
>>ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256,
>>rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256,
>>rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256,
>>rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1,
>>rsa_pkcs1_sha1, dsa_sha1]
>>
>> },
>>
>> "signature_algorithms_cert (50)": {
>>
>> "signature schemes": [ecdsa_secp256r1_sha256,
>>ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256,
>>rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256,
>>rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256,
>>rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1,
>>rsa_pkcs1_sha1, dsa_sha1]
>>
>> },
>>
>> "status_request_v2 (17)": {
>>
>> "cert status request": {
>>
>> "certificate status type": ocsp_multi
>>
>> "OCSP status request": {
>>
>> "responder_id": <empty>
>>
>> "request extensions": {
>>
>> <empty>
>>
>> }
>>
>> }
>>
>> }
>>
>> },
>>
>> "extended_master_secret (23)": {
>>
>> <empty>
>>
>> },
>>
>> "supported_versions (43)": {
>>
>> "versions": [TLSv1.2]
>>
>> }
>>
>> ]
>>
>>}
>>
>>)
>>
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketOutputRecord.java:241|WRITE: TLS12 handshake, length = 311
>>
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960
>>EDT|SSLSocketOutputRecord.java:255|Raw write (
>>
>>)
>>
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960
>>EDT|SSLSocketInputRecord.java:451|Raw read: EOF
>>
>>javax.net.ssl|ERROR|01|main|2021-09-21 07:12:50.960
>>EDT|TransportContext.java:313|Fatal (HANDSHAKE_FAILURE): Couldn't
>>kickstart handshaking (
>>
>>"throwable" : {
>> javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
>>   at java.base/sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1321)
>>   at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1160)
>>   at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
>>   at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
>>   at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:716)
>>   at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:970)
>>   at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:942)
>>   at xxxx.main(SSLPoke.java:53)
>> Caused by: java.io.EOFException: SSL peer shut down incorrectly
>>   at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:167)
>>   at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:108)
>>   at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
>>   ... 6 more}
>>
>>)
>>
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketOutputRecord.java:71|WRITE: TLS12 alert(handshake_failure), length = 2
>>
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960
>>EDT|SSLSocketOutputRecord.java:85|Raw write (
>>
>> 0000: 15 03 03 00 02 02 28 ......(
>>
>>)
>>
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960
>>EDT|SSLSocketImpl.java:1361|close the underlying socket
>>
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960
>>EDT|SSLSocketImpl.java:1380|close the SSL connection (initiative)
>>
>>javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
>>   at java.base/sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1321)
>>   at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1160)
>>   at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
>>   at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
>>   at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:716)
>>   at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:970)
>>   at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:942)
>>   at xxx.main(SSLPoke.java:53)
>>Caused by: java.io.EOFException: SSL peer shut down incorrectly
>>   at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:167)
>>   at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:108)
>>   at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
>>   ... 6 more
>>
>>
>>
>>From: Bernd Eckenfels <ecki at zusammenkunft.net>
>>Sent: Tuesday, September 21, 2021 7:07 AM
>>To: Wan, Thomas <xwan at mtb.com>; jdk8u-dev at openjdk.java.net
>>Subject: Re: Welcome to the "jdk8u-dev" mailing list (Digest mode)
>>
>>
>>It normally means the peer does not like your cipher or protocol
>>selection or maybe the peer has a wrongly configured certificate. The
>>actual reason why the peer shuts down the connection so unclear should
>>be logged on the remote site.
>>
>>
>>
>>
>>
>>--
>>http://bernd.eckenfels.net
>>________________________________
>>From: jdk8u-dev <jdk8u-dev-retn at openjdk.java.net> on behalf of Wan, Thomas <xwan at mtb.com>
>>Sent: Tuesday, September 21, 2021 1:02:05 PM
>>To: jdk8u-dev at openjdk.java.net
>>Subject: FW: Welcome to the "jdk8u-dev" mailing list (Digest mode)
>>
>>
>>
>>It seems jdk8u202 was working well with ldap ssl.
>>
>>Since then all other jdk 8 releases have the same error as below, any
>>idea what is wrong?
>>I compared the source code, it seems sun.security package has been
>>changed a lot since jdk8u202
>>
>>javax.net.ssl|FINE|01|main|2021-09-21 07:00:24.874 EDT|SSLSocketImpl.java:1629|close the SSL connection (initiative)
>>javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
>> at sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1570)
>> at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1400)
>> at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1300)
>> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:435)
>> at sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:813)
>> at sun.security.ssl.SSLSocketImpl.access$200(SSLSocketImpl.java:73)
>> at sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1175)
>> at sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1147)
>> at com.mtb.cwp.SSLPoke.main(SSLPoke.java:53)
>>Caused by: java.io.EOFException: SSL peer shut down incorrectly
>> at sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:167)
>> at sun.security.ssl.SSLTransport.decode(SSLTransport.java:109)
>> at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1392)
>> ... 7 more
>>
**********************************************************************
This email may contain privileged and/or confidential information that is intended solely for the use of the addressee. If you are not the intended recipient or entity, you are strictly prohibited from disclosing, copying, distributing or using any of the information contained in the transmission. If you received this communication in error, please contact the sender immediately and destroy the material in its entirety, whether electronic or hard copy. This communication may contain nonpublic personal information about consumers subject to the restrictions of the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act. You may not directly or indirectly reuse or disclose such information for any purpose other than to provide the services for which you are receiving the information. There are risks associated with the use of electronic transmission. The sender of this information does not control the method of transmittal or service providers and assumes no duty or obligation for the security, receipt, or third party interception of this transmission.
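
An added example, not part of the original thread: a small Python check that reads javax.net.ssl debug output in the format quoted above and reports, for each "System property ... is set to" line, which configured names the JDK then rejected and what kind of name each one looks like. The sample input is abridged from the log lines in this thread; the three category labels and their regular expressions are assumptions made for this example, with "tls_scheme_style" meaning the lowercase form the ClientHello dump prints (for example rsa_pkcs1_sha256).

```python
import re

# Sample input, abridged from the javax.net.ssl debug lines quoted in this thread.
SAMPLE_LOG = """\
javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.933 EDT|SSLConfiguration.java:450|System property jdk.tls.client.SignatureSchemes is set to 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA'
javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_RSA_WITH_AES_128_CBC_SHA
javax.net.ssl|FINE|01|main|2021-09-21 10:39:21.331 EDT|SSLConfiguration.java:450|System property jdk.tls.client.SignatureSchemes is set to 'SHA512withECDSA, SHA256withRSA'
javax.net.ssl|WARNING|01|main|2021-09-21 10:39:21.362 EDT|SignatureScheme.java:297|Signature algorithm, ed25519, is not supported by the underlying providers
javax.net.ssl|FINE|01|main|2021-09-21 10:39:21.362 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: SHA512withECDSA
javax.net.ssl|FINE|01|main|2021-09-21 10:39:21.362 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: SHA256withRSA
"""

SET_RE = re.compile(r"System property (\S+) is set to '([^']*)'")
REJECT_RE = re.compile(r"do not support signature scheme: (\S+)")


def classify_name(name):
    """Guess which namespace a configured value belongs to, from its shape only."""
    if re.fullmatch(r"(TLS|SSL)_[A-Z0-9_]+", name):
        return "cipher_suite"              # e.g. TLS_RSA_WITH_AES_128_CBC_SHA
    if re.fullmatch(r"[A-Za-z0-9/-]+with[A-Za-z0-9]+", name):
        return "jca_signature_algorithm"   # e.g. SHA256withRSA
    if re.fullmatch(r"[a-z0-9]+(_[a-z0-9]+)*", name):
        return "tls_scheme_style"          # e.g. rsa_pkcs1_sha256, ed25519
    return "unknown"


def message_of(line):
    """Return the last field of 'logger|level|tid|thread|time|source|message'."""
    parts = line.split("|", 6)
    return parts[6] if len(parts) == 7 else None


def audit(log_text):
    """Group rejected names under the property setting that preceded them."""
    runs = []
    for line in log_text.splitlines():
        msg = message_of(line)
        if msg is None:
            continue  # not a debug record (blank line, stack trace, dump body)
        m = SET_RE.search(msg)
        if m:
            names = [n.strip() for n in m.group(2).split(",") if n.strip()]
            runs.append({"property": m.group(1), "names": names, "rejected": set()})
            continue
        m = REJECT_RE.search(msg)
        if m and runs:
            runs[-1]["rejected"].add(m.group(1))
    for run in runs:
        run["entries"] = [(n, classify_name(n), n in run["rejected"])
                          for n in run["names"]]
        run["usable"] = [n for n in run["names"] if n not in run["rejected"]]
    return runs


def report(runs):
    """One summary line per property setting found in the log."""
    lines = []
    for run in runs:
        kinds = sorted({kind for _, kind, _ in run["entries"]})
        lines.append("%s: %d configured, %d rejected, %d usable, kinds=%s" % (
            run["property"], len(run["names"]), len(run["rejected"]),
            len(run["usable"]), ",".join(kinds)))
    return lines


if __name__ == "__main__":
    for line in report(audit(SAMPLE_LOG)):
        print(line)
```

A setting with zero usable names, as in both runs of the sample, means none of the configured values were accepted for that property.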