jdk8u ssl connection issue
    Bernd Eckenfels 
    ecki at zusammenkunft.net
       
    Tue Sep 21 20:34:33 UTC 2021
    
    
  
I had no time to compare your handshakes; you really should do that.
However, as an additional point: I noticed you actually test with 8-versions which have the new TLSv1.3 backport code (with new extensions). I suspect one of them is the reason. Did you try 8u252, which is the last version with the old code (you will see a difference in debug logging format)? If that still works we know it's not caused by 212 but by the backport.
BTW, it's much easier if you contact your commercial Java support provider; that's why we pay them. We are kind of abusing the development list with this.
--
http://bernd.eckenfels.net
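
Added example, not part of the thread: the comparison Bernd asks for (which ciphers and extensions differ between a working and a failing ClientHello) can be done on the record bytes that the debug log prints as a "Raw write" hex dump, so it does not depend on how the log labels the fields. All function names are this example's own. Both sample hellos are constructed: FAILING carries the extension types listed in the thread's log, and WORKING is hypothetical, not a capture from 8u202.

```python
import re

# Names for the extension type numbers shown in the thread's ClientHello log.
EXT_NAMES = {0: "server_name", 5: "status_request", 10: "supported_groups",
             11: "ec_point_formats", 13: "signature_algorithms",
             17: "status_request_v2", 23: "extended_master_secret",
             43: "supported_versions", 50: "signature_algorithms_cert"}

# One dump line: optional mail quoting, 4-digit offset, hex bytes, ASCII column.
DUMP_LINE = re.compile(r"^[>\s]*[0-9A-Fa-f]{4}:\s+(.*)$")
HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")


def bytes_from_dump(text):
    """Rebuild the record bytes from a 'Raw write' hex dump in the debug log."""
    out = bytearray()
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if not m:
            continue
        for tok in m.group(1).split()[:16]:   # at most 16 bytes per line
            if not HEX_BYTE.match(tok):
                break                         # reached the ASCII column
            out.append(int(tok, 16))
    return bytes(out)


def _uint(buf, pos, size):
    """Read a big-endian integer, rejecting reads past the end of the message."""
    if pos + size > len(buf):
        raise ValueError("malformed ClientHello")
    return int.from_bytes(buf[pos:pos + size], "big")


def parse_client_hello(record):
    """Return (legacy_version, cipher_suites, extension_types) of one record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record that starts with ClientHello")
    hs_len = _uint(record, 6, 3)
    body = record[9:9 + hs_len]
    if len(body) != hs_len:
        raise ValueError("ClientHello is truncated or spans several records")
    version = _uint(body, 0, 2)
    pos = 2 + 32                              # client_version + random
    pos += 1 + _uint(body, pos, 1)            # session_id
    n = _uint(body, pos, 2)
    suites = [_uint(body, pos + 2 + i, 2) for i in range(0, n, 2)]
    pos += 2 + n
    pos += 1 + _uint(body, pos, 1)            # compression_methods
    ext_types = []
    if pos < len(body):                       # the extensions block is optional
        end = pos + 2 + _uint(body, pos, 2)
        pos += 2
        while pos + 4 <= end:
            ext_types.append(_uint(body, pos, 2))
            pos += 4 + _uint(body, pos + 2, 2)
    return version, suites, ext_types


def diff_hellos(working, failing):
    """List what the failing ClientHello adds or drops versus the working one."""
    _, w_suites, w_exts = parse_client_hello(working)
    _, f_suites, f_exts = parse_client_hello(failing)

    def ext(t):
        return EXT_NAMES.get(t, "ext_%d" % t)

    return {
        "extensions_added": [ext(t) for t in f_exts if t not in w_exts],
        "extensions_dropped": [ext(t) for t in w_exts if t not in f_exts],
        "suites_added": ["0x%04X" % s for s in f_suites if s not in w_suites],
        "suites_dropped": ["0x%04X" % s for s in w_suites if s not in f_suites],
    }


def build_client_hello(suites, ext_types):
    """Constructed sample input: TLS 1.2 ClientHello with empty extension bodies."""
    exts = b"".join(t.to_bytes(2, "big") + b"\x00\x00" for t in ext_types)
    body = (b"\x03\x03" + bytes(32) + b"\x00"
            + (2 * len(suites)).to_bytes(2, "big")
            + b"".join(s.to_bytes(2, "big") for s in suites)
            + b"\x01\x00" + len(exts).to_bytes(2, "big") + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + len(handshake).to_bytes(2, "big") + handshake


# FAILING carries the extension types, in wire order, from the thread's log.
# WORKING is a hypothetical hello for illustration, not a capture from 8u202.
FAILING = build_client_hello([0xC030, 0xC02F, 0x009C, 0x00FF],
                             [0, 5, 10, 11, 13, 50, 17, 23, 43])
WORKING = build_client_hello([0xC02F, 0x009C, 0x00FF], [0, 10, 11, 13, 23])

if __name__ == "__main__":
    for key, values in diff_hellos(WORKING, FAILING).items():
        print("%-18s %s" % (key, ", ".join(values) or "-"))
```

To use it on real runs, pass each log's "Raw write" block through `bytes_from_dump` and give the two results to `diff_hellos`.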
________________________________
From: Wan, Thomas <xwan at mtb.com>
Sent: Tuesday, September 21, 2021 9:56:20 PM
To: Prasadrao Koppula <prasadarao.koppula at oracle.com>; Bernd Eckenfels <ecki at zusammenkunft.net>; jdk8u-dev at openjdk.java.net <jdk8u-dev at openjdk.java.net>
Subject: RE: jdk8u ssl connection issue
Hi Prasad/Bernd,
Any other suggestion?
My test code is very simple, same ssl key certificate, connect to the same host and port where there is no logging.
Jdk 8u202 works fine, openjdk-1.8.0.292 and openjdk-1.8.0.302 do not.
With jdk8u202, I can tell Algorithm: [SHA256withRSA] is used.
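    import java.io.FileInputStream;
    import java.io.InputStream;
    import java.io.OutputStream;
    import java.security.KeyStore;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSocket;
    import javax.net.ssl.SSLSocketFactory;

    public class SSLPoke {
        // args: host, port; keystore path and password taken from args[2] and
        // args[3] (assumed, their source is not shown in the post)
        public static void main(String[] args) throws Exception {
            String keyFilename = args[2];
            String passwd = args[3];
            System.setProperty("javax.net.ssl.keyStore", keyFilename);
            System.setProperty("javax.net.ssl.keyStorePassword", passwd);

            // Key manager built from the JKS keystore; it supplies the client
            // certificate if the server asks for one.
            char[] passphrase = passwd.toCharArray();
            KeyStore ks = KeyStore.getInstance("JKS");
            try (FileInputStream fis = new FileInputStream(
                    System.getProperty("javax.net.ssl.keyStore"))) {
                ks.load(fis, passphrase);
            }
            KeyManagerFactory kmf =
                    KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, passphrase);

            // null trust managers and SecureRandom: use the JDK defaults
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(kmf.getKeyManagers(), null, null);
            SSLSocketFactory ssf = ctx.getSocketFactory();

            try (SSLSocket sslsocket =
                    (SSLSocket) ssf.createSocket(args[0], Integer.parseInt(args[1]))) {
                InputStream in = sslsocket.getInputStream();
                OutputStream out = sslsocket.getOutputStream();
                // Write a test byte to get a reaction :) (the first write starts the handshake)
                out.write(1);
                while (in.available() > 0) {
                    System.out.print(in.read());
                }
            }
        }
    }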
Tom
-----Original Message-----
From: Prasadrao Koppula <prasadarao.koppula at oracle.com>
Sent: Tuesday, September 21, 2021 10:09 AM
To: Prasadrao Koppula <prasadarao.koppula at oracle.com>; Wan, Thomas <xwan at mtb.com>; Bernd Eckenfels <ecki at zusammenkunft.net>; jdk8u-dev at openjdk.java.net
Subject: RE: jdk8u ssl connection issue
To set the client side ciphersuites use: jdk.tls.client.ciphersuites
Server side: jdk.tls.server.ciphersuites
From the TLSv1.2 client debug logs, it looks like the server is not happy with the extensions present in the client's ClientHello. Which provider and version does the server have?
To understand the issue further, if you are able to capture the server side logs, please share them.
Thanks,
Prasad.K
>-----Original Message-----
>From: jdk8u-dev [mailto:jdk8u-dev-retn at openjdk.java.net] On Behalf Of
>Prasadrao Koppula
>Sent: Tuesday, September 21, 2021 7:29 PM
>To: Wan, Thomas <xwan at mtb.com>; Bernd Eckenfels
><ecki at zusammenkunft.net>; jdk8u-dev at openjdk.java.net
>Subject: RE: jdk8u ssl connection issue
>
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.933 EDT|SSLConfiguration.java:450|System property jdk.tls.client.SignatureSchemes is set to 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256'
>
>These are Ciphersuites not signature schemes.
>
>Thanks,
>Prasad.K
>
>>-----Original Message-----
>>From: jdk8u-dev [mailto:jdk8u-dev-retn at openjdk.java.net] On Behalf Of
>>Wan, Thomas
>>Sent: Tuesday, September 21, 2021 6:53 PM
>>To: Bernd Eckenfels <ecki at zusammenkunft.net>;
>>jdk8u-dev at openjdk.java.net
>>Subject: RE: jdk8u ssl connection issue
>>
>>One step further, I added all SignatureSchemes Supported in the server
>>by running nmap, here is the error I got
>>
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.933 EDT|SSLConfiguration.java:450|System property jdk.tls.client.SignatureSchemes is set to 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256'
>>javax.net.ssl|WARNING|01|main|2021-09-21 09:21:53.965 EDT|SignatureScheme.java:297|Signature algorithm, ed25519, is not supported by the underlying providers
>>javax.net.ssl|WARNING|01|main|2021-09-21 09:21:53.965 EDT|SignatureScheme.java:297|Signature algorithm, ed448, is not supported by the underlying providers
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_RSA_WITH_AES_128_GCM_SHA256
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_RSA_WITH_AES_128_CBC_SHA
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_RSA_WITH_AES_128_CBC_SHA256
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_RSA_WITH_AES_256_CBC_SHA
>>javax.net.ssl|FINE|01|main|2021-09-21 09:21:53.980 EDT|SSLConfiguration.java:478|The current installed providers do not support signature scheme: TLS_RSA_WITH_AES_256_CBC_SHA256
>>
>>From: Bernd Eckenfels <ecki at zusammenkunft.net>
>>Sent: Tuesday, September 21, 2021 7:52 AM
>>To: Wan, Thomas <xwan at mtb.com>; jdk8u-dev at openjdk.java.net
>>Subject: Re: jdk8u ssl connection issue
>>
>>Hello,
>>
>>I don't see any other changes in 212 besides a PKCS11 change for
>>Tls1.2 which should not be the case, also it looks like this version
>>re-enabled the Renegotiation signaling cipher, that should not be a
>>problem but you never know.
>>
>>Can you compare the client Hello of a working 1.2 and a failed 1.2
>>handshake to see which ciphers and extensions differ?
>>
>>Gruss
>>Bernd
>>--
>>http://bernd.eckenfels.net
>>________________________________
>>From: Wan, Thomas <xwan at mtb.com>
>>Sent: Tuesday, September 21, 2021 1:40 PM
>>To: Bernd Eckenfels; jdk8u-dev at openjdk.java.net
>>Subject: jdk8u ssl connection issue
>>
>>Hi Bernd,
>>
>>It does work with TLS1.1.
>>
>>But in jdk8u202, it works with 1.2 as well.
>>
>>All newer jdk8s or jdk 11, it seems I can make it work with TLS 1.1,
>>but that is not as secure as TLS1.2 any more.
>>
>>
>>From: Bernd Eckenfels <ecki at zusammenkunft.net>
>>Sent: Tuesday, September 21, 2021 7:32 AM
>>To: Wan, Thomas <xwan at mtb.com>; jdk8u-dev at openjdk.java.net
>>Subject: Re: Welcome to the "jdk8u-dev" mailing list (Digest mode)
>>
>>Hello,
>>
>>You cannot see the reason on your side. You need to check the other side.
>>
>>However seeing that your client only proposes TLSv1.2 that's a likely
>>candidate, maybe you need to re-enable TLS 1.1. That happened with
>>8u291 in Oracle according to this:
>>https://java.com/en/jre-jdk-cryptoroadmap.html
>>
>>https://java.com/en/configure_crypto.html#DisableTLS
>>
>>Gruss
>>Bernd
>>
>>
>>--
>>http://bernd.eckenfels.net
>>________________________________
>>From: Wan, Thomas <xwan at mtb.com>
>>Sent: Tuesday, September 21, 2021 1:14:35 PM
>>To: Bernd Eckenfels <ecki at zusammenkunft.net>; jdk8u-dev at openjdk.java.net <jdk8u-dev at openjdk.java.net>
>>Subject: RE: Welcome to the "jdk8u-dev" mailing list (Digest mode)
>>
>>
>>Here is my debug log
>>
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960
>>EDT|ClientHello.java:633|Produced ClientHello handshake message (
>>
>>"ClientHello": {
>>
>>  "client version"      : "TLSv1.2",
>>
>>  "random"              : "B5 DF 63 90 04 66 83 D7 28 D2 8E 01 2B BB 91 26 EA EF DB B0 AC CF AE D8 3E 4E DF 1C 82 DB 01 D0",
>>
>>  "session id"          : "",
>>
>>  "cipher suites"       :
>>"[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C),
>>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B),
>>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030),
>>TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D),
>>TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E),
>>TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032),
>>TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F),
>>TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3),
>>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F),
>>TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C),
>>TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D),
>>TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031),
>>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E),
>>TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2),
>>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024),
>>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028),
>>TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D),
>>TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026),
>>TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A),
>>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B),
>>TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A),
>>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A),
>>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014),
>>TLS_RSA_WITH_AES_256_CBC_SHA(0x0035),
>>TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005),
>>TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F),
>>TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039),
>>TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038),
>>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023),
>>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027),
>>TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C),
>>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025),
>>TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029),
>>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067),
>>TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040),
>>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009),
>>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013),
>>TLS_RSA_WITH_AES_128_CBC_SHA(0x002F),
>>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004),
>>TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E),
>>TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033),
>>TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032),
>>TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
>>
>>  "compression methods" : "00",
>>
>>  "extensions"          : [
>>
>>    "server_name (0)": {
>>
>>      type=host_name (0), value=unbale.mandtbank.com
>>
>>    },
>>
>>    "status_request (5)": {
>>
>>      "certificate status type": ocsp
>>
>>      "OCSP status request": {
>>
>>        "responder_id": <empty>
>>
>>        "request extensions": {
>>
>>          <empty>
>>
>>        }
>>
>>      }
>>
>>    },
>>
>>    "supported_groups (10)": {
>>
>>      "versions": [secp256r1, secp384r1, secp521r1, sect283k1,
>>sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1,
>>ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
>>
>>    },
>>
>>    "ec_point_formats (11)": {
>>
>>      "formats": [uncompressed]
>>
>>    },
>>
>>    "signature_algorithms (13)": {
>>
>>      "signature schemes": [ecdsa_secp256r1_sha256,
>>ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256,
>>rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256,
>>rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256,
>>rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1,
>>rsa_pkcs1_sha1, dsa_sha1]
>>
>>    },
>>
>>    "signature_algorithms_cert (50)": {
>>
>>      "signature schemes": [ecdsa_secp256r1_sha256,
>>ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256,
>>rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256,
>>rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256,
>>rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1,
>>rsa_pkcs1_sha1, dsa_sha1]
>>
>>    },
>>
>>    "status_request_v2 (17)": {
>>
>>      "cert status request": {
>>
>>        "certificate status type": ocsp_multi
>>
>>        "OCSP status request": {
>>
>>          "responder_id": <empty>
>>
>>          "request extensions": {
>>
>>            <empty>
>>
>>          }
>>
>>        }
>>
>>      }
>>
>>    },
>>
>>    "extended_master_secret (23)": {
>>
>>      <empty>
>>
>>    },
>>
>>    "supported_versions (43)": {
>>
>>      "versions": [TLSv1.2]
>>
>>    }
>>
>>  ]
>>
>>}
>>
>>)
>>
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketOutputRecord.java:241|WRITE: TLS12 handshake, length = 311
>>
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketOutputRecord.java:255|Raw write (
>>  0000: 16 03 03 01 37 01 00 01   33 03 03 B5 DF 63 90 04  ....7...3....c..
>>  0010: 66 83 D7 28 D2 8E 01 2B   BB 91 26 EA EF DB B0 AC  f..(...+..&.....
>>  0020: CF AE D8 3E 4E DF 1C 82   DB 01 D0 00 00 56 C0 2C  ...>N........V.,
>>  0030: C0 2B C0 30 00 9D C0 2E   C0 32 00 9F 00 A3 C0 2F  .+.0.....2...../
>>  0040: 00 9C C0 2D C0 31 00 9E   00 A2 C0 24 C0 28 00 3D  ...-.1.....$.(.=
>>  0050: C0 26 C0 2A 00 6B 00 6A   C0 0A C0 14 00 35 C0 05  .&.*.k.j.....5..
>>  0060: C0 0F 00 39 00 38 C0 23   C0 27 00 3C C0 25 C0 29  ...9.8.#.'.<.%.)
>>  0070: 00 67 00 40 C0 09 C0 13   00 2F C0 04 C0 0E 00 33  .g.@...../.....3
>>  0080: 00 32 00 FF 01 00 00 B4   00 00 00 19 00 17 00 00  .2..............
>>  0090: 14 75 6E 62 61 6C 65 2E   6D 61 6E 64 74 62 61 6E  .unbale.mandtban
>>  00A0: 6B 2E 63 6F 6D 00 05 00   05 01 00 00 00 00 00 0A  k.com...........
>>  00B0: 00 20 00 1E 00 17 00 18   00 19 00 09 00 0A 00 0B  . ..............
>>  00C0: 00 0C 00 0D 00 0E 00 16   01 00 01 01 01 02 01 03  ................
>>  00D0: 01 04 00 0B 00 02 01 00   00 0D 00 22 00 20 04 03  ...........". ..
>>  00E0: 05 03 06 03 08 04 08 05   08 06 08 09 08 0A 08 0B  ................
>>  00F0: 04 01 05 01 06 01 04 02   02 03 02 01 02 02 00 32  ...............2
>>  0100: 00 22 00 20 04 03 05 03   06 03 08 04 08 05 08 06  .". ............
>>  0110: 08 09 08 0A 08 0B 04 01   05 01 06 01 04 02 02 03  ................
>>  0120: 02 01 02 02 00 11 00 09   00 07 02 00 04 00 00 00  ................
>>  0130: 00 00 17 00 00 00 2B 00   03 02 03 03              ......+.....
>>)
>>
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketInputRecord.java:451|Raw read: EOF
>>
>>javax.net.ssl|ERROR|01|main|2021-09-21 07:12:50.960 EDT|TransportContext.java:313|Fatal (HANDSHAKE_FAILURE): Couldn't kickstart handshaking (
>>"throwable" : {
>>  javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
>>                at java.base/sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1321)
>>                at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1160)
>>                at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
>>                at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
>>                at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:716)
>>                at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:970)
>>                at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:942)
>>                at xxxx.main(SSLPoke.java:53)
>>  Caused by: java.io.EOFException: SSL peer shut down incorrectly
>>                at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:167)
>>                at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:108)
>>                at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
>>                ... 6 more}
>>)
>>
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketOutputRecord.java:71|WRITE: TLS12 alert(handshake_failure), length = 2
>>
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketOutputRecord.java:85|Raw write (
>>  0000: 15 03 03 00 02 02 28                               ......(
>>)
>>
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketImpl.java:1361|close the underlying socket
>>
>>javax.net.ssl|DEBUG|01|main|2021-09-21 07:12:50.960 EDT|SSLSocketImpl.java:1380|close the SSL connection (initiative)
>>
>>javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
>>                at java.base/sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1321)
>>                at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1160)
>>                at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
>>                at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
>>                at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:716)
>>                at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:970)
>>                at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:942)
>>                at xxx.main(SSLPoke.java:53)
>>Caused by: java.io.EOFException: SSL peer shut down incorrectly
>>                at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:167)
>>                at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:108)
>>                at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
>>                ... 6 more
>>
>>
>>
>>From: Bernd Eckenfels <ecki at zusammenkunft.net>
>>Sent: Tuesday, September 21, 2021 7:07 AM
>>To: Wan, Thomas <xwan at mtb.com>; jdk8u-dev at openjdk.java.net
>>Subject: Re: Welcome to the "jdk8u-dev" mailing list (Digest mode)
>>
>>
>>It normally means the peer does not like your cipher or protocol
>>selection or maybe the peer has a wrongly configured certificate. The
>>actual reason why the peer shuts down the connection so unclear should
>>be logged on the remote site.
>>
>>
>>
>>
>>
>>--
>>
>>http://bernd.eckenfels.net
>>
>>________________________________
>>
>>From: jdk8u-dev <jdk8u-dev-retn at openjdk.java.net> on behalf of Wan, Thomas <xwan at mtb.com>
>>Sent: Tuesday, September 21, 2021 1:02:05 PM
>>To: jdk8u-dev at openjdk.java.net <jdk8u-dev at openjdk.java.net>
>>Subject: FW: Welcome to the "jdk8u-dev" mailing list (Digest mode)
>>
>>
>>
>>It seems jdk8u202 was working well with ldap ssl.
>>
>>Since then all other jdk 8 releases have the same error as below, any
>>idea what is wrong?
>>I compared the source code, it seems sun.security package has been
>>changed a lot since jdk8u202
>>
>>javax.net.ssl|FINE|01|main|2021-09-21 07:00:24.874 EDT|SSLSocketImpl.java:1629|close the SSL connection (initiative)
>>javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
>>        at sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1570)
>>        at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1400)
>>        at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1300)
>>        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:435)
>>        at sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:813)
>>        at sun.security.ssl.SSLSocketImpl.access$200(SSLSocketImpl.java:73)
>>        at sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1175)
>>        at sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1147)
>>        at com.mtb.cwp.SSLPoke.main(SSLPoke.java:53)
>>Caused by: java.io.EOFException: SSL peer shut down incorrectly
>>        at sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:167)
>>        at sun.security.ssl.SSLTransport.decode(SSLTransport.java:109)
>>        at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1392)
>>        ... 7 more
>>