RE: java.net.ConnectException: Received fatal alert:unexpected_message

Bernd Eckenfels ecki at zusammenkunft.net
Sun Nov 12 21:05:56 UTC 2017


The newer the Jetty server is, the more unlikely it supports the old and unsafe SSL2 handshake. You should not enable the SSL2Hello pseudo protocol on the client side. The JDK certainly does not by default.

Regards
Bernd
-- 
http://bernd.eckenfels.net

From: Sean Dawson
Sent: Sunday, 12 November 2017 20:24
To: security-dev at openjdk.java.net
Subject: Re: java.net.ConnectException: Received fatal alert:unexpected_message


Thanks for the reply. This is one of the latest versions of Jetty so I would hope that it would support that. But I've also tried specifying various other http.protocols on both sides but it hasn't seemed to change the result. Any other flags or things I should try?

On Fri, Nov 10, 2017 at 11:48 PM, Jaikiran Pai <jai.forums2013 at gmail.com> wrote:
> Java 1.8.0_131
> Both servers on same machine, using same Java
> Source server is using async-http-client 1.9.18
> Destination server is using Jetty 9.4.7.v20170914

....

> New I/O worker #10, WRITE: TLSv1.2 Handshake, length = 161
> [write] MD5 and SHA1 hashes:  len = 140
> 0000: 01 03 03 00 63 00 00 00   20 00 C0 23 00 C0 27 00 ....c... ..#..'.
> ...
> 0080: 07 06 BB A0 AB 39 66 80   95 55 14 65 .....9f..U.e
> New I/O worker #10, WRITE: SSLv2 client hello message, length = 140

It looks like the async-http-client is sending an SSLv2 client hello message during the handshake and I'm guessing Jetty doesn't support (or maybe has disabled) SSLv2Hello handshake messages. What SSL protocols have you enabled on both these sides? If you haven't explicitly enabled any, then what do they default to in these libraries/servers?

-Jaikiran
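
Added example, not part of the original thread: a small Python decoder for the fixed header of an SSLv2-format ClientHello, fed the nine leading bytes visible in the debug dump quoted above. It shows that the hello offers version 3.3 (TLS 1.2) inside the old SSLv2 framing and that the header's length fields add up to the logged 140 bytes. The 2-byte record header built by the hypothetical helper `wrap_v2_record` and the sample TLS record prefix are constructed for illustration.

```python
import struct

# First nine bytes of the hello body, copied from the debug dump in the thread.
DUMP_PREFIX = bytes.fromhex("010303006300000020")

# Constructed sample: start of an ordinary TLS handshake record (type 0x16).
TLS_RECORD_PREFIX = bytes.fromhex("16030100a1")


def parse_v2_hello_header(body: bytes) -> dict:
    """Decode the fixed 9-byte header of an SSLv2-format ClientHello body."""
    if len(body) < 9:
        raise ValueError("need at least 9 bytes")
    msg_type, major, minor, cs_len, sid_len, ch_len = struct.unpack(
        ">BBBHHH", body[:9]
    )
    if msg_type != 1:
        raise ValueError("not a ClientHello (msg_type != 1)")
    if cs_len % 3:
        raise ValueError("cipher spec length must be a multiple of 3")
    return {
        "offered_version": (major, minor),   # (3, 3) means TLS 1.2
        "cipher_specs": cs_len // 3,         # each SSLv2 cipher spec is 3 bytes
        "session_id_len": sid_len,
        "challenge_len": ch_len,
        "body_len": 9 + cs_len + sid_len + ch_len,
    }


def wrap_v2_record(body_prefix: bytes, body_len: int) -> bytes:
    """Hypothetical helper: prepend the 2-byte SSLv2 record header
    (high bit set, 15-bit length) to rebuild the on-wire start."""
    return struct.pack(">H", 0x8000 | body_len) + body_prefix


def classify_first_bytes(wire: bytes) -> str:
    """Tell an SSLv2-format hello from a TLS handshake record on the wire."""
    if len(wire) >= 3 and wire[0] == 0x16 and wire[1] == 0x03:
        return "tls-record"
    if len(wire) >= 3 and wire[0] & 0x80 and wire[2] == 0x01:
        return "sslv2-format-hello"
    return "unknown"


if __name__ == "__main__":
    info = parse_v2_hello_header(DUMP_PREFIX)
    print(info)
    print(classify_first_bytes(wrap_v2_record(DUMP_PREFIX, info["body_len"])))
    print(classify_first_bytes(TLS_RECORD_PREFIX))
```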

