<div dir="ltr"><div><div><div><div><br></div>Hello,<br><br></div>We have a server that makes a request to another one using (com.ning) AsyncHttpClient and we're having an issue getting TLS working. I've looked at quite a few Google results, but they don't seem to apply, or the suggestions don't make a difference in our case.<br><br></div>Java 1.8.0_131<br>Both servers on same machine, using same Java<br></div>Source server is using async-http-client 1.9.18<br>Destination server is using Jetty 9.4.7.v20170914<br><div><div><br></div><div>Tried...</div><div><br></div><div>Variations of combinations/permutations for https.protocols</div><div>-Dcom.sun.net.ssl.enableECC=false -Djsse.enableSNIExtension=false</div><div><br></div><div>Here's debug output (with a couple of small portions manually removed, indicated with ellipses)...</div><div><br>Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384<br>Ignoring unavailable cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA<br>Ignoring unavailable cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA256<br>Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA<br>Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384<br>Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA<br>Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384<br>Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256<br>Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA<br>Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384<br>Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384<br>Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384<br>Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384<br>Ignoring unavailable cipher suite: TLS_ECDH_anon_WITH_AES_256_CBC_SHA<br>Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384<br>Ignoring unavailable cipher suite: 
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA<br>Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384<br>Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384<br>Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256<br>Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA<br>Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256<br>Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA<br>Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA<br>Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384<br>Ignoring unavailable cipher suite: TLS_DH_anon_WITH_AES_256_GCM_SHA384<br>Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384<br>Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA<br>Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384<br>Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA<br>Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384<br>Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256<br>Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA<br>Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384<br>Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384<br>Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384<br>Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384<br>Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384<br>Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA<br>Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384<br>Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384<br>Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256<br>Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA<br>Ignoring unavailable cipher suite: 
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256<br>Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA<br>Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA<br>Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384<br>Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384<br>Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA<br>Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384<br>Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA<br>Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384<br>Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256<br>Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA<br>Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384<br>Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384<br>Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384<br>Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384<br>Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384<br>Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA<br>Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384<br>Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384<br>Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256<br>Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA<br>Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256<br>Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA<br>Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA<br>Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384<br>trustStore is: c:\temp\selfsigned.jks<br>trustStore type is : jks<br>trustStore provider is : <br>init truststore<br>adding as trusted cert:<br>  Subject: CN=localhost, OU=Q, O=I, L=P, 
ST=M, C=U<br>  Issuer:  CN=localhost, OU=Q, O=I, L=P, ST=M, C=U<br>  Algorithm: RSA; Serial number: 0x5a80280b<br>  Valid from Tue Nov 07 15:53:43 EST 2017 until Mon Feb 05 15:53:43 EST 2018<br><br>trigger seeding of SecureRandom<br>done seeding SecureRandom<br>Using SSLEngineImpl.<br><br>...<br><br>trigger seeding of SecureRandom<br>done seeding SecureRandom<br>trustStore is: c:\temp\selfsigned.jks<br>trustStore type is : jks<br>trustStore provider is : <br>init truststore<br>adding as trusted cert:<br>  Subject: CN=localhost, OU=Q, O=I, L=P, ST=M, C=U<br>  Issuer:  CN=localhost, OU=Q, O=I, L=P, ST=M, C=U<br>  Algorithm: RSA; Serial number: 0x5a80280b<br>  Valid from Tue Nov 07 15:53:43 EST 2017 until Mon Feb 05 15:53:43 EST 2018<br><br>keyStore is : <br>keyStore type is : jks<br>keyStore provider is : <br>init keystore<br>init keymanager of type SunX509<br>trigger seeding of SecureRandom<br>done seeding SecureRandom<br>Using SSLEngineImpl.<br>Allow unsafe renegotiation: false<br>Allow legacy hello messages: true<br>Is initial handshake: true<br>Is secure renegotiation: false<br>Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1<br>Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1<br>Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1<br>Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1<br>Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1<br>Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1<br>Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1<br>Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1<br>Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1<br>Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1<br>Ignoring unsupported cipher suite: 
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1<br>Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1<br>Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1<br>Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1<br>%% No cached client session<br>*** ClientHello, TLSv1.2<br>RandomCookie:  GMT: 1510241429 bytes = { ... }<br>Session ID:  {}<br>Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]<br>Compression Methods:  { 0 }<br>Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}<br>Extension ec_point_formats, formats: [uncompressed]<br>Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA<br>***<br>[write] MD5 and SHA1 
hashes:  len = 161<br>0000: 01 00 00 9D 03 03 5A 04   75 95 24 2F A6 B1 8C 45  ......Z.u.$/...E<br>...<br>0090: 01 05 03 05 01 04 03 04   01 04 02 02 03 02 01 02  ................<br>00A0: 02                                                 .<br>New I/O worker #10, WRITE: TLSv1.2 Handshake, length = 161<br>[write] MD5 and SHA1 hashes:  len = 140<br>0000: 01 03 03 00 63 00 00 00   20 00 C0 23 00 C0 27 00  ....c... ..#..'.<br>...<br>0080: 07 06 BB A0 AB 39 66 80   95 55 14 65              .....9f..U.e<br>New I/O worker #10, WRITE: SSLv2 client hello message, length = 140<br>[Raw write]: length = 142<br>0000: 80 8C 01 03 03 00 63 00   00 00 20 00 C0 23 00 C0  ......c... ..#..<br>...<br>0080: ED B2 07 06 BB A0 AB 39   66 80 95 55 14 65        .......9f..U.e<br>[Raw read]: length = 5<br>0000: 15 03 03 00 02                                     .....<br>[Raw read]: length = 2<br>0000: 02 0A                                              ..<br>New I/O worker #10, READ: TLSv1.2 Alert, length = 2<br>New I/O worker #10, RECV TLSv1.2 ALERT:  fatal, unexpected_message<br>New I/O worker #10, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Received fatal alert: unexpected_message<br>New I/O worker #10, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Received fatal alert: unexpected_message<br>New I/O worker #10, called closeOutbound()<br>New I/O worker #10, closeOutboundInternal()<br>New I/O worker #10, SEND TLSv1.2 ALERT:  warning, description = close_notify<br>New I/O worker #10, WRITE: TLSv1.2 Alert, length = 2<br>New I/O worker #10, called closeInbound()<br>New I/O worker #10, fatal: engine already closed.  
Rethrowing javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?<br>[Raw write]: length = 7<br>0000: 15 03 03 00 02 01 00                               .......<br>New I/O worker #10, called closeOutbound()<br>New I/O worker #10, closeOutboundInternal()<br>09 Nov 2017 10:34:46.014 25   ERROR                [                        ] java.net.ConnectException: Received fatal alert: unexpected_message <br></div><div><br></div><div>Thanks for any suggestions.</div><div><br></div></div></div>
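<p>The debug output above shows that the hello actually placed on the wire is in SSLv2 format (the 142-byte raw write beginning <code>80 8C 01 03 03</code>, logged as "SSLv2 client hello message, length = 140"), and that the peer answers it with the record <code>15 03 03 00 02</code> / <code>02 0A</code>, a fatal <code>unexpected_message</code> alert. The SSLv2 hello format carries no extensions, so neither SNI nor the signature_algorithms list from the TLSv1.2 hello reach the server in that form, and a server that has SSLv2Hello disabled (Jetty's SslContextFactory excludes it by default) rejects the record outright. As an added example, not code from the original post, AsyncHttpClient or Jetty, the Java below decodes those header bytes from the log and builds a client-mode JSSE SSLEngine whose enabled protocol list cannot produce an SSLv2-format hello; the peer name <code>localhost</code>, port <code>8443</code> and the sample byte arrays are constructed for illustration.</p>

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.Arrays;

/*
 * Added example, not code from the original post, AsyncHttpClient or Jetty.
 * Part 1 decodes the record headers that appear in a JSSE debug log;
 * part 2 builds a client-mode SSLEngine that will not send an SSLv2-format hello.
 */
public class HelloRecordCheck {

    /** Human-readable name for a TLS alert description byte (subset of the RFC 5246 values). */
    static String alertName(int description) {
        switch (description) {
            case 0:  return "close_notify";
            case 10: return "unexpected_message";
            case 20: return "bad_record_mac";
            case 40: return "handshake_failure";
            case 70: return "protocol_version";
            default: return "alert(" + description + ")";
        }
    }

    /** Classify the first bytes a peer put on the wire. */
    public static String classify(byte[] b) {
        if (b.length >= 3 && (b[0] & 0x80) != 0 && b[2] == 0x01) {
            // SSLv2 record header: high bit set, 15-bit length, then CLIENT-HELLO (1).
            // The next two bytes are the highest version the client really wants;
            // this format has no extension field at all (no SNI, no signature_algorithms).
            int len = ((b[0] & 0x7F) << 8) | (b[1] & 0xFF);
            String ver = b.length >= 5 ? (b[3] & 0xFF) + "." + (b[4] & 0xFF) : "?";
            return "SSLv2-format client hello, length " + len + ", max version " + ver;
        }
        if (b.length >= 5 && b[1] == 0x03) {
            // TLS record header: content type, version (2 bytes), length (2 bytes)
            int len = ((b[3] & 0xFF) << 8) | (b[4] & 0xFF);
            switch (b[0]) {
                case 0x16:
                    return "TLS handshake record, length " + len;
                case 0x15:
                    if (b.length >= 7) {
                        // alert body: level (1 = warning, 2 = fatal), description
                        String level = b[5] == 2 ? "fatal" : "warning";
                        return "TLS alert: " + level + ", " + alertName(b[6] & 0xFF);
                    }
                    return "TLS alert record, length " + len;
                default:
                    return "TLS record type " + (b[0] & 0xFF);
            }
        }
        return "unrecognised";
    }

    /** True if the engine, as configured, would put an SSLv2-format hello on the wire. */
    public static boolean offersSslv2Hello(SSLEngine engine) {
        return Arrays.asList(engine.getEnabledProtocols()).contains("SSLv2Hello");
    }

    /**
     * Client-mode engine restricted to TLSv1.x. The enabled list is read only after
     * setUseClientMode(true), because JSSE's defaults differ between the two roles.
     */
    public static SSLEngine tlsOnlyClientEngine(SSLContext ctx, String host, int port) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        String[] tlsOnly = Arrays.stream(engine.getEnabledProtocols())
                .filter(p -> p.startsWith("TLSv1"))   // drops SSLv2Hello and SSLv3 if present
                .toArray(String[]::new);
        engine.setEnabledProtocols(tlsOnly);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: the header bytes of the three raw records seen in the log
        byte[] wireHello   = {(byte) 0x80, (byte) 0x8C, 0x01, 0x03, 0x03};
        byte[] serverAlert = {0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x0A};
        byte[] clientClose = {0x15, 0x03, 0x03, 0x00, 0x02, 0x01, 0x00};
        for (byte[] rec : new byte[][] {wireHello, serverAlert, clientClose}) {
            System.out.println(classify(rec));
        }

        // "localhost"/8443 are placeholder peer values, not taken from the post
        SSLEngine engine = tlsOnlyClientEngine(SSLContext.getDefault(), "localhost", 8443);
        System.out.println("enabled: " + Arrays.toString(engine.getEnabledProtocols())
                + ", SSLv2Hello offered: " + offersSslv2Hello(engine));
    }
}
```

<p>Fed the header bytes from the log, the first line reports an SSLv2-format hello of length 140 offering version 3.3 (TLS 1.2), the second the fatal <code>unexpected_message</code> alert, and the third the warning-level <code>close_notify</code> the client sent on its way out. The useful check is <code>offersSslv2Hello</code> applied to an engine created the way the client library creates it: if it returns true, the protocol list is where to look, and a library that builds its own SSLEngine has to apply the same restriction at the point where it calls <code>setUseClientMode</code>. Because the SSLv2 format has no extension field, the <code>-Djsse.enableSNIExtension=false</code> switch tried in the post cannot change what that record contains.</p>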