javax.net.ssl.SSLException: Received fatal alert: bad_record_mac on openj9 0.11.0 #3637
Comments
Hi, happening to me too. I think I found a simple enough way to reproduce it: https://github.com/circlespainter/openj9-issue-3637 |
@theresa-m Can you take a look at this? It may be related to pulling in OpenSSL for crypto.... If that's the case, then we'll want to pull Nasser, Alon & company in to help. FYI @pshipton |
yes. looking into it |
ibmruntimes/openj9-openjdk-jdk8#145 is the culprit @ashbm5 This build fails the test:
This build passes:
|
There is only one change, to enable ssl by default |
As a workaround while we resolve this, you should be able to run with |
Thanks Dan.. this workaround works! |
I've started looking into this. |
Failure is observed after the client sends the change_cipher_spec() message and processing the server's response to change_cipher_spec(). Server fails to send change_cipher_spec(). I see that internally GCM encrypt & decrypt is always using EVP_aes_128_gcm(). Changing it to EVP_aes_256_gcm() solves this problem. Investigating further if we should change the GCM cipher based on key length. |
PR ibmruntimes/openj9-openjdk-jdk8#213 fixes this issue. |
This issue was believed to be resolved via ibmruntimes/openj9-openjdk-jdk8#213. The most recent nightly builds should include the fix. You can grab a JDK or a JRE from the latest nightly build to test that it resolves your issue. If this does not resolve your issue, please re-open. Thanks |
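The failure mode described in the comment above (a fixed 128-bit GCM cipher used regardless of the negotiated key length), as an added Java example that is not part of the thread or of the OpenJ9 code. The class, the helper names and all byte values are constructed, and truncating the key to its first 16 bytes is an assumption about how a fixed 128-bit cipher treats a 32-byte key.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Arrays;

public class GcmKeyLengthMismatch {
    // Pick the AES-GCM variant from the key length (stand-in for choosing
    // between EVP_aes_128_gcm / EVP_aes_192_gcm / EVP_aes_256_gcm).
    static String variantFor(byte[] key) {
        switch (key.length) {
            case 16: return "AES-128-GCM";
            case 24: return "AES-192-GCM";
            case 32: return "AES-256-GCM";
            default: throw new IllegalArgumentException("bad AES key length " + key.length);
        }
    }
    // One-shot AES-GCM with a 128-bit tag; the key length selects the AES variant.
    static byte[] gcm(int mode, byte[] key, byte[] iv, byte[] aad, byte[] in)
            throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        c.updateAAD(aad);
        return c.doFinal(in);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample values, not taken from a real handshake.
        byte[] key256 = new byte[32];
        for (int i = 0; i < key256.length; i++) key256[i] = (byte) (i + 1);
        byte[] iv = new byte[12];
        byte[] aad = "constructed record header".getBytes(StandardCharsets.UTF_8);
        byte[] msg = "constructed handshake message".getBytes(StandardCharsets.UTF_8);
        // Assumption: a fixed 128-bit cipher consumes only the first 16 key bytes.
        byte[] key128 = Arrays.copyOf(key256, 16);
        byte[][] senderKeys = { key256, key128 };
        for (byte[] senderKey : senderKeys) {
            byte[] record = gcm(Cipher.ENCRYPT_MODE, senderKey, iv, aad, msg);
            try {
                gcm(Cipher.DECRYPT_MODE, key256, iv, aad, record); // peer uses the full key
                System.out.println("sender " + variantFor(senderKey) + ": tag verified");
            } catch (AEADBadTagException e) {
                System.out.println("sender " + variantFor(senderKey)
                        + ": tag mismatch, peer would answer bad_record_mac");
            }
        }
    }
}
```

In TLS an AEAD tag failure on the receiving side is reported to the sender as the fatal `bad_record_mac` alert, which is what the stack trace in this issue shows arriving during the handshake.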
Yes confirmed as of 1.8.0_192-201811201837-b12 issue is fixed.. many thanks! |
ok my application which connects to an external service via HTTPS using HttpClient is failing when using jdk8u192-b12_openj9-0.11.0 jre:
javax.net.ssl.SSLException: Received fatal alert: bad_record_mac
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
    at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2020)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1127)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:359)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
had to revert to jdk8u181-b13-OpenJ9 jre which does not get this issue. Will try to get a sample code (and target) and post it here. thanks!