javax.net.ssl.SSLException: Received fatal alert: bad_record_mac on openj9 0.11.0 #3637

Closed
jsonyu opened this issue Nov 12, 2018 · 13 comments · Fixed by ibmruntimes/openj9-openjdk-jdk8#213

@jsonyu

jsonyu commented Nov 12, 2018

ok my application which connects to an external service via HTTPS using HttpClient is failing when using jdk8u192-b12_openj9-0.11.0 jre:

javax.net.ssl.SSLException: Received fatal alert: bad_record_mac
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
    at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2020)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1127)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:359)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)

had to revert to jdk8u181-b13-OpenJ9 jre which does not get this issue. Will try to get a sample code (and target) and post it here. thanks!

@circlespainter

Hi, happening to me too. I think I found a simple enough way to reproduce it: https://github.com/circlespainter/openj9-issue-3637

@DanHeidinga
Member

@theresa-m Can you take a look at this? It may be related to pulling in OpenSSL for crypto.... If that's the case, then we'll want to pull Nasser, Alon & company in to help.

FYI @pshipton

@theresa-m
Contributor

yes. looking into it

@theresa-m
Contributor

ibmruntimes/openj9-openjdk-jdk8#145 is the culprit @ashbm5

This build fails the test:

Eclipse OpenJ9 VM (build openj9-0.11.0-rc1, JRE 1.8.0 Linux amd64-64-Bit Compressed References 20181112_000000 (JIT enabled, AOT enabled)
OpenJ9   - 72f731f
OMR      - ea548a6
JCL      - 6eea72c based on jdk8u192-b12)

This build passes:

Eclipse OpenJ9 VM (build openj9-0.11.0-rc1, JRE 1.8.0 Linux amd64-64-Bit Compressed References 20181112_000000 (JIT enabled, AOT enabled)
OpenJ9   - 72f731f
OMR      - ea548a6
JCL      - 3f58849 based on jdk8u192-b12)

@pshipton
Member

There is only one change, to enable ssl by default
ibmruntimes/openj9-openjdk-jdk8@3f58849...6eea72c

@ashbm5 @enasser @mbvreddy

@DanHeidinga
Member

As a workaround while we resolve this, you should be able to run with -Djdk.nativeCrypto=false to disable openssl crypto.

@jsonyu
Author

jsonyu commented Nov 13, 2018

> As a workaround while we resolve this, you should be able to run with -Djdk.nativeCrypto=false to disable openssl crypto.

Thanks Dan.. this workaround works!

@DanHeidinga
Member

@ashbm5 @enasser @mbvreddy Can you provide an update on this?

@mbvreddy

I've started looking into this.

@mbvreddy

Failure is observed after the client sends the change_cipher_spec() message and processing the server's response to change_cipher_spec(). The server fails to send change_cipher_spec().

I see that internally GCM encrypt & decrypt is always using EVP_aes_128_gcm(). Changing it to EVP_aes_256_gcm() is solving this problem.

Investigating further if we should change GCM cipher based on key length.
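Added example, not part of the thread and not OpenJ9 code: a JCE-only model of the key-length mismatch described in the comment above, showing that the GCM tag check passes for 16-byte keys and fails for 32-byte keys when one side is pinned to a 128-bit AES primitive. The class name and the `pinnedTo128` helper are hypothetical, the key, nonce and record contents are constructed, and the assumption is that a 128-bit primitive consumes only the first 16 bytes of the key it is given.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Arrays;

public class GcmKeyLengthMismatch {
    // JCE selects AES-128/192/256 from the key length (16/24/32 bytes).
    static byte[] gcm(int mode, byte[] key, byte[] iv, byte[] aad, byte[] in)
            throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        c.updateAAD(aad);
        return c.doFinal(in); // on decrypt, throws AEADBadTagException if the tag fails
    }

    // Assumption: models a backend pinned to a 128-bit AES primitive, which
    // consumes only the first 16 bytes of whatever key it is handed.
    static byte[] pinnedTo128(byte[] key) {
        return Arrays.copyOf(key, 16);
    }

    // True if a record sealed by a key-length-aware peer verifies on the pinned side.
    static boolean pinnedSideAccepts(byte[] key) throws GeneralSecurityException {
        byte[] iv = new byte[12]; // constructed nonce, demo only
        byte[] aad = "constructed record header".getBytes(StandardCharsets.UTF_8);
        byte[] msg = "constructed Finished message".getBytes(StandardCharsets.UTF_8);
        byte[] record = gcm(Cipher.ENCRYPT_MODE, key, iv, aad, msg);
        try {
            gcm(Cipher.DECRYPT_MODE, pinnedTo128(key), iv, aad, record);
            return true;
        } catch (AEADBadTagException e) {
            return false; // a TLS endpoint reports this condition as bad_record_mac
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] key256 = new byte[32]; // constructed key material
        for (int i = 0; i < key256.length; i++) key256[i] = (byte) i;
        byte[] key128 = Arrays.copyOf(key256, 16);
        System.out.println("AES-128-GCM key, pinned side accepts: " + pinnedSideAccepts(key128));
        System.out.println("AES-256-GCM key, pinned side accepts: " + pinnedSideAccepts(key256));
    }
}
```

Running it needs a JRE that permits 256-bit AES keys (the default policy since 8u161).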

@mbvreddy

PR ibmruntimes/openj9-openjdk-jdk8#213 fixes this issue.

@charliegracie
Contributor

This issue was believed to be resolved via ibmruntimes/openj9-openjdk-jdk8#213. The most recent nightly builds should include the fix.

You can grab a JDK or a JRE from the latest nightly build to test that it resolves your issue. If this does not resolve your issue please re-open. Thanks

@jsonyu
Author

jsonyu commented Nov 21, 2018

Yes confirmed as of 1.8.0_192-201811201837-b12 issue is fixed.. many thanks!
