SSL handshake exception #407

Closed
achill71583 opened this issue Jan 19, 2017 · 9 comments
@achill71583

When pulling the latest docker image, our test tools (JMeter) are getting the SSLProtocolException below when hitting marathon-lb in front of our application.

I saw some changes go in for haproxy and SSL cert changes. What is the latest docker version for marathon-lb? I tried pulling v1.4.3 with docker and it works properly again. The "latest" image gives the error below. There is no error when manually accessing marathon-lb via the browser.

javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name
at sun.security.ssl.ClientHandshaker.handshakeAlert(ClientHandshaker.java:1288)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1904)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1027)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1262)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1289)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1273)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:523)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1296)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
at java.net.URL.openStream(URL.java:1035)

@brndnmtthws
Contributor

What version of the JVM is that? Perhaps it doesn't support modern TLS v1.1+?

SSL3 and TLS v1.0 are deprecated and disabled by default: https://github.com/mesosphere/marathon-lb/blob/master/Longhelp.md#haproxy_head

@achill71583
Author

The JVM is 1.8 but I'm not sure that's the issue.

http://stackoverflow.com/questions/7615645/ssl-handshake-alert-unrecognized-name-error-since-upgrade-to-java-1-7-0

A couple of points in here:

  1. on the client side: setting jsse.enableSNIExtension
  2. Apache configuration to include a ServerName or ServerAlias for the host

@achill71583
Author

achill71583 commented Jan 27, 2017

Another article on testing invalid SSL connections:

https://community.qualys.com/thread/13532

Results from docker v1.4.3
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
11493:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.60.1/src/ssl/s23_lib.c:185:

Results from docker LATEST
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL3 alert read:fatal:protocol version
SSL_connect:error in SSLv2/v3 read server hello A
11879:error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.60.1/src/ssl/s23_clnt.c:593:

Another reference: https://confluence.atlassian.com/confkb/error-handshake-alert-unrecognized_name-when-setting-up-application-links-after-upgrading-confluence-753895174.html

@brndnmtthws
Contributor

What does your app configuration look like? As in, what are the MLB labels? Are you using a wildcard cert? Are you sure the domain in your cert matches?

According to this comment it's a problem with Java itself: lightbody/browsermob-proxy#117 (comment)

Or there's this: https://groups.google.com/a/cloudfoundry.org/forum/#!topic/vcap-dev/ta_rx-4enj4

@eliang

eliang commented Jan 29, 2017

I noticed that 1.5.0, by default, disables support for TLS 1.1.
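Both failures in this thread are decided by the server from fields of the client's first message: the JMeter/JVM client is told its name is unknown (a server-sent unrecognized_name alert, which JSSE reports as "handshake alert: unrecognized_name"), and the openssl s_client run above is told its version is too low (a "protocol version" alert; note that the s_client used is OpenSSL 0.9.8 per the build path, and 0.9.8 speaks at most TLS 1.0, so it will always fail against an endpoint that requires TLS 1.2). The Python below is an added example, not marathon-lb, HAProxy or JMeter code: it builds a minimal ClientHello, parses back the version and SNI fields, and models the two server-side checks. The alert numbers and extension codes are from the TLS RFCs; the policy function `server_decision`, its default minimum of TLS 1.2 and the hostnames are assumptions for illustration, not HAProxy's actual logic.

```python
"""Minimal TLS ClientHello builder/parser plus a model of the two server-side
checks behind the alerts seen in this thread (added example; the messages are
constructed here, not captured from marathon-lb or JMeter)."""
import struct

# Alert descriptions: RFC 5246 section 7.2.2 and RFC 6066 section 3
ALERT_PROTOCOL_VERSION = 70
ALERT_UNRECOGNIZED_NAME = 112

EXT_SERVER_NAME = 0          # RFC 6066 server_name extension
EXT_SUPPORTED_VERSIONS = 43  # RFC 8446 supported_versions extension

TLS_NAMES = {(3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2", (3, 4): "TLSv1.3"}


def build_client_hello(client_version, sni=None, supported_versions=None):
    """Return one TLS record holding a minimal ClientHello (constructed test input)."""
    body = bytes(client_version)                      # legacy client_version
    body += b"\x00" * 32                              # random: zeros are fine for a parser demo
    body += b"\x00"                                   # empty session_id
    body += struct.pack("!H", 2) + b"\xc0\x2f"        # one suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    body += b"\x01\x00"                               # compression_methods: null only
    exts = b""
    if sni is not None:
        name = sni.encode("idna")
        names = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0)
        data = struct.pack("!H", len(names)) + names
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(data)) + data
    if supported_versions:
        data = b"".join(bytes(v) for v in supported_versions)
        data = bytes([len(data)]) + data
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Extract record/handshake versions, SNI host names and supported_versions."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    info = {"record_version": (record[1], record[2]),
            "client_version": (body[0], body[1]), "sni": [], "supported_versions": []}
    pos = 2 + 32                                               # skip client_version and random
    pos += 1 + body[pos]                                       # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]       # cipher_suites
    pos += 1 + body[pos]                                       # compression_methods
    if pos >= len(body):
        return info                                            # hello with no extensions at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos < end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == EXT_SERVER_NAME:
            p, list_end = 2, 2 + struct.unpack("!H", data[:2])[0]
            while p < list_end:
                nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
                if data[p] == 0:                               # host_name entries only
                    info["sni"].append(data[p + 3:p + 3 + nlen].decode("ascii"))
                p += 3 + nlen
        elif etype == EXT_SUPPORTED_VERSIONS:
            n = data[0]
            info["supported_versions"] = [(data[i], data[i + 1]) for i in range(1, 1 + n, 2)]
    return info


def server_decision(hello, min_version=(3, 3), known_names=frozenset()):
    """Assumed server policy (illustration, not HAProxy's real code): refuse clients
    whose best offered version is below min_version with protocol_version, and refuse
    an SNI name the server has no certificate for with unrecognized_name.
    Returns None when the handshake may proceed."""
    offered = hello["supported_versions"] or [hello["client_version"]]
    if max(offered) < min_version:
        return ALERT_PROTOCOL_VERSION
    if hello["sni"] and not any(n in known_names for n in hello["sni"]):
        return ALERT_UNRECOGNIZED_NAME
    return None


if __name__ == "__main__":
    # A client offering at most TLS 1.1 against a server that, like the thread's
    # "latest" image by default, requires TLS 1.2 (hostname is a made-up example).
    hello = parse_client_hello(build_client_hello((3, 2), sni="app.example.test"))
    print(TLS_NAMES[hello["client_version"]], hello["sni"],
          server_decision(hello, known_names={"app.example.test"}))
```

Run against a real endpoint, the equivalent diagnostic is to fix the client's version (for example `openssl s_client -tls1_1` versus `-tls1_2`) and toggle SNI (`-servername`), and read which alert comes back: a version alert means the listener's minimum protocol is the problem, a name alert means the SNI/certificate mapping is.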

@achill71583
Author

HAPROXY_GROUP=external
HAPROXY_0_BACKEND_HEAD=backend {backend} balance {balance} mode {mode} timeout server 30m timeout client 30m
HAPROXY_0_VHOST=hostname

We aren't using any wildcard certs. The domains are the same.

@nadendlaprasad

@eliang could you please let me know how we can enable TLS v1.1 support?

@eliang

eliang commented Nov 16, 2017

I downgraded to 1.4.1

@jkoelker
Contributor

Unfortunately, as base OSes have been dropping support for TLS 1.0 and TLS 1.1, we can't support this anymore.
