SSL handshake exception #407
Comments
What version of the JVM is that? Perhaps it doesn't support modern TLS v1.1+? SSL3 and TLS v1.0 are deprecated and disabled by default: https://github.com/mesosphere/marathon-lb/blob/master/Longhelp.md#haproxy_head
The JVM is 1.8 but I'm not sure that's the issue. Couple points in here:
Another article on testing invalid SSL connections: https://community.qualys.com/thread/13532
Results from docker v1.4.3
Results from docker LATEST
Another reference: https://confluence.atlassian.com/confkb/error-handshake-alert-unrecognized_name-when-setting-up-application-links-after-upgrading-confluence-753895174.html
What does your app configuration look like? As in, what are the MLB labels? Are you using a wildcard cert? Are you sure the domain in your cert matches?
According to this comment it's a problem with Java itself: lightbody/browsermob-proxy#117 (comment)
Or there's this: https://groups.google.com/a/cloudfoundry.org/forum/#!topic/vcap-dev/ta_rx-4enj4
I noticed new in 1.5.0, by default, disables support for TLS 1.1
HAPROXY_GROUP=external
We aren't using any wildcard certs. The domains are the same.
@eliang could you please let me know how we can enable TLS v1.1 support?
I downgraded to 1.4.1 |
Unfortunately, as base OSes have been dropping support for TLS 1.0 and TLS 1.1, we can't support this anymore.
When pulling latest docker image, our test tools (JMETER) are getting SSLProtocolException below when hitting marathon-lb in front of our application.
I saw some changes go in for haproxy and SSL cert changes. What is the latest docker version for marathon-lb? I tried pulling v1.4.3 with docker and it works properly again. The "latest" image gives the error below. There is no error when manually accessing marathon-lb via the browser.
javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name
at sun.security.ssl.ClientHandshaker.handshakeAlert(ClientHandshaker.java:1288)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1904)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1027)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1262)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1289)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1273)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:523)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1296)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
at java.net.URL.openStream(URL.java:1035)