TLS fails with jdk 8u191

[SammyA]

TLS connections fail with oracle jdk 8u191

---

TLS connections (for example: https-listener, jdbc connection pool using tls (mysql/postgresql)) fail using oracle jdk 8u191. No problems when using 8u181.

Expected Outcome

curl --insecure https://localhost:8181

should present the payara index page.

Current Outcome

curl return an error. Payara logs the following stack trace:

[2018-10-17T15:20:32.654+0200] [Payara 5.183] [WARNING] [] [org.glassfish.grizzly.filterchain.DefaultFilterChain] [tid: _ThreadID=94 _ThreadName=http-thread-pool::http-listener-2(1)] [timeMillis: 1539782432654] [levelValue: 900] [[
  GRIZZLY0013: Exception during FilterChain execution
java.lang.NoSuchMethodError: sun.security.ssl.SSLSessionImpl.<init>(Lsun/security/ssl/ProtocolVersion;Lsun/security/ssl/CipherSuite;Ljava/util/Collection;Ljava/security/SecureRandom;Ljava/lang/String;IZ)V
        at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:862)
        at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:245)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1077)
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:1017)
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:1014)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1497)
        at org.glassfish.grizzly.ssl.SSLUtils.executeDelegatedTask(SSLUtils.java:250)
        at org.glassfish.grizzly.ssl.SSLBaseFilter.doHandshakeStep(SSLBaseFilter.java:683)
        at org.glassfish.grizzly.ssl.SSLBaseFilter.doHandshakeStep(SSLBaseFilter.java:598)
        at org.glassfish.grizzly.ssl.SSLBaseFilter.handleRead(SSLBaseFilter.java:310)
        at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:95)
        at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:260)
        at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:177)
        at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:109)
        at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:88)
        at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:53)
        at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:524)
        at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:89)
        at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:94)
        at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:33)
        at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:114)
        at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:569)
        at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:549)
        at java.lang.Thread.run(Thread.java:748)
]]

Steps to reproduce

1 - export JAVA_HOME=/path/to/oracle-jdk8u191
2 - ./asadmin start-domain payaradomain
3 - curl --insecure https://localhost:8181/

Environment

• Payara Version: 5.183
• Edition: Full
• JDK Version: Oracle jdk 8u191
• Operating System: Linux

[andreasernst]

Also the web interface at port 4848 fails and the redeploy with asadmin:

java.lang.NoSuchMethodError: sun.security.ssl.SSLSessionImpl.(Lsun/security/ssl/ProtocolVersion;Lsun/security/ssl/CipherSuite;Ljava/util/Collection;Ljava/security/SecureRandom;Ljava/lang/String;IZ)V
[....]

/opt/payara/payara-5.183/bin/asadmin redeploy [....]
NCLS-ADMIN-00010
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
Command redeploy failed.

This error with Glassfish:
oracle/docker-images#727

[ringmaster217]

I am also seeing this error with OpenJDK 8u191. It works fine on 8u181, but throws the above error after upgrading to 8u191. I'm also using Payara Full Server 5.183 on Linux.

[pzygielo]

Perhaps change like that in constructor of SSLSessionImpl has to be cared of in grizzly-npn (again, see javaee/grizzly-npn#5 for previous case) .

[smillidge]

Yes it will be a Grizzly npn error. Grizzly is now part of Jakarta EE at the Eclipse Foundation

[smillidge]

If you don't care about HTTP/2 the Grizzly npn jar can be removed from the bootclasspath from your Payara startup options as a workaround.

[RejDev]

Hello,
the problem is that Glassfish embeds an old version of the SUN implementation (sun.security.ssl.SSLSessionImpl)

I found a solution to solve the problem temporarily.

1) go to path : $JDK_HOME$ /jre/lib/
1.1) copy this file : /jsse.jar

2) go to path : $PAYARA5_INSTALL$/glassfish/lib/
2.1) backup : grizzly-npn-bootstrap.jar

3) open "jsse.jar" with an archive editor
3.1) go to path (in archive) : sun/security/ssl
3.2) extract folder "ssl"

4) open "grizzly-npn-bootstrap.jar" with an archive editor
4.1) merge the "ssl" folder extracted from the "jsse.jar" archive with the "ssl" folder
       into "grizzly-npn-bootstrap.jar", overwriting the files with the same name

5) restart payara.
and normally everything works properly

if you want, I can upload a patched version of the file ("grizzly-npn-bootstrap.jar")

Have a good day..

[smillidge]

Thanks for that. However this will stop HTTP2 from working. What Grizzly npn does is enable alpn for SSL on JDK8. It would be easier just to remove the grizzly npn jar from the bootclasspath.

We will develop a patch before the 184 release

[TeroPihlaja]

Probably the easiest way to reproduce this issue is to enable secure admin and see if Payara starts. We are also seeing this issue with Jdk 8u191.

[MattGill98]

Hi all,

Thank you for the discussion on this issue. Just to clarify the status of this to the best of my understanding, there's an upstream issue (eclipse-ee4j/grizzly-npn#8) to track this issue, as well as internal issue PAYARA-3196 to fix it. This will most likely involve pulling in the upstream changes linked in that issue when they are made.

Kind regards,

Matt

[MattGill98]

Hi all,

An update to this issue: it has been fixed in the referenced PR above. I'll close this issue, although feel free to reopen it if you find any issues with the fix.

Kind regards,

Matt

[pioneer2k]

Looks like this fix is only working for JDK 8u191, so the Payara Docker Image is not working anymore, because it comes with JDK 8u181. See: https://github.com/payara/docker-payaraserver-full/issues/56

[rpdeadly]

I'm running the latest Payara 5.184-SNAPSHOT with Java version 1.8.0_191-b12 and I still see this error.

[MattGill98]

Hi,

We're working internally on this to find the best solution. I'll update you when the status of this issue changes.

Kind regards,

Matt

[deratzmann]

Hi. We have the same issue.
We figured out (maybe you already know that) that this commit from openjdk8:
docker-library/openjdk@7a33416#diff-e29295585240d6f18a944f2a83a10505
leads to this problem.

We are using openjdk:8-jdk-slim with a extracted payara-5.182.

[lipnitsk]

Seems related also: jetty-project/jetty-alpn#22

[MattGill98]

Hi all,

This should have been fixed by #3414. I'll close this issue, but let me know if any other issues are caused by it and I'll be happy to reopen it.

Cheers,

Matt

[fabide]

hey there,
I just tried to install payara 5.184 on debian 9.6 with openjdk 1.8.0_181 and run in the same issue when tried to curl --insecure https://localhost:8181.

[2018-11-27T16:44:58.692+0100] [Payara 5.184] [WARNING] [] [org.glassfish.grizzly.filterchain.DefaultFilterChain] [tid: _ThreadID=34 _ThreadName=http-thread-pool::http-listener-2(1)] [timeMillis: 1543333498692] [levelValue: 900] [[
  GRIZZLY0013: Exception during FilterChain execution
java.lang.NoSuchMethodError: sun.security.ssl.SSLSessionImpl.<init>(Lsun/security/ssl/ProtocolVersion;Lsun/security/ssl/CipherSuite;Ljava/util/Collection;Ljava/security/SecureRandom;Ljava/lang/String;IZ)V
        at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:862)
        at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:245)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1077)
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:1017)
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:1014)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1497)
        at org.glassfish.grizzly.ssl.SSLUtils.executeDelegatedTask(SSLUtils.java:250)
        at org.glassfish.grizzly.ssl.SSLBaseFilter.doHandshakeStep(SSLBaseFilter.java:683)
        at org.glassfish.grizzly.ssl.SSLBaseFilter.doHandshakeStep(SSLBaseFilter.java:598)
        at org.glassfish.grizzly.ssl.SSLBaseFilter.handleRead(SSLBaseFilter.java:310)
        at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:95)
        at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:260)
        at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:177)
        at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:109)
        at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:88)
        at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:53)
        at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:524)
        at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:89)
        at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:94)
        at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:33)
        at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:114)
        at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:569)
        at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:549)
        at java.lang.Thread.run(Thread.java:748)
]]

after enabling DAS it is not starting as well like discribed in #2661

[MattGill98]

Hi @fabide,

This is caused by using an old domain.xml with the 5.184 release. The new release contains domain.xml flags to avoid this issue. See this PR for the JVM arguments required to address this error.

Kind regards,

Matt

[IchBin]

Just downloaded 5.184 yesterday and ran into this error. I verified that the lines in the PR request listed here were there. I was still getting the error until I removed all the version numbers and only left in the line for the version that I was using.
-Xbootclasspath/p:${com.sun.aas.installRoot}/lib/grizzly-npn-bootstrap-1.8.1.jar

Not sure why this wasn't working for me.

-- added Dec 17 --
Seems to have broken SSL for debug
Exception during FilterChain execution
java.lang.NoClassDefFoundError: sun/security/ssl/HandshakeStateManager

[the-antz]

I have the same issue with the docker image of 5.184. The image only works because it's based on an old java version (openjdk:8u171-jdk instead of openjdk:8-jdk as in 5.183). Not sure if this change was supposed to make it into the release or if it was just a temporary workaround.

Only way I was able to fix it was by deleting all the grizzly-npn-bootstrap* libs.

[banifou]

I have the same problem with openjdk version "1.8.0_252" and payara 5201.
Incredible that this issue still haven't been fixed.

[smillidge]

The issue has been fixed. Especially the one you have commented on.

[banifou]

Should I open a new issue? And just change the version number?

[smillidge]

No because there already has been issues here #4623 #4625 #4642 and #4649 and was fixed in #4656

[banifou]

Yes, it is working! Thank you so much for leading me to the solution.