Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

TLS fails with jdk 8u191 #3284

Closed
SammyA opened this issue Oct 17, 2018 · 25 comments · Fixed by #3357
Closed

TLS fails with jdk 8u191 #3284

SammyA opened this issue Oct 17, 2018 · 25 comments · Fixed by #3357
Assignees
Labels
Type: Bug Label issue as a bug defect
Milestone

Comments

@SammyA
Copy link

SammyA commented Oct 17, 2018

TLS connections fail with oracle jdk 8u191


TLS connections (for example: https-listener, jdbc connection pool using tls (mysql/postgresql)) fail using oracle jdk 8u191. No problems when using 8u181.

Expected Outcome

curl --insecure https://localhost:8181

should present the payara index page.

Current Outcome

curl return an error. Payara logs the following stack trace:

[2018-10-17T15:20:32.654+0200] [Payara 5.183] [WARNING] [] [org.glassfish.grizzly.filterchain.DefaultFilterChain] [tid: _ThreadID=94 _ThreadName=http-thread-pool::http-listener-2(1)] [timeMillis: 1539782432654] [levelValue: 900] [[
  GRIZZLY0013: Exception during FilterChain execution
java.lang.NoSuchMethodError: sun.security.ssl.SSLSessionImpl.<init>(Lsun/security/ssl/ProtocolVersion;Lsun/security/ssl/CipherSuite;Ljava/util/Collection;Ljava/security/SecureRandom;Ljava/lang/String;IZ)V
        at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:862)
        at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:245)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1077)
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:1017)
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:1014)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1497)
        at org.glassfish.grizzly.ssl.SSLUtils.executeDelegatedTask(SSLUtils.java:250)
        at org.glassfish.grizzly.ssl.SSLBaseFilter.doHandshakeStep(SSLBaseFilter.java:683)
        at org.glassfish.grizzly.ssl.SSLBaseFilter.doHandshakeStep(SSLBaseFilter.java:598)
        at org.glassfish.grizzly.ssl.SSLBaseFilter.handleRead(SSLBaseFilter.java:310)
        at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:95)
        at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:260)
        at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:177)
        at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:109)
        at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:88)
        at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:53)
        at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:524)
        at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:89)
        at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:94)
        at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:33)
        at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:114)
        at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:569)
        at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:549)
        at java.lang.Thread.run(Thread.java:748)
]]

Steps to reproduce

1 - export JAVA_HOME=/path/to/oracle-jdk8u191
2 - ./asadmin start-domain payaradomain
3 - curl --insecure https://localhost:8181/

Environment

  • Payara Version: 5.183
  • Edition: Full
  • JDK Version: Oracle jdk 8u191
  • Operating System: Linux
@andreasernst
Copy link

andreasernst commented Oct 18, 2018

Also the web interface at port 4848 fails and the redeploy with asadmin:

java.lang.NoSuchMethodError: sun.security.ssl.SSLSessionImpl.(Lsun/security/ssl/ProtocolVersion;Lsun/security/ssl/CipherSuite;Ljava/util/Collection;Ljava/security/SecureRandom;Ljava/lang/String;IZ)V
[....]

/opt/payara/payara-5.183/bin/asadmin redeploy [....]
NCLS-ADMIN-00010
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
Command redeploy failed.

This error with Glassfish:
oracle/docker-images#727

@ringmaster217
Copy link

ringmaster217 commented Oct 19, 2018

I am also seeing this error with OpenJDK 8u191. It works fine on 8u181, but throws the above error after upgrading to 8u191. I'm also using Payara Full Server 5.183 on Linux.

@pzygielo
Copy link
Contributor

Perhaps change like that in constructor of SSLSessionImpl has to be cared of in grizzly-npn (again, see javaee/grizzly-npn#5 for previous case) .

@smillidge
Copy link
Contributor

Yes it will be a Grizzly npn error. Grizzly is now part of Jakarta EE at the Eclipse Foundation

@smillidge smillidge added this to the Payara 5.184 milestone Oct 19, 2018
@smillidge
Copy link
Contributor

If you don't care about HTTP/2 the Grizzly npn jar can be removed from the bootclasspath from your Payara startup options as a workaround.

@RejDev
Copy link

RejDev commented Oct 20, 2018

Hello,
the problem is that Glassfish embeds an old version of the SUN implementation (sun.security.ssl.SSLSessionImpl)

I found a solution to solve the problem temporarily.

1) go to path : $JDK_HOME$ /jre/lib/
1.1) copy this file : /jsse.jar

2) go to path : $PAYARA5_INSTALL$/glassfish/lib/
2.1) backup : grizzly-npn-bootstrap.jar

3) open "jsse.jar" with an archive editor
3.1) go to path (in archive) : sun/security/ssl
3.2) extract folder "ssl"

4) open "grizzly-npn-bootstrap.jar" with an archive editor
4.1) merge the "ssl" folder extracted from the "jsse.jar" archive with the "ssl" folder
       into "grizzly-npn-bootstrap.jar", overwriting the files with the same name

5) restart payara.
and normally everything works properly

if you want, I can upload a patched version of the file ("grizzly-npn-bootstrap.jar")

Have a good day..

@smillidge
Copy link
Contributor

Thanks for that. However this will stop HTTP2 from working. What Grizzly npn does is enable alpn for SSL on JDK8. It would be easier just to remove the grizzly npn jar from the bootclasspath.

We will develop a patch before the 184 release

@TeroPihlaja
Copy link

Probably the easiest way to reproduce this issue is to enable secure admin and see if Payara starts. We are also seeing this issue with Jdk 8u191.

@MattGill98 MattGill98 added Type: Bug Label issue as a bug defect v:Payara-5 and removed try to reproduce labels Nov 1, 2018
@MattGill98 MattGill98 self-assigned this Nov 1, 2018
@MattGill98
Copy link
Contributor

Hi all,

Thank you for the discussion on this issue. Just to clarify the status of this to the best of my understanding, there's an upstream issue (eclipse-ee4j/grizzly-npn#8) to track this issue, as well as internal issue PAYARA-3196 to fix it. This will most likely involve pulling in the upstream changes linked in that issue when they are made.

Kind regards,

Matt

@MattGill98
Copy link
Contributor

Hi all,

An update to this issue: it has been fixed in the referenced PR above. I'll close this issue, although feel free to reopen it if you find any issues with the fix.

Kind regards,

Matt

@pioneer2k
Copy link

Looks like this fix is only working for JDK 8u191, so the Payara Docker Image is not working anymore, because it comes with JDK 8u181. See: https://github.com/payara/docker-payaraserver-full/issues/56

@rpdeadly
Copy link

rpdeadly commented Nov 8, 2018

I'm running the latest Payara 5.184-SNAPSHOT with Java version 1.8.0_191-b12 and I still see this error.

@MattGill98
Copy link
Contributor

Hi,

We're working internally on this to find the best solution. I'll update you when the status of this issue changes.

Kind regards,

Matt

@MattGill98 MattGill98 reopened this Nov 8, 2018
@deratzmann
Copy link

Hi. We have the same issue.
We figured out (maybe you already know that) that this commit from openjdk8:
docker-library/openjdk@7a33416#diff-e29295585240d6f18a944f2a83a10505
leads to this problem.

We are using openjdk:8-jdk-slim with a extracted payara-5.182.

@lipnitsk
Copy link

Seems related also: jetty-project/jetty-alpn#22

@MattGill98
Copy link
Contributor

Hi all,

This should have been fixed by #3414. I'll close this issue, but let me know if any other issues are caused by it and I'll be happy to reopen it.

Cheers,

Matt

@fabide
Copy link

fabide commented Nov 27, 2018

hey there,
I just tried to install payara 5.184 on debian 9.6 with openjdk 1.8.0_181 and run in the same issue when tried to curl --insecure https://localhost:8181.

[2018-11-27T16:44:58.692+0100] [Payara 5.184] [WARNING] [] [org.glassfish.grizzly.filterchain.DefaultFilterChain] [tid: _ThreadID=34 _ThreadName=http-thread-pool::http-listener-2(1)] [timeMillis: 1543333498692] [levelValue: 900] [[
  GRIZZLY0013: Exception during FilterChain execution
java.lang.NoSuchMethodError: sun.security.ssl.SSLSessionImpl.<init>(Lsun/security/ssl/ProtocolVersion;Lsun/security/ssl/CipherSuite;Ljava/util/Collection;Ljava/security/SecureRandom;Ljava/lang/String;IZ)V
        at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:862)
        at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:245)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1077)
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:1017)
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:1014)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1497)
        at org.glassfish.grizzly.ssl.SSLUtils.executeDelegatedTask(SSLUtils.java:250)
        at org.glassfish.grizzly.ssl.SSLBaseFilter.doHandshakeStep(SSLBaseFilter.java:683)
        at org.glassfish.grizzly.ssl.SSLBaseFilter.doHandshakeStep(SSLBaseFilter.java:598)
        at org.glassfish.grizzly.ssl.SSLBaseFilter.handleRead(SSLBaseFilter.java:310)
        at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:95)
        at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:260)
        at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:177)
        at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:109)
        at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:88)
        at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:53)
        at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:524)
        at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:89)
        at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:94)
        at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:33)
        at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:114)
        at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:569)
        at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:549)
        at java.lang.Thread.run(Thread.java:748)
]]

after enabling DAS it is not starting as well like discribed in #2661

@MattGill98
Copy link
Contributor

Hi @fabide,

This is caused by using an old domain.xml with the 5.184 release. The new release contains domain.xml flags to avoid this issue. See this PR for the JVM arguments required to address this error.

Kind regards,

Matt

@IchBin
Copy link

IchBin commented Dec 14, 2018

Just downloaded 5.184 yesterday and ran into this error. I verified that the lines in the PR request listed here were there. I was still getting the error until I removed all the version numbers and only left in the line for the version that I was using.
-Xbootclasspath/p:${com.sun.aas.installRoot}/lib/grizzly-npn-bootstrap-1.8.1.jar

Not sure why this wasn't working for me.

-- added Dec 17 --
Seems to have broken SSL for debug
Exception during FilterChain execution
java.lang.NoClassDefFoundError: sun/security/ssl/HandshakeStateManager

@the-antz
Copy link

the-antz commented Dec 17, 2018

I have the same issue with the docker image of 5.184. The image only works because it's based on an old java version (openjdk:8u171-jdk instead of openjdk:8-jdk as in 5.183). Not sure if this change was supposed to make it into the release or if it was just a temporary workaround.

Only way I was able to fix it was by deleting all the grizzly-npn-bootstrap* libs.

@banifou
Copy link

banifou commented May 15, 2020

I have the same problem with openjdk version "1.8.0_252" and payara 5201.
Incredible that this issue still haven't been fixed.

@smillidge
Copy link
Contributor

The issue has been fixed. Especially the one you have commented on.

@banifou
Copy link

banifou commented May 15, 2020

Should I open a new issue? And just change the version number?

@smillidge
Copy link
Contributor

No because there already has been issues here #4623 #4625 #4642 and #4649 and was fixed in #4656

@banifou
Copy link

banifou commented May 15, 2020

Yes, it is working! Thank you so much for leading me to the solution.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Type: Bug Label issue as a bug defect
Projects
None yet
Development

Successfully merging a pull request may close this issue.