TritonDataCenter / pkgsrc

NetBSD/pkgsrc fork for our binary package repositories
https://pkgsrc.smartos.org/

openjdk17 is having trouble with SSL #370

Open vkz opened 9 months ago

vkz commented 9 months ago

Affected images:

Likely culprit

openjdk17, but openjdk11 appears to work just fine

Gist of it:

When Java attempts to transfer artifacts from https://repo1.maven.org/maven2/, it gets this error: `javax.net.ssl.SSLException: Received fatal alert: bad_record_mac`

Full Stacktrace

```
Error building classpath. Failed to read artifact descriptor for org.clojure:clojure:jar:1.11.1
org.eclipse.aether.resolution.ArtifactDescriptorException: Failed to read artifact descriptor for org.clojure:clojure:jar:1.11.1
    at org.apache.maven.repository.internal.DefaultArtifactDescriptorReader.loadPom(DefaultArtifactDescriptorReader.java:255)
    at org.apache.maven.repository.internal.DefaultArtifactDescriptorReader.readArtifactDescriptor(DefaultArtifactDescriptorReader.java:171)
    at org.eclipse.aether.internal.impl.DefaultRepositorySystem.readArtifactDescriptor(DefaultRepositorySystem.java:263)
    at clojure.tools.deps.alpha.extensions.maven$read_descriptor.invokeStatic(maven.clj:115)
    at clojure.tools.deps.alpha.extensions.maven$fn__1137.invokeStatic(maven.clj:143)
    at clojure.tools.deps.alpha.extensions.maven$fn__1137.invoke(maven.clj:143)
    at clojure.lang.MultiFn.invoke(MultiFn.java:244)
    at clojure.tools.deps.alpha$expand_deps$children_task__773$fn__775$fn__776.invoke(alpha.clj:405)
    at clojure.tools.deps.alpha.util.concurrent$submit_task$task__481.invoke(concurrent.clj:35)
    at clojure.lang.AFn.call(AFn.java:18)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
    at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: org.eclipse.aether.resolution.ArtifactResolutionException: Could not transfer artifact org.clojure:clojure:pom:1.11.1 from/to central (https://repo1.maven.org/maven2/): Received fatal alert: bad_record_mac
    at org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolve(DefaultArtifactResolver.java:431)
    at org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolveArtifacts(DefaultArtifactResolver.java:235)
    at org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolveArtifact(DefaultArtifactResolver.java:212)
    at org.apache.maven.repository.internal.DefaultArtifactDescriptorReader.loadPom(DefaultArtifactDescriptorReader.java:240)
    ... 13 more
Caused by: org.eclipse.aether.transfer.ArtifactTransferException: Could not transfer artifact org.clojure:clojure:pom:1.11.1 from/to central (https://repo1.maven.org/maven2/): Received fatal alert: bad_record_mac
    at org.eclipse.aether.connector.basic.ArtifactTransportListener.transferFailed(ArtifactTransportListener.java:52)
    at org.eclipse.aether.connector.basic.BasicRepositoryConnector$TaskRunner.run(BasicRepositoryConnector.java:401)
    at org.eclipse.aether.util.concurrency.RunnableErrorForwarder.lambda$wrap$0(RunnableErrorForwarder.java:73)
    at org.eclipse.aether.connector.basic.BasicRepositoryConnector$DirectExecutor.execute(BasicRepositoryConnector.java:669)
    at org.eclipse.aether.connector.basic.BasicRepositoryConnector.get(BasicRepositoryConnector.java:290)
    at org.eclipse.aether.internal.impl.DefaultArtifactResolver.performDownloads(DefaultArtifactResolver.java:520)
    at org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolve(DefaultArtifactResolver.java:408)
    ... 16 more
Caused by: javax.net.ssl.SSLException: Received fatal alert: bad_record_mac
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:133)
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:358)
    at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
    at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:204)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1505)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1420)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:72)
    at org.eclipse.aether.transport.http.HttpTransporter.execute(HttpTransporter.java:359)
    at org.eclipse.aether.transport.http.HttpTransporter.implGet(HttpTransporter.java:294)
    at org.eclipse.aether.spi.connector.transport.AbstractTransporter.get(AbstractTransporter.java:72)
    at org.eclipse.aether.connector.basic.BasicRepositoryConnector$GetTaskRunner.runTask(BasicRepositoryConnector.java:496)
    at org.eclipse.aether.connector.basic.BasicRepositoryConnector$TaskRunner.run(BasicRepositoryConnector.java:396)
    ... 21 more
```

Detailed steps

```
pkgin up
pkgin upgrade
pkgin in clojure
# ^^ depends on openjdk17
# try it
clojure
# or start a repl
clj
```

and you get the above stacktrace.

What happens? Clojure attempts to build classpath and pull packages it needs from Maven Central. Looks to me like Java blows up during SSL handshake or exchange or establishing a protocol.

Just to be sure I confirmed that Maven responds with TLSv1.2:

```
curl -vvvv -k https://repo1.maven.org/maven2/ | head
```

Tried forcing Java's hand with esoteric nonsense like:

```
JAVA_OPTS="-Dhttps.protocols=TLSv1.2 -Djavax.net.debug=all -Djdk.tls.client.protocols=TLSv1.2" && clojure
```

which had no effect whatsoever, so I'm thinking the problem is fundamental to the openjdk17 build.

openjdk11 works or how to fix clojure package

```
$ which clojure
/opt/local/bin/clojure
```

is just a bash script that hardcodes on L181

```
JAVA_CMD=${JAVA_CMD:-$(type -p /opt/local/java/openjdk17/bin/java)}
```

which we can change by hand

```
JAVA_CMD=${JAVA_CMD:-$(type -p /opt/local/java/openjdk11/bin/java)}
```

Now `pkgin in openjdk11` and clojure works.

What are the chances of this being fixed?

I'm new here and don't know how active people are fixing and contributing. What are the chances that openjdk17 gets fixed and subsequent versions become available in packages?

Thank you
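
Added example (not part of the original issue, and not pkgsrc or OpenJDK code): a small triage helper for a trace like the one reported above. It reads the innermost `javax.net.ssl` exception and reports whether the alert was sent by the peer ("Received fatal alert" means the server raised it, and `bad_record_mac` is the alert a TLS peer sends when a record it received fails its integrity check) and whether the failing frames are in the handshake. The function names and the abbreviated sample trace are constructed for illustration.

```shell
#!/bin/sh
# Triage a Java stack trace read on stdin.
# Prints: <origin> <alert> <phase>
#   origin: peer | local_or_unknown | none
#   phase:  handshake | application_data | unknown
classify_tls_alert() {
  awk '
    # Each javax.net.ssl exception line replaces the previous one, so the
    # last (innermost) cause in the chain is the one reported.
    /javax\.net\.ssl\.SSL[A-Za-z]*Exception:/ {
      msg = $0
      sub(/^.*Exception: */, "", msg)
      in_ssl = 1; phase = "unknown"
      next
    }
    # Any other cause ends the frames that belong to the SSL exception.
    /^Caused by:/ { in_ssl = 0 }
    in_ssl && /SSLSocketImpl\.(startHandshake|readHandshakeRecord)/ { phase = "handshake" }
    in_ssl && /SSLSocketImpl\.readApplicationRecord/ && phase == "unknown" { phase = "application_data" }
    END {
      if (msg == "") { print "none - -"; exit }
      origin = "local_or_unknown"; alert = "-"
      # JSSE words an alert that arrived from the other side this way.
      if (msg ~ /^Received fatal alert: /) {
        origin = "peer"
        alert = msg
        sub(/^Received fatal alert: */, "", alert)
      }
      print origin, alert, phase
    }'
}

# Constructed sample: a few lines abbreviated from the trace in the report.
sample_trace() {
  cat <<'EOF'
Error building classpath. Failed to read artifact descriptor for org.clojure:clojure:jar:1.11.1
Caused by: org.eclipse.aether.transfer.ArtifactTransferException: Could not transfer artifact org.clojure:clojure:pom:1.11.1 from/to central (https://repo1.maven.org/maven2/): Received fatal alert: bad_record_mac
    at org.eclipse.aether.connector.basic.ArtifactTransportListener.transferFailed(ArtifactTransportListener.java:52)
Caused by: javax.net.ssl.SSLException: Received fatal alert: bad_record_mac
    at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1420)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
EOF
}

sample_trace | classify_tls_alert   # prints: peer bad_record_mac handshake
```

A result of `peer bad_record_mac handshake` says the server rejected a record the client sent before the handshake completed, which places the investigation on what the client JVM is emitting rather than on the server's response.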