Online refresh with https://www.ssi.gouv.fr/uploads/tl-fr.xml raises [Received fatal alert: protocol_version]

[skribble-freddy]

When deploying and running I got a persistent error in regards to "France" from "EU List of the Trusted Lists"

It seems related to TLS 1.3 (only) at the server side, any hint to fix this?

Here my logs

01-Mar-2023 09:04:25.491 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version name:   Apache Tomcat/9.0.72
01-Mar-2023 09:04:25.493 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built:          Feb 18 2023 09:25:13 UTC
01-Mar-2023 09:04:25.493 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version number: 9.0.72.0
01-Mar-2023 09:04:25.493 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name:               Linux
01-Mar-2023 09:04:25.493 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version:            5.15.49-linuxkit
01-Mar-2023 09:04:25.493 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture:          aarch64
01-Mar-2023 09:04:25.493 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home:             /opt/java/openjdk
01-Mar-2023 09:04:25.493 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version:           17.0.6+10
01-Mar-2023 09:04:25.494 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor:            Eclipse Adoptium
01-Mar-2023 09:04:25.494 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE:         /usr/local/tomcat
01-Mar-2023 09:04:25.494 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME:         /usr/local/tomcat
01-Mar-2023 09:04:25.497 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.lang=ALL-UNNAMED
01-Mar-2023 09:04:25.497 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.io=ALL-UNNAMED
01-Mar-2023 09:04:25.497 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.util=ALL-UNNAMED
01-Mar-2023 09:04:25.497 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.util.concurrent=ALL-UNNAMED
01-Mar-2023 09:04:25.498 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
01-Mar-2023 09:04:25.498 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties
01-Mar-2023 09:04:25.498 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
01-Mar-2023 09:04:25.498 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dhttps.protocols=TLSv1.1,TLSv1.2,TLSv1.3
01-Mar-2023 09:04:25.498 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
01-Mar-2023 09:04:25.498 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
01-Mar-2023 09:04:25.498 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dorg.apache.catalina.security.SecurityListener.UMASK=0027
01-Mar-2023 09:04:25.498 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dignore.endorsed.dirs=
01-Mar-2023 09:04:25.498 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=/usr/local/tomcat
01-Mar-2023 09:04:25.498 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=/usr/local/tomcat
01-Mar-2023 09:04:25.498 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=/usr/local/tomcat/temp
01-Mar-2023 09:04:25.500 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache Tomcat Native library [1.2.36] using APR version [1.7.0].
01-Mar-2023 09:04:25.500 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true], UDS [true].
01-Mar-2023 09:04:25.500 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
01-Mar-2023 09:04:25.502 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 3.0.2 15 Mar 2022]
01-Mar-2023 09:04:25.608 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-8080"]
01-Mar-2023 09:04:25.615 INFO [main] org.apache.catalina.startup.Catalina.load Server initialization in [191] milliseconds
01-Mar-2023 09:04:25.628 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
01-Mar-2023 09:04:25.628 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet engine: [Apache Tomcat/9.0.72]
01-Mar-2023 09:04:25.635 INFO [main] org.apache.catalina.startup.HostConfig.deployWAR Deploying web application archive [/usr/local/tomcat/webapps/ROOT.war]
....
2023-03-01 09:04:39,494  INFO | pool-2-thread-1 | eu.europa.esig.dss.tsl.job.TLValidationJob              | Online refresh is running... 
2023-03-01 09:04:39,495  INFO | pool-2-thread-1 | eu.europa.esig.dss.tsl.job.TLValidationJob              | Running analysis for 1 LOTLSource(s) 
...
2023-03-01 09:04:41,930  INFO | pool-2-thread-1 | eu.europa.esig.dss.tsl.job.TLValidationJob              | Analysis is DONE for 1 LOTLSource(s) 
2023-03-01 09:04:41,934  INFO | pool-2-thread-1 | eu.europa.esig.dss.tsl.job.TLValidationJob              | Running analysis for 33 TLSource(s) 
2023-03-01 09:04:42,456 ERROR | pool-1-thread-14 | eu.europa.esig.dss.tsl.runnable.AbstractAnalysis        | Unable to process GET call for url [https://www.ssi.gouv.fr/uploads/tl-fr.xml]. Reason : [Received fatal alert: protocol_version] 

[bsanchezb]

Hello,

The issue occurs due to FR TLSO update to the version TLSv1.3 of the SSL protocol. You may either enforce the "TLSv1.3" within CommonsDataLoader used in TLValidationJob for online refresh or you may try to update to the freshly released 5.12.RC1 version of DSS. See also #166, DSS-2949, DSS-2948 and ESIGSD-1044 for more information.

Best regards, Aleksandr.

[skribble-freddy]

Hi, thanks for your quick answer.

I adjusted the CommonsDataLoader with TLSv1.3 but now I raises: 2023-03-01 09:42:20,405 ERROR | pool-1-thread-14 | eu.europa.esig.dss.tsl.runnable.AbstractAnalysis | Unable to process GET call for url [https://www.ssi.gouv.fr/uploads/tl-fr.xml]. Reason : [PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

[bsanchezb]

This error means the Java keystore does not trust the SSL certificate from this URL address. You should add the corresponding certificate to the cacerts file within the used JVM. See 11.1.11.1. Java Keystore Management from the documentation for more information how to resolve the problem.

For your convenience I attach the CA certificate you should add to the keystore (archived).

Best regards, Aleksandr.

Certigna_Services_CA.zip

[skribble-freddy]

Ok thanks for your help ! Now "France" is working; great idea to enforce TLS 1.3 and using a Root CAs not by default in the (current) Java Root Stores.

PS: https://www.digst.dk/TSLDKxml seems (temporary) down

[bsanchezb]

I'm glad it helped!

PS: https://www.digst.dk/TSLDKxml seems (temporary) down

Indeed, we are aware about that. Problem is on DK side.

Best regards, Aleksandr.