payara / Payara

Payara Server is an open source middleware platform that supports reliable and secure deployments of Java EE (Jakarta EE) and MicroProfile applications in any environment: on premise, in the cloud or hybrid.
http://www.payara.fish

ssl handshake exception /FISH-314 #4807

Closed eduarddrenth closed 3 years ago

eduarddrenth commented 4 years ago

On payara 5.2020.3

I see: javax.net.ssl.SSLHandshakeException: Received fatal alert: illegal_parameter

when I try to post to https://www.google.com/recaptcha/api/siteverify

I use

org.apache.httpcomponents httpclient 4.5.8

On 5.2020.2 this works.

Regards, Eduard

smillidge commented 4 years ago

Could be a duplicate of https://github.com/payara/Payara/issues/4751 which is a JDK bug

eduarddrenth commented 4 years ago

Right, I'll just wait for that and in the meantime stick to 520202

smillidge commented 4 years ago

There is a workaround: do not use OpenJSSE (i.e. TLS 1.3), or reduce the number of CA certs.

rdebusscher commented 4 years ago

Hi Eduard,

When you use Zulu 8.48, the exception also is gone since that version no longer sends the certificate_authorities extension in the ClientHello message.

For more details, see the comments on #4751.

If the information in that issue doesn't solve your problem, can you give us some more details of your case using a small reproducer and the information around the JDK you are using?

Thanks Best Regards Rudy
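A way to check how large a certificate_authorities list a given trust store would produce, relevant to the "reduce the number of CA certs" workaround above. This is an added diagnostic, not code from the thread, Payara or the JDK; the class name `CaExtensionSize` is hypothetical, and the 65535-byte figure is the list's upper bound in RFC 8446 (`DistinguishedName authorities<3..2^16-1>`), not a threshold stated in this issue.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

/** Added diagnostic (hypothetical class): sizes the DN list a trust store would yield. */
public class CaExtensionSize {
    // RFC 8446 section 4.2.4: DistinguishedName authorities<3..2^16-1>
    static final int MAX_AUTHORITIES_BYTES = 65535;

    /** Bytes needed for every trusted subject DN, each with its 2-byte length prefix. */
    static int authoritiesBytes(KeyStore trustStore) throws Exception {
        int total = 0;
        for (String alias : Collections.list(trustStore.aliases())) {
            Certificate cert = trustStore.getCertificate(alias);
            if (cert instanceof X509Certificate) {
                // DER-encoded subject name, as it would appear in the extension
                byte[] dn = ((X509Certificate) cert).getSubjectX500Principal().getEncoded();
                total += 2 + dn.length;
            }
        }
        return total;
    }

    public static void main(String[] args) throws Exception {
        // Usage: java CaExtensionSize <truststore path> [password]
        String path = args[0];
        // A null password skips the integrity check, which is enough for reading a JKS file
        char[] password = args.length > 1 ? args[1].toCharArray() : null;
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        int bytes = authoritiesBytes(ks);
        System.out.printf("%d entries, %d bytes of DistinguishedName data (protocol maximum %d)%n",
                ks.size(), bytes, MAX_AUTHORITIES_BYTES);
        if (bytes > MAX_AUTHORITIES_BYTES) {
            System.out.println("The list cannot fit in one certificate_authorities extension; trim the trust store.");
        }
    }
}
```

Point it at the file named by `-Djavax.net.ssl.trustStore` in the server's command line to see how much the CA list contributes to the ClientHello.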

eduarddrenth commented 4 years ago

Thanks, I'll just stick to 5.2020.2 until 5.202.4 is out. Or will there be a hotfix in payara docker 5.2020.3?

rdebusscher commented 4 years ago

Hi Eduard,

The discussion in issue #4751 is not related to Payara but the JDK. So there will be no hotfix.

Did you just update your version from 5.2020.2 to 5.2020.3? If that is the case, there might be another issue and more information is required to find the cause of it.

Rudy

eduarddrenth commented 4 years ago

After updating to 5.2020.3 from .2 I get this stacktrace:

javax.net.ssl.SSLHandshakeException: Received fatal alert: illegal_parameter
    at org.openjsse.sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at org.openjsse.sun.security.ssl.Alert.createSSLException(Alert.java:117)
    at org.openjsse.sun.security.ssl.TransportContext.fatal(TransportContext.java:339)
    at org.openjsse.sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
    at org.openjsse.sun.security.ssl.TransportContext.dispatch(TransportContext.java:212)
    at org.openjsse.sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
    at org.openjsse.sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1168)
    at org.openjsse.sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1079)
    at org.openjsse.sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:418)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:374)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
    at org.fryske_akademy.oat.jsf.ContactController.verstuur(ContactController.java:117)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at javax.el.ELUtil.invokeMethod(ELUtil.java:239)
    at javax.el.BeanELResolver.invoke(BeanELResolver.java:440)
    at javax.el.CompositeELResolver.invoke(CompositeELResolver.java:198)
    at com.sun.el.parser.AstValue.invoke(AstValue.java:257)
    at com.sun.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:237)
    at org.jboss.weld.module.web.util.el.ForwardingMethodExpression.invoke(ForwardingMethodExpression.java:40)
    at org.jboss.weld.module.web.el.WeldMethodExpression.invoke(WeldMethodExpression.java:50)
    at com.sun.faces.facelets.el.TagMethodExpression.invoke(TagMethodExpression.java:65)
    at javax.faces.event.MethodExpressionActionListener.processAction(MethodExpressionActionListener.java:124)
    at javax.faces.event.ActionEvent.processListener(ActionEvent.java:72)
    at javax.faces.component.UIComponentBase.broadcast(UIComponentBase.java:490)
    at javax.faces.component.UICommand.broadcast(UICommand.java:211)
    at javax.faces.component.UIViewRoot.broadcastEvents(UIViewRoot.java:847)
    at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:1396)
    at com.sun.faces.lifecycle.InvokeApplicationPhase.execute(InvokeApplicationPhase.java:58)
    at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:76)
    at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:177)
    at javax.faces.webapp.FacesServlet.executeLifecyle(FacesServlet.java:707)
    at javax.faces.webapp.FacesServlet.service(FacesServlet.java:451)
    at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1636)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:259)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161)
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:757)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:577)
    at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:99)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:158)
    at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:371)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:238)
    at com.sun.enterprise.v3.services.impl.ContainerMapper$HttpHandlerCallable.call(ContainerMapper.java:520)
    at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:217)
    at org.glassfish.grizzly.http.server.HttpHandler.runService(HttpHandler.java:182)
    at org.glassfish.grizzly.http.server.HttpHandler.doHandle(HttpHandler.java:156)
    at org.glassfish.grizzly.http.server.HttpServerFilter.handleRead(HttpServerFilter.java:218)
    at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:95)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:260)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:177)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:109)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:88)
    at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:53)
    at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:524)
    at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:89)
    at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:94)
    at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:33)
    at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:114)
    at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:569)
    at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:549)
    at java.lang.Thread.run(Thread.java:748)

From startup log:

[Entrypoint] running /opt/payara/scripts/init_1_generate_deploy_commands.sh

[Entrypoint] ignoring /opt/payara/scripts/init.d/*

Executing Payara Server with the following command line: /usr/lib/jvm/zulu-8-amd64/bin/java -cp /opt/payara/appserver/glassfish/modules/glassfish.jar -DLDAPHOST=..... -Dtoken1= -Dtoken2= -Dtoken3= -XX:+UnlockDiagnosticVMOptions -XX:MetaspaceSize=256m -XX:+UseStringDeduplication -XX:MaxMetaspaceSize=2g -XX:+UseContainerSupport -XX:MaxRAMPercentage=70.0 -XX:+UseG1GC -XX:MaxGCPauseMillis=500 -XX:+UseOpenJSSE -Xbootclasspath/a:/opt/payara/appserver/glassfish/lib/grizzly-npn-api.jar -Xss512k -javaagent:/opt/payara/appserver/glassfish/lib/monitor/flashlight-agent.jar -Djavax.xml.accessExternalSchema=all -Djava.security.auth.login.config=/opt/payara/appserver/glassfish/domains/production/config/login.conf -Djavax.net.ssl.trustStore=/opt/payara/appserver/glassfish/domains/production/config/cacerts.jks -Dorg.glassfish.grizzly.DEFAULT_MEMORY_MANAGER=org.glassfish.grizzly.memory.HeapMemoryManager -Djdk.tls.rejectClientInitiatedRenegotiation=true -Djdk.corba.allowOutputStreamSubclass=true -Dcom.sun.aas.instanceRoot=/opt/payara/appserver/glassfish/domains/production -Dcom.sun.aas.installRoot=/opt/payara/appserver/glassfish -Djava.security.policy=/opt/payara/appserver/glassfish/domains/production/config/server.policy -Dorg.jboss.weld.serialization.beanIdentifierIndexOptimization=false -Djava.endorsed.dirs=/opt/payara/appserver/glassfish/modules/endorsed:/opt/payara/appserver/glassfish/lib/endorsed -Dcom.sun.enterprise.config.config_environment_factory_class=com.sun.enterprise.config.serverbeans.AppserverConfigEnvironmentFactory -DANTLR_USE_DIRECT_CLASS_LOADING=true -Djava.awt.headless=true -Djava.ext.dirs=/usr/lib/jvm/zulu-8-amd64/lib/ext:/usr/lib/jvm/zulu-8-amd64/jre/lib/ext:/opt/payara/appserver/glassfish/domains/production/lib/ext -Djdbc.drivers=org.h2.Driver -Dorg.glassfish.grizzly.nio.DefaultSelectorHandler.force-selector-spin-detection=true -Djavax.net.ssl.keyStore=/opt/payara/appserver/glassfish/domains/production/config/keystore.jks 
-Djava.library.path=/opt/payara/appserver/glassfish/lib:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib com.sun.enterprise.glassfish.bootstrap.ASMain -prebootcommandfile /opt/payara/config/pre-boot-commands.asadmin -upgrade false -read-stdin true -postbootcommandfile /opt/payara/config/post-boot-commands.asadmin -domainname production -domaindir /opt/payara/appserver/glassfish/domains/production -asadmin-args --host,,,localhost,,,--port,,,4848,,,--user,,,admin,,,--passwordfile,,,/run/secrets/master,,,--secure=false,,,--terse=false,,,--extraterse=false,,,--echo=false,,,--interactive=false,,,--autoname=false,,,start-domain,,,--verbose=false,,,--watchdog=false,,,--debug=false,,,--domaindir,,,/opt/payara/appserver/glassfish/domains,,,production -instancename server -type DAS -verbose false -asadmin-classpath /opt/payara/appserver/glassfish/lib/client/appserver-cli.jar -debug false -asadmin-classname com.sun.enterprise.admin.cli.AdminMain -watchdog false

Launching Payara Server on Felix platform

From JVM report:

Operating System Information:
Name of the Operating System: Linux
Binary Architecture name of the Operating System: amd64, Version: 4.18.0-1024-azure
Number of processors available on the Operating System: 8
System load on the available processors for the last minute: 0.61. (Sum of running and queued runnable entities per minute)

General Java Runtime Environment Information for the VM: 7@07db51065766
JRE ClassPath: /opt/payara/appserver/glassfish/modules/glassfish.jar:/opt/payara/appserver/glassfish/lib/monitor/flashlight-agent.jar
JRE Native Library Path: /opt/payara/appserver/glassfish/lib:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
JRE name: OpenJDK 64-Bit Server VM Vendor: Azul Systems, Inc. Version: 25.252-b14

smillidge commented 4 years ago

Not sure what your JDK version is, but from #4751 you need Zulu 8u262.

eduarddrenth commented 4 years ago

JDK version is from docker payara full 5.2020.3:

openjdk version "1.8.0_252"
OpenJDK Runtime Environment (Zulu 8.46.0.19-CA-linux64) (build 1.8.0_252-b14)
OpenJDK 64-Bit Server VM (Zulu 8.46.0.19-CA-linux64) (build 25.252-b14, mixed mode)

I know about #4751 and already decided to postpone updating until 2020.4 is out, which will use a higher jdk version I assume. This issue was reopened because apparently jdk might not be the cause, see https://github.com/payara/Payara/issues/4807#issuecomment-665053298. I do think jdk from docker 2020.3 is the cause.

For me it is perfectly ok to close this issue.

smillidge commented 4 years ago

Ah, OK. I will leave it open until we upgrade the docker JDK version.

rdebusscher commented 4 years ago

Hi Eduard,

I could reproduce the problem and we are making sure this will be fixed in the next release 5.2020.4.

Thanks for the information and for reporting this.

Regards Rudy

eduarddrenth commented 4 years ago

Way to go! Wonderful

fturizo commented 3 years ago

Fixed as part of release 5.2020.4

eduarddrenth commented 3 years ago

Thanks, 5.2020.4 runs fine!