Closed eduarddrenth closed 3 years ago
Could be a duplicate of https://github.com/payara/Payara/issues/4751 which is a JDK bug
Right, I'll just wait for that and in the meantime stick to 520202.
There is a workaround to not use OpenJSSE i.e. TLS 1.3 or reduce the number of CA certs.
Hi Eduard,
When you use Zulu 8.48, the exception is also gone, since that version no longer sends the certificate_authorities extension in the ClientHello message.
For more details, see the comments on #4751.
If the information in that issue doesn't solve your problem, can you give us some more details of your case using a small reproducer and the information around the JDK you are using?
Thanks Best Regards Rudy
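A way to see whether the "reduce the number of CA certs" workaround is relevant for a given trust store, as an added example that is not code from this thread or from the Payara project: it sums the size of the DistinguishedName list that a certificate_authorities extension built from every trusted certificate would carry, which RFC 8446 section 4.2.4 caps at 2^16-1 bytes. That the list size is the deciding factor is an assumption drawn from the workaround mentioned above; the class name, the argument handling and the `changeit` default password are assumptions as well.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class CaExtensionSize {
    // RFC 8446 section 4.2.4: the DistinguishedName list holds at most 2^16-1 bytes.
    static final int MAX_LIST_BYTES = 65535;

    /** Size of the DN list: every DER-encoded subject is preceded by a 2-byte length. */
    static int dnListBytes(KeyStore ks) throws Exception {
        int total = 0;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);
            // Assumption: only trusted-certificate entries are counted as CAs.
            if (ks.isCertificateEntry(alias) && cert instanceof X509Certificate) {
                byte[] dn = ((X509Certificate) cert).getSubjectX500Principal().getEncoded();
                total += 2 + dn.length;
            }
        }
        return total;
    }

    public static void main(String[] args) throws Exception {
        // Assumption: store path and password come from the arguments, falling back to
        // the javax.net.ssl.trustStore property and the stock "changeit" password.
        String path = args.length > 0 ? args[0] : System.getProperty("javax.net.ssl.trustStore");
        if (path == null) {
            System.err.println("usage: java CaExtensionSize <truststore> [password]");
            System.exit(2);
        }
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        int bytes = dnListBytes(ks);
        System.out.printf("entries=%d dnListBytes=%d limit=%d%n", ks.size(), bytes, MAX_LIST_BYTES);
        if (bytes > MAX_LIST_BYTES) {
            System.out.println("DN list does not fit in one certificate_authorities extension");
        }
    }
}
```

Run it against the store named by `-Djavax.net.ssl.trustStore` in the server's command line, before and after pruning CA entries, to compare the two sizes.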
Thanks, I'll just stick to 5.2020.2 until 5.202.4 is out. Or will there be a hotfix in payara docker 5.2020.3?
Hi Eduard,
The discussion in issue #4751 is not related to Payara but the JDK. So there will be no hotfix.
Did you just update your version from 5.2020.2 to 5.2020.3? If that is the case, there might be another issue and more information is required to find the cause of it.
Rudy
After updating to 5.2020.3 from .2 I get this stacktrace:
javax.net.ssl.SSLHandshakeException: Received fatal alert: illegal_parameter
    at org.openjsse.sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at org.openjsse.sun.security.ssl.Alert.createSSLException(Alert.java:117)
    at org.openjsse.sun.security.ssl.TransportContext.fatal(TransportContext.java:339)
    at org.openjsse.sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
    at org.openjsse.sun.security.ssl.TransportContext.dispatch(TransportContext.java:212)
    at org.openjsse.sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
    at org.openjsse.sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1168)
    at org.openjsse.sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1079)
    at org.openjsse.sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:418)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:374)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
    at org.fryske_akademy.oat.jsf.ContactController.verstuur(ContactController.java:117)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at javax.el.ELUtil.invokeMethod(ELUtil.java:239)
    at javax.el.BeanELResolver.invoke(BeanELResolver.java:440)
    at javax.el.CompositeELResolver.invoke(CompositeELResolver.java:198)
    at com.sun.el.parser.AstValue.invoke(AstValue.java:257)
    at com.sun.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:237)
    at org.jboss.weld.module.web.util.el.ForwardingMethodExpression.invoke(ForwardingMethodExpression.java:40)
    at org.jboss.weld.module.web.el.WeldMethodExpression.invoke(WeldMethodExpression.java:50)
    at com.sun.faces.facelets.el.TagMethodExpression.invoke(TagMethodExpression.java:65)
    at javax.faces.event.MethodExpressionActionListener.processAction(MethodExpressionActionListener.java:124)
    at javax.faces.event.ActionEvent.processListener(ActionEvent.java:72)
    at javax.faces.component.UIComponentBase.broadcast(UIComponentBase.java:490)
    at javax.faces.component.UICommand.broadcast(UICommand.java:211)
    at javax.faces.component.UIViewRoot.broadcastEvents(UIViewRoot.java:847)
    at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:1396)
    at com.sun.faces.lifecycle.InvokeApplicationPhase.execute(InvokeApplicationPhase.java:58)
    at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:76)
    at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:177)
    at javax.faces.webapp.FacesServlet.executeLifecyle(FacesServlet.java:707)
    at javax.faces.webapp.FacesServlet.service(FacesServlet.java:451)
    at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1636)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:259)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161)
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:757)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:577)
    at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:99)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:158)
    at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:371)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:238)
    at com.sun.enterprise.v3.services.impl.ContainerMapper$HttpHandlerCallable.call(ContainerMapper.java:520)
    at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:217)
    at org.glassfish.grizzly.http.server.HttpHandler.runService(HttpHandler.java:182)
    at org.glassfish.grizzly.http.server.HttpHandler.doHandle(HttpHandler.java:156)
    at org.glassfish.grizzly.http.server.HttpServerFilter.handleRead(HttpServerFilter.java:218)
    at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:95)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:260)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:177)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:109)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:88)
    at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:53)
    at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:524)
    at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:89)
    at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:94)
    at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:33)
    at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:114)
    at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:569)
    at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:549)
    at java.lang.Thread.run(Thread.java:748)
From startup log:
[Entrypoint] running /opt/payara/scripts/init_1_generate_deploy_commands.sh
[Entrypoint] ignoring /opt/payara/scripts/init.d/*
Executing Payara Server with the following command line: /usr/lib/jvm/zulu-8-amd64/bin/java -cp /opt/payara/appserver/glassfish/modules/glassfish.jar -DLDAPHOST=..... -Dtoken1= -Dtoken2= -Dtoken3= -XX:+UnlockDiagnosticVMOptions -XX:MetaspaceSize=256m -XX:+UseStringDeduplication -XX:MaxMetaspaceSize=2g -XX:+UseContainerSupport -XX:MaxRAMPercentage=70.0 -XX:+UseG1GC -XX:MaxGCPauseMillis=500 -XX:+UseOpenJSSE -Xbootclasspath/a:/opt/payara/appserver/glassfish/lib/grizzly-npn-api.jar -Xss512k -javaagent:/opt/payara/appserver/glassfish/lib/monitor/flashlight-agent.jar -Djavax.xml.accessExternalSchema=all -Djava.security.auth.login.config=/opt/payara/appserver/glassfish/domains/production/config/login.conf -Djavax.net.ssl.trustStore=/opt/payara/appserver/glassfish/domains/production/config/cacerts.jks -Dorg.glassfish.grizzly.DEFAULT_MEMORY_MANAGER=org.glassfish.grizzly.memory.HeapMemoryManager -Djdk.tls.rejectClientInitiatedRenegotiation=true -Djdk.corba.allowOutputStreamSubclass=true -Dcom.sun.aas.instanceRoot=/opt/payara/appserver/glassfish/domains/production -Dcom.sun.aas.installRoot=/opt/payara/appserver/glassfish -Djava.security.policy=/opt/payara/appserver/glassfish/domains/production/config/server.policy -Dorg.jboss.weld.serialization.beanIdentifierIndexOptimization=false -Djava.endorsed.dirs=/opt/payara/appserver/glassfish/modules/endorsed:/opt/payara/appserver/glassfish/lib/endorsed -Dcom.sun.enterprise.config.config_environment_factory_class=com.sun.enterprise.config.serverbeans.AppserverConfigEnvironmentFactory -DANTLR_USE_DIRECT_CLASS_LOADING=true -Djava.awt.headless=true -Djava.ext.dirs=/usr/lib/jvm/zulu-8-amd64/lib/ext:/usr/lib/jvm/zulu-8-amd64/jre/lib/ext:/opt/payara/appserver/glassfish/domains/production/lib/ext -Djdbc.drivers=org.h2.Driver -Dorg.glassfish.grizzly.nio.DefaultSelectorHandler.force-selector-spin-detection=true -Djavax.net.ssl.keyStore=/opt/payara/appserver/glassfish/domains/production/config/keystore.jks 
-Djava.library.path=/opt/payara/appserver/glassfish/lib:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib com.sun.enterprise.glassfish.bootstrap.ASMain -prebootcommandfile /opt/payara/config/pre-boot-commands.asadmin -upgrade false -read-stdin true -postbootcommandfile /opt/payara/config/post-boot-commands.asadmin -domainname production -domaindir /opt/payara/appserver/glassfish/domains/production -asadmin-args --host,,,localhost,,,--port,,,4848,,,--user,,,admin,,,--passwordfile,,,/run/secrets/master,,,--secure=false,,,--terse=false,,,--extraterse=false,,,--echo=false,,,--interactive=false,,,--autoname=false,,,start-domain,,,--verbose=false,,,--watchdog=false,,,--debug=false,,,--domaindir,,,/opt/payara/appserver/glassfish/domains,,,production -instancename server -type DAS -verbose false -asadmin-classpath /opt/payara/appserver/glassfish/lib/client/appserver-cli.jar -debug false -asadmin-classname com.sun.enterprise.admin.cli.AdminMain -watchdog false
Launching Payara Server on Felix platform
From JVM report:
Operating System Information:
Name of the Operating System: Linux
Binary Architecture name of the Operating System: amd64, Version: 4.18.0-1024-azure
Number of processors available on the Operating System: 8
System load on the available processors for the last minute: 0.61. (Sum of running and queued runnable entities per minute)
General Java Runtime Environment Information for the VM: 7@07db51065766
JRE ClassPath: /opt/payara/appserver/glassfish/modules/glassfish.jar:/opt/payara/appserver/glassfish/lib/monitor/flashlight-agent.jar
JRE Native Library Path: /opt/payara/appserver/glassfish/lib:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
JRE name: OpenJDK 64-Bit Server VM Vendor: Azul Systems, Inc. Version: 25.252-b14
Not sure what your JDK version is, but from #4751 you need Zulu 8u262.
JDK version is from docker payara full 5.2020.3:
openjdk version "1.8.0_252"
OpenJDK Runtime Environment (Zulu 8.46.0.19-CA-linux64) (build 1.8.0_252-b14)
OpenJDK 64-Bit Server VM (Zulu 8.46.0.19-CA-linux64) (build 25.252-b14, mixed mode)
I know about #4751 and already decided to postpone updating until 2020.4 is out, which will use a higher jdk version I assume. This issue was reopened because apparently jdk might not be the cause, see https://github.com/payara/Payara/issues/4807#issuecomment-665053298. I do think jdk from docker 2020.3 is the cause.
For me it is perfectly ok to close this issue.
Ah, OK. I will leave open until we upgrade the docker JDK version.
Hi Eduard,
I could reproduce the problem and we are making sure this will be fixed in the next release 5.2020.4.
Thanks for the information and for reporting this.
Regards Rudy
Way to go! Wonderful!
Fixed as part of release 5.2020.4
Thanks, 5.2020.4 runs fine!
On payara 5.2020.3
I see: javax.net.ssl.SSLHandshakeException: Received fatal alert: illegal_parameter
when I try to post to https://www.google.com/recaptcha/api/siteverify
I use
On 5.2020.2 this works.
Regards, Eduard