Describe the bug
I run a Quarkus application with the MSSQL extension in a FIPS-enabled environment with Red Hat OpenJDK 17, and encrypted communication is always forced, even though I disable it. That seems appropriate, as the official Microsoft SQL Server 2022 docs suggest that encrypted communication should be used in a FIPS-enabled environment: https://learn.microsoft.com/en-us/sql/connect/jdbc/fips-mode?view=sql-server-ver16. However, even when I configure everything according to the SQL Server FIPS docs, the SSL handshake times out.
I expected the issue to be in my setup or certs, but I use the SHA256WithRSAEncryption signature algorithm, and then there is OpenJDK 21. I run the app with the latest Red Hat OpenJDK 21, and both the connection that trusts server certificates and the stricter setup with a PKCS12 truststore and verified hostname work. I've verified the logged SSL handshake, certs etc.
I run the tests on RHEL 8.9, therefore FIPS mode is enabled automatically with Red Hat OpenJDK 21.
Expected behavior
I am actually confused why this behavior is OpenJDK-specific and don't understand why my setup doesn't work with OpenJDK 17. It works with OpenJDK 21:
13:00:09,036 INFO [app] 13:00:07,236 TDSChannel (ConnectionID:1) Enabling SSL...
13:00:09,036 INFO [app] 13:00:07,237 TDSChannel (ConnectionID:1) SSL handshake will validate server certificate
13:00:09,036 INFO [app] 13:00:07,270 X509Certificate: Alg:SHA256withRSA, Serial:f0daa261c60, Subject:CN=localhost, Issuer:CN=localhost, Key type:RSA, Length:2048, Cert Id:3076419420, Valid from:5/20/24, 12:59 PM, Valid until:5/24/24, 12:59 PM
13:00:09,036 INFO [app] 13:00:07,328 TDSChannel (ConnectionID:1) Starting SSL handshake
13:00:09,036 INFO [app] 13:00:07,374 X509Certificate: Alg:SHA256withRSA, Serial:f0daa261c60, Subject:CN=localhost, Issuer:CN=localhost, Key type:RSA, Length:2048, Cert Id:3076419420, Valid from:5/20/24, 12:59 PM, Valid until:5/24/24, 12:59 PM
13:00:09,036 INFO [app] 13:00:07,401 TLSHandshake: localhost:32788, TLSv1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 3076419420
13:00:09,036 INFO [app] 13:00:07,402 TDSChannel (ConnectionID:1) SSL enabled
13:00:09,036 INFO [app] 13:00:07,418 ConnectionID:1 ClientConnectionId: 36417244-0c5d-4281-b2d8-b49bfe9e45c1 Network packet size is 8000 bytes
13:00:09,036 INFO [app] 13:00:07,418 ConnectionID:1 ClientConnectionId: 36417244-0c5d-4281-b2d8-b49bfe9e45c1 Received feature extension acknowledgement for AE.
13:00:09,036 INFO [app] 13:00:07,418 ConnectionID:1 ClientConnectionId: 36417244-0c5d-4281-b2d8-b49bfe9e45c1 Received feature extension acknowledgement for Data Classification.
13:00:09,036 INFO [app] 13:00:07,418 ConnectionID:1 ClientConnectionId: 36417244-0c5d-4281-b2d8-b49bfe9e45c1 Received feature extension acknowledgement for UTF8 support.
13:00:09,036 INFO [app] 13:00:07,419 ConnectionID:1 ClientConnectionId: 36417244-0c5d-4281-b2d8-b49bfe9e45c1 Received feature extension acknowledgement for Azure SQL DNS Caching.
13:00:09,036 INFO [app] 13:00:07,419 ConnectionID:1 ClientConnectionId: 36417244-0c5d-4281-b2d8-b49bfe9e45c1 Received feature extension acknowledgement for Idle Connection Resiliency.
13:00:09,036 INFO [app] 13:00:07,420 ConnectionID:1 ClientConnectionId: 36417244-0c5d-4281-b2d8-b49bfe9e45c1 End of connect
13:00:09,036 INFO [app] 13:00:07,420 RETURN ConnectionID:1 ClientConnectionId: 36417244-0c5d-4281-b2d8-b49bfe9e45c1
13:00:09,036 INFO [app] 13:00:07,420 ENTRY true
Actual behavior
The connection times out and app startup fails:
14:05:06,597 INFO [app] 14:05:04,365 TDSChannel (ConnectionID:1) Enabling SSL...
14:05:06,597 INFO [app] 14:05:04,366 TDSChannel (ConnectionID:1) SSL handshake will validate server certificate
14:05:06,597 INFO [app] 14:05:04,378 X509Certificate: Alg:SHA256withRSA, Serial:6508f801e10d, Subject:CN=localhost, Issuer:CN=localhost, Key type:RSA, Length:2048, Cert Id:1935473840, Valid from:5/21/24, 2:04 PM, Valid until:5/25/24, 2:04 PM
14:05:06,597 INFO [app] 14:05:04,446 TDSChannel (ConnectionID:1) Starting SSL handshake
14:05:06,597 INFO [app] 14:05:04,585 TDSReader@1 (ConnectionID:1 ClientConnectionId: 121f498d-eccb-4dd8-bbd2-7ccc3b4284c1) Premature EOS in response. packetNum:0 headerBytesRead:0
14:05:06,597 INFO [app] 14:05:04,586 *** SQLException:ConnectionID:1 ClientConnectionId: 121f498d-eccb-4dd8-bbd2-7ccc3b4284c1 com.microsoft.sqlserver.jdbc.SQLServerException: SQL Server did not return a response. The connection has been closed. ClientConnectionId:121f498d-eccb-4dd8-bbd2-7ccc3b4284c1 SQL Server did not return a response. The connection has been closed. ClientConnectionId:121f498d-eccb-4dd8-bbd2-7ccc3b4284c1
14:05:06,597 INFO [app] 14:05:04,586 com.microsoft.sqlserver.jdbc.SQLServerConnection.terminate(SQLServerConnection.java:4266)
com.microsoft.sqlserver.jdbc.SQLServerConnection.terminate(SQLServerConnection.java:4255)
com.microsoft.sqlserver.jdbc.TDSReader.readPacket(IOBuffer.java:6872)
com.microsoft.sqlserver.jdbc.TDSChannel$SSLHandshakeInputStream.ensureSSLPayload(IOBuffer.java:892)
com.microsoft.sqlserver.jdbc.TDSChannel$SSLHandshakeInputStream.readInternal(IOBuffer.java:949)
com.microsoft.sqlserver.jdbc.TDSChannel$SSLHandshakeInputStream.read(IOBuffer.java:942)
com.microsoft.sqlserver.jdbc.TDSChannel$ProxyInputStream.readInternal(IOBuffer.java:1206)
com.microsoft.sqlserver.jdbc.TDSChannel$ProxyInputStream.read(IOBuffer.java:1192)
java.base/sun.security.ssl.SSLSocketInputRecord.read(SSLSocketInputRecord.java:484)
java.base/sun.security.ssl.SSLSocketInputRecord.readHeader(SSLSocketInputRecord.java:478)
java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:160)
java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:111)
java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1510)
java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1425)
java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
com.microsoft.sqlserver.jdbc.TDSChannel.enableSSL(IOBuffer.java:1854)
com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:3792)
com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:3348)
com.microsoft.sqlserver.jdbc.SQLServerConnection.connectInternal(SQLServerConnection.java:3179)
com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:1953)
com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:1263)
io.agroal.pool.ConnectionFactory.createConnection(ConnectionFactory.java:225)
io.agroal.pool.ConnectionPool$CreateConnectionTask.call(ConnectionPool.java:545)
io.agroal.pool.ConnectionPool$CreateConnectionTask.call(ConnectionPool.java:526)
java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
io.agroal.pool.util.PriorityScheduledExecutor.beforeExecute(PriorityScheduledExecutor.java:75)
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1134)
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
java.base/java.lang.Thread.run(Thread.java:840)
14:05:06,597 INFO [app] 14:05:04,586 ENTRY
14:05:06,597 INFO [app] 14:05:04,587 TDSChannel (ConnectionID:1) Disabling SSL...
14:05:06,597 INFO [app] 14:05:04,587 TDSChannel (ConnectionID:1) Closing SSL socket
14:05:06,597 INFO [app] 14:05:04,589 TDSChannel (ConnectionID:1) SSL disabled
14:05:06,597 INFO [app] 14:05:04,589 TDSChannel (ConnectionID:1): Closing TCP socket...
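The "Premature EOS in response" above means the server closed the socket while the JDK was still waiting for the server's first handshake record, which is what a server does when it finds nothing acceptable in the ClientHello. The quickest way to see what each JDK actually offers is to print its TLS state on the same machine under both runtimes and diff the two outputs. The program below is an added diagnostic written for this report; it is not part of the Quarkus test suite or the issue author's setup. It uses only standard JDK APIs; the class name is arbitrary, the cipher suite it checks for is the one the OpenJDK 21 log above shows being negotiated, and the com.redhat.fips property is, to my understanding, the Red Hat build's FIPS switch (it may be unset when FIPS mode was detected automatically).

```java
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

/**
 * Reports the TLS-relevant state of the running JDK so the OpenJDK 17 and
 * OpenJDK 21 runs can be compared side by side. Added diagnostic, not part
 * of the Quarkus test suite.
 */
public class TlsFipsReport {

    // Cipher suite negotiated in the working OpenJDK 21 run (taken from the driver log).
    static final String NEGOTIATED_ON_JDK21 = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";

    /** True when the JDK's default SSLContext would offer the given suite in its ClientHello. */
    static boolean offersSuite(String suite) throws Exception {
        SSLParameters def = SSLContext.getDefault().getDefaultSSLParameters();
        return Arrays.asList(def.getCipherSuites()).contains(suite);
    }

    public static void main(String[] args) throws Exception {
        // Red Hat-specific switch for FIPS mode (assumption: property name as documented by Red Hat);
        // null means the build decided on its own from the host's FIPS state.
        System.out.println("com.redhat.fips = " + System.getProperty("com.redhat.fips"));

        // Installed providers in priority order. Under FIPS mode the list is expected
        // to be headed by the PKCS11/NSS FIPS provider rather than SunJSSE/SunRsaSign.
        System.out.println("Security providers:");
        for (Provider p : Security.getProviders()) {
            System.out.println("  " + p.getName() + " " + p.getVersionStr() + " - " + p.getInfo());
        }

        // Algorithms the JDK refuses to negotiate; this list differs between JDK
        // releases and between FIPS and non-FIPS configurations.
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));

        SSLContext ctx = SSLContext.getDefault();
        SSLParameters def = ctx.getDefaultSSLParameters();
        SSLParameters sup = ctx.getSupportedSSLParameters();
        System.out.println("SSLContext provider: " + ctx.getProvider().getName());
        System.out.println("Default protocols:   " + Arrays.toString(def.getProtocols()));
        System.out.println("Supported protocols: " + Arrays.toString(sup.getProtocols()));

        // The suites the client will actually put in its ClientHello.
        System.out.println("Default cipher suites (" + def.getCipherSuites().length + "):");
        for (String cs : def.getCipherSuites()) {
            System.out.println("  " + cs);
        }

        // Direct check against the suite the working JDK 21 run negotiated.
        System.out.println(NEGOTIATED_ON_JDK21 + " offered by this JDK: "
                + offersSuite(NEGOTIATED_ON_JDK21));
    }
}
```

Run it once with each JDK (java TlsFipsReport > jdk17.txt, then the same with JDK 21) and diff the two files; a provider list or cipher-suite list that differs between the runs points at the JDK configuration rather than at the certificates. If both JDKs offer the same suites, re-run the failing reproducer with -Djavax.net.debug=ssl:handshake to see the exact ClientHello the server is rejecting.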
How to Reproduce?
Steps to reproduce the behavior:
git clone git@github.com:quarkus-qe/quarkus-test-suite.git
Strict version with verified hostname and server certs:
cd quarkus-test-suite/sql-db/sql-app
mvn clean verify -Dit.test=MssqlDatabaseIT
Trusting version:
cd quarkus-test-suite/sql-db/sql-app-compatibility
mvn clean verify -Dit.test=MssqlDatabaseIT
Output of uname -a or ver
RHEL 8.9 4.18.0-513.24.1.el8_9.x86_64
Output of java -version
OpenJDK Runtime Environment (Red_Hat-17.0.10.0.7-1.el7openjdkportable) (build 17.0.10+7-LTS)
Quarkus version or git rev
999-SNAPSHOT, 3.8.x + (didn't try older versions)
Build tool (i.e. output of mvnw --version or gradlew --version)
Apache Maven 3.8.6
Additional information
No response