spring-cloud / spring-cloud-vault

Configuration Integration with HashiCorp Vault
http://cloud.spring.io/spring-cloud-vault/
Apache License 2.0
276 stars 150 forks

SSLHandshakeException when using HashiCorp Vault with Spring cloud vault dependency on TLS 1.3 #405

Closed pavankjadda closed 4 years ago

pavankjadda commented 4 years ago

Describe the bug

I am using HashiCorp Vault on my Spring Boot project. I configured my bootstrap.yml file to use app role and secret id to get passwords from the vault. During the application startup I get the following exception:

org.springframework.vault.authentication.VaultLoginException: Cannot login using org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://hostname:8200/v1/auth/approle/login": extension (5) should not be presented in certificate_request; nested exception is javax.net.ssl.SSLHandshakeException: extension (5) should not be presented in certificate_request

Sample bootstrap.yml

spring:
  application:
    name: pres
  cloud:
    vault:
      authentication: APPROLE
      app-role:
        role-id: ${role-id}
        secret-id: ${secret-id}
        role: pres-read
        app-role-path: approle
      uri: https://hostname:8200
      kv:
        enabled: true
        backend: secret
        application-name: pres

I am using spring-cloud-starter-vault-config dependency to access the vault

<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-vault-config</artifactId>
    <version>2.2.2.RELEASE</version>
</dependency>

mp911de commented 4 years ago

Can you share the full stack trace? Which version of Java are you using?

Looking in the Java bug tracker, there's a bug report for the Java runtime that was fixed with Java 12: https://bugs.openjdk.java.net/browse/JDK-8209965

pavankjadda commented 4 years ago

Java Version:

java 11.0.7 2020-04-14 LTS
Java(TM) SE Runtime Environment 18.9 (build 11.0.7+8-LTS)
Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.7+8-LTS, mixed mode)

Stack Trace:

2020-05-20 10:07:30.051  INFO 93020 --- [  restartedMain] o.s.v.c.e.LeaseAwareVaultPropertySource  : Vault location [secret/application/dev] not resolvable: Cannot login using org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://hostname:8200/v1/auth/approle/login": extension (5) should not be presented in certificate_request; nested exception is javax.net.ssl.SSLHandshakeException: extension (5) should not be presented in certificate_request
2020-05-20 10:07:30.191  WARN 93020 --- [  restartedMain] LeaseEventPublisher$LoggingErrorListener : [RequestedSecret [path='secret/application', mode=ROTATE]] Lease [leaseId='null', leaseDuration=PT0S, renewable=false] Cannot login using org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://hostname:8200/v1/auth/approle/login": extension (5) should not be presented in certificate_request; nested exception is javax.net.ssl.SSLHandshakeException: extension (5) should not be presented in certificate_request

org.springframework.vault.authentication.VaultLoginException: Cannot login using org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://hostname:8200/v1/auth/approle/login": extension (5) should not be presented in certificate_request; nested exception is javax.net.ssl.SSLHandshakeException: extension (5) should not be presented in certificate_request
    at org.springframework.vault.authentication.VaultLoginException.create(VaultLoginException.java:68)
    at org.springframework.vault.authentication.AppRoleAuthentication.createTokenUsingAppRole(AppRoleAuthentication.java:216)
    at org.springframework.vault.authentication.AppRoleAuthentication.login(AppRoleAuthentication.java:191)
    at org.springframework.vault.authentication.LifecycleAwareSessionManager.doGetSessionToken(LifecycleAwareSessionManager.java:291)
    at org.springframework.vault.authentication.LifecycleAwareSessionManager.getSessionToken(LifecycleAwareSessionManager.java:277)
    at org.springframework.vault.core.VaultTemplate.lambda$getSessionInterceptor$1(VaultTemplate.java:198)
    at org.springframework.http.client.InterceptingClientHttpRequest$InterceptingRequestExecution.execute(InterceptingClientHttpRequest.java:93)
    at org.springframework.vault.client.VaultClients.lambda$createRestTemplate$0(VaultClients.java:128)
    at org.springframework.http.client.InterceptingClientHttpRequest$InterceptingRequestExecution.execute(InterceptingClientHttpRequest.java:93)
    at org.springframework.http.client.InterceptingClientHttpRequest.executeInternal(InterceptingClientHttpRequest.java:77)
    at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:48)
    at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:53)
    at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:739)
    at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:674)
    at org.springframework.web.client.RestTemplate.getForObject(RestTemplate.java:315)
    at org.springframework.vault.core.VaultTemplate.lambda$doRead$5(VaultTemplate.java:401)
    at org.springframework.vault.core.VaultTemplate.doWithSession(VaultTemplate.java:388)
    at org.springframework.vault.core.VaultTemplate.doRead(VaultTemplate.java:398)
    at org.springframework.vault.core.VaultTemplate.read(VaultTemplate.java:290)
    at org.springframework.vault.core.lease.SecretLeaseContainer.doGetSecrets(SecretLeaseContainer.java:662)
    at org.springframework.vault.core.lease.SecretLeaseContainer.start(SecretLeaseContainer.java:396)
    at org.springframework.vault.core.lease.SecretLeaseContainer.addRequestedSecret(SecretLeaseContainer.java:355)
    at org.springframework.vault.core.env.LeaseAwareVaultPropertySource.loadProperties(LeaseAwareVaultPropertySource.java:184)
    at org.springframework.vault.core.env.LeaseAwareVaultPropertySource.<init>(LeaseAwareVaultPropertySource.java:169)
    at org.springframework.vault.core.env.LeaseAwareVaultPropertySource.<init>(LeaseAwareVaultPropertySource.java:122)
    at org.springframework.cloud.vault.config.LeasingVaultPropertySourceLocator.createVaultPropertySource(LeasingVaultPropertySourceLocator.java:151)
    at org.springframework.cloud.vault.config.LeasingVaultPropertySourceLocator.createVaultPropertySource(LeasingVaultPropertySourceLocator.java:89)
    at org.springframework.cloud.vault.config.VaultPropertySourceLocatorSupport.doCreatePropertySources(VaultPropertySourceLocatorSupport.java:162)
    at org.springframework.cloud.vault.config.VaultPropertySourceLocatorSupport.createCompositePropertySource(VaultPropertySourceLocatorSupport.java:138)
    at org.springframework.cloud.vault.config.VaultPropertySourceLocatorSupport.locate(VaultPropertySourceLocatorSupport.java:111)
    at org.springframework.cloud.bootstrap.config.PropertySourceLocator.locateCollection(PropertySourceLocator.java:52)
    at org.springframework.cloud.bootstrap.config.PropertySourceLocator.locateCollection(PropertySourceLocator.java:47)
    at org.springframework.cloud.bootstrap.config.PropertySourceBootstrapConfiguration.initialize(PropertySourceBootstrapConfiguration.java:97)
    at org.springframework.boot.SpringApplication.applyInitializers(SpringApplication.java:626)
    at org.springframework.boot.SpringApplication.prepareContext(SpringApplication.java:370)
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:314)
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1237)
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1226)
    at test.PresApplication.main(PresApplication.java:11)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at org.springframework.boot.devtools.restart.RestartLauncher.run(RestartLauncher.java:49)

mp911de commented 4 years ago

Thanks a lot. Java 11 is affected by the TLS bug which is fixed with Java 12. Closing since we cannot do anything here.

Inego commented 3 years ago

> Java Version:
>
> java 11.0.7 2020-04-14 LTS

We have updated Java to 11.0.10 and the error is gone.
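
A startup diagnostic for the failure discussed above, added here as an example and not code from Spring Cloud Vault or from anyone in this thread: it recognises the JDK-8209965 handshake message quoted in the report and the Java 11 range the thread describes (11.0.7 failing, 11.0.10 working). The class name, the 11.0.10 known-good floor and the constructed exception chain are assumptions.

```java
import javax.net.ssl.SSLHandshakeException;

/**
 * Hypothetical startup diagnostic (not part of Spring Cloud Vault): recognises the
 * JDK-8209965 handshake failure quoted in this issue and reports it with an actionable message.
 */
public final class VaultTls13Diagnostic {
    // Message emitted by the affected Java 11 TLS 1.3 client, as quoted in the issue.
    static final String JDK_8209965_MARKER =
            "extension (5) should not be presented in certificate_request";
    // Assumption taken from the thread: 11.0.7 fails and 11.0.10 works. The first fixed
    // 11.0.x update is not stated on the page, so 11.0.10 is used as the known-good floor.
    static final Runtime.Version KNOWN_GOOD_11 = Runtime.Version.parse("11.0.10");

    /** True for a Java 11 runtime older than the update the thread reports as working. */
    static boolean isAffectedRuntime(Runtime.Version v) {
        return v.feature() == 11 && v.compareTo(KNOWN_GOOD_11) < 0;
    }

    /** Walks the cause chain (VaultLoginException -> ResourceAccessException -> SSLHandshakeException). */
    static boolean isJdk8209965Failure(Throwable t) {
        for (Throwable cur = t; cur != null; cur = cur.getCause()) {
            if (cur instanceof SSLHandshakeException && cur.getMessage() != null
                    && cur.getMessage().contains(JDK_8209965_MARKER)) {
                return true;
            }
        }
        return false;
    }

    static String diagnose(Throwable t, Runtime.Version v) {
        if (!isJdk8209965Failure(t)) {
            return "not the JDK-8209965 handshake failure";
        }
        if (isAffectedRuntime(v)) {
            return "Java " + v + " is affected by JDK-8209965: upgrade the JDK (11.0.10 worked in this thread)"
                    + " instead of relaxing TLS settings";
        }
        return "JDK-8209965 signature seen on Java " + v + ", which should carry the fix; verify which JDK launches the app";
    }

    public static void main(String[] args) {
        // Constructed exception chain mirroring the nesting in the issue's stack trace.
        Throwable chain = new RuntimeException("Cannot login", new RuntimeException(
                "I/O error on POST request", new SSLHandshakeException(JDK_8209965_MARKER)));
        System.out.println(diagnose(chain, Runtime.Version.parse("11.0.7")));
        System.out.println(diagnose(chain, Runtime.version()));
    }
}
```

Running the check before the Vault bootstrap turns an opaque login failure into a message naming the JDK bug and the upgrade that resolves it.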

ppathard commented 3 years ago

Is it the same case with openjdk 13 @mp911de?