The following code (get google.com) fails:

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse.BodyHandlers;
import javax.net.ssl.SSLContext;
import org.wildfly.openssl.OpenSSLProvider;

var context = SSLContext.getInstance("TLSv1.3", OpenSSLProvider.INSTANCE);
context.init(null, null, null);
var httpClient = HttpClient.newBuilder()
        .sslContext(context)
        .build();
httpClient.send(HttpRequest.newBuilder(URI.create("https://www.google.com"))
        .GET()
        .build(), BodyHandlers.ofString());
```
Error is thrown:

```
Caused by: javax.net.ssl.SSLException: error:0A000086:SSL routines::certificate verify failed
    at org.wildfly.openssl.OpenSSLEngine.unwrap(OpenSSLEngine.java:626)
    at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:679)
```
Trace log shows:

```
sun.security.validator.ValidatorException: KeyUsage does not allow key encipherment
    at java.base/sun.security.validator.EndEntityChecker.checkTLSServer(EndEntityChecker.java:273)
    at java.base/sun.security.validator.EndEntityChecker.check(EndEntityChecker.java:149)
    at java.base/sun.security.validator.Validator.validate(Validator.java:269)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:241)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:113)
    at org.wildfly.openssl.OpenSSLContextSPI.lambda$init$0(OpenSSLContextSPI.java:241)
    at org.wildfly.openssl.SSLImpl.readFromSSL0(Native Method)
    at org.wildfly.openssl.SSLImpl.readFromSSL(SSLImpl.java:153)
    at org.wildfly.openssl.OpenSSLEngine.unwrap(OpenSSLEngine.java:613)
    at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:679)
```
The error seems to be in OpenSSLContextSPI, which incorrectly determines the google.com certificate to be RSA; it is in fact EC, and EC certificates do not require key encipherment for TLS.
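To make the failure concrete, here is an added example (not code from the report or from wildfly-openssl) that models the KeyUsage rule behind the trace: an authType of "RSA" requires the keyEncipherment bit, while signature-based authentication requires digitalSignature. The two-rule checker is a simplification of the JDK's EndEntityChecker, the KeyUsage array for the EC leaf is constructed, and deriving the authType from the leaf key's algorithm is an assumption about how the bridge should behave, not a description of what it does.

```java
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.cert.CertificateException;

public class TlsKeyUsageCheck {
    // Bit positions in the array returned by X509Certificate.getKeyUsage() (RFC 5280 order).
    static final int DIGITAL_SIGNATURE = 0;
    static final int KEY_ENCIPHERMENT = 2;

    // Assumed fix: derive the authType from the leaf key instead of assuming "RSA".
    // PublicKey.getAlgorithm() yields "RSA" or "EC" for the key types used here.
    static String authTypeFor(PublicKey leafKey) {
        return leafKey.getAlgorithm();
    }

    // Simplified model of the checkTLSServer rule seen in the stack trace: only the
    // two cases relevant to this report are modelled, the real checker knows more.
    static void checkTlsServer(boolean[] keyUsage, String authType) throws CertificateException {
        if (keyUsage == null) return;          // no KeyUsage extension: nothing to enforce
        if ("RSA".equals(authType)) {
            if (!keyUsage[KEY_ENCIPHERMENT])
                throw new CertificateException("KeyUsage does not allow key encipherment");
        } else if (!keyUsage[DIGITAL_SIGNATURE]) {
            throw new CertificateException("KeyUsage does not allow digital signatures");
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed KeyUsage of a typical EC server leaf: digitalSignature only.
        boolean[] ecLeafKeyUsage = new boolean[9];
        ecLeafKeyUsage[DIGITAL_SIGNATURE] = true;

        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(256);
        PublicKey ecKey = gen.generateKeyPair().getPublic();

        // What the report describes: the trust manager is handed "RSA" for an EC leaf.
        try {
            checkTlsServer(ecLeafKeyUsage, "RSA");
        } catch (CertificateException e) {
            System.out.println("authType RSA -> " + e.getMessage());
        }
        // With the authType taken from the actual key, the same leaf is accepted.
        String derived = authTypeFor(ecKey);
        checkTlsServer(ecLeafKeyUsage, derived);
        System.out.println("authType " + derived + " -> KeyUsage accepted");
    }
}
```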