Nidheesh
Reputation: 4562
TLSv1.3 - java.io.EOFException: SSL peer shut down incorrectly
I am trying to connect to a response from a external site
at java.lang.Thread.run(Thread.java:748)
Caused by: java.io.EOFException: SSL peer shut down incorrectly
at sun.security.ssl.InputRecord.read(InputRecord.java:505)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:975)
... 56 more
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
my code:
CloseableHttpClient httpClient2 = null;
try {
httpClient2 = (CloseableHttpClient) getTLS();
} catch (KeyManagementException e1) {
// TODO Auto-generated catch block
e1.printStackTrace();
} catch (UnrecoverableKeyException e1) {
// TODO Auto-generated catch block
e1.printStackTrace();
} catch (NoSuchAlgorithmException e1) {
// TODO Auto-generated catch block
e1.printStackTrace();
} catch (KeyStoreException e1) {
// TODO Auto-generated catch block
e1.printStackTrace();
}
public HttpClient getTLS() throws KeyManagementException,
UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException {
SSLContext sSLContext = SSLContext.getInstance("TLS");
sSLContext.init(null, null, null);
SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
sSLContext,
new String[] { "TLS" },
null,
SSLConnectionSocketFactory.getDefaultHostnameVerifier());
CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(sslsf).build();
return httpClient;
}
I have added the .pem certificte the keystore
myserverURL.pem /usr/local/openjdk-8/jre/lib/security
I tried to check the following command and see that TLSv1.3 is being used.
curl --insecure -vvI https://myserverURL.com 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
Client has:
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
This was working fine earlier. I guess the protocol has been changed on the server-side to TLSv1.3. Is it possible to connect from 1.2 to 1.3
Upvotes: 2
Views: 10292
Answers (2)
Ladislav Zitka
Reputation: 1000
In my case there was some issue with maybe new certificates which enforce in our company Zscaler TLS intercepting firewall/proxy. I used following code to scan https endpoint and import one by one whole certificate chain:
/*
* Copyright 2006 Sun Microsystems, Inc. All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* - Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* - Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* - Neither the name of Sun Microsystems nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
* IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
* THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/**
* Originally from:
* http://blogs.sun.com/andreas/resource/InstallCert.java
* Use:
* java InstallCert hostname
* Example:
*% java InstallCert ecc.fedora.redhat.com
*/
import java.net.Proxy;
import java.net.Socket;
import java.net.InetSocketAddress;
import javax.net.ssl.*;
import java.io.*;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
/**
* Class used to add the server's certificate to the KeyStore
* with your trusted certificates.
*/
public class InstallCert {
public static void main(String[] args) throws Exception {
String host = null;
int port = -1;
char[] passphrase = null;
// proxy
boolean useProxy = false;
String proxyHost = null;
int proxyPort = -1;
InetSocketAddress proxyAddr = null;
Socket underlying = null;
int numArg = 0;
int nbArgs = args.length;
boolean invalidArgs = false;
boolean isQuiet = false;
while (numArg < nbArgs) {
String arg = args[numArg++];
if (arg.startsWith("--proxy=")) {
String proxy = arg.substring("--proxy=".length());
useProxy = true;
String[] c = proxy.split(":");
proxyHost = c[0];
proxyPort = Integer.parseInt(c[1]); // proxy port is mandatory (we don't default to 8080)
}
else if (arg.startsWith("--quiet")) {
isQuiet = true;
}
else if (host == null) { // 1st argument is the "host:port"
String[] c = arg.split(":");
host = c[0];
port = (c.length == 1) ? 443 : Integer.parseInt(c[1]);
}
else if (passphrase == null) { // 2nd argument is the keystore passphrase
passphrase = arg.toCharArray();
}
else {
invalidArgs = true; // too many args
}
}
if (host == null) {
invalidArgs = true;
}
if (invalidArgs) {
System.out.println("Usage: java InstallCert [--proxy=proxyHost:proxyPort] host[:port] [passphrase] [--quiet]");
return;
}
// default values
if (port == -1 ) { port = 443; }
if (passphrase == null) { passphrase = "changeit".toCharArray(); }
File file = new File("jssecacerts");
if (file.isFile() == false) {
char SEP = File.separatorChar;
File dir = new File(System.getProperty("java.home") + SEP + "lib" + SEP + "security");
file = new File(dir, "jssecacerts");
if (file.isFile() == false) {
file = new File(dir, "cacerts");
}
}
System.out.println("Loading KeyStore " + file + "...");
InputStream in = new FileInputStream(file);
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
ks.load(in, passphrase);
in.close();
if (useProxy) {
proxyAddr = new InetSocketAddress(proxyHost, proxyPort);
underlying = new Socket(new Proxy(Proxy.Type.HTTP, proxyAddr));
}
SSLContext context = SSLContext.getInstance("TLS");
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(ks);
X509TrustManager defaultTrustManager = (X509TrustManager) tmf.getTrustManagers()[0];
SavingTrustManager tm = new SavingTrustManager(defaultTrustManager);
context.init(null, new TrustManager[]{tm}, null);
SSLSocketFactory factory = context.getSocketFactory();
System.out.println("Opening connection to " + host + ":" + port + (useProxy ? (" via proxy "+proxyHost+":"+proxyPort) : "") + " ...");
SSLSocket socket;
if (useProxy) {
underlying.connect(new InetSocketAddress(host, port));
socket = (SSLSocket) factory.createSocket(underlying, host, port, true);
} else {
socket = (SSLSocket) factory.createSocket(host, port);
}
socket.setSoTimeout(10000);
try {
System.out.println("Starting SSL handshake...");
socket.startHandshake();
socket.close();
System.out.println();
System.out.println("No errors, certificate is already trusted");
} catch (SSLException e) {
System.out.println();
e.printStackTrace(System.out);
}
X509Certificate[] chain = tm.chain;
if (chain == null) {
System.out.println("Could not obtain server certificate chain");
return;
}
BufferedReader reader = new BufferedReader(new InputStreamReader(System.in));
System.out.println();
System.out.println("Server sent " + chain.length + " certificate(s):");
System.out.println();
MessageDigest sha1 = MessageDigest.getInstance("SHA1");
MessageDigest md5 = MessageDigest.getInstance("MD5");
for (int i = 0; i < chain.length; i++) {
X509Certificate cert = chain[i];
System.out.println(" " + (i + 1) + " Subject " + cert.getSubjectDN());
System.out.println(" Issuer " + cert.getIssuerDN());
sha1.update(cert.getEncoded());
System.out.println(" sha1 " + toHexString(sha1.digest()));
md5.update(cert.getEncoded());
System.out.println(" md5 " + toHexString(md5.digest()));
System.out.println();
}
int k;
if (isQuiet) {
System.out.println("Adding first certificate to trusted keystore");
k = 0;
}
else {
System.out.println("Enter certificate to add to trusted keystore or 'q' to quit: [1]");
String line = reader.readLine().trim();
try {
k = (line.length() == 0) ? 0 : Integer.parseInt(line) - 1;
} catch (NumberFormatException e) {
System.out.println("KeyStore not changed");
return;
}
}
X509Certificate cert = chain[k];
String alias = host + "-" + (k + 1);
ks.setCertificateEntry(alias, cert);
OutputStream out = new FileOutputStream("jssecacerts");
ks.store(out, passphrase);
out.close();
System.out.println();
System.out.println(cert);
System.out.println();
System.out.println("Added certificate to keystore 'jssecacerts' using alias '" + alias + "'");
}
private static final char[] HEXDIGITS = "0123456789abcdef".toCharArray();
private static String toHexString(byte[] bytes) {
StringBuilder sb = new StringBuilder(bytes.length * 3);
for (int b : bytes) {
b &= 0xff;
sb.append(HEXDIGITS[b >> 4]);
sb.append(HEXDIGITS[b & 15]);
sb.append(' ');
}
return sb.toString();
}
private static class SavingTrustManager implements X509TrustManager {
private final X509TrustManager tm;
private X509Certificate[] chain;
SavingTrustManager(X509TrustManager tm) {
this.tm = tm;
}
public X509Certificate[] getAcceptedIssuers() {
// This change has been done due to the following resolution advised for Java 1.7+
// http://infposs.blogspot.kr/2013/06/installcert-and-java-7.html
return new X509Certificate[0];
//throw new UnsupportedOperationException();
}
public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
throw new UnsupportedOperationException();
}
public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
this.chain = chain;
tm.checkServerTrusted(chain, authType);
}
}
}
After import those certs into JDK security cacerts file, the error disappeared.
Upvotes: 0
djmonki
Reputation: 3949
If the server is tagged with -tls1_3 then it will "Only ever talk TLSv1.3". The server would need that to be removed to allow TLSv1.2 compatibility from your client. However, it may be a security architectural design for the server to use TLSv1.3
See this article on ssl.com: TLS 1.3 Is Here to Stay
It states the following: "TLS 1.3 abandons backwards compatibility in favor of a proper security design. It has been designed from scratch to provide functionality similar (yet not compatible) to TLS 1.2, but with significantly improved performance, privacy and security."
Various flavours of OpenJDK 8 backported support for TLS 1.3 at different release points, see below for some examples:
| Flavour | Release |
|---|---|
| AdoptOpenJDK | 8u272 |
| Azul Zulu JDK | 8u262/8u272/8u292 |
| Oracle OpenJDK | 8u261 |
| Amazon Corretto | 8u272 |
| Red Hat build of OpenJDK | 8u292 |
What you need to check first is whether the flavour and release of your OpenJDK 8 supports TLS 1.3
You can do that by running the following:
public static void main(String[] args) throws NoSuchAlgorithmException, KeyManagementException {
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, null, null);
String[] supportedProtocols = context.getDefaultSSLParameters().getProtocols();
System.out.println(Arrays.toString(supportedProtocols));
}
This will print something like [TLSv1.3, TLSv1.2]
If the flavour you have does not return TLSv1.3, then you need to check their releases to see if they backported support for TLSv1.3.
If they did, update to that release, if not you may have to go with another flavour of OpenJDK 8 or better still upgrade to OpenJDK 11 (dependent on the circumstances)
Upvotes: 3
Related Questions
- Java 11 and 12 SSL sockets fail on a handshake_failure error with TLSv1.3 enabled
- SSL peer shut down incorrectly in Java
- Java 8 RECV TLSv1.2 ALERT: fatal, handshake_failure
- SSL peer shut down incorrectly
- java.io.EOFException: SSL peer shut down incorrectly
- Handshake Failure with TLS 1.3 under JDK 11
- TLS 1.3 handshake failure when using OpenJDK 14 java module runtime
- SSL : Received fatal alert: handshake_failure
- TLSv1 connection failed with handshake failure
- Why do I get a handshake failure between TLS 1.0 client and SSL 3.0 server?