
Getting an error while making an SSL connection in Spring Boot.

http-nio-8081-exec-1, WRITE: TLSv1.2 Handshake, length = 193
[Raw write]: length = 198
0000: 16 03 03 00 C1 01 00 00   BD 03 03 59 0F F5 50 BA  ...........Y..P.
0010: AC 01 0A A6 F9 AB 1C C6   B5 50 B1 4E 2A 0E D2 4B  .........P.N*..K
0020: C1 7C 75 7B 90 70 A3 6A   20 30 C1 00 00 3A C0 23  ..u..p.j 0...:.#
0030: C0 27 00 3C C0 25 C0 29   00 67 00 40 C0 09 C0 13  .'.<.%.).g.@....
0040: 00 2F C0 04 C0 0E 00 33   00 32 C0 2B C0 2F 00 9C  ./.....3.2.+./..
0050: C0 2D C0 31 00 9E 00 A2   C0 08 C0 12 00 0A C0 03  .-.1............
0060: C0 0D 00 16 00 13 00 FF   01 00 00 5A 00 0A 00 34  ...........Z...4
0070: 00 32 00 17 00 01 00 03   00 13 00 15 00 06 00 07  .2..............
0080: 00 09 00 0A 00 18 00 0B   00 0C 00 19 00 0D 00 0E  ................
0090: 00 0F 00 10 00 11 00 02   00 12 00 04 00 05 00 14  ................
00A0: 00 08 00 16 00 0B 00 02   01 00 00 0D 00 18 00 16  ................
00B0: 06 03 06 01 05 03 05 01   04 03 04 01 03 03 03 01  ................
00C0: 02 03 02 01 02 02                                  ......
http-nio-8081-exec-1, handling exception: java.net.SocketException: Connection reset
http-nio-8081-exec-1, SEND TLSv1.2 ALERT:  fatal, description = unexpected_message
http-nio-8081-exec-1, WRITE: TLSv1.2 Alert, length = 2
http-nio-8081-exec-1, Exception sending alert: java.net.SocketException: Connection reset by peer: socket write error
http-nio-8081-exec-1, called closeSocket()
2017-05-08 14:26:40.714 ERROR [CS Facade,,,] 6360 --- [nio-8081-exec-1] o.a.c.c.C.[.[.[/].[dispatcherServlet]   : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is org.springframework.web.client.ResourceAccessException: I/O error on GET request for "<URL>": Connection reset; nested exception is java.net.SocketException: Connection reset] with root cause

java.net.SocketException: Connection reset
    at java.net.SocketInputStream.read(Unknown Source)
    at java.net.SocketInputStream.read(Unknown Source)
    at sun.security.ssl.InputRecord.readFully(Unknown Source)
    at sun.security.ssl.InputRecord.read(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(Unknown Source)
    at org.springframework.http.client.SimpleBufferingClientHttpRequest.executeInternal(SimpleBufferingClientHttpRequest.java:78)
    at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:48)
    at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:53)
    at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:652)    

I tried setting this in the JVM arguments:

-Dhttps.protocols="TLSv1.2,TLSv1.1,TLSv1,SSLv3"

I also tried setting this in application.properties:

server.ssl.protocol=TLS

I have programmatically enabled SSL:

import org.apache.catalina.connector.Connector;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.context.embedded.EmbeddedServletContainerFactory;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.context.annotation.Bean;

  // Port of the extra connector. The original snippet reads a field named
  // "port" without showing it; the property name here is an assumption.
  @Value("${server.http.port}")
  private String port;

  @Bean
  public EmbeddedServletContainerFactory servletContainer() {
      TomcatEmbeddedServletContainerFactory tomcat = new TomcatEmbeddedServletContainerFactory();
      // Registers a second connector with no SSL settings (plain HTTP) next to the default one
      tomcat.addAdditionalTomcatConnectors(createStandardConnector());
      return tomcat;
  }

  private Connector createStandardConnector() {
      Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
      connector.setPort(Integer.valueOf(port));
      return connector;
  }

It is mentioned in SSL Connection Reset that the problem is with the Java version.

I am using Java version "1.8.0_91" and Spring Boot 1.5.2.RELEASE.

Is it because the server JKS file was generated with an old version of Java? Please provide some insights on the issue.

Atul

1 Answer


Some insights (I hope) but not an answer:

The problem in the Q you link was Java version 6, which was still current in early 2011, and which by default tries to negotiate with SSLv2 format (although even 6 wouldn't actually negotiate the SSLv2 protocol). You use 8, which defaults to the modern format and max protocol TLSv1.2, and the trace in your Q confirms this (the ClientHello offers wire version 0303, which is TLSv1.2), and no reasonable server will require more since 1.3 is not yet out of draft. Wrong version or format is only one possible cause of a reset during the SSL/TLS handshake; there are many others.

Recent Java 8 defaults https.protocols to TLSv1.2,TLSv1.1,TLSv1(.0). Adding SSLv3 is a bad idea; in the years since 2011 (and also since '8u0') it has been broken. Any server that actually negotiates SSLv3 is probably being operated by incompetents, and should not be used.

The Tomcat Connector is about incoming HTTP and/or HTTPS (TLS) connections. It has nothing to do with outgoing connections.

There is no problem with JKS files from older versions of Java, unless an older version used nonstandard crypto providers and a newer/current one does not; in any case server.jks similarly applies to incoming connections, not outgoing ones, and any keystore problem would occur either before sending the ClientHello message or after receiving the server's Certificate message, which your trace and stacktrace both contradict.

Your best bet is to find out from the server -- either directly like logs or via its operator(s) -- what it doesn't like.

However, there is one possibility I see by looking -- your stack is not sending Server Name Indication, aka SNI. This is technically an option in TLS, but in recent years many server programs (and servers) have begun requiring it, although a server that rejects a Hello for this reason should use an alert, not a reset. Java 8 should automatically send SNI for HttpsURLConnection unless someone or something has configured the system property jsse.enableSNIExtension to false, or the hostname part of the URL is a single 'label' (no dots) or an IP address -- are you doing any of those?

dave_thompson_085
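The two claims the answer makes about the trace (the ClientHello offers TLSv1.2, and it carries no server_name extension) can be checked mechanically rather than by reading the hex by eye. The following is an added example, not code from the question or the answer: a small Python parser fed the verbatim `[Raw write]` dump from the question. `build_client_hello` is a constructed minimal hello that does carry SNI (zeroed random, one cipher suite, for inspection only), so the parser can be seen recognising the extension when it is present, and `jsse_would_send_sni` encodes the three conditions the answer lists for Java 8 omitting SNI; that function mirrors the answer's wording, not the JDK source, and is an assumption.

```python
"""Parse the ClientHello from the JSSE debug dump in the question and check the two
things the answer points at: the offered protocol version and whether SNI is present."""
import ipaddress
import re

# Verbatim [Raw write] dump from the question; only the hex columns are used.
CLIENT_HELLO_DUMP = """
0000: 16 03 03 00 C1 01 00 00   BD 03 03 59 0F F5 50 BA  ...........Y..P.
0010: AC 01 0A A6 F9 AB 1C C6   B5 50 B1 4E 2A 0E D2 4B  .........P.N*..K
0020: C1 7C 75 7B 90 70 A3 6A   20 30 C1 00 00 3A C0 23  ..u..p.j 0...:.#
0030: C0 27 00 3C C0 25 C0 29   00 67 00 40 C0 09 C0 13  .'.<.%.).g.@....
0040: 00 2F C0 04 C0 0E 00 33   00 32 C0 2B C0 2F 00 9C  ./.....3.2.+./..
0050: C0 2D C0 31 00 9E 00 A2   C0 08 C0 12 00 0A C0 03  .-.1............
0060: C0 0D 00 16 00 13 00 FF   01 00 00 5A 00 0A 00 34  ...........Z...4
0070: 00 32 00 17 00 01 00 03   00 13 00 15 00 06 00 07  .2..............
0080: 00 09 00 0A 00 18 00 0B   00 0C 00 19 00 0D 00 0E  ................
0090: 00 0F 00 10 00 11 00 02   00 12 00 04 00 05 00 14  ................
00A0: 00 08 00 16 00 0B 00 02   01 00 00 0D 00 18 00 16  ................
00B0: 06 03 06 01 05 03 05 01   04 03 04 01 03 03 03 01  ................
00C0: 02 03 02 01 02 02                                  ......
"""

VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
EXTENSION_NAMES = {0: "server_name", 10: "supported_groups", 11: "ec_point_formats",
                   13: "signature_algorithms"}


def dump_to_bytes(dump: str) -> bytes:
    """Turn 'OFFSET: XX XX ...  gutter' lines back into bytes; at most 16 pairs
    per line are read, so the ASCII gutter is never mistaken for hex."""
    out = bytearray()
    for line in dump.strip().splitlines():
        m = re.match(r"^[0-9A-Fa-f]{4}:((?:\s+[0-9A-Fa-f]{2}){1,16})", line)
        if not m:
            raise ValueError(f"unrecognised dump line: {line!r}")
        out += bytes.fromhex(m.group(1))  # fromhex skips the whitespace
    return bytes(out)


def _u16(b: bytes, pos: int) -> int:
    return int.from_bytes(b[pos:pos + 2], "big")


def parse_client_hello(data: bytes) -> dict:
    """Minimal TLS record + ClientHello parser (RFC 5246 7.4.1.2, RFC 6066 3)."""
    if data[0] != 0x16 or len(data) != 5 + _u16(data, 3):
        raise ValueError("not a complete handshake record")
    if data[5] != 0x01:
        raise ValueError("not a ClientHello")
    hello = data[9:9 + int.from_bytes(data[6:9], "big")]
    pos = 2 + 32                                   # client_version, random
    pos += 1 + hello[pos]                          # session_id
    suites = [_u16(hello, i) for i in range(pos + 2, pos + 2 + _u16(hello, pos), 2)]
    pos += 2 + _u16(hello, pos)
    pos += 1 + hello[pos]                          # compression_methods
    extensions = {}
    if pos < len(hello):                           # the extensions block is optional
        end = pos + 2 + _u16(hello, pos)
        pos += 2
        while pos < end:
            etype, elen = _u16(hello, pos), _u16(hello, pos + 2)
            extensions[etype] = hello[pos + 4:pos + 4 + elen]
            pos += 4 + elen
    sni = None
    if 0 in extensions:                            # server_name list: type(1) len(2) name
        ext, sni, p = extensions[0], [], 2
        while p < 2 + _u16(ext, 0):
            if ext[p] == 0:                        # NameType host_name
                sni.append(ext[p + 3:p + 3 + _u16(ext, p + 1)].decode("ascii"))
            p += 3 + _u16(ext, p + 1)
    return {
        "client_version": VERSION_NAMES.get((hello[0], hello[1]), f"{hello[0]}.{hello[1]}"),
        "cipher_suite_count": len(suites),
        "extensions": [EXTENSION_NAMES.get(t, f"ext_{t}") for t in extensions],
        "sni": sni,                                # None: no server_name extension at all
    }


def build_client_hello(host: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello that does carry server_name, so the
    parser can be seen recognising SNI. Zeroed random, one suite: inspection only."""
    name = host.encode("ascii")
    entry = b"\x00" + len(name).to_bytes(2, "big") + name
    sni_ext = b"\x00\x00" + (len(entry) + 2).to_bytes(2, "big") + len(entry).to_bytes(2, "big") + entry
    hello = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
             + len(sni_ext).to_bytes(2, "big") + sni_ext)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + len(handshake).to_bytes(2, "big") + handshake


def jsse_would_send_sni(host: str, enable_sni_extension: bool = True) -> bool:
    """The three conditions the answer lists under which Java 8's HttpsURLConnection
    omits SNI. Mirrors the answer's wording, not the JDK source: an assumption."""
    if not enable_sni_extension:                   # -Djsse.enableSNIExtension=false
        return False
    try:
        ipaddress.ip_address(host.strip("[]"))     # IP literal: no SNI
        return False
    except ValueError:
        return "." in host                         # single label (no dots): no SNI
```

Run `parse_client_hello(dump_to_bytes(CLIENT_HELLO_DUMP))` and the dump from the question comes back as TLSv1.2, 29 cipher suites, extensions supported_groups, ec_point_formats and signature_algorithms, and `sni` is `None`, which is exactly the answer's reading of the hex; the same call on `build_client_hello("api.example.com")` returns `["api.example.com"]` for `sni`. The same `dump_to_bytes` works on any `[Raw write]` block from `-Djavax.net.debug=ssl`, so the check can be repeated on a hello captured after changing the URL host or the `jsse.enableSNIExtension` property.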