javax.net.ssl.SSLException: No PSK available. Unable to resume

Question

I am using Jetty client to send outgoing requests. Code that runs perfectly under Java 10 suddenly gets the following exception under Java 11:

javax.net.ssl.SSLException: No PSK available. Unable to resume.
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:129)
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:255)
    at java.base/sun.security.ssl.ServerHello$T13ServerHelloConsumer.consume(ServerHello.java:1224)
    at java.base/sun.security.ssl.ServerHello$ServerHelloConsumer.onServerHello(ServerHello.java:984)
    at java.base/sun.security.ssl.ServerHello$ServerHelloConsumer.consume(ServerHello.java:872)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1065)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1052)
    at java.base/java.security.AccessController.doPrivileged(Native Method)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:999)
    at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:511)
    at org.eclipse.jetty.client.http.HttpReceiverOverHTTP.process(HttpReceiverOverHTTP.java:128)
    at org.eclipse.jetty.client.http.HttpReceiverOverHTTP.receive(HttpReceiverOverHTTP.java:73)
    at org.eclipse.jetty.client.http.HttpChannelOverHTTP.receive(HttpChannelOverHTTP.java:133)
    at org.eclipse.jetty.client.http.HttpConnectionOverHTTP.onFillable(HttpConnectionOverHTTP.java:155)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
    at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:411)
    at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:305)
    at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:159)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
    at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118)

I filed a bug report with Jetty here but I'm wondering: what does the error message actually mean? Is something wrong in my environment or does the error mean that Jetty is not configuring the connection correctly?

"No PSK Available" means that there was a TLS Session that could be resumed, but there was no Pre-Shared Key present. That will trigger an INTERNAL_ERROR alert in the OpenJDK implementation side. So perhaps you have a server producing an incompatible ServerHello block?? — Joakim Erdfelt, Oct 01 '18 at 12:29

score 83 · Accepted Answer · edited Nov 25 '20 at 23:55

83

there is a bug in JDK 11: https://bugs.openjdk.java.net/browse/JDK-8213202

you have to either:

wait for the release of JDK 12
update to JDK 11.0.3+ that includes backport
or use this command line parameter as a workaround: -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2

edited Nov 25 '20 at 23:55

Charlie

8,530
2
55
53

answered Jan 20 '19 at 19:22

Adam from WALCZAK.IT

1,339
12
11

Suggest using TLSv1.2 only here if 1.3 is problematic for your Java version. TLSv1 is deemed dangerous and both 1 and 1.1 are in the process of being "officially" deprecated: https://security.stackexchange.com/questions/237688/when-will-tls-1-2-be-deprecated – James Jan 14 '22 at 16:56
For my case, `-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3` works. – Lebecca Jun 14 '22 at 04:50

score 16 · Answer 2 · answered Jun 09 '20 at 15:50

16

As Adam from WALCZAK.IT's answer didn't work for me, I found out that the final solution is to add TLSv1.3 to the jdk.tls.disabledAlgorithms in java.security file under conf in your java directory.

So, open java.security under %JAVA_HOME%\conf, find jdk.tls.disabledAlgorithms and append , TLSv1.3.

answered Jun 09 '20 at 15:50

balsick

1,099
1
10
23

4

This worked for me for JDK version "jdk-11.0.2.jdk" – KunalMZ Feb 04 '21 at 15:34
1

This worked me for openjdk version "11" 2018-09-25 – Ankit May 26 '22 at 10:08
2

This worked me for open jdk-11.0.1 – chris Feb 07 '23 at 06:34

score 3 · Answer 3 · answered Jan 06 '22 at 02:07

I found a solution that worked for me that add this into your gradle.properties.

Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2
JAVA_TOOL_OPTIONS=-Dhttps.protocols=TLSv1.2
systemProp.http.proxyHost=fodev.org
systemProp.http.proxyPort=8118
systemProp.http.nonProxyHosts=*.jitpack.io, *.maven.org
systemProp.https.proxyHost=fodev.org
systemProp.https.proxyPort=8118
systemProp.https.nonProxyHosts=*.jitpack.io, *.maven.org

javax.net.ssl.SSLException: No PSK available. Unable to resume

3 Answers3

Linked