2

While using Okhttp3 to request(get and post) HTTPS urls from Dataflow jobs, the program is throwing SSL handshake Exception and failing. Exact message is "javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure"

The same code was working earlier like 3-4 weeks(Before Nov-23) back in Dataflow. Now it's failing with the above exception. Will this be an issue arrise because of some changes in the server (HTTPS URL provider) ? Or is it something to do with the my dataflow/beam setup.

SDK and lib versions -

Apache Beam SDK for Java 2.16.0
com.squareup.okhttp3:okhttp:4.2.2

ted
  • 3,911
  • 3
  • 26
  • 49
  • Have your tried to change the version of the libraries? for example Beam SDK for Java 2.15, you can also explore the workaround of changing the library google-http-java-client as explained in the comments in [this post](https://stackoverflow.com/questions/59128640/sslhandshakeexception-when-running-apache-beam-pipeline-in-dataflow) – rsantiago Dec 18 '19 at 01:34
  • Yes, we started getting same errors since yesterday second half in our dataflow streaming jobs as well. We use 1. Apache Beam SDK for Java 2.12.0 and 2.com.google.api.client.http (1.29.1) – Thasleem Basha Dec 18 '19 at 05:07
  • I have tried using Beam SDK 2.13, but no difference in the outcome. I haven'tr tried changing the http java client lib. – ted Dec 19 '19 at 07:28
  • It will very valuable if you share with us if google-http-java-client makes the difference. – rsantiago Dec 21 '19 at 02:51
  • HI @rsantiago, I haven't tried using the new java client. Instead I went for a quick fix for now. Found the common ciphers between the API providers and our Dataflow runners. And luckily API providers and Runners have common SSL versions. And had common ciphers. So I have collected cipers and add it to the connections specs of Okhttp3. (And put a beautiful warning coment too :P). I have ony 2 API providers so for me it was okay and am hopping the runners will get fixed in the future. – ted Dec 23 '19 at 08:53

2 Answers2

1

Looks like a change in the SSL configuration of your server. Try this site to confirm your server and device are compatible.

https://www.ssllabs.com/ssltest/

Jesse Wilson
  • 39,078
  • 8
  • 121
  • 128
0

Like I explain in my answer here, GCP disables GCM algos by default, and most probably your server only supports GCM and POLY. To re-enable GCM in the pipeline, you need to register a JvmInitializer and change the security settings.

Please look at my other answer on how to do this.

PetrosP
  • 635
  • 6
  • 15