Server: Payara 5.192 JDK: 8 update 121

Hello, I am trying to connect to third-party URLs from my web application and am getting an SSL exception.

As per a few forums, I tried to apply wildcard certificates on the server, but the issue remained the same.

I also checked the SSL logs and observed that both third-party URLs are initiating communication on a TLS 1.2 hello. Could you please suggest what else I can check? Also, is there any way I can stop "hostnameVerification" for Payara until this issue is resolved?

Adding server logs and an exception stack below.

  %% Resuming [Session-9, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  *** ServerHello, TLSv1.2
  Session ID:  
  {97, 10, 157, 83, 170, 216, 184, 234, 127, 114, 248, 61, 170, 18, 3, 102, 231, 51, 109, 103, 19, 75, 95, 99, 208, 97, 32, 108, 147, 161, 129, 12}
  Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  Compression Method: 0
  Extension renegotiation_info, renegotiated_connection: <empty>
  ***
  Cipher suite:  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV

Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA

, RECV TLSv1.2 ALERT: fatal, handshake_failure

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:201)
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:163)
    at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
    at project.path.validateInstanceUrl(InstanceMasterBean.java:359)
  • The SSL handshake seems down because of a missing common cipher between your JDK 1.8 version and the SSL server. Try to upgrade your JDK 1.8 version and check again (try OpenJDK 8 if you don't have an Oracle licence). – jcamsler Aug 13 '21 at 09:30
  • Hello @jcamsler, Thanks for the comment, I will update the JDK 8 to the latest update and let you know. Seems this is the only option I have right now. – Atmaram Dhuri Aug 16 '21 at 10:51
  • Hello, I could resolve this issue with jdk8u251. After updating to this version I faced an issue with starting Payara, and the solution for that was found at this link: https://github.com/eclipse-ee4j/glassfish/issues/22436#issuecomment-452243277 Changing the grizzly files sorted the issue. Thanks! – Atmaram Dhuri Aug 17 '21 at 13:20

1 Answer

I found the resolution to the above issue. Posting it here so anyone having a similar issue can find it for their reference too.

As per the comment from @jcamsler, I updated JDK 8 to 301, but the Payara server did not start and gave the below error.

Error Logs after JDK8update301 applied

Hence, I tried to apply Glassfish error, but it did not work.

Then I downgraded the JDK to JDK8u261 and again used the [Glassfish error] grizzly files without having the sun folder in it. This resolved my issue.
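
The comment above attributes the failure to the JDK and the remote server sharing no cipher suite. One way to check that from the same JDK the server runs on, as an added example that is not part of the original post: it prints the protocols and suites the JVM enables by default, intersects them with a constructed list standing in for what the remote server accepts (`SERVER_ACCEPTS` and the class name `TlsOfferCheck` are assumptions), and, given a host and port, attempts a handshake with default settings.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class TlsOfferCheck {
    // Constructed sample, not from the post: replace with the suites the
    // remote server's operator says it accepts.
    static final List<String> SERVER_ACCEPTS = Arrays.asList(
            "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384");

    // Suites present in both lists, in the client's preference order.
    static List<String> common(String[] offered, List<String> accepted) {
        List<String> shared = new ArrayList<>(Arrays.asList(offered));
        shared.retainAll(accepted);
        return shared;
    }

    public static void main(String[] args) throws Exception {
        // What this JVM enables by default for TLS connections.
        SSLParameters p = SSLContext.getDefault().getDefaultSSLParameters();
        System.out.println("java.version:   " + System.getProperty("java.version"));
        System.out.println("protocols:      " + Arrays.toString(p.getProtocols()));
        System.out.println("suites enabled: " + p.getCipherSuites().length);
        List<String> shared = common(p.getCipherSuites(), SERVER_ACCEPTS);
        System.out.println(shared.isEmpty()
                ? "no suite in common with SERVER_ACCEPTS"
                : "common suites: " + shared);

        if (args.length < 2) return;   // offline mode: local settings only
        SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
        // createSocket(host, port) keeps the host name, so SNI is sent.
        try (SSLSocket s = (SSLSocket) f.createSocket(args[0], Integer.parseInt(args[1]))) {
            s.startHandshake();
            SSLSession session = s.getSession();
            System.out.println("negotiated: " + session.getProtocol()
                    + " / " + session.getCipherSuite());
        } catch (SSLHandshakeException e) {
            // Same exception class as in the stack trace above.
            System.out.println("handshake failed: " + e.getMessage());
        }
    }
}
```

Running it once per installed JDK update shows whether the set of enabled suites, or the handshake result against the same host, changes between updates.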