4

My spring boot application could not work with old SSL certificate after upgrading to spring boot 2.6 and Java 17. After debuging, seems there was problem with TLS version or ciphers suite. I don't have experience with this. But, I tried generate the new self signed SSL certificate, and it works fine.

Debugging with javax.net.debug, and got unclear message. It's different btw using Firefox and Chrome. Here is debug log with Firefox:

    2022-09-20 15:26:33.448 [WARN]  o.a.t.u.n.TLSClientHelloExtractor - The ClientHello was not presented in a single TLS record so no SNI information could be extracted
javax.net.ssl|DEBUG|67|https-jsse-nio-5151-exec-10|2022-09-20 15:26:33.449 BST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|67|https-jsse-nio-5151-exec-10|2022-09-20 15:26:33.449 BST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|67|https-jsse-nio-5151-exec-10|2022-09-20 15:26:33.449 BST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|67|https-jsse-nio-5151-exec-10|2022-09-20 15:26:33.449 BST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|67|https-jsse-nio-5151-exec-10|2022-09-20 15:26:33.449 BST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA for TLSv1.3
javax.net.ssl|DEBUG|67|https-jsse-nio-5151-exec-10|2022-09-20 15:26:33.449 BST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA for TLSv1.3


2022-09-21 09:46:48.214 [WARN]  o.a.t.u.n.TLSClientHelloExtractor - The ClientHello was not presented in a single TLS record so no SNI information could be extracted
javax.net.ssl|ERROR|F6|https-jsse-nio-5151-exec-1|2022-09-21 09:46:48.215 BST|TransportContext.java:363|Fatal (INTERNAL_ERROR): problem unwrapping net record (
"throwable" : {
  javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
    at java.base/sun.security.ssl.SSLEngineInputRecord.bytesInCompletePacket(SSLEngineInputRecord.java:145)
    at java.base/sun.security.ssl.SSLEngineInputRecord.bytesInCompletePacket(SSLEngineInputRecord.java:64)
    at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:612)
    at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:506)
    at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:482)
    at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:679)
    at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:483)
    at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:215)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1764)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.base/java.lang.Thread.run(Thread.java:833)}

)

Does anyone have experience with this?

Vu Huynh
  • 51
  • 2
  • maybe related to this: `sniExtractor.clientHelloTooBig` https://github.com/apache/tomcat/blob/main/java/org/apache/tomcat/util/net/LocalStrings.properties#L131 – Tilo Feb 09 '23 at 23:18

1 Answers1

0

JDK 17 now uses TLS 1.3 as default for security handshakes as stated in https://blogs.oracle.com/javamagazine/post/java-jdk-17-generally-available

The default for security handshakes in JDK 17 is TLS 1.3.

The cert has to be checked in order to understand if it supports TLS 1.3. According to The Transport Layer Security (TLS) Protocol Version 1.3 TLS 1.3 doesn't support RSA or Diffie-Helman cipher suites

Static RSA and Diffie-Hellman cipher suites have been removed.

If it doesn't support all the requirements, one has to request the issuance of a new SSL certificate to a certificate Certificate Authority (CA) that fulfills these requirements, and use it in the application.

hugoalexandremf
  • 166
  • 1
  • 1
  • 9