
I need help / guidance with what the possible issue can be when I am trying to call a REST API over an SSL (TLS) connection. I have a private key and a signed cert from the data producer; I created the keystore from these two files and with code built an SSLContext, which I use while making the HTTP connection to the producer's server. Now the issue is, I am able to make the connection with Java 8, but the handshake fails for Java 17.

What am I missing? Are Java 8 certificates compatible with Java 17? I read a little and found Java 17 introduced TLSv1.3, but my SSL handshake is failing with this version as well.

I tried using Java 11 and Java 17, but it looks like the SSLContext is only working with Java 8, where I am able to fetch the response over REST.

Can someone who has faced a similar scenario, or is aware of what the possible issue can be, help me out here?

Below is the log snippet (masked endpoints):

```
19:06:42.772 [main] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection request: [route: {tls}->http://<proxy_URL>:82->https://<endpoint_URL>:443][total available: 0; route allocated: 0 of 50; total allocated: 0 of 60000]
19:06:42.793 [main] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection leased: [id: 0][route: {tls}->http://<proxy_URL>:82->https://<endpoint_URL>:443][total available: 0; route allocated: 1 of 50; total allocated: 1 of 60000]
19:06:42.795 [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Opening connection {tls}->http://<proxy_URL>:82->https://<endpoint_URL>:443
19:06:42.818 [main] DEBUG org.apache.http.impl.conn.DefaultHttpClientConnectionOperator - Connecting to <proxy_URL>/10.10.10.11:82
19:06:42.821 [main] DEBUG org.apache.http.impl.conn.DefaultHttpClientConnectionOperator - Connection established 10.10.10.10:55188<->10.10.10.11:82
19:06:42.823 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> CONNECT <endpoint_URL>:443 HTTP/1.1
19:06:42.823 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> Host: <endpoint_URL>
19:06:42.823 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> User-Agent: Apache-HttpClient/4.5.13 (Java/17.0.4)
19:06:42.824 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "CONNECT <endpoint_URL>:443 HTTP/1.1[\r][\n]"
19:06:42.824 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "Host: <endpoint_URL>[\r][\n]"
19:06:42.824 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "User-Agent: Apache-HttpClient/4.5.13 (Java/17.0.4)[\r][\n]"
19:06:42.824 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "[\r][\n]"
19:06:42.871 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "HTTP/1.1 403 Forbidden[\r][\n]"
```
ishan
  • Java **11** added TLS 1.3, and so did Java 8 update 261 and up. Certificates, and private keys, are not related to Java versions, but the _keystore files_ in which they are usually stored have changed over time and thus are partially correlated with Java versions; however, any problem with the keystore file would throw an exception, so unless your code catches and ignores exceptions it shouldn't, you would already have solved that problem. What exactly is the exception or other error you get? – dave_thompson_085 Nov 23 '22 at 07:53
  • @dave_thompson_085 Added the debug log for the SSL connection: I am getting 403 Forbidden when the HTTP client is about to make the connection with the endpoint, with Java 17. – ishan Nov 23 '22 at 09:19
  • That's an error from the proxy before the SSL/TLS handshake even starts, and has nothing at all to do with SSL/TLS. Are both clients using the same proxy? If by name, using the same name resolution? Does the working 8 issue the same request except for user-agent? Especially, does it have any proxy-authorization header? Are both clients on the same machine (proxy could restrict the client IPaddr)? – dave_thompson_085 Nov 24 '22 at 03:27
  • @dave_thompson_085 Java 8 uses the exact same code as Java 17; my client connects with the external server via the same proxy. The logs state the connection is successful with the proxy, and when the proxy connects with the external server (where SSL comes into effect) the 403 is thrown out. Is there a possibility that there are restrictions from the server side? – ishan Nov 24 '22 at 06:45
  • No, when you get 403 on the CONNECT request to the proxy, it is NOT connecting to the external server and there is no SSL/TLS yet. I didn't ask if the connection was successful from 8, which we already knew, I asked if the _request to the proxy_ from 8 is the same (except for user-agent). – dave_thompson_085 Nov 25 '22 at 16:04
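The comments above narrow the failure to the proxy's 403 on the CONNECT request, which arrives before a single TLS byte has been exchanged. The script below is an added example (not code from the question, nor from Apache HttpClient or the JDK) that reproduces that step on its own, so the Java 8 and Java 17 runs can be compared without either JVM's TLS stack in the picture: it sends a CONNECT request shaped like the one in the wire log, reads only the proxy's reply, and wraps the socket in TLS only after a 200. It also diffs two captured CONNECT requests header by header while ignoring User-Agent, which is exactly the check the last comment asks for. The fake proxy and its allow-list, the host names and the Java 8 User-Agent string are constructed for the demonstration; to run it live, point `connect_through_proxy` at the real proxy with `do_tls=True`.

```python
import socket
import socketserver
import ssl
import threading
from typing import Optional

JAVA8_UA = "Apache-HttpClient/4.5.13 (Java/1.8.0_345)"  # constructed sample value
JAVA17_UA = "Apache-HttpClient/4.5.13 (Java/17.0.4)"     # as seen in the wire log


def build_connect_request(host: str, port: int, user_agent: str,
                          proxy_authorization: Optional[str] = None) -> bytes:
    """Build a CONNECT request shaped like the one HttpClient writes to the wire."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}", f"User-Agent: {user_agent}"]
    if proxy_authorization:
        lines.append(f"Proxy-Authorization: {proxy_authorization}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_headers(raw: bytes) -> dict:
    """Split a request or response head into {'start-line': ..., lowercased name: value}."""
    lines = raw.decode("ascii", "replace").split("\r\n")
    parsed = {"start-line": lines[0]}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        parsed[name.strip().lower()] = value.strip()
    return parsed


def diff_connect_requests(raw_a: bytes, raw_b: bytes, ignore=("user-agent",)) -> dict:
    """Headers that differ between two captured CONNECT requests (e.g. Java 8 vs 17)."""
    a, b = parse_headers(raw_a), parse_headers(raw_b)
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b))
            if k not in ignore and a.get(k) != b.get(k)}


def parse_status_code(response_head: bytes) -> int:
    """Status code from the proxy's reply to CONNECT, e.g. 403 from 'HTTP/1.1 403 Forbidden'."""
    status_line = parse_headers(response_head)["start-line"]
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1])


def read_head(sock: socket.socket) -> bytes:
    """Read up to the blank line that ends the proxy's response headers."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def connect_through_proxy(proxy_host, proxy_port, target_host, target_port,
                          user_agent, proxy_authorization=None, do_tls=False) -> dict:
    """Send CONNECT, read the proxy's verdict, and start TLS only after a 200."""
    result = {"proxy_status": None, "tls_attempted": False, "tls_version": None}
    with socket.create_connection((proxy_host, proxy_port), timeout=5) as sock:
        sock.sendall(build_connect_request(target_host, target_port, user_agent, proxy_authorization))
        result["proxy_status"] = parse_status_code(read_head(sock))
        if result["proxy_status"] != 200:
            return result  # tunnel refused by the proxy: no TLS byte was ever sent
        result["tls_attempted"] = True
        if do_tls:  # live use against a real proxy: handshake runs inside the tunnel
            ctx = ssl.create_default_context()
            with ctx.wrap_socket(sock, server_hostname=target_host) as tls:
                result["tls_version"] = tls.version()
    return result


class _FakeProxyHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for the proxy: 403 unless the CONNECT target is allow-listed."""
    def handle(self):
        head = b""
        while b"\r\n\r\n" not in head:
            line = self.rfile.readline()
            if not line:
                return
            head += line
        parts = parse_headers(head)["start-line"].split(" ")
        host = parts[1].rsplit(":", 1)[0] if len(parts) > 1 else ""
        if host in self.server.allowed_hosts:
            self.wfile.write(b"HTTP/1.1 200 Connection established\r\n\r\n")
        else:
            self.wfile.write(b"HTTP/1.1 403 Forbidden\r\n\r\n")


class FakeProxy(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, allowed_hosts):
        super().__init__(("127.0.0.1", 0), _FakeProxyHandler)  # port 0: pick a free port
        self.allowed_hosts = set(allowed_hosts)


def demo() -> dict:
    """Both outcomes against the fake proxy; host names and allow-list are hypothetical."""
    proxy = FakeProxy({"allowed.example"})
    threading.Thread(target=proxy.serve_forever, daemon=True).start()
    port = proxy.server_address[1]
    try:
        return {
            "refused": connect_through_proxy("127.0.0.1", port, "endpoint.example", 443, JAVA17_UA),
            "allowed": connect_through_proxy("127.0.0.1", port, "allowed.example", 443, JAVA17_UA),
        }
    finally:
        proxy.shutdown()
        proxy.server_close()


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
    print("java8 vs java17 CONNECT diff:",
          diff_connect_requests(build_connect_request("endpoint.example", 443, JAVA8_UA),
                                build_connect_request("endpoint.example", 443, JAVA17_UA)))
```

Run this once from each JVM's host (the proxy may restrict by client address) and paste each JVM's `>>` wire lines into `diff_connect_requests`; if the only difference is User-Agent and the proxy still answers 403 for one of them, the decision is being made by the proxy (or something in front of it), not by the TLS configuration of either runtime.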

0 Answers