I have a proxy servlet based on Jetty's ProxyServlet that is seeing intermittent 502 responses due to SSL renegotiation failures in the proxy's HttpClient when attempting to proxy the request to the remote server. Wireshark traces show that the SSL handshake has completed, but then the HttpClient starts the negotiation over again by sending another Client Hello packet. The remote server (an F5 in this case) is configured to not allow SSL renegotiation and so it shuts down the connection, causing the proxied request to fail.
I tried calling SslContextFactory.setRenegotiationAllowed(false) when configuring the proxy's HttpClient, but this just causes the request to fail internally within the proxy. Debug level logging yields the output shown below. Note the "Renegotiation Denied" message, which causes the stream to be closed, resulting in a Connection Closed exception when subsequently attempting to write the proxied request to the output stream.
So what could be causing the HttpClient to think that it needs to perform SSL renegotiation, and what can I do to work around this issue? Changing the configuration of the F5 to allow SSL renegotiation is not an option. The problem is intermittent and the reproducability is variable, suggesting there may be a timing component.
I'm using Jetty 9.2.13.v20150730 on Java 1.8.0_66.
2015-10-26 15:23:04,987 | DEBUG | vletModel-46-263 | SslConnection | 73 - org.eclipse.jetty.util - 9.2.13.v20150730 | SslConnection@276888f4{NEED_WRAP,eio=-1/-1,di=-1} -> HttpConnectionOverHTTP@76f2815f(l:/9.32.133.96:51386 <-> r:mail.notes.collabservdaily.swg.usma.ibm.com/9.70.230.131:443,closed=false)[HttpChannelOverHTTP@44d24828(exchange=HttpExchange@3284d378 req=TERMINATED/null@null res=PENDING/null@null)[send=HttpSenderOverHTTP@74d58ca9(req=QUEUED,snd=COMPLETED,failure=null)[HttpGenerator{s=START}],recv=HttpReceiverOverHTTP@501e585d(rsp=IDLE,failure=null)[HttpParser{s=START,0 of 0}]]] fill enter
2015-10-26 15:23:04,987 | DEBUG | vletModel-46-263 | ChannelEndPoint | 73 - org.eclipse.jetty.util - 9.2.13.v20150730 | filled 1006 SelectChannelEndPoint@57eceb70{mail.notes.collabservdaily.swg.usma.ibm.com/9.70.230.131:443<->51386,Open,in,out,-,-,15/30000,SslConnection}{io=0,kio=0,kro=1}
2015-10-26 15:23:04,987 | DEBUG | vletModel-46-263 | SslConnection | 73 - org.eclipse.jetty.util - 9.2.13.v20150730 | SslConnection@276888f4{NEED_WRAP,eio=1006/-1,di=0} -> HttpConnectionOverHTTP@76f2815f(l:/9.32.133.96:51386 <-> r:mail.notes.collabservdaily.swg.usma.ibm.com/9.70.230.131:443,closed=false)[HttpChannelOverHTTP@44d24828(exchange=HttpExchange@3284d378 req=TERMINATED/null@null res=PENDING/null@null)[send=HttpSenderOverHTTP@74d58ca9(req=QUEUED,snd=COMPLETED,failure=null)[HttpGenerator{s=START}],recv=HttpReceiverOverHTTP@501e585d(rsp=IDLE,failure=null)[HttpParser{s=START,0 of 0}]]] filled 1006 encrypted bytes
2015-10-26 15:23:04,987 | DEBUG | vletModel-46-263 | SslConnection | 73 - org.eclipse.jetty.util - 9.2.13.v20150730 | SslConnection@276888f4{NEED_WRAP,eio=0/-1,di=977} -> HttpConnectionOverHTTP@76f2815f(l:/9.32.133.96:51386 <-> r:mail.notes.collabservdaily.swg.usma.ibm.com/9.70.230.131:443,closed=false)[HttpChannelOverHTTP@44d24828(exchange=HttpExchange@3284d378 req=TERMINATED/null@null res=PENDING/null@null)[send=HttpSenderOverHTTP@74d58ca9(req=QUEUED,snd=COMPLETED,failure=null)[HttpGenerator{s=START}],recv=HttpReceiverOverHTTP@501e585d(rsp=IDLE,failure=null)[HttpParser{s=START,0 of 0}]]] unwrap Status = OK HandshakeStatus = NEED_WRAP
bytesConsumed = 1006 bytesProduced = 977
2015-10-26 15:23:04,988 | DEBUG | vletModel-46-263 | SslConnection | 73 - org.eclipse.jetty.util - 9.2.13.v20150730 | SslConnection@276888f4{NEED_WRAP,eio=0/-1,di=977} -> HttpConnectionOverHTTP@76f2815f(l:/9.32.133.96:51386 <-> r:mail.notes.collabservdaily.swg.usma.ibm.com/9.70.230.131:443,closed=false)[HttpChannelOverHTTP@44d24828(exchange=HttpExchange@3284d378 req=TERMINATED/null@null res=PENDING/null@null)[send=HttpSenderOverHTTP@74d58ca9(req=QUEUED,snd=COMPLETED,failure=null)[HttpGenerator{s=START}],recv=HttpReceiverOverHTTP@501e585d(rsp=IDLE,failure=null)[HttpParser{s=START,0 of 0}]]] renegotiation denied
2015-10-26 15:23:04,988 | DEBUG | vletModel-46-263 | SslConnection | 73 - org.eclipse.jetty.util - 9.2.13.v20150730 | SslConnection@276888f4{NEED_WRAP,eio=-1/-1,di=977} -> HttpConnectionOverHTTP@76f2815f(l:/9.32.133.96:51386 <-> r:mail.notes.collabservdaily.swg.usma.ibm.com/9.70.230.131:443,closed=false)[HttpChannelOverHTTP@44d24828(exchange=HttpExchange@3284d378 req=TERMINATED/null@null res=PENDING/null@null)[send=HttpSenderOverHTTP@74d58ca9(req=QUEUED,snd=COMPLETED,failure=null)[HttpGenerator{s=START}],recv=HttpReceiverOverHTTP@501e585d(rsp=IDLE,failure=null)[HttpParser{s=START,0 of 0}]]] fill exit
