What Java TLS operation can generate a fatal error on handshake?

Question

I am trying to connect to a new Minecraft server I own (from a client I own as well). This is a brand new Ubuntu 18.04 installation with Java 10 and the latest Minecraft 1.12 server.

During the connection, the JRE is establishing a connection to authentication servers and the whole connection ends (from the Minecraft server perspective) with a

[09:06:57] [User Authenticator #4/ERROR]: Couldn't verify username because servers are unavailable
[09:06:57] [Server thread/INFO]: com.mojang.authlib.GameProfile@949cab4d[id=<null>,name=TheNameOfTheUser,properties={},legacy=false] (/10.1.1.19:                                      41433) lost connection: Authentication servers are down. Please try again later, sorry!

The authentication servers certainly not being down, I traced the connection and see in a network dump

No.     Time           Source                Destination           Protocol Length Info
     98 3.254294       10.200.0.133          54.230.198.91         TCP      74     43370 → 443 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1994960819 TSecr=0 WS=128

No.     Time           Source                Destination           Protocol Length Info
     99 3.265065       54.230.198.91         10.200.0.133          TCP      74     443 → 43370 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=1446415026 TSecr=1994960819 WS=256


No.     Time           Source                Destination           Protocol Length Info
    100 3.265079       10.200.0.133          54.230.198.91         TCP      66     43370 → 443 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=1994960830 TSecr=1446415026


No.     Time           Source                Destination           Protocol Length Info
    101 3.266259       10.200.0.133          54.230.198.91         TLSv1.2  342    Client Hello


No.     Time           Source                Destination           Protocol Length Info
    102 3.275952       54.230.198.91         10.200.0.133          TCP      66     443 → 43370 [ACK] Seq=1 Ack=277 Win=30208 Len=0 TSval=1446415027 TSecr=1994960831


No.     Time           Source                Destination           Protocol Length Info
    103 3.279589       54.230.198.91         10.200.0.133          TLSv1.2  5538   Server Hello, Certificate, Certificate Status, Server Key Exchange, Server Hello Done

Frame 103: 5538 bytes on wire (44304 bits), 5538 bytes captured (44304 bits)
Ethernet II, Src: 12:5b:d3:1d:51:cf (12:5b:d3:1d:51:cf), Dst: d6:8b:35:0c:a2:f2 (d6:8b:35:0c:a2:f2)
Internet Protocol Version 4, Src: 54.230.198.91, Dst: 10.200.0.133
Transmission Control Protocol, Src Port: 443, Dst Port: 43370, Seq: 1, Ack: 277, Len: 5472
Secure Sockets Layer
    TLSv1.2 Record Layer: Handshake Protocol: Server Hello
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 65
        Handshake Protocol: Server Hello
    TLSv1.2 Record Layer: Handshake Protocol: Certificate
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 4566
        Handshake Protocol: Certificate
    TLSv1.2 Record Layer: Handshake Protocol: Certificate Status
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 479
        Handshake Protocol: Certificate Status
    TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 333
        Handshake Protocol: Server Key Exchange
    TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 4
        Handshake Protocol: Server Hello Done

No.     Time           Source                Destination           Protocol Length Info
    104 3.279602       10.200.0.133          54.230.198.91         TCP      66     43370 → 443 [ACK] Seq=277 Ack=5473 Win=40192 Len=0 TSval=1994960844 TSecr=1446415028

Frame 104: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: d6:8b:35:0c:a2:f2 (d6:8b:35:0c:a2:f2), Dst: 12:5b:d3:1d:51:cf (12:5b:d3:1d:51:cf)
Internet Protocol Version 4, Src: 10.200.0.133, Dst: 54.230.198.91
Transmission Control Protocol, Src Port: 43370, Dst Port: 443, Seq: 277, Ack: 5473, Len: 0

No.     Time           Source                Destination           Protocol Length Info
    105 3.280246       10.200.0.133          54.230.198.91         TLSv1.2  73     Alert (Level: Fatal, Description: Internal Error)

Frame 105: 73 bytes on wire (584 bits), 73 bytes captured (584 bits)
Ethernet II, Src: d6:8b:35:0c:a2:f2 (d6:8b:35:0c:a2:f2), Dst: 12:5b:d3:1d:51:cf (12:5b:d3:1d:51:cf)
Internet Protocol Version 4, Src: 10.200.0.133, Dst: 54.230.198.91
Transmission Control Protocol, Src Port: 43370, Dst Port: 443, Seq: 277, Ack: 5473, Len: 7
Secure Sockets Layer
    TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Internal Error)
        Content Type: Alert (21)
        Version: TLS 1.2 (0x0303)
        Length: 2
        Alert Message
            Level: Fatal (2)
            Description: Internal Error (80)

No.     Time           Source                Destination           Protocol Length Info
    106 3.280277       10.200.0.133          54.230.198.91         TCP      66     43370 → 443 [FIN, ACK] Seq=284 Ack=5473 Win=40192 Len=0 TSval=1994960845 TSecr=1446415028

Frame 106: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: d6:8b:35:0c:a2:f2 (d6:8b:35:0c:a2:f2), Dst: 12:5b:d3:1d:51:cf (12:5b:d3:1d:51:cf)
Internet Protocol Version 4, Src: 10.200.0.133, Dst: 54.230.198.91
Transmission Control Protocol, Src Port: 43370, Dst Port: 443, Seq: 284, Ack: 5473, Len: 0

No.     Time           Source                Destination           Protocol Length Info
    112 3.290075       54.230.198.91         10.200.0.133          TCP      66     443 → 43370 [FIN, ACK] Seq=5473 Ack=285 Win=30208 Len=0 TSval=1446415029 TSecr=1994960845

Frame 112: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: 12:5b:d3:1d:51:cf (12:5b:d3:1d:51:cf), Dst: d6:8b:35:0c:a2:f2 (d6:8b:35:0c:a2:f2)
Internet Protocol Version 4, Src: 54.230.198.91, Dst: 10.200.0.133
Transmission Control Protocol, Src Port: 443, Dst Port: 43370, Seq: 5473, Ack: 285, Len: 0

No.     Time           Source                Destination           Protocol Length Info
    113 3.290088       10.200.0.133          54.230.198.91         TCP      66     43370 → 443 [ACK] Seq=285 Ack=5474 Win=40192 Len=0 TSval=1994960855 TSecr=1446415029

Frame 113: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: d6:8b:35:0c:a2:f2 (d6:8b:35:0c:a2:f2), Dst: 12:5b:d3:1d:51:cf (12:5b:d3:1d:51:cf)
Internet Protocol Version 4, Src: 10.200.0.133, Dst: 54.230.198.91
Transmission Control Protocol, Src Port: 43370, Dst Port: 443, Seq: 285, Ack: 5474, Len: 0

Problems are on frame 105, where an Internal Error happens. Since the game is in Java, I assume that this is liked with the Java TLS implementation and this "Internal Error" may actually mean something more?

I reinstalled the Java certificates (update-ca-certificates -f) as one of the possible causes, but no luck.

Answer 1

Thanks @gusto2 for the hint

This ended up being a bug in Ubuntu 18.04. Details are in another SO answer, the TL;DR solution was to run, as root

# /usr/bin/printf '\xfe\xed\xfe\xed\x00\x00\x00\x02\x00\x00\x00\x00\xe2\x68\x6e\x45\xfb\x43\xdf\xa4\xd9\x92\xdd\x41\xce\xb6\xb2\x1c\x63\x30\xd7\x92' > /etc/ssl/certs/java/cacerts

# /var/lib/dpkg/info/ca-certificates-java.postinst configure