
Trying to move my app from Java 8 to Java 11, I was faced with the exception "javax.net.ssl.SSLHandshakeException: extension (10) should not be presented in server_hello".

I found that this issue will be fixed in 11.0.3 (ETA Q2+ 2019): "JDK 11 SSL Error on valid certificate (working in previous versions)".

But is there a fast workaround right now? Maybe I can adjust some settings to get rid of this problem?

PS. I use Spring RestTemplate

Mikhail Kholodkov
nahab
  • How about using ApacheHttpClient? – Mikhail Kholodkov Nov 28 '18 at 14:30
  • Isn't this a server configuration issue rather than a JDK issue? – Alan Bateman Nov 28 '18 at 14:33
  • @Mikhail The problem occurs on SSL/TLS level, not on HTTP level. ApacheHttpClient does not have its own SSL/TLS implementation, it is just an HTTP implementation. – Robert Nov 28 '18 at 14:56
  • @Robert Yes, but if it's an option, as a workaround, SSL/TLS handshake can be ignored/suppressed with it? – Mikhail Kholodkov Nov 28 '18 at 14:58
  • @Mikhail If the handshake fails because of an exception it is incomplete -> no HTTPS tunnel -> can't be used. The problematic check is not located in the certificate checking but in the SSL protocol implementation. Therefore any other http client will not help at all. – Robert Nov 28 '18 at 15:11
  • @Robert Thanks for the explanation. I thought ApacheHttpClient had its own SSL/TLS implementation. – Mikhail Kholodkov Nov 28 '18 at 15:52
  • Okay, so looks like the workaround would be either to wait for JDK 11.0.2 or to switch to JDK 12 ea. Or to use any other SSL client implementation. For example I've found this library WolfSSL written in C. They have a JNI wrapper to call it from Java - https://www.wolfssl.com/using-wolfssl-wolfcrypt-from-java/. Maybe it'll help – Mikhail Kholodkov Nov 28 '18 at 17:31
  • @MikhailKholodkov Yeah, for now I used jdk12-ea for my purposes. It resolves this problem but creates other troubles, because many tools still do not support Java 12. Seems the only solution with JDK 11 is to use another SSL provider – nahab Nov 29 '18 at 08:43
  • @nahab The fix is actually scheduled for JDK 11.0.3. [11.0.2 was released](https://jdk.java.net/11/release-notes); the TLS 1.3 issue still exists. – Mikhail Kholodkov Jan 16 '19 at 17:04
  • @MikhailKholodkov Thanks for informing. This is not so good :( – nahab Jan 28 '19 at 08:25
  • Java 11.0.3 was released today – erickdeoliveiraleal Apr 16 '19 at 22:59

0 Answers