2

I have created a spring-boot backend java application with a React front end, and I am trying to use the GCP.

I got it working on AppEngine and wanted to put a long-running version of the application on a VM in Compute Engine, but when I deploy it on the vm in compute engine and try to connect to the app with HTTPS it gives me "ssl3_get_record:wrong version number". This is even when I am trying to connect to the app inside of the vm itself with 'localhost'.

It is a pretty cut and dry Spring Boot application that uses the embedded Tomcat server. It contains a `WebSecurityConfigurerAdapter` and a `WebMvcConfigurer` for CORS mapping.

Has anyone run into this issue or can give me some guidance on what I need to do to fix it?

EDIT:

Adding `curl -i -v https://localhost` as requested

```
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 3001 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self signed certificate
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
```
Landister
  • What port are you connecting on? Did you enable and set up HTTPS (SSL/TLS)? This error can occur if you try to access an HTTP service via a client trying to negotiate HTTPS. – John Hanley May 07 '20 at 05:39
  • Connecting on 3001 and yeah I enabled HTTPS as far as I can tell. I even set the "default-allow-https" to include that port. But what I find strange is would any of that matter if I am ssh'ing into the server and just trying to do a curl command with localhost? – Landister May 07 '20 at 14:00
  • Edit your question and add the debug output: `curl -i -v `. – John Hanley May 07 '20 at 17:05
  • Your problem is caused by using an SSL certificate that you created (self-signed). Let's Encrypt SSL certificates are free and will solve your problem. Depending on the client that you are using, you can set an option to ignore the SSL certificate. For example, curl has the command-line option `-k` and `--insecure`. Another option is to trust the self-signed root certificate. Your question does not have enough details to provide a good answer. – John Hanley May 08 '20 at 07:13

1 Answer

1

`ssl3_get_record:wrong version number` means the client can't open a connection to the server because they likely don't support the same TLS versions or settings.

SSLv3 was decommissioned quite a while ago. Either it's an old Java version or they never updated the function name. What Java version are you using?

Logs indicate the app may be running on HTTP/2 (ALPN, offering h2) and with TLSv1.3. These are definitely not supported well in old clients in my experience, like what a Java enterprise typically uses. Consider disabling HTTP/2 or TLS 1.3 and try again.

The widely used and supported SSL version is TLS 1.2 nowadays. See this other question on forcing TLS versions in a Java app: "Since OpenJDk Java 11 getting javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure".

The app may be running on a self-signed certificate. You can get a public certificate from Let's Encrypt.

user5994461
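Added example, not part of the original question or answers: a Python probe that tells apart the two failures seen on this page, a port that answers a TLS ClientHello with plain HTTP (the case described in the first comment) and a port that speaks TLS but presents an untrusted certificate (the curl output). The names `start_plain_http_stub` and `probe` are hypothetical, and the stub is a constructed stand-in for a plain-HTTP connector.

```python
import socket
import ssl
import threading

def start_plain_http_stub():
    """Constructed stand-in for a plain-HTTP connector: answers any bytes with a 400."""
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.settimeout(2)
                try:
                    conn.recv(4096)  # a TLS ClientHello, or an HTTP request
                    conn.sendall(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")
                    conn.shutdown(socket.SHUT_WR)
                    while conn.recv(4096):  # drain so close() sends FIN, not RST
                        pass
                except OSError:
                    pass
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def probe(host, port, timeout=3):
    """Return (verdict, detail) describing what the listener on host:port speaks."""
    ctx = ssl.create_default_context()  # certificate verification stays on
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "tls", tls.version()
    except ssl.SSLCertVerificationError as exc:
        return "tls-untrusted-cert", exc.verify_message  # TLS works, trust does not
    except ssl.SSLError as exc:
        # Reason text depends on the OpenSSL build (commonly WRONG_VERSION_NUMBER)
        reason = exc.reason or str(exc)
    except OSError as exc:
        return "connect-error", str(exc)
    # Handshake failed at the record layer: does the same port answer plain HTTP?
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
            first = raw.recv(16)
    except OSError:
        first = b""
    return ("plaintext-http" if first.startswith(b"HTTP/") else "tls-error"), reason

if __name__ == "__main__":
    print(probe("127.0.0.1", start_plain_http_stub()))
```

A `plaintext-http` verdict means TLS is not enabled on that listener; `tls-untrusted-cert` means the handshake reached the certificate and only trust is missing.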