3

With the latest Java Zulu 8.0.252 and Payara5 Server I cannot read any HTTPS URLs anymore. After downgrading to 8.0.251 everything works fine again.

    javax.net.ssl.SSLException
        at org.openjsse.sun.security.ssl.Alert.createSSLException(Alert.java:133)
        at org.openjsse.sun.security.ssl.TransportContext.fatal(TransportContext.java:352)
        at org.openjsse.sun.security.ssl.TransportContext.fatal(TransportContext.java:295)
        at org.openjsse.sun.security.ssl.TransportContext.fatal(TransportContext.java:290)
        at org.openjsse.sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1330)
        at org.openjsse.sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:424)
        at org.openjsse.sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
        at org.openjsse.sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
        at org.openjsse.sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:168)
        at org.jsoup.helper.HttpConnection$Response.execute(HttpConnection.java:730)
        at org.jsoup.helper.HttpConnection$Response.execute(HttpConnection.java:705)
        at org.jsoup.helper.HttpConnection.execute(HttpConnection.java:295)
    Caused by: java.lang.NullPointerException
        at org.openjsse.sun.security.ssl.CertificateAuthorityExtension$CHCertificateAuthoritiesProducer.produce(CertificateAuthorityExtension.java:185)
        at org.openjsse.sun.security.ssl.SSLExtension.produce(SSLExtension.java:560)
        at org.openjsse.sun.security.ssl.SSLExtensions.produce(SSLExtensions.java:253)
        at org.openjsse.sun.security.ssl.ClientHello$ClientHelloKickstartProducer.produce(ClientHello.java:649)
        at org.openjsse.sun.security.ssl.SSLHandshake.kickstart(SSLHandshake.java:515)
        at org.openjsse.sun.security.ssl.ClientHandshakeContext.kickstart(ClientHandshakeContext.java:107)
        at org.openjsse.sun.security.ssl.TransportContext.kickstart(TransportContext.java:259)
        at org.openjsse.sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:411)
        ... 97 more

tak3shi
  • This might help https://github.com/square/okhttp/issues/5970 https://github.com/fabric8io/kubernetes-client/issues/2145 –  May 18 '20 at 06:50
  • TLS 1.3 support: https://docs.azul.com/openjsse/Title.htm – tak3shi May 18 '20 at 08:27

2 Answers

2

It looks like your application or library uses a custom insecure Trust Manager.

This custom Trust Manager implements the X509TrustManager class and returns null from the X509TrustManager.getAcceptedIssuers() method.

According to the Java specification, getAcceptedIssuers() must return a "non-null (possibly empty) array of acceptable CA issuer certificates", but in the provided stack trace getAcceptedIssuers() returns null. This causes the NPE.

See https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/X509TrustManager.html#getAcceptedIssuers()

Sergey Grinev
Alexey
    Yes, that's right, I was already thinking about that possibility but had no time to check it out. – tak3shi May 19 '20 at 18:59
0

To avoid this error, I have disabled TLS 1.3 support in Payara.

Disable TLS 1.3 support in domain.xml for Java 1.8.0u252 and later by replacing:

    <jvm-options>[Azul-1.8.0u222|1.8.0u500]-XX:+UseOpenJSSE</jvm-options>

with:

    <jvm-options>[Azul-1.8.0u222|1.8.0u251]-XX:+UseOpenJSSE</jvm-options>

And use a compatible grizzly library that does not require TLS 1.3 by replacing:

    <jvm-options>[1.8.0u191|1.8.0u500]-Xbootclasspath/p:${com.sun.aas.installRoot}/lib/grizzly-npn-bootstrap-1.8.1.jar</jvm-options>

with:

    <jvm-options>[1.8.0u191|1.8.0u251]-Xbootclasspath/p:${com.sun.aas.installRoot}/lib/grizzly-npn-bootstrap-1.8.1.jar</jvm-options>
    <jvm-options>[1.8.0u252|1.8.0u500]-Xbootclasspath/a:${com.sun.aas.installRoot}/lib/grizzly-npn-api.jar</jvm-options>

tak3shi