javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure inside docker container

Others 2022-04-21 21:07:45 views: 0
Antonio Gomez Alvarado :

I'm running a local test against a remote endpoint with the following code:

        URL url = new URL(remoteEndpointUrl);
        String encoded = Base64.getEncoder().encodeToString((login + ":"+ password).getBytes("UTF-8"));  //Java 8
        conn = (HttpURLConnection) url.openConnection();
        conn.setRequestProperty("Authorization", "Basic "+encoded);
        conn.setRequestMethod("DELETE");
        conn.setRequestProperty("Accept", "application/json");
        conn.setDoOutput(true);
        conn.getResponseCode();

And this works flawlessly on my Mac OS which has the following Java version 

java version "1.8.0_152"
Java(TM) SE Runtime Environment (build 1.8.0_152-b16)
Java HotSpot(TM) 64-Bit Server VM (build 25.152-b16, 
mixed mode)

Now, if I take this and run it inside a docker container running with an openjdk:8u151 image (which I launched from my Mac OS as well) I end up hitting the following exception:

    javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:203)
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:162)
    at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2033)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1135)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1564)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492)
    at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)

Apparently it doesn't seem to be ANY differences between my local TLS default settings and the ones inside the docker container. This is the debug output from running with -Djavax.net.debug=all:

Local output:

    Allow unsafe renegotiation: false
    Allow legacy hello messages: true
    Is initial handshake: true
    Is secure renegotiation: false
    main, setSoTimeout(0) called
    main, the previous server name in SNI (type=host_name (0), value=example.com) was replaced with (type=host_name (0), value=example.com)
    Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
    Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
    Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
    Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
    Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
    Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
    Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1
    Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
    Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
    Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
    Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
    Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
    Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
    Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1
    %% No cached client session
    *** ClientHello, TLSv1.2
    RandomCookie:  GMT: 1541229707 bytes = { 122, 255, 53, 110, 142, 33, 132, 23, 192, 232, 102, 11, 200, 33, 185, 187, 146, 150, 134, 215, 2, 72, 62, 10, 76, 46, 224, 66 }
    Session ID:  {}
    Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
    Compression Methods:  { 0 }
    Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
    Extension ec_point_formats, formats: [uncompressed]
    Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
    Extension server_name, server_name: [type=host_name (0), value=example.com]
    ***
    [write] MD5 and SHA1 hashes:  len = 198
    0000: 01 00 00 C2 03 03 5C DD   4D 8B 7A FF 35 6E 8E 21  ......\.M.z.5n.!
    0010: 84 17 C0 E8 66 0B C8 21   B9 BB 92 96 86 D7 02 48  ....f..!.......H
    0020: 3E 0A 4C 2E E0 42 00 00   3A C0 23 C0 27 00 3C C0  >.L..B..:.#.'.<.
    0030: 25 C0 29 00 67 00 40 C0   09 C0 13 00 2F C0 04 C0  %.).g.@...../...
    0040: 0E 00 33 00 32 C0 2B C0   2F 00 9C C0 2D C0 31 00  ..3.2.+./...-.1.
    0050: 9E 00 A2 C0 08 C0 12 00   0A C0 03 C0 0D 00 16 00  ................
    0060: 13 00 FF 01 00 00 5F 00   0A 00 16 00 14 00 17 00  ......_.........
    0070: 18 00 19 00 09 00 0A 00   0B 00 0C 00 0D 00 0E 00  ................
    0080: 16 00 0B 00 02 01 00 00   0D 00 1C 00 1A 06 03 06  ................
    0090: 01 05 03 05 01 04 03 04   01 04 02 03 03 03 01 03  ................
    00A0: 02 02 03 02 01 02 02 00   00 00 1B 00 19 00 00 16  ................
    00B0: 73 75 6D 69 74 64 65 76   2E 6D 79 73 68 6F 70 69  example.com
    00C0: 66 79 2E 63 6F 6D
    main, WRITE: TLSv1.2 Handshake, length = 198
    [Raw write]: length = 203
    0000: 16 03 03 00 C6 01 00 00   C2 03 03 5C DD 4D 8B 7A  ...........\.M.z
    0010: FF 35 6E 8E 21 84 17 C0   E8 66 0B C8 21 B9 BB 92  .5n.!....f..!...
    0020: 96 86 D7 02 48 3E 0A 4C   2E E0 42 00 00 3A C0 23  ....H>.L..B..:.#
    0030: C0 27 00 3C C0 25 C0 29   00 67 00 40 C0 09 C0 13  .'.<.%.).g.@....
    0040: 00 2F C0 04 C0 0E 00 33   00 32 C0 2B C0 2F 00 9C  ./.....3.2.+./..
    0050: C0 2D C0 31 00 9E 00 A2   C0 08 C0 12 00 0A C0 03  .-.1............
    0060: C0 0D 00 16 00 13 00 FF   01 00 00 5F 00 0A 00 16  ..........._....
    0070: 00 14 00 17 00 18 00 19   00 09 00 0A 00 0B 00 0C  ................
    0080: 00 0D 00 0E 00 16 00 0B   00 02 01 00 00 0D 00 1C  ................
    0090: 00 1A 06 03 06 01 05 03   05 01 04 03 04 01 04 02  ................
    00A0: 03 03 03 01 03 02 02 03   02 01 02 02 00 00 00 1B  ................
    00B0: 00 19 00 00 16 73 75 6D   69 74 64 65 76 2E 6D 79  .....example.com
    [Raw read]: length = 5
    0000: 16 03 03 00 57                                     ....W
    [Raw read]: length = 87
    0000: 02 00 00 53 03 03 5C DD   4D 8B A2 3C 5D 36 46 82  ...S..\.M..<]6F.
    0010: BE 0E 5E DA 23 05 66 D5   1B AE 13 AA 8F 98 12 30  ..^.#.f........0
    0020: DF 52 9C 28 AA 7B 20 43   4F 5E 40 8C B4 C4 1E 26  .R.(.. CO^@....&
    0030: 4F 5D B8 3D 39 16 D5 56   41 9C B0 F8 D5 F4 2A 55  O].=9..VA.....*U
    0040: B3 0A E9 A2 6F 9D 88 C0   2B 00 00 0B FF 01 00 01  ....o...+.......
    0050: 00 00 0B 00 02 01 00                               .......
    main, READ: TLSv1.2 Handshake, length = 87
    *** ServerHello, TLSv1.2
    RandomCookie:  GMT: 1541229707 bytes = { 162, 60, 93, 54, 70, 130, 190, 14, 94, 218, 35, 5, 102, 213, 27, 174, 19, 170, 143, 152, 18, 48, 223, 82, 156, 40, 170, 123 }
    Session ID:  {67, 79, 94, 64, 140, 180, 196, 30, 38, 79, 93, 184, 61, 57, 22, 213, 86, 65, 156, 176, 248, 213, 244, 42, 85, 179, 10, 233, 162, 111, 157, 136}
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    Compression Method: 0
    Extension renegotiation_info, renegotiated_connection: <empty>
    Extension ec_point_formats, formats: [uncompressed]
    ***
    %% Initialized:  [Session-4, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]
    ** TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    [read] MD5 and SHA1 hashes:  len = 87ere

Inside docker container output:

    Allow unsafe renegotiation: false
    Allow legacy hello messages: true
    Is initial handshake: true
    Is secure renegotiation: false
    Test worker, setSoTimeout(0) called
    Test worker, the previous server name in SNI (type=host_name (0), value=example.com) was replaced with (type=host_name (0), value=example.com)
    Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
    Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
    Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
    Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
    Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
    Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
    Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
    Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
    Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
    Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
    Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
    Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
    Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
    Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
    %% No cached client session
    *** ClientHello, TLSv1.2
    RandomCookie:  GMT: 1541242532 bytes = { 118, 119, 70, 101, 0, 69, 160, 231, 254, 159, 164, 222, 99, 67, 81, 99, 102, 20, 11, 71, 1, 162, 231, 238, 141, 93, 75, 42 }
    Session ID:  {}
    Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
    Compression Methods:  { 0 }
    Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
    Extension server_name, server_name: [type=host_name (0), value=example.com]
    ***
    [write] MD5 and SHA1 hashes:  len = 208
    0000: 01 00 00 CC 03 03 5C DD   7F A4 76 77 46 65 00 45  ......\...vwFe.E
    0010: A0 E7 FE 9F A4 DE 63 43   51 63 66 14 0B 47 01 A2  ......cCQcf..G..
    0020: E7 EE 8D 5D 4B 2A 00 00   64 C0 24 C0 28 00 3D C0  ...]K*..d.$.(.=.
    0030: 26 C0 2A 00 6B 00 6A C0   0A C0 14 00 35 C0 05 C0  &.*.k.j.....5...
    0040: 0F 00 39 00 38 C0 23 C0   27 00 3C C0 25 C0 29 00  ..9.8.#.'.<.%.).
    0050: 67 00 40 C0 09 C0 13 00   2F C0 04 C0 0E 00 33 00  g.@...../.....3.
    0060: 32 C0 2C C0 2B C0 30 00   9D C0 2E C0 32 00 9F 00  2.,.+.0.....2...
    0070: A3 C0 2F 00 9C C0 2D C0   31 00 9E 00 A2 C0 08 C0  ../...-.1.......
    0080: 12 00 0A C0 03 C0 0D 00   16 00 13 00 FF 01 00 00  ................
    0090: 3F 00 0D 00 1C 00 1A 06   03 06 01 05 03 05 01 04  ?...............
    00A0: 03 04 01 04 02 03 03 03   01 03 02 02 03 02 01 02  ................
    00B0: 02 00 00 00 1B 00 19 00   00 16 73 75 6D 69 74 64  ..........
    00C0: 65 76 2E 6D 79 73 68 6F   70 69 66 79 2E 63 6F 6D  example.com
    Test worker, WRITE: TLSv1.2 Handshake, length = 208
    [Raw write]: length = 213
    0000: 16 03 03 00 D0 01 00 00   CC 03 03 5C DD 7F A4 76  ...........\...v
    0010: 77 46 65 00 45 A0 E7 FE   9F A4 DE 63 43 51 63 66  wFe.E......cCQcf
    0020: 14 0B 47 01 A2 E7 EE 8D   5D 4B 2A 00 00 64 C0 24  ..G.....]K*..d.$
    0030: C0 28 00 3D C0 26 C0 2A   00 6B 00 6A C0 0A C0 14  .(.=.&.*.k.j....
    0040: 00 35 C0 05 C0 0F 00 39   00 38 C0 23 C0 27 00 3C  .5.....9.8.#.'.<
    0050: C0 25 C0 29 00 67 00 40   C0 09 C0 13 00 2F C0 04  .%.).g.@...../..
    0060: C0 0E 00 33 00 32 C0 2C   C0 2B C0 30 00 9D C0 2E  ...3.2.,.+.0....
    0070: C0 32 00 9F 00 A3 C0 2F   00 9C C0 2D C0 31 00 9E  .2...../...-.1..
    0080: 00 A2 C0 08 C0 12 00 0A   C0 03 C0 0D 00 16 00 13  ................
    0090: 00 FF 01 00 00 3F 00 0D   00 1C 00 1A 06 03 06 01  .....?..........
    00A0: 05 03 05 01 04 03 04 01   04 02 03 03 03 01 03 02  ................
    00B0: 02 03 02 01 02 02 00 00   00 1B 00 19 00 00 16 73  ...............s
    00C0: 75 6D 69 74 64 65 76 2E   6D 79 73 68 6F 70 69 66  example.com
    00D0: 79 2E 63 6F 6D                                     
    [Raw read]: length = 5
    0000: 15 03 03 00 02                                     .....
    [Raw read]: length = 2
    0000: 02 28                                              .(
    Test worker, READ: TLSv1.2 Alert, length = 2
    Test worker, RECV TLSv1.2 ALERT:  fatal, handshake_failure
    Test worker, called closeSocket()
    Test worker, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failureere

Now, i've tried to set the security property crypto.policy to unlimited according to https://www.petefreitag.com/item/844.cfm which is supposed to easy-enable JCE (Java Cryptographic Extension) which I got the lead from: https://blogs.oracle.com/java-platform-group/diagnosing-tls,-ssl,-and-https but it still fails.

I've been long battled this and have no clue what to check anymore as both executions are using TLSv1.2 as the https protocol and both are using the same cipher suites so any idea why is it failing inside the docker?

Any help is much appreciated, Thanks in advance

Edit : Running with -Dcom.sun.net.ssl.enableECC=false on my Mac OS 

Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
main, setSoTimeout(0) called
main, the previous server name in SNI (type=host_name (0), value=example.com) was replaced with (type=host_name (0), value=example.com)
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1541432023 bytes = { 91, 55, 180, 242, 51, 13, 227, 239, 109, 218, 210, 217, 65, 181, 16, 146, 251, 182, 30, 23, 156, 83, 207, 5, 80, 0, 133, 88 }
Session ID:  {}
Cipher Suites: [TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension server_name, server_name: [type=host_name (0), value=example.com]
***
[write] MD5 and SHA1 hashes:  len = 134
0000: 01 00 00 82 03 03 5C E0   63 D7 5B 37 B4 F2 33 0D  ......\.c.[7..3.
0010: E3 EF 6D DA D2 D9 41 B5   10 92 FB B6 1E 17 9C 53  ..m...A........S
0020: CF 05 50 00 85 58 00 00   1A 00 3C 00 67 00 40 00  ..P..X....<.g.@.
0030: 2F 00 33 00 32 00 9C 00   9E 00 A2 00 0A 00 16 00  /.3.2...........
0040: 13 00 FF 01 00 00 3F 00   0D 00 1C 00 1A 06 03 06  ......?.........
0050: 01 05 03 05 01 04 03 04   01 04 02 03 03 03 01 03  ................
0060: 02 02 03 02 01 02 02 00   00 00 1B 00 19 00 00 16  ................
0070: 73 75 6D 69 74 64 65 76   2E 6D 79 73 68 6F 70 69  example.com
0080: 66 79 2E 63 6F 6D                                  
main, WRITE: TLSv1.2 Handshake, length = 134
[Raw write]: length = 139
0000: 16 03 03 00 86 01 00 00   82 03 03 5C E0 63 D7 5B  ...........\.c.[
0010: 37 B4 F2 33 0D E3 EF 6D   DA D2 D9 41 B5 10 92 FB  7..3...m...A....
0020: B6 1E 17 9C 53 CF 05 50   00 85 58 00 00 1A 00 3C  ....S..P..X....<
0030: 00 67 00 40 00 2F 00 33   00 32 00 9C 00 9E 00 A2  .g.@./.3.2......
0040: 00 0A 00 16 00 13 00 FF   01 00 00 3F 00 0D 00 1C  ...........?....
0050: 00 1A 06 03 06 01 05 03   05 01 04 03 04 01 04 02  ................
0060: 03 03 03 01 03 02 02 03   02 01 02 02 00 00 00 1B  ................
0070: 00 19 00 00 16 73 75 6D   69 74 64 65 76 2E 6D 79  .....example.com
0080: 73 68 6F 70 69 66 79 2E   63 6F 6D                 
[Raw read]: length = 5 
0000: 16 03 03 00 51                                     ....Q
[Raw read]: length = 81
0000: 02 00 00 4D 03 03 5C E0   63 DA 99 74 67 FF 71 48  ...M..\.c..tg.qH
0010: B5 9B 8F 63 A4 06 15 AE   1D E6 1B CA 27 C6 9C 85  ...c........'...
0020: B8 E8 40 03 89 54 20 29   3F 81 6A E8 E4 54 39 D7  [email protected] )?.j..T9.
0030: 5A 95 5B DD 7C 59 18 28   05 C2 49 75 22 2E 69 78  Z.[..Y.(..Iu".ix
0040: E1 1B 11 62 03 62 C0 00   9C 00 00 05 FF 01 00 01  ...b.b..........
0050: 00                                                 .
main, READ: TLSv1.2 Handshake, length = 81
*** ServerHello, TLSv1.2
RandomCookie:  GMT: 1541432026 bytes = { 153, 116, 103, 255, 113, 72, 181, 155, 143, 99, 164, 6, 21, 174, 29, 230, 27, 202, 39, 198, 156, 133, 184, 232, 64, 3, 137, 84 }
Session ID:  {41, 63, 129, 106, 232, 228, 84, 57, 215, 90, 149, 91, 221, 124, 89, 24, 40, 5, 194, 73, 117, 34, 46, 105, 120, 225, 27, 17, 98, 3, 98, 192}
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
%% Initialized:  [Session-4, TLS_RSA_WITH_AES_128_GCM_SHA256]
** TLS_RSA_WITH_AES_128_GCM_SHA256
[read] MD5 and SHA1 hashes: len = 81
Eugène Adell :

Not exactly an answer, but I hope it helps.

In the first case the client sends the two Elliptic Curve extensions, but not in the second. I don't know the reason of this different behaviour, but this probably ends with the server not being able to go further because of the impossibility to find a common cipher suite.

The RFC 4492 gives 2 reasons that you shouldn't have any problem with that extensions missing :

  1. The handshake failure is not mentionned as the default case if they are missing :

If a server does not understand the Supported Elliptic Curves
Extension, does not understand the Supported Point Formats Extension, or is unable to complete the ECC handshake while restricting itself
to the enumerated curves and point formats, it MUST NOT negotiate the use of an ECC cipher suite. Depending on what other cipher suites
are proposed by the client and supported by the server, this may
result in a fatal handshake failure alert due to the lack of common
cipher suites.

  1. Sending them is not exactly mandatory, just a preferable behaviour with the 'SHOULD' word :

A TLS client that proposes ECC cipher suites in its ClientHello
message SHOULD include these extensions.

This leads to a software bug or a wrong install (missing files, wrong permissions,..) either on the client or the server.

What happens on your local test if you run it with -Dcom.sun.net.ssl.enableECC=false ?

You can compare the contents of all directories in jre/lib to find anything missing maybe.

For example does your docker client contain the file libsunec.so ?

What TLS server is on your endpoint ? Is it dockerized too ?

At least the Release Notes for JDK 8 doesn't mention any client side problem that would have been solved. But on the contrary it mentions a jdk.tls.namedGroups(null) problem solved in 8u131, the bug JDK-8173783 which is nicely explained by its duplicate bug - the JDK-8173960 bug. This doesn't explain why you are facing two different behaviors but maybe there's something around it that is not mentionned (another missing file rather sunec.jar said in the bug, leading to the same problem). From my point of view, a missing file on the client side leads to a server side bug (triggered by a missing file too or a simple software bug). Let us know the solution if you find.

Guess you like

Origin http://43.154.161.224:23101/article/api/json?id=84259&siteId=1
Recommended
Ranking
Solve the problem that the Chinese display of the drawing using python matplotlib under the Linux system is displayed as a box
[Conference Call for Papers] The 5th International Conference on Civil Engineering, Environmental Resources and Energy Materials (CCESEM 2023)
4-yl Fast Fourier Transform
DataGirdView interlaced display color
[Docker implements test deployment CI/CD----Dingding alarm after the build is successful (7)]
[Asp.net core series] 6 the complete structure of a project in actual combat
The new version of OpenCenterV3 management background
Why can box plots detect outliers and what is the principle?
[Switch] jumbo frame Introduction
C++对象移动(3)——移动构造函数
Daily
More
2024-05-05(0)
2024-05-04(18)
2024-05-03(8)
2024-05-02(0)
2024-05-01(4)
2024-04-30(36)
2024-04-29(5)
2024-04-28(12)
2024-04-27(29)
2024-04-26(22)

Code World

© 2018 codetd.com