SSLHandshakeException on java 12

Vitaly · March 5, 2021, 3:33am

Dear community,

If you are using temporal Java SDK and SSL to connect to the temporal backend please continue reading.

TL;DR
There is a bug in the openjdk, which may result in `SSLHandshakeException’ while trying to connect to the temporal backend using TLS 1.3. It has been fixed in jdk 11, 13, 14 and 15, but openjdk 12 is still having an issue. We recommend you migrate to newer versions of the jdk, which has this bug fixed, otherwise you might be unable to communicate with temporal backend using client cert/key pair.

What if I must stay on jdk 12?
If changing jdk version is not an option for you, then you can switch from using TLS 1.3 to TLS 1.2 by adding -Djdk.tls.client.protocols=TLSv1.2 flag to your JDK startup uptions. For example in case if you are using gradle application, you could use something like:

application {
    mainClass = 'my.company.temporal.worker.Main'
    applicationDefaultJvmArgs = ['-Djdk.tls.client.protocols=TLSv1.2']
}

Stack trace that you might see:

Caused by: javax.net.ssl.SSLHandshakeException: extension (5) should not be presented in certificate_request
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:307)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:263)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:254)
	at java.base/sun.security.ssl.SSLExtensions.<init>(SSLExtensions.java:90)
	at java.base/sun.security.ssl.CertificateRequest$T13CertificateRequestMessage.<init>(CertificateRequest.java:800)
	at java.base/sun.security.ssl.CertificateRequest$T13CertificateRequestConsumer.consume(CertificateRequest.java:904)
	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:441)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:688)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008)
	at io.grpc.netty.shaded.io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1550)
	at io.grpc.netty.shaded.io.netty.handler.ssl.SslHandler.access$1900(SslHandler.java:167)
	at io.grpc.netty.shaded.io.netty.handler.ssl.SslHandler$SslTasksRunner.run(SslHandler.java:1737)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:835)

Topic		Replies	Views
Java client with TLS Community Support java-sdk , tls	8	1551	April 18, 2024
Issue being faced for TLS setup Community Support java-sdk	8	1615	March 2, 2022
Net/http: TLS handshake timeout Server Deployment java-sdk	0	365	August 30, 2023
Error after upgrading from 1.14.4 to 1.15.2 Community Support tls	1	582	March 16, 2022
How to set TLS server for java sdk connection option Community Support java-sdk , general-impl	2	630	November 28, 2022

SSLHandshakeException on java 12

Related Topics