Dear community,
If you are using the Temporal Java SDK and SSL to connect to the Temporal backend, please continue reading.
TL;DR
There is a bug in OpenJDK that may result in an `SSLHandshakeException` while trying to connect to the Temporal backend using TLS 1.3. It has been fixed in JDK 11, 13, 14 and 15, but OpenJDK 12 still has the issue. We recommend you migrate to a newer version of the JDK that has this bug fixed; otherwise you might be unable to communicate with the Temporal backend using a client cert/key pair.
What if I must stay on jdk 12?
If changing the JDK version is not an option for you, you can switch from TLS 1.3 to TLS 1.2 by adding the `-Djdk.tls.client.protocols=TLSv1.2` flag to your JDK startup options. For example, if you are using a Gradle application, you could use something like:
```groovy
application {
    mainClass = 'my.company.temporal.worker.Main'
    applicationDefaultJvmArgs = ['-Djdk.tls.client.protocols=TLSv1.2']
}
```
Stack trace that you might see:
```
Caused by: javax.net.ssl.SSLHandshakeException: extension (5) should not be presented in certificate_request
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:307)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:263)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:254)
    at java.base/sun.security.ssl.SSLExtensions.<init>(SSLExtensions.java:90)
    at java.base/sun.security.ssl.CertificateRequest$T13CertificateRequestMessage.<init>(CertificateRequest.java:800)
    at java.base/sun.security.ssl.CertificateRequest$T13CertificateRequestConsumer.consume(CertificateRequest.java:904)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:441)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:688)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008)
    at io.grpc.netty.shaded.io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1550)
    at io.grpc.netty.shaded.io.netty.handler.ssl.SslHandler.access$1900(SslHandler.java:167)
    at io.grpc.netty.shaded.io.netty.handler.ssl.SslHandler$SslTasksRunner.run(SslHandler.java:1737)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.base/java.lang.Thread.run(Thread.java:835)
```
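
A startup check for the situation described above, added here as an example and not part of the original post or of the Temporal SDK: it reports the running JDK feature version and whether the `-Djdk.tls.client.protocols=TLSv1.2` workaround has taken effect. The class name `TlsPreflight` is hypothetical, and the check inspects the JDK's default `SSLContext`, on the assumption that the worker's connection follows the same system property, as the workaround above implies.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

/** Added example: fail fast on JDK 12 when TLS 1.3 is still enabled for clients. */
public final class TlsPreflight {

    // The post names OpenJDK 12 as the release that still has the bug.
    // Fixed update levels of 11, 13, 14 and 15 are not listed there, so they are not checked.
    private static final int AFFECTED_FEATURE_VERSION = 12;

    /** True when the runtime is the affected release and still offers TLS 1.3 as a client. */
    static boolean atRisk(int featureVersion, List<String> clientProtocols) {
        return featureVersion == AFFECTED_FEATURE_VERSION
                && clientProtocols.contains("TLSv1.3");
    }

    /** Protocols the JDK's default SSLContext enables for client connections. */
    static List<String> defaultClientProtocols() throws NoSuchAlgorithmException {
        return Arrays.asList(
                SSLContext.getDefault().getDefaultSSLParameters().getProtocols());
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        int feature = Runtime.version().feature();   // 12 for any OpenJDK 12.x build
        String override = System.getProperty("jdk.tls.client.protocols");
        List<String> protocols = defaultClientProtocols();

        System.out.printf("JDK feature version:      %d%n", feature);
        System.out.printf("jdk.tls.client.protocols: %s%n",
                override == null ? "(not set)" : override);
        System.out.printf("Default client protocols: %s%n", protocols);

        if (atRisk(feature, protocols)) {
            System.err.println("JDK 12 with TLSv1.3 enabled: the handshake may fail with "
                    + "SSLHandshakeException. Upgrade the JDK or start the JVM with "
                    + "-Djdk.tls.client.protocols=TLSv1.2");
            System.exit(1);
        }
        System.out.println("No JDK 12 / TLS 1.3 combination detected.");
    }
}
```

Run it with the same JVM and the same JVM arguments as the worker, since the property is read when the default context is first created.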