Openj9: javax.net.ssl.SSLException: Received fatal alert: bad_record_mac on openj9 0.11.0

Created on 12 Nov 2018  路  13Comments  路  Source: eclipse/openj9

ok my application which connects to an external service via HTTPS using HttpClient is failing when using jdk8u192-b12_openj9-0.11.0 jre:

javax.net.ssl.SSLException: Received fatal alert: bad_record_mac at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) at sun.security.ssl.Alerts.getSSLException(Alerts.java:154) at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2020) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1127) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379) at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396) at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355) at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142) at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:359) at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381) at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237) at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185) at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89) at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111) at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)

had to revert to jdk8u181-b13-OpenJ9 jre which does not get this issue. Will try to get a sample code (and target) and post it here. thanks!

userRaised
Source
picture jsonyu

Most helpful comment

yes. looking into it

picture theresa-m on 12 Nov 2018
👍2

All 13 comments

Hi, happening to me too. I think I found a simple enough way to reproduce it: https://github.com/circlespainter/openj9-issue-3637

circlespainter picture circlespainter on 12 Nov 2018
👍1

@theresa-m Can you take a look at this? It may be related to pulling in OpenSSL for crypto.... If that's the case, then we'll want to pull Nasser, Alon & company in to help.

FYI @pshipton

DanHeidinga picture DanHeidinga on 12 Nov 2018
👍2

yes. looking into it

theresa-m picture theresa-m on 12 Nov 2018
👍2

https://github.com/ibmruntimes/openj9-openjdk-jdk8/pull/145 is the culprit @ashbm5

This build fails the test:

Eclipse OpenJ9 VM (build openj9-0.11.0-rc1, JRE 1.8.0 Linux amd64-64-Bit Compressed References 20181112_000000 (JIT enabled, AOT enabled)
OpenJ9   - 72f731f
OMR      - ea548a6
JCL      - 6eea72c based on jdk8u192-b12)

This build passes:

Eclipse OpenJ9 VM (build openj9-0.11.0-rc1, JRE 1.8.0 Linux amd64-64-Bit Compressed References 20181112_000000 (JIT enabled, AOT enabled)
OpenJ9   - 72f731f
OMR      - ea548a6
JCL      - 3f58849 based on jdk8u192-b12)
theresa-m picture theresa-m on 12 Nov 2018

There is only one change, to enable ssl by default
https://github.com/ibmruntimes/openj9-openjdk-jdk8/compare/3f58849...6eea72c

@ashbm5 @enasser @mbvreddy

pshipton picture pshipton on 12 Nov 2018

As a workaround while we resolve this, you should be able to run with -Djdk.nativeCrypto=false to disable openssl crypto.

DanHeidinga picture DanHeidinga on 13 Nov 2018
👍1

As a workaround while we resolve this, you should be able to run with -Djdk.nativeCrypto=false to disable openssl crypto.

Thanks Dan.. this workaround works!

jsonyu picture jsonyu on 13 Nov 2018

@ashbm5 @enasser @mbvreddy Can you provide an update on this?

DanHeidinga picture DanHeidinga on 14 Nov 2018

I've started looking into this.

mbvreddy picture mbvreddy on 14 Nov 2018
👍1

Failure is observed after client send change_cipher_spec() message and processing server's response to change_cipher_spec(). Server fails to send change_cipher_spec().

I see that internally GCM encrypt & decrypt is always using EVP_aes_128_gcm(). Changing it to EVP_aes_256_gcm() is solving this problem.

Investigating further if we should change GCM cipher based on key length.

mbvreddy picture mbvreddy on 19 Nov 2018

PR https://github.com/ibmruntimes/openj9-openjdk-jdk8/pull/213 fix this issue.

mbvreddy picture mbvreddy on 20 Nov 2018
👍1

This issue was believed to be resolved via ibmruntimes/openj9-openjdk-jdk8#213. The most recently nightly builds should include the fix.

You can grab a JDK or a JRE from the latest nightly build to test that it resolves your issue. If this does not resolve your issue please re-open. Thanks

charliegracie picture charliegracie on 20 Nov 2018
👍1

Yes confirmed as of 1.8.0_192-201811201837-b12 issue is fixed.. many thanks!

jsonyu picture jsonyu on 21 Nov 2018
👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

pshipton picture pshipton  路  3Comments
JamesKingdon picture JamesKingdon  路  5Comments
Mesbah-Alam picture Mesbah-Alam  路  5Comments
mikezhang1234567890 picture mikezhang1234567890  路  5Comments
AdamBrousseau picture AdamBrousseau  路  6Comments