Hi there,

We use Http11Nio2Protocol and configure TLSv1.2 for our services, and intermittently encounter a handshake failure when posting a big chunk of data from HttpClient via HTTP POST, with the following exception:

    https-jsse-nio2-15443-exec-9, fatal error: 80: problem unwrapping net record
    javax.net.ssl.SSLException: Unsupported record version Unknown-152.152
    %% Invalidated: [Session-5, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
    https-jsse-nio2-15443-exec-9, SEND TLSv1.2 ALERT: fatal, description = internal_error
    Padded plaintext before ENCRYPTION: len = 80
    0000: 0E B4 29 73 84 93 21 64 30 2D 90 D4 99 E4 67 2E ..)s..!d0-....g.
    0010: 02 50 50 C3 E0 45 C2 70 5D 09 E7 EC 1D 03 1F CE .PP..E.p].......
    0020: CC 25 05 97 23 88 AA 17 FC D3 41 B6 1B 53 68 A6 .%..#.....A..Sh.
    0030: 1F BF 53 4D 78 F3 D2 24 D4 09 E1 D4 42 B8 3F 34 ..SMx..$....B.?4
    0040: 2C BD 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D ,...............
    https-jsse-nio2-15443-exec-9, WRITE: TLSv1.2 Alert, length = 80
    03-Jan-2018 16:45:36.987 FINE [https-jsse-nio2-15443-exec-9] org.apache.tomcat.util.net.Nio2Endpoint$SocketProcessor.doRun Handshake failed
     javax.net.ssl.SSLException: Unsupported record version Unknown-152.152
        at sun.security.ssl.InputRecord.checkRecordVersion(InputRecord.java:552)
        at sun.security.ssl.EngineInputRecord.bytesInCompletePacket(EngineInputRecord.java:113)
        at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:868)
        at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
        at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
        at org.apache.tomcat.util.net.SecureNio2Channel.handshakeUnwrap(SecureNio2Channel.java:495)
        at org.apache.tomcat.util.net.SecureNio2Channel.handshakeInternal(SecureNio2Channel.java:289)
        at org.apache.tomcat.util.net.SecureNio2Channel.handshake(SecureNio2Channel.java:204)
        at org.apache.tomcat.util.net.Nio2Endpoint$SocketProcessor.doRun(Nio2Endpoint.java:1675)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at org.apache.tomcat.util.net.AbstractEndpoint.processSocket(AbstractEndpoint.java:946)
        at org.apache.tomcat.util.net.SecureNio2Channel$HandshakeReadCompletionHandler.completed(SecureNio2Channel.java:98)
        at org.apache.tomcat.util.net.SecureNio2Channel$HandshakeReadCompletionHandler.completed(SecureNio2Channel.java:91)
        at sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:126)
        at sun.nio.ch.Invoker$2.run(Invoker.java:218)
        at sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)

If we switched to Http11NioProtocol, it worked OK. And if we modify SecureNio2Channel.handshakeUnwrap() by commenting out the following lines,

    protected SSLEngineResult handshakeUnwrap() throws IOException {
    //    if (netInBuffer.position() == netInBuffer.limit()) {
    //        //clear the buffer if we have emptied it out on data
    //        netInBuffer.clear();
    //    }
        SSLEngineResult result;

We tried both an HttpClient POST and a browser POST with the changes, and it seemed to work. It looks like our HTTP client tried to close the socket every time, judging from the log message (not sure, though).

Do the changes make sense, and what would be the side effects?

In our case, the "netInBuffer" could be full, i.e., position = limit for large data. Maybe the "netInBuffer" should not be cleared since "compact" would reset the "netInBuffer", should it?

Please advise.

Thanks,
Michael
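
The buffer state asked about above, as an added example that is not part of the original post and is not Tomcat code. It assumes the buffer is in write mode (position = bytes received) when the position == limit check runs; the class name, the 16-byte capacity and the two-record stream are constructed for illustration, with 0x98 (decimal 152) payload bytes chosen to match the version in the log.

```java
import java.nio.ByteBuffer;

public class NetInBufferDemo {
    // Constructed sample stream: one 8-byte handshake record, then one 16-byte
    // application-data record whose 11 payload bytes are all 0x98 (decimal 152).
    static byte[] stream() {
        ByteBuffer s = ByteBuffer.allocate(24);
        s.put(new byte[] {0x16, 3, 3, 0, 3, 1, 2, 3});
        s.put(new byte[] {0x17, 3, 3, 0, 11});
        for (int i = 0; i < 11; i++) s.put((byte) 0x98);
        return s.array();
    }

    // Version bytes of the 5-byte TLS record header at the buffer's position:
    // type(1) | major(1) | minor(1) | length(2)
    static String headerVersion(ByteBuffer readable) {
        int p = readable.position();
        return (readable.get(p + 1) & 0xff) + "." + (readable.get(p + 2) & 0xff);
    }

    static String run(boolean clearWhenPositionEqualsLimit) {
        byte[] wire = stream();
        ByteBuffer netIn = ByteBuffer.allocate(16);  // hypothetical stand-in for netInBuffer
        netIn.put(wire, 0, 16);                      // first socket read fills the buffer
        if (clearWhenPositionEqualsLimit && netIn.position() == netIn.limit()) {
            // In write mode position == limit means "full", not "drained":
            // clear() rewinds to 0 and the 16 unread bytes get overwritten.
            netIn.clear();
        } else {
            netIn.flip();                            // switch to read mode
            int recordLen = 5 + netIn.getShort(netIn.position() + 3);
            netIn.position(netIn.position() + recordLen); // consume record 1
            netIn.compact();                         // keep the partial record 2
        }
        netIn.put(wire, 16, 8);                      // second socket read
        netIn.flip();
        return headerVersion(netIn);                 // header the next unwrap would see
    }

    public static void main(String[] args) {
        System.out.println("clear on position == limit: " + run(true));
        System.out.println("flip / consume / compact:   " + run(false));
    }
}
```

In the clear() path the next header parse starts inside the second record's payload, so the "version" is read from payload bytes; in the flip/consume/compact path the partial record is preserved and the header is read from its real position.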