NotSslRecordException with Java 11 JDK SSLProvider

Expected behavior

SSL handshake succeeds.

Actual behavior

When using Java 11+ with TLS 1.3, SSL negotiation fails with:

io.netty.handler.codec.DecoderException: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 8ec407d00e000000
		at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:472)
		at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:278)
		at io.r2dbc.mssql.client.ssl.TdsSslHandler.channelRead(TdsSslHandler.java:363)
		at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
		... 18 more
	Caused by: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: db34cbdf0e000000
		at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1206)
		at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1274)
		at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:502)
		at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:441)
		... 21 more

The reported byte sequence is always different, but it is always the last 8 bytes of the first received SSL handshake packet.

Full traffic (LoggingHandler): https://gist.github.com/mp911de/33e9d19332ac77b5b73e7d7d3f56c5f8

Full traffic (Wireshark): r2dbc-mssql-tls.pcapng.zip

Steps to reproduce

Connect to Azure SQL server via R2DBC MSSQL using Java 11:

SQL Server driver: https://github.com/r2dbc/r2dbc-mssql

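import io.r2dbc.mssql.MssqlConnectionConfiguration;
import io.r2dbc.mssql.MssqlConnectionFactory;

// Build the connection configuration for the Azure SQL host.
MssqlConnectionConfiguration config = MssqlConnectionConfiguration.builder()
    .host("abcbookstore.database.windows.net")
    .database("foo")
    .username("foo")
    .password("foo")
    .build();
MssqlConnectionFactory cf = new MssqlConnectionFactory(config);

// Opening the connection triggers the TLS handshake that fails.
cf.create().block();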

Minimal yet complete reproducer code (or URL to code)

https://gist.github.com/mp911de/3421fa37f71f2032239b3fa60507ebeb

Netty version

4.1.36.Final

JVM version (e.g. java -version)

Oracle JDK 11.0.1

OS version (e.g. uname -a)

18.6.0 Darwin Kernel Version 18.6.0: Thu Apr 25 23:16:27 PDT 2019; root:xnu-4903.261.4~2/RELEASE_X86_64 x86_64

Related issue: r2dbc/r2dbc-mssql#77

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 10 (4 by maintainers)

Top GitHub Comments

mp911de commented, Jul 18, 2019

Thanks @normanmaurer for your help and your time.

mp911de commented, Jul 18, 2019

The problem happens entirely in the library; it is not a Netty issue. The actual cause is packet fragmentation and improper packet aggregation.

For some reason, it kept working in most Java 8 scenarios, therefore, I was blinded by a relation to the used Java runtime version.
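
The comment above puts the failure down to packet fragmentation and improper packet aggregation. As an added example (not code from r2dbc-mssql, Netty or the issue), the class below aggregates reads that end mid-packet before handing TLS bytes on, assuming the handshake travels inside TDS packets with the MS-TDS 8-byte header whose big-endian length at offset 2 includes the header. Class and method names are hypothetical and the sample bytes are constructed.

```java
import java.io.ByteArrayOutputStream;
import java.nio.ByteBuffer;
import java.util.Arrays;
// Added example with hypothetical names; TDS framing per MS-TDS is an assumption, not from the page.
public class TdsTlsAggregator {
    static final int TDS_HEADER = 8;                      // type, status, length(2), SPID(2), id, window
    private ByteBuffer pending = ByteBuffer.allocate(0);  // tail of an incomplete TDS packet
    /** Accepts one network read; returns the TLS bytes of every TDS packet completed by it. */
    byte[] feed(byte[] chunk) {
        ByteBuffer buf = ByteBuffer.allocate(pending.remaining() + chunk.length);
        buf.put(pending).put(chunk).flip();
        ByteArrayOutputStream tls = new ByteArrayOutputStream();
        while (buf.remaining() >= TDS_HEADER) {
            int len = buf.getShort(buf.position() + 2) & 0xFFFF;  // total length, header included
            if (len < TDS_HEADER) throw new IllegalStateException("bad TDS length " + len);
            if (buf.remaining() < len) break;             // fragment: emit nothing until complete
            tls.write(buf.array(), buf.position() + TDS_HEADER, len - TDS_HEADER);
            buf.position(buf.position() + len);
        }
        pending = buf.slice();                            // keep unconsumed bytes for the next read
        return tls.toByteArray();
    }

    /** True if b starts with a plausible TLS record header (content type 20..23, major version 3). */
    static boolean looksLikeTlsRecord(byte[] b) {
        return b.length >= 5 && b[0] >= 20 && b[0] <= 23 && b[1] == 3;
    }

    /** Wraps a payload in a constructed TDS packet (type 0x12, status 0x01). */
    static byte[] tdsPacket(byte[] payload) {
        ByteBuffer p = ByteBuffer.allocate(TDS_HEADER + payload.length);
        p.put((byte) 0x12).put((byte) 0x01).putShort((short) p.capacity()).putInt(0).put(payload);
        return p.array();
    }
    public static void main(String[] args) {
        // Constructed sample: one TLS handshake record split across two TDS packets.
        byte[] record = {0x16, 0x03, 0x03, 0x00, 0x04, 0x0e, 0x00, 0x00, 0x00};
        byte[] a = tdsPacket(Arrays.copyOfRange(record, 0, 6));
        byte[] b = tdsPacket(Arrays.copyOfRange(record, 6, 9));
        byte[] stream = Arrays.copyOf(a, a.length + b.length);
        System.arraycopy(b, 0, stream, a.length, b.length);
        TdsTlsAggregator agg = new TdsTlsAggregator();
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (int i = 0; i < stream.length; i += 5) {      // deliver as 5-byte network reads
            byte[] tls = agg.feed(Arrays.copyOfRange(stream, i, Math.min(i + 5, stream.length)));
            out.write(tls, 0, tls.length);
        }
        System.out.println("reassembled intact: " + (Arrays.equals(out.toByteArray(), record)
                && looksLikeTlsRecord(out.toByteArray())));
    }
}
```

Bytes are forwarded only once a whole TDS packet has arrived, so header or trailing bytes of a partial packet never reach the TLS decoder as if they were the start of a record.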
