NotSslRecordException with Java 11 JDK SSLProvider
See original GitHub issueExpected behavior
SSL handshake succeeds.
Actual behavior
When using Java 11+ with TLS 1.3, SSL negotiation fails with:
io.netty.handler.codec.DecoderException: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 8ec407d00e000000
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:472)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:278)
at io.r2dbc.mssql.client.ssl.TdsSslHandler.channelRead(TdsSslHandler.java:363)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
... 18 more
Caused by: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: db34cbdf0e000000
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1206)
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1274)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:502)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:441)
... 21 more
The reported byte sequence is always different, but always the last 8 byte of the first received SSL handshake packet.
Full traffic (LoggingHandler
): https://gist.github.com/mp911de/33e9d19332ac77b5b73e7d7d3f56c5f8
Full traffic (Wireshark): r2dbc-mssql-tls.pcapng.zip
Steps to reproduce
Connect to Azure SQL server via R2DBC MSSQL using Java 11:
SQL Server driver: https://github.com/r2dbc/r2dbc-mssql
MssqlConnectionConfiguration config = MssqlConnectionConfiguration.builder()
.host("abcbookstore.database.windows.net")
.database("foo")
.username("foo")
.password("foo")
.build();
MssqlConnectionFactory cf = new MssqlConnectionFactory(config);
cf.create().block();
Minimal yet complete reproducer code (or URL to code)
https://gist.github.com/mp911de/3421fa37f71f2032239b3fa60507ebeb
Netty version
4.1.36.Final
JVM version (e.g. java -version
)
Oracle JDK 11.0.1
OS version (e.g. uname -a
)
18.6.0 Darwin Kernel Version 18.6.0: Thu Apr 25 23:16:27 PDT 2019; root:xnu-4903.261.4~2/RELEASE_X86_64 x86_64
Related issue: r2dbc/r2dbc-mssql#77
Issue Analytics
- State:
- Created 4 years ago
- Comments:10 (4 by maintainers)
Top Results From Across the Web
Uses of Package javax.net.ssl (Java SE 11 & JDK 11 )
Instances of this class represent a secure socket protocol implementation which acts as a factory for secure socket factories or SSLEngine s.
Read more >Java 11 internal ssl security provider compilation failure
ssl.internal.ssl.Provider" as the SunJSSE provider name. For compatibility, the name is still supported in the JDK. The actual implementation ...
Read more >TLS/SSL - GitHub Pages
By default the Java driver supports TLS/SSL connections to MongoDB servers using the underlying support for TLS/SSL provided by the JDK.
Read more >JDK Releases - Java
Date Type Version Other Information
2024‑10‑15 CPU 23.0.1, 21.0.5, 17.0.13, 11.0.25, 8u431
2024‑09‑17 Feature 23
2024‑07‑16 CPU 22.0.2, 21.0.4, 17.0.12, 11.0.24, 8u421
Read more >Native SSL provider not available; will use JDK SSL provider
JdkSslClientContext.<init>(JdkSslClientContext.java:261). at io.netty.handler.ssl.SslContext.newClientContextInternal(SslContext.java:751).
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
Thanks @normanmaurer for your help and your time.
The problem happens entirely in the library, not an netty issue. The actual cause is packet fragmentation and improper packet aggregation.
For some reason, it kept working in most Java 8 scenarios, therefore, I was blinded by a relation to the used Java runtime version.