TLSv1 and TLSv1.1 is not supported by Netty

Expected behaviour

With an endpoint that only supports TLSv1 and TLSv1.1, the handshake should be successful

Actual behaviour

With an endpoint that only supports TLSv1 and TLSv1.1, the handshake fails with SSLHandshakeException

Steps to reproduce

Write any dummy app that does handshake using Netty.

Test Code

https://github.com/Sandeep-CodeAcc/NettyClient.git

Please clone the above Git repository, build it and run App.java.

Netty version

4.1.63.Final

JVM version (e.g. java -version)

Java 1.8.0_291 from Oracle. You might need to change the java.security file to enable the TLSv1 and TLSv1.1 handshakes; by default these are disabled.

OS version (e.g. uname -a)

Darwin Kernel Version 20.6.0

Issue Analytics

  • State:open
  • Created 2 years ago
  • Comments:10 (6 by maintainers)

Top GitHub Comments

johnou commented, Oct 12, 2021 (1 reaction)

chrisvest commented, Oct 22, 2021 (0 reactions)

@Sandeep-CodeAcc I simplified your test a bit so it looks like this:

    b.handler(new ChannelInitializer<SocketChannel>() {
        @Override
        public void initChannel(SocketChannel ch)
          throws Exception {
            ch.pipeline().addLast(ssl().newHandler(ByteBufAllocator.DEFAULT));
            ch.pipeline().addLast(new HttpClientCodec());
            handler = new ClientHandler();
            ch.pipeline().addLast(handler);
        }
    });

When the correct java.security file is updated to allow TLSv1.1, then I do see a TLSv1.1 ClientHello being sent towards the server. You can see this in Wireshark or with -Djavax.net.debug=all.

The server then responds with a handshake failure alert. You’ll need to investigate the server to see why it does that.
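
To confirm which java.security settings the running JVM actually picked up, the following diagnostic prints the JSSE protocol state. It is an added example, not code from the issue, the reporter's test project or Netty; the class name `TlsProtocolCheck` is hypothetical, and it assumes the client uses the JDK (JSSE) SSL provider.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added diagnostic (hypothetical class name); run it with the same JVM and
// the same -Djava.security.properties override, if any, as the Netty client.
public class TlsProtocolCheck {

    // Entries of the jdk.tls.disabledAlgorithms security property, which is
    // where java.security lists protocols such as TLSv1 and TLSv1.1.
    static Set<String> disabledAlgorithms() {
        Set<String> entries = new LinkedHashSet<>();
        String prop = Security.getProperty("jdk.tls.disabledAlgorithms");
        if (prop != null) {
            for (String entry : prop.split(",")) {
                String trimmed = entry.trim();
                if (!trimmed.isEmpty()) {
                    entries.add(trimmed);
                }
            }
        }
        return entries;
    }

    public static void main(String[] args) throws Exception {
        Set<String> disabled = disabledAlgorithms();

        // A client-mode engine from the default context shows what JSSE offers
        // when the application does not narrow the protocol list itself.
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(true);
        Set<String> supported = new LinkedHashSet<>(Arrays.asList(engine.getSupportedProtocols()));
        Set<String> enabled = new LinkedHashSet<>(Arrays.asList(engine.getEnabledProtocols()));

        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("jdk.tls.disabledAlgorithms = " + disabled);
        for (String p : new String[] {"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}) {
            System.out.printf("%-8s supported=%-5b enabledByDefault=%-5b listedAsDisabled=%b%n",
                    p, supported.contains(p), enabled.contains(p), disabled.contains(p));
        }
    }
}
```

If `TLSv1` or `TLSv1.1` still shows as listed in `jdk.tls.disabledAlgorithms`, the edited java.security file is not the one this JVM loads.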
