brooklyn-dev mailing list archives

From "Mark McKenna (JIRA)" <>
Subject [jira] [Commented] (BROOKLYN-456) "SSLException: internal_error" upon trying to connect to site requiring SNI
Date Mon, 27 Mar 2017 17:20:41 GMT


Mark McKenna commented on BROOKLYN-456:

[~geomacy] I just tried the below test code pointing at and it worked
... Although I believe there is something up with the SSL cert, as I had to trust all certs

{code}
public void testApacheHttpClent() throws IOException, KeyStoreException, NoSuchAlgorithmException,
        KeyManagementException {
    // The trust strategy accepts every certificate chain ("trust all certs"),
    // so server certificate validation is switched off for this test.
    final CloseableHttpClient httpclient = HttpClients.custom()
            .setSSLContext(new SSLContextBuilder().loadTrustMaterial((chain, authType) -> true).build())
            .build();
    try {
        final HttpGet httpget = new HttpGet("");
        System.out.println("Executing request " + httpget.getRequestLine());
        // Create a custom response handler
        final ResponseHandler<String> responseHandler = response -> {
            int status = response.getStatusLine().getStatusCode();
            if (status >= 200 && status < 300) {
                final HttpEntity entity = response.getEntity();
                return entity != null ? EntityUtils.toString(entity) : null;
            } else {
                throw new ClientProtocolException("Unexpected response status: " + status);
            }
        };
        String responseBody = httpclient.execute(httpget, responseHandler);
    } finally {
        // Release the client's connections
        httpclient.close();
    }
}
{code}

cc []

> "SSLException: internal_error" upon trying to connect to site requiring SNI
> ---------------------------------------------------------------------------
>                 Key: BROOKLYN-456
>                 URL:
>             Project: Brooklyn
>          Issue Type: Bug
>            Reporter: Geoff Macartney
>            Priority: Minor
> On 17th March brooklyn-server builds began failing, such as

> The errors were failures in tests 
> {quote}
> {quote}
> all of which issued requests to "" for test purposes.
> There seems to have been a change in configuration on on the 16th of March, see [here|].
> However the certificate changes appear not to be the problem, as far as I can tell, as the certificate chain from the site has root "Let's Encrypt Authority X3" (SHA1 Fingerprint=E6:A3:B4:5B:06:2D:50:9B:33:82:28:2D:19:6E:FE:97:D5:95:6C:CB), which is signed by CA "DST Root CA X3"  (Certificate fingerprint DA:C9:02:4F:54:D8:F6:DF:94:93:5F:B1:73:26:38:CA:6A:D7:7C:13), which is in the cacerts file of Java 8 by default.
> I believe the problem lies on the Java SSL client side, specifically that the client is not including the SNI (Server Naming Indicator) extension in the SSL handshake.  httpbin requires this, compare 
> {code}
> openssl s_client -showcerts -connect  </dev/null
> CONNECTED(00000003)
> 7944:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/BuildRoot/Library/Caches/
> {code}
> with the output from 
> {code}
> openssl s_client -servername  -showcerts -connect  </dev/null
> {code}
> The result is that the connection attempt fails with 
> {code}
> SSLException: Received fatal alert: internal_error
> {code}
> Searching around the web there seem to be a number of other people who have encountered this problem, e.g.  The issue seems to be fixed only in Java 9, but there may be workarounds on 7 and 8. I haven't tried these out yet. 
> I will look at adding a test in Brooklyn to record this.

This message was sent by Atlassian JIRA
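
An offline way to check whether a JSSE client puts the SNI extension in its ClientHello, as discussed in the issue above. This is an added example, not code from the thread or from Brooklyn; it uses only `javax.net.ssl` (Java 8 or later), the class name and the host `sni-required.example` are constructed, and it leaves certificate validation at its defaults rather than trusting all certificates.

```java
import javax.net.ssl.*;
import java.nio.ByteBuffer;
import java.util.Collections;

public class SniClientHelloCheck {   // hypothetical class name
    // Build the ClientHello a JSSE client would send; sniHost == null leaves SNI unset.
    static byte[] clientHello(String sniHost) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine(); // no peer host hint
        engine.setUseClientMode(true);
        if (sniHost != null) {
            // Explicitly request the server_name extension for this host
            SSLParameters params = engine.getSSLParameters();
            params.setServerNames(Collections.<SNIServerName>singletonList(new SNIHostName(sniHost)));
            engine.setSSLParameters(params);
        }
        ByteBuffer out = ByteBuffer.allocate(engine.getSession().getPacketBufferSize());
        engine.wrap(ByteBuffer.allocate(0), out); // first wrap emits the ClientHello record
        out.flip();
        byte[] record = new byte[out.remaining()];
        out.get(record);
        return record;
    }

    // Walk a well-formed ClientHello record and report whether extension type 0 (server_name) is present.
    static boolean hasSni(byte[] rec) {
        ByteBuffer b = ByteBuffer.wrap(rec);
        if (b.remaining() < 44 || b.get(0) != 22 || b.get(5) != 1) return false; // not a client_hello
        b.position(5 + 4 + 2 + 32);  // record header, handshake header, version, random
        b.position(b.position() + 1 + (b.get(b.position()) & 0xff));        // session_id
        b.position(b.position() + 2 + (b.getShort(b.position()) & 0xffff)); // cipher_suites
        b.position(b.position() + 1 + (b.get(b.position()) & 0xff));        // compression_methods
        if (b.remaining() < 2) return false;                                // no extensions block
        int end = b.position() + 2 + (b.getShort() & 0xffff);
        while (b.position() + 4 <= end) {
            int type = b.getShort() & 0xffff;
            int len = b.getShort() & 0xffff;
            if (type == 0) return true;      // server_name
            b.position(b.position() + len);  // skip this extension's body
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("no SNI set:   " + hasSni(clientHello(null)));
        System.out.println("explicit SNI: " + hasSni(clientHello("sni-required.example"))); // constructed host
    }
}
```

The same `SSLParameters.setServerNames` call can be applied to an `SSLSocket` before the handshake when a client library does not pass the host name through to JSSE.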