We are using OkHttp 3.11 with Java 1.8 (8u432), and our program has been running fine for a long time. Recently, however, SSL handshake failures started occurring suddenly, and the issue persists even after a restart.
To investigate, I enabled SSL logging and noticed the following:
```
javax.net.ssl|FINE|59|Putdata-Thread-4|2024-12-16 19:11:29.665 SGT|SSLExtensions.java:260|Ignore, context unavailable extension: status_request
javax.net.ssl|FINE|59|Putdata-Thread-4|2024-12-16 19:11:29.665 SGT|SupportedGroupsExtension.java:835|Ignore inactive or disabled named group: ffdhe2048
javax.net.ssl|FINE|59|Putdata-Thread-4|2024-12-16 119:1:29.665 SGT|SupportedGroupsExtension.java:835|Ignore inactive or disabled named group: ffdhe3072
javax.net.ssl|FINE|59|Putdata-Thread-4|2024-12-16 19:11:29.665 SGT|SupportedGroupsExtension.java:835|Ignore inactive or disabled named group: ffdhe4096
javax.net.ssl|FINE|59|Putdata-Thread-4|2024-12-16 19:11:29.665 SGT|SupportedGroupsExtension.java:835|Ignore inactive or disabled named group: ffdhe6144
javax.net.ssl|FINE|59|Putdata-Thread-4|2024-12-16 19:11:29.665 SGT|SupportedGroupsExtension.java:835|Ignore inactive or disabled named group: ffdhe8192
javax.net.ssl|WARNING|59|Putdata-Thread-4|2024-12-16 19:11:29.666 SGT|SupportedGroupsExtension.java:842|no available named group
javax.net.ssl|FINE|59|Putdata-Thread-4|2024-12-16 19:11:29.666 SGT|SSLExtensions.java:260|Ignore, context unavailable extension: supported_groups
javax.net.ssl|FINE|59|Putdata-Thread-4|2024-12-16 19:11:29.666 SGT|ECPointFormatsExtension.java:195|Need no ec_point_formats extension
javax.net.ssl|FINE|59|Putdata-Thread-4|2024-12-16 19:11:29.666 SGT|SSLExtensions.java:260|Ignore, context unavailable extension: ec_point_formats
javax.net.ssl|WARNING|59|Putdata-Thread-4|2024-12-16 19:11:29.668 SGT|SignatureScheme.java:297|Signature algorithm, ed25519, is not supported by the underlying providers
javax.net.ssl|WARNING|59|Putdata-Thread-4|2024-12-16 19:11:29.668 SGT|SignatureScheme.java:297|Signature algorithm, ed448, is not supported by the underlying providers
javax.net.ssl|FINE|59|Putdata-Thread-4|2024-12-16 19:11:29.710 SGT|SSLExtensions.java:260|Ignore, context unavailable extension: status_request_v2
javax.net.ssl|FINE|59|Putdata-Thread-4|2024-12-16 19:11:29.713 SGT|ClientHello.java:564|Produced ClientHello handshake message (
"ClientHello": {
  "client version"      : "TLSv1.2",
  "random"              : "C9 64 A2 FE 29 00 1A 97 FD 04 BC 65 74 C0 34 5D 2F 16 03 61 82 FE 9C 8C 79 20 B1 E9 CF 9A 54 00",
  "session id"          : "",
  "cipher suites"       : "[TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), SSL_RSA_WITH_3DES_EDE_CBC_SHA(0x000A)]",
  "compression methods" : "00",
  "extensions"          : [
    "server_name (0)": {
      type=host_name (0), value=api2.appsflyer.com
    },
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "application_layer_protocol_negotiation (16)": {
      [h2, http/1.1]
    },
    "extended_master_secret (23)": {
      <empty>
    },
    "supported_versions (43)": {
      "versions": [TLSv1.2, TLSv1.1, TLSv1]
    },
    "renegotiation_info (65,281)": {
      "renegotiated connection": [<no renegotiated connection>]
    }
  ]
}
)
javax.net.ssl|FINE|59|Putdata-Thread-4|2024-12-16 19:11:29.742 SGT|Alert.java:238|Received alert message (
"Alert": {
  "level"      : "warning",
  "description": "close_notify"
}
)
javax.net.ssl|SEVERE|59|Putdata-Thread-4|2024-12-16 19:11:29.743 SGT|TransportContext.java:323|Fatal (UNEXPECTED_MESSAGE): Received close_notify during handshake (
"throwable" : {
  javax.net.ssl.SSLProtocolException: Received close_notify during handshake
    at sun.security.ssl.Alert.createSSLException(Alert.java:129)
    at sun.security.ssl.Alert.createSSLException(Alert.java:117)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:318)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:274)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:265)
    at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:250)
    at sun.security.ssl.TransportContext.dispatch(TransportContext.java:185)
    at sun.security.ssl.SSLTransport.decode(SSLTransport.java:152)
    at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1401)
    at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1309)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440)
    at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:318)
    at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:282)
    at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:167)
    at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:257)
    at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:135)
    at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:114)
    at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
    at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
    at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
    at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:126)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
    at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:200)
    at okhttp3.RealCall.execute(RealCall.java:77)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:750)}
)
```
The client is offering only 5 cipher suites, which may be causing the handshake to fail.
Steps to reproduce:

1. Run the program using OkHttp 3.11 with Java 1.8 (8u432).
2. Encounter SSL handshake failure.
3. Enable SSL logging and observe the cipher suites in the ClientHello.

Expected behavior:

The handshake should complete successfully with a compatible cipher suite.

Actual behavior:

The handshake fails due to the limited set of cipher suites (5) being offered by the client.

Additional context:

- Java Version: 1.8 (8u432)
- OkHttp Version: 3.11
Please advise on potential causes or fixes for this issue.
Thank you!
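
The log in this report shows `no available named group` and a ClientHello that offers only static-RSA suites, so the state of the JVM's own TLS defaults is worth checking on the affected host. The following Java 8 diagnostic is an added example, not part of the original report or of OkHttp; the class name `TlsClientDiag` and its helper methods are hypothetical. It prints the installed security providers, whether EC key generation and ECDH are available, the named-group and disabled-algorithm settings, and how many enabled suites use ephemeral key exchange.

```java
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.spec.ECGenParameterSpec;
import java.util.ArrayList;
import java.util.List;
import javax.crypto.KeyAgreement;
import javax.net.ssl.SSLContext;

/** Added diagnostic (hypothetical class): shows why a JVM may offer no (EC)DHE suites. */
public class TlsClientDiag {

    /** Returns the suites that use ephemeral (forward-secret) key exchange. */
    static List<String> ephemeralSuites(String[] suites) {
        List<String> out = new ArrayList<>();
        for (String s : suites) {
            if (s.contains("_ECDHE_") || s.contains("_DHE_")) out.add(s);
        }
        return out;
    }

    /** Reports whether any installed provider can generate a P-256 key and do ECDH. */
    static String ecSupport() {
        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
            kpg.initialize(new ECGenParameterSpec("secp256r1"));
            kpg.generateKeyPair();
            KeyAgreement.getInstance("ECDH");
            return "available via provider " + kpg.getProvider().getName();
        } catch (Exception e) {
            return "MISSING (" + e + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version = " + System.getProperty("java.version"));
        for (Provider p : Security.getProviders()) System.out.println("provider: " + p);
        System.out.println("EC/ECDH: " + ecSupport());
        // Null means the property is unset and the JDK's built-in default applies.
        System.out.println("jdk.tls.namedGroups = " + System.getProperty("jdk.tls.namedGroups"));
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));
        String[] suites = SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites();
        List<String> pfs = ephemeralSuites(suites);
        System.out.println("enabled suites: " + suites.length + ", ephemeral: " + pfs.size());
        for (String s : suites) System.out.println("  " + s);
        if (pfs.isEmpty()) System.out.println("WARNING: no ECDHE/DHE suite is enabled in this JVM");
    }
}
```

Run it with the same `java` binary, `java.security` file and `-D` options as the failing service, since those determine which providers and named groups are active.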