8 Replies Latest reply on Oct 17, 2019 7:21 AM by Andreas Mitterdorfer

    Jetty with openjdk issues

    Danut Mosescu

      Hello,

      We have recently upgraded our AR servers/ITSM from version 18.08.001 to 19.02 and are now using OpenJDK 11.0.2. Since the upgrade, Jetty is working intermittently, and because of OpenJDK it is having issues recognizing the SSL certificate. We have reverted to the old JDK version (1.8.0.77) on one server, and there the issues with the certificate have gone, but Jetty is still working intermittently (after an AR server restart it either works or not).

      In order to fix the issue we have modified the following:

      --- java.security: modified to keystore.type=jks

      --- management.properties: added javax.net.ssl.trustStorePassword=<password>

      --- We have also tested with adding the below parameters either in parallel or both at the same time:

      -Djdk.tls.server.protocols=TLSv1.2
      -Djdk.tls.client.protocols=TLSv1.2

      --- removed cacerts file and regenerated it + imported the certificate in a new keystore

      SSL Poke error:

      javax.net.ssl|DEBUG|01|main|2019-06-07 14:00:04.749 CEST|SSLCipher.java:437|jdk.tls.keyLimits:  entry = AES/GCM/NoPadding KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472

      javax.net.ssl|ERROR|01|main|2019-06-07 14:00:05.108 CEST|TransportContext.java:313|Fatal (HANDSHAKE_FAILURE): Invalid ECDH ServerKeyExchange signature

       

      Attached are results from SSLPoke tests with OpenJDK (with jdk1.8.0.77 the test is successful).

      Thank you