Updating from 6.0.1 -> 7.0.0: javax.net.ssl.SSLHandshakeException: extension (5) should not be presented in certificate_request #854

Closed
Description

@bmarcj

On updating from 6.0.1 to 7.0.0, calls to the API appear to trigger exceptions at the OkHttp layer.

Versions: Java 12, Kubernetes 1.17.1

This was working fine in 6.0.1.

Is there some different or additional configuration/security handling needed in 7.0.0 compared to 6.0.1?

ApiClient apiClient = ClientBuilder.cluster().build();
BatchV1Api api = new BatchV1Api(apiClient);

// Asynchronous delete of the Job
api.deleteNamespacedJobAsync(
        name,
        namespace,
        "true",
        null,
        null,
        null,
        null,
        null,
        new Callback<>(...));

Gives the following exception:

Caused by: io.kubernetes.client.openapi.ApiException: javax.net.ssl.SSLHandshakeException: extension (5) should not be presented in certificate_request
	at io.kubernetes.client.openapi.ApiClient$1.onFailure(ApiClient.java:927)
	at okhttp3.RealCall$AsyncCall.execute(RealCall.java:180)
	at okhttp3.internal.NamedRunnable.run(NamedRunnable.java:32)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:835)
Caused by: javax.net.ssl.SSLHandshakeException: extension (5) should not be presented in certificate_request
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:307)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:263)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:254)
	at java.base/sun.security.ssl.SSLExtensions.<init>(SSLExtensions.java:90)
	at java.base/sun.security.ssl.CertificateRequest$T13CertificateRequestMessage.<init>(CertificateRequest.java:800)
	at java.base/sun.security.ssl.CertificateRequest$T13CertificateRequestConsumer.consume(CertificateRequest.java:904)
	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:441)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:419)
	at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:177)
	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
	at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1180)
	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1091)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
	at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:336)
	at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:300)
	at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:185)
	at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.java:224)
	at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.java:108)
	at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.java:88)
	at okhttp3.internal.connection.Transmitter.newExchange(Transmitter.java:169)
	at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:41)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
	at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:94)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
	at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
	at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:88)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
	at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:229)
	at okhttp3.RealCall$AsyncCall.execute(RealCall.java:172)

Activity

yue9944882 (Member) commented on Jan 21, 2020

golang/go#35722 (comment)

It can be a bug in the OpenJDK upstream.

bmarcj (Author) commented on Jan 21, 2020

As a workaround, I've launched with "-Djdk.tls.client.protocols=TLSv1.2". This appears to be okay, but I'm not sure of the knock-on consequences.

It does look like it relates to this bug in the OpenJDK:

https://bugs.openjdk.java.net/browse/JDK-8236039

brendandburns (Contributor) commented on Feb 1, 2020

Given that this appears to be an OpenJDK bug, I'm going to close this issue.

If you need to reopen it, please use the /reopen command.

QusayHe commented on Jun 30, 2020

I have the same problem in AdoptOpenJDK jdk-14.0.1+7.

zvmzaretsky commented on Feb 21, 2021

Use this when building your app: -Djdk.tls.client.protocols=TLSv1.2
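
A narrower alternative to the JVM-wide flag used in this thread, shown as an added example that is not part of the original issue or of the kubernetes-client project: restrict only the Kubernetes ApiClient's OkHttp connections to TLS 1.2 through a ConnectionSpec, so other TLS clients in the same process can still negotiate TLS 1.3. The names Tls12ScopedClient and buildTls12Client are hypothetical; the code assumes client 7.0.0 or later (OkHttp 3.x or later) running in-cluster with a service account.

```java
import io.kubernetes.client.openapi.ApiClient;
import io.kubernetes.client.openapi.Configuration;
import io.kubernetes.client.util.ClientBuilder;
import java.io.IOException;
import java.util.Collections;
import okhttp3.ConnectionSpec;
import okhttp3.OkHttpClient;
import okhttp3.TlsVersion;

public class Tls12ScopedClient {

    // Hypothetical helper: returns an in-cluster ApiClient whose OkHttp
    // connections offer only TLS 1.2 in the ClientHello, so the TLS 1.3
    // CertificateRequest parsing seen in the stack trace is never reached.
    static ApiClient buildTls12Client() throws IOException {
        ApiClient apiClient = ClientBuilder.cluster().build();

        // Start from OkHttp's MODERN_TLS spec (keeps its cipher suite list)
        // and narrow the enabled protocol versions to TLS 1.2 only.
        ConnectionSpec tls12Only = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
                .tlsVersions(TlsVersion.TLS_1_2)
                .build();

        // newBuilder() copies the existing client, so the CA bundle and any
        // client-certificate settings applied by ClientBuilder are preserved.
        OkHttpClient pinned = apiClient.getHttpClient().newBuilder()
                .connectionSpecs(Collections.singletonList(tls12Only))
                .build();
        apiClient.setHttpClient(pinned);
        return apiClient;
    }

    public static void main(String[] args) throws IOException {
        ApiClient apiClient = buildTls12Client();
        Configuration.setDefaultApiClient(apiClient);
        // Print the effective specs so the pin is visible in startup logs.
        System.out.println("connection specs: "
                + apiClient.getHttpClient().connectionSpecs());
    }
}
```

Unlike the system property, this pin lives in code, so it should be removed once the JVM in use carries the fix for the OpenJDK bug linked above.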

Issue #854 · kubernetes-client/java