At the Jetty Project we have been getting reports from the community, and seeing random failures in our own TLS load tests and benchmarks, that only happened with Java 11 (any version up to 11.0.2).

Jetty users also saw TLS failures in their environments and opened issues about these failures, most notably issue #2939. Following that Jetty issue, OpenJDK issue JDK-8213202 was reported by @rraptorr (kudos for that!).

The bad news is that JDK-8213202 is not fixed in Java 11.0.2, but it has been fixed in Java 12 (since jdk-12+21), and it has been backported to the OpenJDK 11 repository (and therefore will eventually be part of a future OpenJDK 11.0.x release – hopefully 11.0.3).

The good news is that the issue can be worked around, while waiting for a Java 11 release that fixes it.

You may well have been running Java 11 with TLS 1.3 for months without any problem: JDK-8213202 is difficult to reproduce, we have only seen it trigger under moderate load, and even then not every time.

Upgrade to Java 12 Solution

If you can upgrade to Java 12 (at the time of this writing Java 12 is in Release Candidate status), that will solve JDK-8213202. The upgrade to Java 12 should be a drop-in from Java 11, but we recommend you test the upgrade thoroughly.

Stay on Java 11 Solution

If you must/want to stay on Java 11 – it is a long-term supported release – then you can work around JDK-8213202 by disabling TLS 1.3, which Java 11 and later enable by default, so that connections negotiate TLS 1.2 instead.

If you are using Jetty embedded you can use this code:

SslContextFactory sslContextFactory = new SslContextFactory();
// Exclude TLSv1.3 so that clients negotiate TLSv1.2 instead.
sslContextFactory.setExcludeProtocols("TLSv1.3");

Note that setExcludeProtocols() replaces the factory's default list of excluded protocols (the SSL/SSLv2/SSLv3 family) rather than adding to it. If you want to keep the defaults and only add TLSv1.3 to them, call addExcludeProtocols("TLSv1.3") instead, which is what the XML configuration below does.
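The snippet above applies the exclusion unconditionally, which means it will keep disabling TLS 1.3 after you move to a fixed JVM. The following is an added example, written for this page and not taken from the Jetty project's own code: a complete embedded HTTPS server that only excludes TLSv1.3 when it detects an affected Java 11 runtime (it assumes the fix ships in 11.0.3, as the text above hopes, and in Java 12 and later), and that verifies after startup that TLSv1.3 is really gone from the protocols Jetty will offer. The keystore path, the system property and the KEYSTORE_PASSWORD environment variable are hypothetical and only there to make the example runnable against your own keystore; the Jetty 9.4 API calls (SslContextFactory, addExcludeProtocols, getSelectedProtocols, ServerConnector, SslConnectionFactory) are real.

```java
import java.util.Arrays;

import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class Tls13Workaround
{
    // Assumption: JDK-8213202 affects Java 11 GA through 11.0.2 and is fixed in 11.0.3 and in 12+.
    // Adjust if your vendor's 11.0.x line backports the fix differently.
    static boolean affectedByJdk8213202(Runtime.Version v)
    {
        return v.feature() == 11 && v.update() < 3;
    }

    static SslContextFactory buildSslContextFactory(String keyStorePath, String keyStorePassword)
    {
        SslContextFactory sslContextFactory = new SslContextFactory();
        sslContextFactory.setKeyStorePath(keyStorePath);
        sslContextFactory.setKeyStorePassword(keyStorePassword);
        if (affectedByJdk8213202(Runtime.version()))
        {
            // addExcludeProtocols() keeps Jetty's default exclusions (SSL, SSLv2, SSLv2Hello, SSLv3)
            // and adds TLSv1.3 on top; setExcludeProtocols() would replace that default list.
            sslContextFactory.addExcludeProtocols("TLSv1.3");
        }
        return sslContextFactory;
    }

    public static void main(String[] args) throws Exception
    {
        // Hypothetical keystore location and password source; replace with your own.
        String keyStorePath = System.getProperty("keystore.path", "etc/keystore.p12");
        String keyStorePassword = System.getenv("KEYSTORE_PASSWORD");

        Server server = new Server();

        HttpConfiguration httpsConfig = new HttpConfiguration();
        httpsConfig.setSecureScheme("https");
        httpsConfig.setSecurePort(8443);
        httpsConfig.addCustomizer(new SecureRequestCustomizer());

        SslContextFactory sslContextFactory = buildSslContextFactory(keyStorePath, keyStorePassword);
        ServerConnector https = new ServerConnector(server,
            new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()),
            new HttpConnectionFactory(httpsConfig));
        https.setPort(8443);
        server.addConnector(https);

        server.start();

        // Only after start has the factory resolved the protocols it will actually offer,
        // so this is the point at which to check that the workaround took effect.
        String[] selected = sslContextFactory.getSelectedProtocols();
        System.out.println("Java " + Runtime.version() + " selected protocols: " + Arrays.toString(selected));
        if (affectedByJdk8213202(Runtime.version()) && Arrays.asList(selected).contains("TLSv1.3"))
            throw new IllegalStateException("TLSv1.3 still enabled on a JVM affected by JDK-8213202");

        server.join();
    }
}
```

Running this on Java 11.0.2 prints a protocol list without TLSv1.3; on Java 12 (or on an 11.0.x that contains the fix) it leaves the JVM defaults alone and TLS 1.3 stays available, so you do not have to remember to remove the workaround later. The keyed check on Runtime.Version is deliberately conservative: it treats every 11.0.x below 11.0.3 as affected rather than trying to detect the bug itself, since the bug only shows up intermittently under load.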

If you are using Jetty standalone, you can create file $JETTY_BASE/etc/disable-tls13.xml as follows:

<!DOCTYPE Configure PUBLIC "-" "http://www.eclipse.org/jetty/configure_9_3.dtd">
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Call name="addExcludeProtocols">
    <Arg>
      <Array type="java.lang.String">
        <Item>TLSv1.3</Item>
      </Array>
    </Arg>
  </Call>
</Configure>

Then you can start the Jetty standalone server in this way (from directory $JETTY_BASE):

$ java -jar ../start.jar etc/disable-tls13.xml

Alternatively, you can add the XML file to $JETTY_BASE/start.ini:

... # The existing content of your start.ini
etc/disable-tls13.xml

Java 11 Remarks

Java 11.0.3 will hopefully contain the fix for JDK-8213202. It is unclear if Oracle will build a binary of OpenJDK 11.0.3 since OpenJDK 12 is due soon.

If you have a support contract with an OpenJDK vendor, you will be able to obtain OpenJDK 11.0.3 through your vendor.

If you don’t have a support contract with an OpenJDK vendor, you will still be able to obtain OpenJDK 11.0.3, for example through the AdoptOpenJDK Project.

We will keep you up-to-date about the progress of this issue on this blog and on the @JettyProject Twitter account.

3 Comments

Michael · 26/02/2019 at 01:30

You miswrote!
sslContextFactory.setExcludeProtocols(“TLSv1.2”);
😉

    simon · 26/02/2019 at 09:21

    Thanks, fixed!

Michael · 17/04/2019 at 02:18

FYI 11.0.3 was released today (4/16/2019) and appears to include all the relevant TLS resumption fixes (this one and a nasty stackoverflow one)
