'SSLHandshakeException: Received fatal alert: record_overflow
I am receiving the following error. Not sure what is causing this and how to fix this. This is happening on the server side which is using Netscalar for Load Balancing.
javax.net.ssl.SSLHandshakeException: Received fatal alert: record_overflow
at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:804)
at org.eclipse.jetty.server.HttpConnection.fillRequestBuffer(HttpConnection.java:322)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:231)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:279)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:110)
at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:289)
at org.eclipse.jetty.io.ssl.SslConnection$3.succeeded(SslConnection.java:149)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:110)
at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:124)
at org.eclipse.jetty.util.thread.Invocable.invokePreferred(Invocable.java:128)
at org.eclipse.jetty.util.thread.Invocable$InvocableExecutor.invoke(Invocable.java:222)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:294)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:199)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:673)
at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:591)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLException: Received fatal alert: record_overflow
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800)
at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:653)
Tried, openssl s_client -connect HOST:443
CONNECTED(00000003)
---
Certificate chain
0 s:/CN=test.test.com/OU=management:idms.group.822007/O=Test Inc./ST=California/C=US
i:/CN=Test Corporate Server CA 1/OU=Certification Authority/O=Test Inc./C=US
1 s:/CN=Test Corporate Server CA 1/OU=Certification Authority/O=Test Inc./C=US
i:/CN=Test Corporate Root CA/OU=Certification Authority/O=Test Inc./C=US
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGJDCCBQygAwIBAgIICBjpC86GaGwwDQYJKoZIhvcNAQELBQAwajEkMCIGA1UE
AwwbQXBwbGUgQ29ycG9yYXRlIFNlcnZlciBDQSAxMSAwHgYDVQQLDBdDZXJ0aWZp
Y2F0aW9uIEF1dGhvcml0eTETMBEGA1UECgwKQXBwbGUgSW5jLjELMAkGA1UEBhMC
VVMwHhcNMTkwMTA3MjM1MjE2WhcNMjEwMjA1MjM1MjE2WjCBmzE7MDkGA1UEAwwy
Y2NhZG1pbi11YXQuY3MtYWxsb3lkLmluZy5sYi51c3JubzMuYWNpby5hcHBsZS5j
b20xJTAjBgNVBAsMHG1hbmFnZW1lbnQ6aWRtcy5ncm91cC44MjIwMDcxEzARBgNV
BAoMCkFwcGxlIEluYy4xEzARBgNVBAgMCkNhbGlmb3JuaWExCzAJBgNVBAYTAlVT
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvgAYtLHZPfxkRWNXbpJL
OnaMH2uJWqK8x/ub87SHmTJ6C4lhxRlwFM2Rd1Z6/UF8HTctGfyk+WmXsKQ1FaG6
syekMVjbjMRf98TlcjwkGxrXbtkLOa2zH2jnzed1jW/2U/pFmK3a2LiCYWaSaOYl
h8+kA59KE4fZDNUytOFmDAkAAkUClFEvLvg4OKVKQRqMA0P3vY0iECOtUKP+16m2
bZpncPwgip6J8UpA4qF6R9HPLf5fuAKdhz1TFC5s2ictgMguZYHMhcDvrsBhYy6X
y19Je0V2OHEdNLk+AZzos6I9/6sp5n8k6snWcl4WOTyFJj6Qn7JC6hZuDL7TamFj
DwIDAQABo4ICmjCCApYwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBS2I7Va637r
tvMoHgTQrVyTqaSabTCBgwYIKwYBBQUHAQEEdzB1MDkGCCsGAQUFBzAChi1odHRw
Oi8vY2VydHMuYXBwbGUuY29tL2FwcGxlY29ycHNlcnZlcmNhMS5kZXIwOAYIKwYB
BQUHMAGGLGh0dHA6Ly9vY3NwLmFwcGxlLmNvbS9vY3NwMDMtY29ycHNlcnZlcmNh
MTA0MD0GA1UdEQQ2MDSCMmNjYWRtaW4tdWF0LmNzLWFsbG95ZC5pbmcubGIudXNy
bm8zLmFjaW8uYXBwbGUuY29tMIIBEgYDVR0gBIIBCTCCAQUwggEBBgoqhkiG92Nk
BQ8CMIHyMIGkBggrBgEFBQcCAjCBlwyBlFJlbGlhbmNlIG9uIHRoaXMgY2VydGlm
aWNhdGUgYnkgYW55IHBhcnR5IGFzc3VtZXMgYWNjZXB0YW5jZSBvZiBhbnkgYXBw
bGljYWJsZSB0ZXJtcyBhbmQgY29uZGl0aW9ucyBvZiB1c2UgYW5kL29yIGNlcnRp
ZmljYXRpb24gcHJhY3RpY2Ugc3RhdGVtZW50cy4wSQYIKwYBBQUHAgEWPWh0dHBz
Oi8vY2VydGlmaWNhdGVtYW5hZ2VyLmFwcGxlLmNvbS8jaGVscC9wb2xpY2llcy9j
b3Jwb3JhdGUwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDwGA1UdHwQ1
MDMw\j+pGT/ZYsOqhHHIngas0nm+IWzZgyCp
vDBgPmuVMBCvRv2N02fBXcAahzq3xJ247EhgcB7y2Ub2hFeHx2dFdVmzFTXLkTQB
R/FSBFxpiDueL5ovp8rK5S65rx37yPKix9xUm8FjQeDvzS8+au+lOg==
-----END CERTIFICATE-----
subject=/CN=test.test.com/OU=management:idms.group.822007/O=Test Inc./ST=California/C=US
issuer=/CN=Test Corporate Server CA 1/OU=Certification Authority/O=Test Inc./C=US
---
Acceptable client certificate CA names
/CN=Test Corporate Root CA/OU=Certification Authority/O=Test Inc./C=US
Client Certificate Types: RSA sign, ECDSA sign, DSA sign
Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA384:ECDSA+SHA384:RSA+SHA256:ECDSA+SHA256:RSA+SHA224:ECDS:RSA+SHA1:ECDSA+SHA1:RSA+MD5
Shared Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA384:ECDSA+SHA384:RSA+SHA256:ECDSA+SHA256:RSA+SHA224:ECDS:RSA+SHA1:ECDSA+SHA1
---
SSL handshake has read 2918 bytes and written 330 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : AES128-GCM-SHA256
Session-ID: 5B211E74689750F234F57C34ED7FE61FCE21CED8EF2E0C8DD7A20B71AE5D6140
Session-ID-ctx:
Master-Key: 1136D67890BCFC70B50CB0D20A96F62A90DDBF59BB4A102FDC3EBF4844C3482DACC31EB37EC92466FBA5927640A17A26
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1547074698
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
Solution 1:[1]
If you're on Java 11 or 12, then the reason is probably a TLSv1.3 bug in the JDK.
The workaround is to disable TLSv1.3:
-Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2"
You can also try the latest JDK 13 early access to see whether the issue has been solved.
Update Like Long Nguyen said, this is fixed in:
Solution 2:[2]
Fixed in:
- JDK 13 (https://bugs.openjdk.java.net/browse/JDK-8221253)
- JDK 11.0.5 (Release Oct 2019, https://bugs.openjdk.java.net/browse/JDK-8225714)
There is no patch for JDK 12
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source |
---|---|
Solution 1 | |
Solution 2 | Long Nguyen |