javax.net.ssl.SSLHandshakeException: No available authentication scheme
A Google search reveals a bug in jdk11.0.2, but I upgraded to jdk11.0.3 and this still exists for me.
Steps to reproduce:
- git clone https://github.com/deanhiller/webpieces.git
- add the line "org.gradle.java.home=/Library/Java/JavaVirtualMachines/jdk-11.0.3.jdk/Contents/Home" to ~/.gradle/gradle.properties to set jdk to 11.0.3
- run ./gradlew :core:core-asyncserver:test from webpieces directory
The test case hangs and in the logs, it shows
Caused by: javax.net.ssl.SSLHandshakeException: No available authentication scheme
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:255)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateProducer.onProduceCertificate(CertificateMessage.java:945)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateProducer.produce(CertificateMessage.java:934)
at java.base/sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:436)
at java.base/sun.security.ssl.ClientHello$T13ClientHelloConsumer.goServerHello(ClientHello.java:1224)
at java.base/sun.security.ssl.ClientHello$T13ClientHelloConsumer.consume(ClientHello.java:1160)
at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:849)
at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:810)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1065)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1052)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:999)
at org.webpieces.ssl.impl.AsyncSSLEngine2Impl.createRunnable(AsyncSSLEngine2Impl.java:94)
... 12 common frames omitted
Should I file another JDK bug, or does anyone have any thought?
JDK bug that is resolved/related: https://bugs.openjdk.java.net/browse/JDK-8211426
Note that this fixes it for some reason:
System.setProperty("jdk.tls.server.protocols", "TLSv1.2");
Hmmm, anyone know how to generate a self-signed certificate that works for TLSv1.2 and TLSv1.3?
Solution 1:
Assuming it is the issue that is linked and not another issue around TLS 1.3.
Your certificate is using the DSA algorithm, which was deprecated a while ago in favor of RSA and is not supported at all in TLS 1.3. Make sure to create RSA certificates instead.
It seems that not-so-old versions of the Java keytool might have created DSA certificates by default... an unfortunate default. You can use this command to verify a certificate's type.
openssl x509 -in certificate.crt -text
Certificate:
...
Signature Algorithm: dsa_with_SHA256
...
Subject Public Key Info:
Public Key Algorithm: dsaEncryption
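The check from the answer as a script, together with generating a self-signed RSA certificate that works for TLSv1.2 and TLSv1.3. This is an added example, not part of the original answer or the webpieces project. It assumes the openssl CLI is installed; the file names, CN=localhost and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. File names, CN=localhost and function names are constructed.

# Print the certificate's "Public Key Algorithm" field, the one the answer inspects.
cert_key_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# Succeed for RSA and EC keys; reject everything else, including DSA,
# which has no TLS 1.3 signature scheme.
tls13_usable() {
    case "$(cert_key_alg "$1")" in
        rsaEncryption|id-ecPublicKey) return 0 ;;
        *) return 1 ;;
    esac
}

# Self-signed RSA certificate, usable with both TLS 1.2 and TLS 1.3.
# Java keystore equivalent (keytool), with constructed alias and file names:
#   keytool -genkeypair -alias server -keyalg RSA -keysize 2048 \
#           -dname CN=localhost -keystore server.p12 -storetype PKCS12
make_rsa_cert() {   # $1 = output directory
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
        -subj "/CN=localhost" -keyout "$1/rsa.key" -out "$1/rsa.crt" 2>/dev/null
}

# Self-signed DSA certificate, only to reproduce the failing case.
make_dsa_cert() {   # $1 = output directory
    openssl dsaparam -out "$1/dsa.param" 2048 2>/dev/null &&
    openssl req -x509 -newkey "dsa:$1/dsa.param" -sha256 -nodes -days 365 \
        -subj "/CN=localhost" -keyout "$1/dsa.key" -out "$1/dsa.crt" 2>/dev/null
}

# Stand-alone use: sh check_cert.sh certificate.crt [more.crt ...]
if [ "$#" -gt 0 ]; then
    for crt in "$@"; do
        if tls13_usable "$crt"; then verdict="usable with TLS 1.3"
        else verdict="NOT usable with TLS 1.3, regenerate with an RSA key"; fi
        printf '%s: %s (%s)\n' "$crt" "$(cert_key_alg "$crt")" "$verdict"
    done
fi
```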