
JDK client cannot connect to secure WebSocket since Java 11

Open dahlinger-simus opened this issue 6 years ago • 4 comments

Since Java 11, when using the JDK standalone client instead of the Grizzly client to connect to a wss:// URL, the connectToServer method hangs for 30 seconds and then throws the following exception:

Exception in thread "main" javax.websocket.DeploymentException: Handshake response not received.
    at org.glassfish.tyrus.client.ClientManager$3$1.run(ClientManager.java:676)
    at org.glassfish.tyrus.client.ClientManager$3.run(ClientManager.java:694)
    at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at org.glassfish.tyrus.client.ClientManager$SameThreadExecutorService.execute(ClientManager.java:848)
    at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:118)
    at org.glassfish.tyrus.client.ClientManager.connectToServer(ClientManager.java:493)
    at org.glassfish.tyrus.client.ClientManager.connectToServer(ClientManager.java:337)
    at TyrusTest.main(TyrusTest.java:46)

When using Java 8, 9 or 10 the same test works. Also, switching to GrizzlyClientContainer instead of JdkClientContainer or using a ws:// URL works. Tested using Tyrus version 1.15.

See the attached text file for example source code: TyrusTest.java.txt

dahlinger-simus, Jun 06 '19 15:06

So when I used jetty websocket client for java 11 I had to do the following --- -Djavax.net.ssl.trustStore=keystore/cacerts.jks -Djavax.net.ssl.trustStorePassword=changeit

I think if you do that it will default to the right trust store

irfman12, Jun 21 '19 14:06

I don't think that the problem is related to certificate verification. The exception would be different in that case. Also, as I mentioned, the code works when using GrizzlyClientContainer.

dahlinger-simus, Jun 24 '19 08:06

I got it working by putting a custom SSLContext with TLSv1.2 in here (Tyrus 1.17):

SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
sslContext.init(...)
SslEngineConfigurator sslEngineConfigurator = new SslEngineConfigurator(sslContext);
client.getProperties().put(ClientProperties.SSL_ENGINE_CONFIGURATOR, sslEngineConfigurator);

sco0ter, Apr 16 '21 21:04

Yes, I can confirm it works when using SSLContext.getInstance("TLSv1.2"). However, it doesn't work when using SSLContext.getInstance("TLSv1.3") or SSLContext.getInstance("TLS"), so the problem really seems to be TLSv1.3-related as suggested by the comments in #707. We should see the problem fixed when a new version is released that contains the fix from #707.

dahlinger-simus, Apr 27 '21 12:04
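The workaround discussed in the last two comments, written out as an added example (not code from the thread or from the Tyrus project): it pins the JDK client container to a TLSv1.2 context while keeping the JDK's default trust managers, so certificate validation is not weakened. It assumes Tyrus 1.x (javax.websocket) with the JDK client container on the classpath; the class name `Tls12JdkClient`, the helper names and the URI argument are hypothetical.

```java
import java.net.URI;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.websocket.ClientEndpointConfig;
import javax.websocket.Endpoint;
import javax.websocket.EndpointConfig;
import javax.websocket.Session;
import org.glassfish.tyrus.client.ClientManager;
import org.glassfish.tyrus.client.ClientProperties;
import org.glassfish.tyrus.client.SslEngineConfigurator;
import org.glassfish.tyrus.container.jdk.client.JdkClientContainer;

public class Tls12JdkClient {

    // Context for the given protocol name, initialised with the JDK defaults.
    // Passing null for the trust managers keeps validation against the default
    // trust store (an assumption of this example; the thread elides init's args).
    static SSLContext context(String protocol) throws Exception {
        SSLContext ctx = SSLContext.getInstance(protocol);
        ctx.init(null, null, null);
        return ctx;
    }

    // True if engines created from this context enable TLSv1.3 by default.
    static boolean offersTls13(SSLContext ctx) {
        return Arrays.asList(ctx.getDefaultSSLParameters().getProtocols()).contains("TLSv1.3");
    }

    public static void main(String[] args) throws Exception {
        // Compare the two context names mentioned in the thread on this JDK.
        for (String p : new String[] {"TLS", "TLSv1.2"}) {
            System.out.println(p + " offers TLSv1.3: " + offersTls13(context(p)));
        }
        if (args.length == 0) return; // pass a wss:// URI to attempt a connection

        ClientManager client = ClientManager.createClient(JdkClientContainer.class.getName());
        client.getProperties().put(ClientProperties.SSL_ENGINE_CONFIGURATOR,
                new SslEngineConfigurator(context("TLSv1.2")));

        Endpoint endpoint = new Endpoint() {
            @Override
            public void onOpen(Session session, EndpointConfig config) {
                System.out.println("connected, secure=" + session.isSecure());
            }
        };
        try (Session s = client.connectToServer(endpoint,
                ClientEndpointConfig.Builder.create().build(), URI.create(args[0]))) {
            System.out.println("session open: " + s.isOpen());
        }
    }
}
```

Run without arguments it only reports which context names enable TLSv1.3 on the running JDK; with a wss:// URI it attempts the handshake through the JDK client container.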