javax.net.ssl.SSLHandshakeException for https://eclipse-uc.sonarlint.org/compositeContent.xml

ViToni · November 2, 2020, 9:36pm

In the recent weeks we had issue with the update site. It seemed to return a 404.
Now the content is there but trying our Ooomph setup (using Java8) gives me:

	ERROR: org.eclipse.equinox.p2.transport.ecf code=1002 Unable to read repository at https://eclipse-uc.sonarlint.org/compositeContent.xml.
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
  at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)
  at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)
  at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
  at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Unknown Source)
  at java.base/sun.security.ssl.TransportContext.dispatch(Unknown Source)
  at java.base/sun.security.ssl.SSLTransport.decode(Unknown Source)
  at java.base/sun.security.ssl.SSLSocketImpl.decode(Unknown Source)
  at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source)
  at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
  at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
  at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
  at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
  at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
  at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:374)
  at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
  at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
  at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
  at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
  at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
  at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
  at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
  at org.eclipse.ecf.provider.filetransfer.httpclient45.HttpClientFileSystemBrowser.runRequest(HttpClientFileSystemBrowser.java:248)
  at org.eclipse.ecf.provider.filetransfer.browse.AbstractFileSystemBrowser$DirectoryJob.run(AbstractFileSystemBrowser.java:71)
  at org.eclipse.core.internal.jobs.Worker.run(Worker.java:63)

Not sure what changed that it doesn’t work anymore for us though.

Julien_HENRY · November 3, 2020, 8:16am

Hi Victor,

Could it be the same issue described here? https://stackoverflow.com/questions/32846168/java8-httpclient-receiving-received-fatal-alert-handshake-failure

rgra · November 10, 2020, 9:53am

For reference: This happens as well when using the Eclipse Installer with the included JRE.
Issue seems to be a reduced set of available Ciphers in this JRE (striped down OpenJDK 14):

"cipher suites" : "[TLS_AES_256_GCM_SHA384(0x1302), TLS_AES_128_GCM_SHA256(0x1301), TLS_CHACHA20_POLY1305_SHA256(0x1303), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCAA), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]"

Java 8 gives me:
"cipher suites" : "[TLS_AES_128_GCM_SHA256(0x1301), TLS_AES_256_GCM_SHA384(0x1302), TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E), TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D), TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]"

Handshake negotiation chooses TLS_AES_256_GCM_SHA384 on my system, which is missing in the eclipse installer cipher suites.

Using AdoptOpenJDK 14 in the eclipse installer works as well.

ViToni · November 10, 2020, 11:44am

@Julien_HENRY @rgra Thanks for your help and analysis.

So the issue is on the Eclipse installer side or better the packaged / missing cipher suites.
Here is the bug entry created for the issue: https://bugs.eclipse.org/bugs/show_bug.cgi?id=568669
and the thread on the Oomph forum: https://www.eclipse.org/forums/index.php/m/1834439

Julien_HENRY · November 10, 2020, 12:32pm

Thanks guys for the feedback, we will see if there is something we can do on our side to mitigate the problem.

Just for completeness, can you please describe how you end up using OOMPH with Java 8 or with a striped down OpenJDK 14?
I tried to reproduce by downloading latest eclipse-installer(https://www.eclipse.org/downloads/download.php?file=/oomph/epp/2020-09/R/eclipse-inst-jre-linux64.tar.gz)
Then when starting it it I choose Eclipse for Java developers:

And then I end up having my OS Java 11 selected:

@ViToni Do you manually select Java 8 here? Or maybe that’s the only JRE installed in your OS?

@rgra How is the included JRE of Eclipse installer involved in SonarLint installation? Is there a way to tell the eclipse-installer to get SonarLint directly?

Sorry for the possibly dumb questions, but I have to admit I’m not very familiar with oomph.

rgra · November 10, 2020, 12:55pm

@ViToni: Thanks for opening the bug

@Julien_HENRY.

The Java you select in the installer dialog is the one that is used to run the eclipse your are about to install.

The Problem is the JRE which is included in the installer, to run the installer itself.
If you klick on the upper right 3 lines and change to advanced mode it will ask you to provide a location to keep the installer permanently. Do this and then go to the folder and open the eclipse-inst.ini file. Look for the -vm Parameter to see which VM is used.

Please find a setup file here: Java.setup.

Download this file and if you are in advanced mode of the installer add the file with the green + to the User Products:

Click Next and don’t choose anything on the second page.
On the third page choose the install location and click Next.
On the fourth page a summary is displayed. Click Finish to start the install.

Julien_HENRY · November 10, 2020, 1:01pm

Thanks for the reproducer:

This will allow us to experiment if we can provide a workaround on our side.

ViToni · November 10, 2020, 1:22pm

@rgra You’re welcome

Thanks for explaining the problem and providing the reproducer. Nothing left for me

@Julien_HENRY Thanks for caring.

ViToni · November 24, 2020, 9:52am

Seems to have been fixed by https://bugs.eclipse.org/bugs/show_bug.cgi?id=567050

system · November 24, 2020, 9:52am

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.