SonarLint VSCode handshake failure

  • Operating system: Windows 10
  • SonarLint plugin version: v3.20.2
  • Programming language you’re coding in: N/A
  • Is connected mode used:
    • Connected to SonarQube Community Edition Version 9.7.1:

Hello,

I have an issue setting up SonarLint to connect to a SonarQube server through HTTPS.

I’m getting a handshake failure error; please see the logs below:

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:347)
	at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
	at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:186)
	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
	at java.base/sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:681)
	at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:636)
	at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:454)
	at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:433)
	at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:637)
	at org.apache.hc.core5.reactor.ssl.SSLIOSession.doUnwrap(SSLIOSession.java:330)
	at org.apache.hc.core5.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:386)
	at org.apache.hc.core5.reactor.ssl.SSLIOSession.access$100(SSLIOSession.java:74)
	at org.apache.hc.core5.reactor.ssl.SSLIOSession$1.inputReady(SSLIOSession.java:201)
	at org.apache.hc.core5.reactor.InternalDataChannel.onIOEvent(InternalDataChannel.java:142)
	at org.apache.hc.core5.reactor.InternalChannel.handleIOEvent(InternalChannel.java:51)
	at org.apache.hc.core5.reactor.SingleCoreIOReactor.processEvents(SingleCoreIOReactor.java:178)
	at org.apache.hc.core5.reactor.SingleCoreIOReactor.doExecute(SingleCoreIOReactor.java:127)
	at org.apache.hc.core5.reactor.AbstractSingleCoreIOReactor.execute(AbstractSingleCoreIOReactor.java:86)
	at org.apache.hc.core5.reactor.IOReactorWorker.run(IOReactorWorker.java:44)
	at java.base/java.lang.Thread.run(Thread.java:829)

It seems that for some reason Java doesn’t send the certificate to the server:

[stderr] javax.net.ssl|DEBUG|14|httpclient-dispatch-1|2023-08-28 15:54:57.622 EEST|ServerHelloDone.java:151|Consuming ServerHelloDone handshake message (
[stderr] <empty>
[stderr] )
[stderr] javax.net.ssl|DEBUG|14|httpclient-dispatch-1|2023-08-28 15:54:57.622 EEST|CertificateMessage.java:299|No X.509 certificate for client authentication, use empty Certificate message instead
[stderr] javax.net.ssl|DEBUG|14|httpclient-dispatch-1|2023-08-28 15:54:57.623 EEST|CertificateMessage.java:330|Produced client Certificate handshake message (
[stderr] "Certificates": <empty list>
[stderr] )

And these are the vmargs that I use:

    "sonarlint.ls.vmargs": "-Djavax.net.debug=ssl,handshake -Djavax.net.ssl.keyStore=C:\\path\\to\\Certificates\\cert.p12 -Djavax.net.ssl.keyStoreType=pkcs12 -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.trustStore=C:\\java\\jdk-11.0.19+7lib\\security\\cacerts -Djavax.net.ssl.trustStorePassword=changeit",

Has anyone had a similar issue that is already resolved and could point me in the right direction?

Note! I’m using the same certificate for Maven to access Nexus and it is working without any issues.

Best Regards!
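
The reading of the debug output in the post above, as an added example that is not part of the original thread: a small parser for `javax.net.debug` records that flags the case where the client answers with an empty Certificate message and the server then aborts. The names `parse_records` and `diagnose` and the finding labels are hypothetical, and the sample trace is assembled from lines quoted in the post.

```python
import re

# javax.net.debug header: logger|level|thread id|thread name|timestamp|Source.java:line|message
HEADER = re.compile(
    r"javax\.net\.ssl\|(?P<level>\w+)\|(?P<tid>\w+)\|(?P<thread>[^|]*)\|"
    r"(?P<ts>[^|]*)\|(?P<src>[\w$]+\.java):(?P<line>\d+)\|(?P<msg>.*)"
)
PREFIX = re.compile(r"^\[stderr\]\s?")  # prefix seen on the debug lines in the post

# Constructed trace: debug lines and exception text from the post, joined together.
SAMPLE = """\
[stderr] javax.net.ssl|DEBUG|14|httpclient-dispatch-1|2023-08-28 15:54:57.622 EEST|CertificateMessage.java:299|No X.509 certificate for client authentication, use empty Certificate message instead
[stderr] javax.net.ssl|DEBUG|14|httpclient-dispatch-1|2023-08-28 15:54:57.623 EEST|CertificateMessage.java:330|Produced client Certificate handshake message (
[stderr] "Certificates": <empty list>
[stderr] )
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
"""

def parse_records(text):
    """Attach continuation lines (the parenthesised dump) to their header record."""
    records = []
    for raw in text.splitlines():
        line = PREFIX.sub("", raw.strip())
        m = HEADER.match(line)
        if m:
            records.append({**m.groupdict(), "body": []})
        elif records and line:
            records[-1]["body"].append(line)
    return records

def diagnose(text):
    """Return (findings, verdict) for the client-authentication part of a trace."""
    findings = []
    for rec in parse_records(text):
        if "No X.509 certificate for client authentication" in rec["msg"]:
            findings.append("no_client_key_available")
        if rec["msg"].startswith("Produced client Certificate handshake message"):
            empty = any("<empty list>" in b for b in rec["body"])
            findings.append("empty_certificate_sent" if empty else "certificate_sent")
    alert = re.search(r"Received fatal alert: (\w+)", text)
    if alert:
        findings.append("fatal_alert:" + alert.group(1))
    if "empty_certificate_sent" in findings and alert:
        verdict = "client keystore not used: server asked for a certificate, none was sent"
    elif "certificate_sent" in findings and alert:
        verdict = "certificate sent; the rejection has another cause"
    else:
        verdict = "no client-authentication problem visible in this trace"
    return findings, verdict
```

Calling `diagnose(SAMPLE)` returns the three findings in order and the "client keystore not used" verdict, which matches the poster's conclusion that the certificate never left the client.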

Hi @n00lz

I see that you are using client certificates to connect to your SonarQube server. It was previously not intentionally supported by SonarLint (it was working “by luck” when using Java properties javax.net.ssl.keyStore, javax.net.ssl.keyStoreType, …).

With the latest release, we have changed our HTTP Client, and those properties aren’t working anymore. The good point is that we are now officially supporting SSL client certificates.
So you have 2 options:

  • put your certificate in the SonarLint default keystore location (~/.sonarlint/ssl/keystore.p12). You can create a pkcs12 keystore with the password sonarlint and restart VSCode.
  • or use the new SonarLint-specific properties to point SonarLint to your existing keystore: replace
        "sonarlint.ls.vmargs": "-Djavax.net.ssl.keyStore=C:\\path\\to\\Certificates\\cert.p12 -Djavax.net.ssl.keyStoreType=pkcs12 -Djavax.net.ssl.keyStorePassword=changeit"
    by
        "sonarlint.ls.vmargs": "-Dsonarlint.ssl.keyStorePath=C:\\path\\to\\Certificates\\cert.p12 -Dsonarlint.ssl.keyStorePassword=changeit"
    then restart VSCode

As a side note, SonarLint will also maintain its own truststore from now on, so you can probably remove the javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword properties (SonarLint will ask you if you trust the server certificate the first time you connect).

Let me know how it goes.

Hi,

Thank you very much for the information, it seems that it’s working now.

I’ve used the second option, “point SonarLint to your existing keystore”, and I was able to connect to the SonarQube server.

Best Regards!
