We have spring-boot 1.5 & spring-boot-starter-amqp:1.5.22 application in aws cloud and working fine with rabbitmq ssl enabled. After spring-boot 2.0.9 migration, rabbitmq ssl failed with following error.
ERROR o.s.a.r.l.SimpleMessageListenerContainer - Failed to check/redeclare auto-delete queue(s).
org.springframework.amqp.AmqpIOException: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
at org.springframework.amqp.rabbit.support.RabbitExceptionTranslator.convertRabbitAccessException(RabbitExceptionTranslator.java:71)
at org.springframework.amqp.rabbit.connection.AbstractConnectionFactory.createBareConnection(AbstractConnectionFactory.java:407)
at org.springframework.amqp.rabbit.connection.CachingConnectionFactory.createConnection(CachingConnectionFactory.java:588)
at org.springframework.amqp.rabbit.core.RabbitTemplate.doExecute(RabbitTemplate.java:1445)
at org.springframework.amqp.rabbit.core.RabbitTemplate.execute(RabbitTemplate.java:1426)
at org.springframework.amqp.rabbit.core.RabbitTemplate.execute(RabbitTemplate.java:1402)
at org.springframework.amqp.rabbit.core.RabbitAdmin.getQueueProperties(RabbitAdmin.java:368)
at org.springframework.amqp.rabbit.listener.SimpleMessageListenerContainer.redeclareElementsIfNecessary(SimpleMessageListenerContainer.java:1241)
at org.springframework.amqp.rabbit.listener.SimpleMessageListenerContainer$AsyncMessageProcessingConsumer.run(SimpleMessageListenerContainer.java:1502)
Migration from Springboot 1.5 with rabbitmq to 2.0.9
Expected to connect rabbitmq with ssl enabled property.
Springboot2 we can skip the ssl certificate validation using setSkipServerCertificateValidation flag to true in rabbitmqconnectionfactory.
My spring boot application could not work with old SSL certificate after upgrading to spring boot 2.6 and Java 17.
After debuging, seems there was problem with TLS version or ciphers suite. I don't have experience with this. But, I tried generate the new self signed SSL certificate, and it works fine.
Debugging with javax.net.debug, and got unclear message. It's different btw using Firefox and Chrome. Here is debug log with Firefox:
2022-09-20 15:26:33.448 [WARN] o.a.t.u.n.TLSClientHelloExtractor - The ClientHello was not presented in a single TLS record so no SNI information could be extracted
javax.net.ssl|DEBUG|67|https-jsse-nio-5151-exec-10|2022-09-20 15:26:33.449 BST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|67|https-jsse-nio-5151-exec-10|2022-09-20 15:26:33.449 BST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|67|https-jsse-nio-5151-exec-10|2022-09-20 15:26:33.449 BST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|67|https-jsse-nio-5151-exec-10|2022-09-20 15:26:33.449 BST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|67|https-jsse-nio-5151-exec-10|2022-09-20 15:26:33.449 BST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA for TLSv1.3
javax.net.ssl|DEBUG|67|https-jsse-nio-5151-exec-10|2022-09-20 15:26:33.449 BST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA for TLSv1.3
2022-09-21 09:46:48.214 [WARN] o.a.t.u.n.TLSClientHelloExtractor - The ClientHello was not presented in a single TLS record so no SNI information could be extracted
javax.net.ssl|ERROR|F6|https-jsse-nio-5151-exec-1|2022-09-21 09:46:48.215 BST|TransportContext.java:363|Fatal (INTERNAL_ERROR): problem unwrapping net record (
"throwable" : {
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
at java.base/sun.security.ssl.SSLEngineInputRecord.bytesInCompletePacket(SSLEngineInputRecord.java:145)
at java.base/sun.security.ssl.SSLEngineInputRecord.bytesInCompletePacket(SSLEngineInputRecord.java:64)
at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:612)
at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:506)
at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:482)
at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:679)
at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:483)
at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:215)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1764)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Thread.java:833)}
)
Does anyone have experience with this?
We are facing the below issue while migrating.
Spring Batch 4.0.x from 3.0.x
Spring Boot 2.0.x from 1.5.x
Spring core 5.0.x from 4.3.x
After restarting the application, I could see after a min it throws the logs as SpringBootJPAHikariCP - Shutdown initiated....
But when we trigger the Job Hikari starts the new connections and working as expected.
But I am not sure why the first connection is shutting down after a minute.
I understood that SpringBoot2.0 uses the Hikari for the DB Pool, but not sure why I am seeing Shut down info logs after one min of ideal time.
. ____ _ __ _ _
/\\ / ___'_ __ _ _(_)_ __ __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
\\/ ___)| |_)| | | | | || (_| | ) ) ) )
' |____| .__|_| |_|_| |_\__, | / / / /
=========|_|==============|___/=/_/_/_/
:: Spring Boot :: (v2.0.4.RELEASE)
2018-09-07 17:16:38,117 -0700,threadId=1,level=INFO ,logger=,msg="The following profiles are active: local"
2018-09-07 17:16:39,495 -0700,threadId=1,level=WARN ,logger=HikariConfig.1081,msg="SpringBootJPAHikariCP - idleTimeout is close to or more than maxLifetime, disabling it."
2018-09-07 17:16:39,495 -0700,threadId=1,level=INFO ,logger=HikariDataSource.110,msg="SpringBootJPAHikariCP - Starting..."
Fri Sep 07 17:16:39 PDT 2018 WARN: Establishing SSL connection without server's identity verification is not recommended. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established by default if explicit option isn't set. For compliance with existing applications not using SSL the verifyServerCertificate property is set to 'false'. You need either to explicitly disable SSL by setting useSSL=false, or set useSSL=true and provide truststore for server certificate verification.
2018-09-07 17:16:39,695 -0700,threadId=1,level=INFO ,logger=HikariDataSource.123,msg="SpringBootJPAHikariCP - Start completed."
Fri Sep 07 17:16:39 PDT 2018 WARN: Establishing SSL connection without server's identity verification is not recommended. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established by default if explicit option isn't set. For compliance with existing applications not using SSL the verifyServerCertificate property is set to 'false'. You need either to explicitly disable SSL by setting useSSL=false, or set useSSL=true and provide truststore for server certificate verification.
Fri Sep 07 17:16:39 PDT 2018 WARN: Establishing SSL connection without server's identity verification is not recommended. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established by default if explicit option isn't set. For compliance with existing applications not using SSL the verifyServerCertificate property is set to 'false'. You need either to explicitly disable SSL by setting useSSL=false, or set useSSL=true and provide truststore for server certificate verification.
Fri Sep 07 17:16:39 PDT 2018 WARN: Establishing SSL connection without server's identity verification is not recommended. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established by default if explicit option isn't set. For compliance with existing applications not using SSL the verifyServerCertificate property is set to 'false'. You need either to explicitly disable SSL by setting useSSL=false, or set useSSL=true and provide truststore for server certificate verification.
Fri Sep 07 17:16:39 PDT 2018 WARN: Establishing SSL connection without server's identity verification is not recommended. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established by default if explicit option isn't set. For compliance with existing applications not using SSL the verifyServerCertificate property is set to 'false'. You need either to explicitly disable SSL by setting useSSL=false, or set useSSL=true and provide truststore for server certificate verification.
Fri Sep 07 17:16:39 PDT 2018 WARN: Establishing SSL connection without server's identity verification is not recommended. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established by default if explicit option isn't set. For compliance with existing applications not using SSL the verifyServerCertificate property is set to 'false'. You need either to explicitly disable SSL by setting useSSL=false, or set useSSL=true and provide truststore for server certificate verification.
Fri Sep 07 17:16:39 PDT 2018 WARN: Establishing SSL connection without server's identity verification is not recommended. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established by default if explicit option isn't set. For compliance with existing applications not using SSL the verifyServerCertificate property is set to 'false'. You need either to explicitly disable SSL by setting useSSL=false, or set useSSL=true and provide truststore for server certificate verification.
Fri Sep 07 17:16:39 PDT 2018 WARN: Establishing SSL connection without server's identity verification is not recommended. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established by default if explicit option isn't set. For compliance with existing applications not using SSL the verifyServerCertificate property is set to 'false'. You need either to explicitly disable SSL by setting useSSL=false, or set useSSL=true and provide truststore for server certificate verification.
Fri Sep 07 17:16:39 PDT 2018 WARN: Establishing SSL connection without server's identity verification is not recommended. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established by default if explicit option isn't set. For compliance with existing applications not using SSL the verifyServerCertificate property is set to 'false'. You need either to explicitly disable SSL by setting useSSL=false, or set useSSL=true and provide truststore for server certificate verification.
Fri Sep 07 17:16:39 PDT 2018 WARN: Establishing SSL connection without server's identity verification is not recommended. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established by default if explicit option isn't set. For compliance with existing applications not using SSL the verifyServerCertificate property is set to 'false'. You need either to explicitly disable SSL by setting useSSL=false, or set useSSL=true and provide truststore for server certificate verification.
2018-09-07 17:16:40,002 -0700,threadId=1,level=INFO ,logger=Http11NioProtocol.180,msg="Initializing ProtocolHandler ["http-nio-8080"]"
2018-09-07 17:16:40,010 -0700,threadId=1,level=INFO ,logger=StandardService.180,msg="Starting service [Tomcat]"
2018-09-07 17:16:40,011 -0700,threadId=1,level=INFO ,logger=StandardEngine.180,msg="Starting Servlet Engine: Apache Tomcat/8.5.32"
2018-09-07 17:16:40,014 -0700,threadId=54,level=INFO ,logger=AprLifecycleListener.180,msg="The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: [/Users/xxxxx/Library/Java/Extensions:/Library/Java/Extensions:/Network/Library/Java/Extensions:/System/Library/Java/Extensions:/usr/lib/java:.]"
2018-09-07 17:16:40,117 -0700,threadId=54,level=INFO ,logger=[/].180,msg="Initializing Spring embedded WebApplicationContext"
2018-09-07 17:16:40,310 -0700,threadId=54,level=INFO ,logger=ReceiverConfig$$EnhancerBySpringCGLIB$$8c1192a0.68,msg="creating activeMQConnectionFactory"
2018-09-07 17:16:40,786 -0700,threadId=1,level=WARN ,logger=Flyway.53,msg="Flyway.setCallbacks(FlywayCallback) has been deprecated and will be removed in Flyway 6.0. Use Flyway.setCallbacks(Callback) instead."
2018-09-07 17:16:40,804 -0700,threadId=1,level=INFO ,logger=VersionPrinter.49,msg="Flyway Community Edition 5.1.4 by Boxfuse"
2018-09-07 17:16:40,807 -0700,threadId=1,level=INFO ,logger=DatabaseFactory.49,msg="Database: jdbc:mysql://127.0.0.1:3306/invoicing (MySQL 5.7)"
2018-09-07 17:16:40,853 -0700,threadId=1,level=INFO ,logger=DbValidate.49,msg="Successfully validated 2 migrations (execution time 00:00.015s)"
2018-09-07 17:16:40,861 -0700,threadId=1,level=INFO ,logger=DbMigrate.49,msg="Current version of schema `invoicing`: 1.0.13.1"
2018-09-07 17:16:40,862 -0700,threadId=1,level=INFO ,logger=DbMigrate.49,msg="Schema `invoicing` is up to date. No migration necessary."
2018-09-07 17:16:43,166 -0700,threadId=1,level=ERROR,logger=,msg="[ThreadID-1] Warning: big time skew between machina and client: service=1536365803166 client=1536365760000 diffSecs=43"
2018-09-07 17:16:44,425 -0700,threadId=1,level=WARN ,logger=JpaBaseConfiguration$JpaWebConfiguration$JpaWebMvcConfiguration.235,msg="spring.jpa.open-in-view is enabled by default. Therefore, database queries may be performed during view rendering. Explicitly configure spring.jpa.open-in-view to disable this warning"
2018-09-07 17:16:45,814 -0700,threadId=85,level=INFO ,logger=FailoverTransport.1052,msg="Successfully connected to ssl://qal.message-preprod.a.intuit.com:61617"
2018-09-07 17:16:46,100 -0700,threadId=1,level=INFO ,logger=Http11NioProtocol.180,msg="Starting ProtocolHandler ["http-nio-8080"]"
2018-09-07 17:16:46,120 -0700,threadId=1,level=INFO ,logger=NioSelectorPool.180,msg="Using a shared selector for servlet write/read"
2018-09-07 17:16:46,133 -0700,threadId=1,level=INFO ,logger=LateFeeProcessor.59,msg="Started LateFeeProcessor in 12.283 seconds (JVM running for 13.152)"
2018-09-07 17:16:46,429 -0700,threadId=19,level=INFO ,logger=[/].180,msg="Initializing Spring FrameworkServlet 'dispatcherServlet'"
2018-09-07 17:17:47,868 -0700,threadId=93,level=INFO ,logger=HikariDataSource.381,msg="SpringBootJPAHikariCP - Shutdown initiated..."
2018-09-07 17:17:47,876 -0700,threadId=93,level=INFO ,logger=HikariDataSource.383,msg="SpringBootJPAHikariCP - Shutdown completed."
I have some issue and so far found that somehow spring issues shutdown command to Hikari thinking that its disposable bean.
I have a Hudson CI job setup for deployment to Apache Tomcat. If Tomcat server is restricted to accept only TLSv1.2 protocol, I get a protocol mismatch type of error.
If I put JVM into debug for SSL on my Hudson job I can see that TLSv1 is still being attempted:
main, WRITE: TLSv1 Handshake, length = 163
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1 ALERT: fatal, protocol_version
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLException: Received fatal alert: protocol_version
main, called close()
main, called closeInternal(true)
I have tried to use https.protocols=TLSv1.2 with my mvn parameters but still TLSv1 is given during client hello. At this point I am not sure where else I could look to force TLSv1.2.