9

I'm getting a javax.net.ssl.SSLException: Received fatal alert: bad_record_mac for an HTTPS connection. This doesn't happen for every request -- if I send the same request in 10 times I only get this error once or twice.

I have the following code to validate the certificate:

    // Imports this fragment needs (they belong at the top of the class file)
    import java.security.KeyManagementException;
    import java.security.NoSuchAlgorithmException;
    import java.security.cert.X509Certificate;
    import java.util.Arrays;
    import javax.net.ssl.HostnameVerifier;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSession;
    import javax.net.ssl.SSLSocketFactory;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.X509TrustManager;

    // Trust manager that accepts every certificate chain without checking it
    TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {
        public X509Certificate[] getAcceptedIssuers() {
            return null;
        }

        public void checkClientTrusted(X509Certificate[] certs, String authType) {
            // no validation performed
        }

        public void checkServerTrusted(X509Certificate[] certs, String authType) {
            // no validation performed
        }
    } };

    try {
        // SSLv3 is requested explicitly, so no TLS version is offered to the server
        SSLContext sslContext = SSLContext.getInstance("SSLv3");
        sslContext.init(null, trustAllCerts, new java.security.SecureRandom());
        SSLSocketFactory factory = sslContext.getSocketFactory();
        HttpsURLConnection.setDefaultSSLSocketFactory(factory);
    } catch (NoSuchAlgorithmException | KeyManagementException e) {
        // one catch for both failures, so init() is never reached with a null context
        logException(Arrays.toString(e.getStackTrace()));
    }

    // Host name verifier that accepts any host name for any session
    HostnameVerifier allHostsValid = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) {
            return true;
        }
    };
    // Install the all-trusting host verifier
    HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);
    /*
     * end of the fix
     */

I've set two system properties in my main method:

    System.setProperty("jsse.enableSNIExtension", "false");
    System.setProperty("https.protocols", "SSLv3");

But nothing helps.

2
  • I have set the property already. Commented Mar 11, 2014 at 7:15
  • BTW, if the target is only one server (i.e. no load balancer with different targets) then it does not match the criteria for this bug: bugs.openjdk.java.net/browse/JDK-4615819 (it's a decade old but never was fixed on the client side). But I wanted to mention it as a possible case when there is an SSL3-only server... (which should not be the case anymore!) Commented Jan 29, 2015 at 18:17

3 Answers

5

According to this rubygems issue and the detailed description of the error (see below), it appears to be a bug in Oracle's JDK that is not present in OpenJDK. I recall (but cannot verify) that there was a bug in OpenSSL that also caused this error, so you may want to check the software on the other side of the connection.

You can read more details about what this error means here.


1 Comment

We ran into this with Braintree's payment gateway and they said upgrading the Oracle JDK to 1.7 u 51 or later solves the problem (and indeed with u 67 we no longer see the issue). I'm trying to figure out the bottom version of the JDK where this happens since they just said u 45 "or lower"...
4

It is hard to say what is causing this. You need to find out by analyzing the logs. Enable debug by setting the property:

    System.setProperty("javax.net.debug", "all");

and check what is wrong.

A problem may be that the server is not supporting TLS, which may be picked by the implementation. To make sure that you always use the plain SSLv3 set the property:

    System.setProperty("https.protocols", "SSLv3");

Comments
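The following is an added example, written for this page and not taken from the question or from any answer. It puts the two diagnostic settings from this answer (javax.net.debug and the protocol choice) next to a client configuration that keeps the JDK's own certificate and hostname checks instead of the trust-all manager shown in the question, and lets JSSE negotiate the protocol rather than pinning SSLv3. The class name TlsDiagnostics, the methods defaultTrustContext and probe, and the fallback URL https://example.com/ are assumptions made for the example; nothing here is JDK-specific beyond the public JSSE API.

```java
import java.io.IOException;
import java.net.URL;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;

/**
 * Hypothetical helper (not from the question or any answer).
 * Builds an SSLContext that keeps the JDK's default chain validation
 * and hostname verification, lets JSSE pick the protocol version, and
 * repeats a request with handshake tracing on so that an intermittent
 * bad_record_mac can be matched to one specific handshake in the log.
 */
public final class TlsDiagnostics {

    /** Default trust store and default hostname verifier; protocol negotiated by JSSE. */
    static SSLContext defaultTrustContext()
            throws NoSuchAlgorithmException, KeyManagementException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        // null key/trust managers and null SecureRandom select the JDK defaults:
        // the cacerts trust store, full chain checking and the platform RNG
        ctx.init(null, null, null);
        return ctx;
    }

    /** Opens one HTTPS connection and reports the status and the negotiated cipher suite. */
    static String probe(String url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        try {
            conn.connect();
            // getCipherSuite() is only valid once the connection is established
            return conn.getResponseCode() + " " + conn.getCipherSuite();
        } catch (SSLHandshakeException e) {
            // chain did not validate, or no protocol/cipher in common with the server
            return "handshake failed: " + e.getMessage();
        } catch (SSLException e) {
            // alerts such as bad_record_mac received after the handshake arrive here
            return "record-layer failure: " + e.getMessage();
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        // assumed: the URL under test is passed on the command line
        String url = args.length > 0 ? args[0] : "https://example.com/";
        // handshake trace only; "all" (as in the answer above) is far noisier
        System.setProperty("javax.net.debug", "ssl,handshake");
        HttpsURLConnection.setDefaultSSLSocketFactory(
                defaultTrustContext().getSocketFactory());
        // repeat the request to reproduce the one-in-ten failure the question describes
        for (int i = 0; i < 10; i++) {
            System.out.println("attempt " + i + ": " + probe(url));
        }
    }
}
```

Run it as `java TlsDiagnostics https://host/path` and compare the handshake trace of a failing attempt with a succeeding one: the negotiated protocol and cipher suite printed per attempt show whether the failures cluster on one server behind a load balancer or on one protocol version, which is the first thing to establish before touching trust settings. The javax.net.debug property must be set before any JSSE class is initialised, which is why it is set at the top of main rather than inside probe.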

2

Try set com.sun.net.ssl.rsaPreMasterSecretFix to true.

Comments
