 

javax.net.ssl, https clients and close_notify

Tags: https, ssl, dhc

Simple Netty implementation of https server utilizing javax.net.ssl, with a self-signed certificate. Server is up, and then a request is made using DHC by Restlet. On the server side I get:

io.netty.handler.ssl.SslHandler setHandshakeFailure
WARNING: SSLEngine.closeInbound() raised an exception due to closed connection.
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.closeInbound(Unknown Source)
    at io.netty.handler.ssl.SslHandler.setHandshakeFailure(SslHandler.java:905)
    at io.netty.handler.ssl.SslHandler.channelInactive(SslHandler.java:576)
    at io.netty.channel.DefaultChannelHandlerContext.invokeChannelInactive(DefaultChannelHandlerContext.java:819)
    at io.netty.channel.DefaultChannelHandlerContext.access$1300(DefaultChannelHandlerContext.java:38)
    at io.netty.channel.DefaultChannelHandlerContext$5.run(DefaultChannelHandlerContext.java:808)
    at io.netty.channel.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:259)
    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:305)
    at io.netty.channel.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:110)
    at java.lang.Thread.run(Unknown Source)

And on the client side:

No response. Is the certificate valid? Click here to check.

Issuing the same request at Chrome's address bar gives the same server-side exception. Issuing the same at Firefox's address bar gives the same exception, while Firefox is displaying its warning page about the certificate not being from a trusted CA. This exception seems very generic and does not directly indicate what the state of the protocol is. Does it mean these 3 clients (Chrome, Firefox, DHC by Restlet) are not playing the protocol nicely and just disappearing on the server rather than sending a close_notify? Or is that a client-side behavior mandated by the SSL RFCs, or just a security-oriented client-side design?

matanster asked Feb 20 '13 09:02


2 Answers

I have contacted the DHC by Restlet team and they have told me a workaround:

Chrome doesn't provide an API for managing certificates. In other words, we have no API to automatically accept your certificate, nor a way to raise an 'untrusted certificate' dialog. But you can use a little workaround:

  1. Open the https URL in another tab.
  2. Manually accept the certificate.
  3. Go back to DHC and it will work because your certificate has been accepted manually (it is stored in your Chrome) by the previous step.

Usually you have to do this just once.

Antonio Acevedo answered Nov 16 '22 01:11


I faced this issue when I was installing the OpenJDK version of Java on a Linux machine; when I changed the Java version to Oracle JDK, the issue disappeared.

The exact application that threw this exception is Information Workbench (a fluid ops product) and the Java version was 8. Which version of Java to use wasn't mentioned in the system prerequisites by the fluid ops people.

Hasnaa Ibraheem answered Nov 16 '22 02:11
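
The stack trace in the question ends with `SslHandler.channelInactive` calling `SSLEngine.closeInbound()`. The following added example (not code from the question, the answers or Netty) reproduces that condition with a bare `javax.net.ssl` engine: the handshake has started and the transport ends without a close_notify alert having arrived. Assumptions: a client-mode engine is used so that no key material is needed, and the class name `CloseNotifyDemo` is made up for the example.

```java
import java.nio.ByteBuffer;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLException;

// Hypothetical demo class: shows when closeInbound() reports a missing close_notify.
public class CloseNotifyDemo {

    // Returns the exception message, or null if closeInbound() accepted the close.
    static String closeWithoutCloseNotify(boolean startHandshake) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(true); // client mode: no certificate or key required

        if (startHandshake) {
            engine.beginHandshake();
            // Produce the ClientHello so the engine is now waiting for the peer.
            ByteBuffer net = ByteBuffer.allocate(engine.getSession().getPacketBufferSize());
            SSLEngineResult r = engine.wrap(ByteBuffer.allocate(0), net);
            System.out.println("after wrap: " + r.getHandshakeStatus()
                    + ", bytes produced: " + r.bytesProduced());
        }

        try {
            // This is what a handler does when the TCP connection goes away:
            // it tells the engine that no more inbound data will arrive.
            engine.closeInbound();
            return null;
        } catch (SSLException e) {
            // No close_notify was seen, so the engine cannot tell an abrupt
            // disconnect from truncation. Message wording varies by JDK version.
            return e.getMessage();
        } finally {
            engine.closeOutbound();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed cases: connection dropped before and during the handshake.
        System.out.println("before handshake: " + closeWithoutCloseNotify(false));
        System.out.println("during handshake: " + closeWithoutCloseNotify(true));
    }
}
```

The first case prints `null` and the second prints the SSLException message, which is the same condition the Netty warning reports when a peer closes the TCP connection during or after the handshake without sending close_notify.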