[SpringCloudGateway]: Netty HttpClient failed to connect with SSLHandshakeException after establishing HTTPS connection with endpoint about spring-cloud-gateway HOT 13 OPEN

@lhotari
Following is the relevant output of sslscan utility:

SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0  disabled
TLSv1.1  disabled
TLSv1.2  enabled
TLSv1.3  disabled

TLS Fallback SCSV:
Server supports TLS Fallback SCSV

TLS renegotiation:
Session renegotiation not supported

TLS Compression:
Compression disabled

Supported Server Cipher(s):
Preferred  TLSv1.2   256 bits  AES256-SHA256
Accepted  TLSv1.2   128 bits  AES128-SHA256
Accepted  TLSv1.2   128 bits  DES-CBC3-SHA

from spring-cloud-gateway.

@lhotari Is there any settings that can be configured in yml file directly like spring.cloud.gateway.httpclient.ssl ?

No. That's the reason why you need either of the solutions that I mentioned in the previous comments.

from spring-cloud-gateway.

@deepak-chhetri Unfortunately not.

from spring-cloud-gateway.

answered in netty/netty#14087 (comment)

from spring-cloud-gateway.

@lhotari
We checked the remote IBM server/endpoint and found following error in server logs:

SSL0222W: SSL Handshake Failed, No ciphers specified (no shared ciphers or no shared protocols).

It seems that cipher configuration is missing in request sent to endpoint server from Spring Cloud Gateway HttpClient.
Could you please share details around how to configure cipher suites in Spring Cloud Gateway HttpClient?

We have used following command to list down the ciphers used by endpoint server as follows:

openssl s_client -connect serverAddress:port

and got following output with cipher details:

SSL-Session:
    Protocol: TLSv1.2
    Cipher: AES256-SHA256
    Verify return code: 0 (ok)

from spring-cloud-gateway.

@deepak-chhetri to investigate the problem and suggest a proper solution, it could be helpful to also share the output of sslscan (https://github.com/rbsec/sslscan) for the target server. sslscan is available in package managers such as homebrew (brew install sslscan) or ubuntu apt (sudo apt-get install sslscan).

from spring-cloud-gateway.

@lhotari Could you please share HttpClient settings to configure cipher suites to connect with endpoint server over HTTPS?

from spring-cloud-gateway.

@deepak-chhetri I don't have a ready made example. I guess you should be able to customize that by adding a bean that implements org.springframework.cloud.gateway.config.HttpClientCustomizer.

from spring-cloud-gateway.

You might also be able to override httpClientSslConfigurer bean with your own implementation that configures the ciphers.

from spring-cloud-gateway.

@lhotari Is there any settings that can be configured in yml file directly like spring.cloud.gateway.httpclient.ssl ?

from spring-cloud-gateway.

@deepak-chhetri Although it is possible that defaults for the ciphers could be configured with a system property.

from spring-cloud-gateway.

@lhotari
Could you please share example to configure default cipher suite?

from spring-cloud-gateway.

It's also worth checking if "Configuring default extensions" is related.

Some TLS implementations may not handle unknown extensions properly. As a result, you might encounter unexpected interoperability issues when the JDK introduces new extensions.

(check https://bugs.openjdk.org/browse/JDK-8217633 for more details)

Some servers get confused by TLS handshake extensions that clients send and report it as a cipher error (based on comment https://bugs.openjdk.org/browse/JDK-8257825).

You could try passing -Djdk.tls.client.disableExtensions=supported_versions to see if that helps, unless configuring ciphers is possible or doesn't fix the issue.

from spring-cloud-gateway.