
SSLHandshakeException with jlink created runtime

I've got a dropwizard app, which runs fine with the standard JRE.

I've tried creating a runtime using jlink which is considerably smaller:

/Library/Java/JavaVirtualMachines/jdk-11.jdk/Contents/Home/bin/jlink --no-header-files --no-man-pages --compress=2 --strip-debug --add-modules java.base,java.compiler,java.desktop,java.instrument,java.logging,,java.naming,java.scripting,,java.sql,java.xml,jdk.attach,jdk.jdi,,jdk.unsupported --output jre

If I run it with the jlink created runtime it throws this error connecting to redis (which has stunnel in front of it).

ERROR [2019-03-31 09:12:20,080] Failed to process message.
! Received fatal alert: handshake_failure
! at java.base/ Source)
! at java.base/ Source)
! at java.base/ Source)
! at java.base/$AlertConsumer.consume(Unknown Source)
! at java.base/ Source)
! at java.base/ Source)
! at java.base/ Source)
! at java.base/ Source)
! at java.base/ Source)
! at java.base/ Source)
! at java.base/$AppOutputStream.write(Unknown Source)
! at redis.clients.jedis.util.RedisOutputStream.flushBuffer(
! at redis.clients.jedis.util.RedisOutputStream.flush(
! at redis.clients.jedis.Connection.flush(
! ... 9 common frames omitted
! Causing: redis.clients.jedis.exceptions.JedisConnectionException: Received fatal alert: handshake_failure
! at redis.clients.jedis.Connection.flush(
! at redis.clients.jedis.Connection.getStatusCodeReply(
! at redis.clients.jedis.BinaryJedis.auth(
! at redis.clients.jedis.JedisFactory.makeObject(
! at org.apache.commons.pool2.impl.GenericObjectPool.create(
! at org.apache.commons.pool2.impl.GenericObjectPool.borrowObject(
! at org.apache.commons.pool2.impl.GenericObjectPool.borrowObject(
! at redis.clients.jedis.util.Pool.getResource(
! ... 2 common frames omitted
! Causing: redis.clients.jedis.exceptions.JedisConnectionException: Could not get a resource from the pool
! at redis.clients.jedis.util.Pool.getResource(
! at redis.clients.jedis.JedisPool.getResource(

The stunnel server logs show:

redis_1  | 09:12:20 stunnel.1 | 2019.03.31 09:12:20 LOG7[23]: TLS alert (write): fatal: handshake failure
redis_1  | 09:12:20 stunnel.1 | 2019.03.31 09:12:20 LOG3[23]: SSL_accept: 141F7065: error:141F7065:SSL routines:final_key_share:no suitable key share
redis_1  | 09:12:20 stunnel.1 | 2019.03.31 09:12:20 LOG5[23]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket

Are there some crypto algorithms being left out by jlink?


  • As rich mentions in a comment

    Hmmn. If I add it works - why would jdeps have left that one out, if that one, would there be any others it's left out?

    adding to the modules list solved the problem.

    Edit: starting with Java 22 the "SunEC" crypto provider is part of the java.base module and is deprecated for removal. Find more details here:
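
Added example, not part of the original question or answer: a startup self-check to run on the jlink-built runtime, which fails fast when elliptic-curve crypto is missing instead of surfacing later as a TLS `handshake_failure`. It tests for the algorithms rather than for a module name, so it also holds on runtimes where SunEC lives in java.base; the class name `TlsRuntimeCheck` is hypothetical.

```java
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.crypto.KeyAgreement;
import javax.net.ssl.SSLContext;

// Hypothetical helper: reports what the running (jlink-built) runtime can do for EC-based TLS.
public class TlsRuntimeCheck {
    // Returns the EC services that no installed security provider offers.
    static List<String> missingEcServices() {
        List<String> missing = new ArrayList<>();
        try {
            KeyPairGenerator.getInstance("EC");
        } catch (NoSuchAlgorithmException e) {
            missing.add("KeyPairGenerator.EC");
        }
        try {
            KeyAgreement.getInstance("ECDH");
        } catch (NoSuchAlgorithmException e) {
            missing.add("KeyAgreement.ECDH");
        }
        return missing;
    }

    // Counts supported cipher suites whose name contains _ECDHE_ (informational only).
    static long ecdheSuiteCount() throws NoSuchAlgorithmException {
        String[] suites = SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites();
        return Arrays.stream(suites).filter(s -> s.contains("_ECDHE_")).count();
    }

    public static void main(String[] args) throws Exception {
        // Modules actually linked into this runtime image.
        ModuleLayer.boot().modules().stream().map(Module::getName).sorted()
                .forEach(m -> System.out.println("module   " + m));
        for (var p : Security.getProviders()) {
            System.out.println("provider " + p.getName());
        }
        System.out.println("ECDHE cipher suites supported: " + ecdheSuiteCount());
        List<String> missing = missingEcServices();
        if (!missing.isEmpty()) {
            System.err.println("EC crypto unavailable, missing: " + missing);
            System.exit(1);
        }
        System.out.println("EC crypto available");
    }
}
```

Compile it with the full JDK and run it with `jre/bin/java -cp . TlsRuntimeCheck`. Running `jlink --suggest-providers java.security.Provider` lists the modules that supply security providers, which helps decide what to pass to `--add-modules`.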