PostgreSQL connection: handshake_failure

gpadider, 5 years ago

Hello,

I have a problem with my new database server, which is PostgreSQL 11 with SSL enabled.
When I launch Traccar I get this message: org.postgresql.util.PSQLException: SSL error: Received fatal alert: handshake_failure
The JDBC string includes ?sslmode=require

Of course I checked the forum, for example this thread: https://www.traccar.org/forums/topic/upgrade-from-42-to-43/
So I tried with -Djdk.tls.client.protocols=TLSv1.2 but it's not working either.

Here is the result with more logging:

/opt/traccar/jre/bin/java -Djdk.tls.client.protocols=TLSv1.2 -Djavax.net.debug=ssl:handshake:verbose -jar tracker-server.jar conf/traccar.xml
javax.net.ssl|DEBUG|01|main|2020-01-28 11:48:55.867 CET|SSLCipher.java:437|jdk.tls.keyLimits:  entry = AES/GCM/NoPadding KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472
javax.net.ssl|DEBUG|01|main|2020-01-28 11:48:56.050 CET|ECPointFormatsExtension.java:195|Need no ec_point_formats extension
javax.net.ssl|DEBUG|01|main|2020-01-28 11:48:56.051 CET|SSLExtensions.java:256|Ignore, context unavailable extension: ec_point_formats
javax.net.ssl|WARNING|01|main|2020-01-28 11:48:56.053 CET|SignatureScheme.java:282|Signature algorithm, ed25519, is not supported by the underlying providers
javax.net.ssl|WARNING|01|main|2020-01-28 11:48:56.054 CET|SignatureScheme.java:282|Signature algorithm, ed448, is not supported by the underlying providers
javax.net.ssl|WARNING|01|main|2020-01-28 11:48:56.055 CET|SignatureScheme.java:282|Signature algorithm, SHA256withECDSA, is not supported by the underlying providers
javax.net.ssl|WARNING|01|main|2020-01-28 11:48:56.056 CET|SignatureScheme.java:282|Signature algorithm, SHA384withECDSA, is not supported by the underlying providers
javax.net.ssl|WARNING|01|main|2020-01-28 11:48:56.057 CET|SignatureScheme.java:282|Signature algorithm, SHA512withECDSA, is not supported by the underlying providers
javax.net.ssl|WARNING|01|main|2020-01-28 11:48:56.063 CET|SignatureScheme.java:282|Signature algorithm, SHA224withECDSA, is not supported by the underlying providers
javax.net.ssl|WARNING|01|main|2020-01-28 11:48:56.070 CET|SignatureScheme.java:282|Signature algorithm, SHA1withECDSA, is not supported by the underlying providers
javax.net.ssl|ALL|01|main|2020-01-28 11:48:56.075 CET|SignatureScheme.java:358|Ignore disabled signature sheme: rsa_md5
javax.net.ssl|INFO|01|main|2020-01-28 11:48:56.076 CET|AlpnExtension.java:161|No available application protocols
javax.net.ssl|DEBUG|01|main|2020-01-28 11:48:56.077 CET|SSLExtensions.java:256|Ignore, context unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|01|main|2020-01-28 11:48:56.080 CET|ClientHello.java:651|Produced ClientHello handshake message (
"ClientHello": {
  "client version"      : "TLSv1.2",
  "random"              : "8C 5B FB CA 40 88 CC DF AA 01 EB C7 ED D7 7D A1 73 20 0E FF 5E 55 26 .......(data masked, i don't know if it's sensitive)",
  "session id"          : "",
  "cipher suites"       : "[TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032)]",
  "compression methods" : "00",
  "extensions"          : [
    
  ]
}
)
javax.net.ssl|DEBUG|01|main|2020-01-28 11:48:56.090 CET|Alert.java:232|Received alert message (
"Alert": {
  "level"      : "fatal",
  "description": "handshake_failure"
}
)
javax.net.ssl|ERROR|01|main|2020-01-28 11:48:56.096 CET|TransportContext.java:313|Fatal (HANDSHAKE_FAILURE): Received fatal alert: handshake_failure (
"throwable" : {
  javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
      at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
      at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
      at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
      at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:279)
      at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:181)
      at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
      at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
      at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
      at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
      at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:40)
      at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:441)
      at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:135)
      at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192)
      at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
      at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:211)
      at org.postgresql.Driver.makeConnection(Driver.java:458)
      at org.postgresql.Driver.connect(Driver.java:260)
      at com.zaxxer.hikari.util.DriverDataSource.getConnection(DriverDataSource.java:138)
      at com.zaxxer.hikari.pool.PoolBase.newConnection(PoolBase.java:353)
      at com.zaxxer.hikari.pool.PoolBase.newPoolEntry(PoolBase.java:201)
      at com.zaxxer.hikari.pool.HikariPool.createPoolEntry(HikariPool.java:473)
      at com.zaxxer.hikari.pool.HikariPool.checkFailFast(HikariPool.java:562)
      at com.zaxxer.hikari.pool.HikariPool.<init>(HikariPool.java:115)
      at com.zaxxer.hikari.HikariDataSource.<init>(HikariDataSource.java:81)
      at org.traccar.database.DataManager.initDatabase(DataManager.java:139)
      at org.traccar.database.DataManager.<init>(DataManager.java:89)
      at org.traccar.Context.init(Context.java:389)
      at org.traccar.Main.run(Main.java:110)
      at org.traccar.Main.main(Main.java:104)}

)
javax.net.ssl|DEBUG|01|main|2020-01-28 11:48:56.097 CET|SSLSocketImpl.java:1361|close the underlying socket
javax.net.ssl|DEBUG|01|main|2020-01-28 11:48:56.098 CET|SSLSocketImpl.java:1380|close the SSL connection (initiative)
Exception in thread "main" java.lang.RuntimeException: com.zaxxer.hikari.pool.HikariPool$PoolInitializationException: Failed to initialize pool: SSL error: Received fatal alert: handshake_failure
    at org.traccar.Main.run(Main.java:152)
    at org.traccar.Main.main(Main.java:104)
Caused by: com.zaxxer.hikari.pool.HikariPool$PoolInitializationException: Failed to initialize pool: SSL error: Received fatal alert: handshake_failure
    at com.zaxxer.hikari.pool.HikariPool.throwPoolInitializationException(HikariPool.java:597)
    at com.zaxxer.hikari.pool.HikariPool.checkFailFast(HikariPool.java:576)
    at com.zaxxer.hikari.pool.HikariPool.<init>(HikariPool.java:115)
    at com.zaxxer.hikari.HikariDataSource.<init>(HikariDataSource.java:81)
    at org.traccar.database.DataManager.initDatabase(DataManager.java:139)
    at org.traccar.database.DataManager.<init>(DataManager.java:89)
    at org.traccar.Context.init(Context.java:389)
    at org.traccar.Main.run(Main.java:110)
    ... 1 more
Caused by: org.postgresql.util.PSQLException: SSL error: Received fatal alert: handshake_failure
    at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:42)
    at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:441)
    at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:135)
    at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192)
    at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
    at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:211)
    at org.postgresql.Driver.makeConnection(Driver.java:458)
    at org.postgresql.Driver.connect(Driver.java:260)
    at com.zaxxer.hikari.util.DriverDataSource.getConnection(DriverDataSource.java:138)
    at com.zaxxer.hikari.pool.PoolBase.newConnection(PoolBase.java:353)
    at com.zaxxer.hikari.pool.PoolBase.newPoolEntry(PoolBase.java:201)
    at com.zaxxer.hikari.pool.HikariPool.createPoolEntry(HikariPool.java:473)
    at com.zaxxer.hikari.pool.HikariPool.checkFailFast(HikariPool.java:562)
    ... 7 more
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
    at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:279)
    at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:181)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
    at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:40)
    ... 19 more

I've spent many hours looking into the strange message "Signature algorithm, SHA256withECDSA, is not supported by the underlying providers" but nothing is working. I've tried to set the Java policy (https://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html) but it does not concern Java 11. I'm using Traccar 4.1.

Thanks for the help!

gpadider, 5 years ago

I've just tried with Traccar 4.7 and it's not working either with this command:
/opt/traccar/jre/bin/java -Djdk.tls.client.protocols=TLSv1.2 -jar tracker-server.jar conf/traccar.xml

gpadider, 5 years ago

Solved by replacing /opt/traccar/jre/bin/java with /usr/bin/java in the service file.
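
A triage sketch for `-Djavax.net.debug=ssl:handshake:verbose` output like the log in the first post, added here as an example and not part of the original thread. It pulls out the signature algorithms the runtime reports as unsupported, the key-exchange families offered in the ClientHello, and the alert received; the names `triage`, `key_exchange` and `SAMPLE_LOG` are assumptions of this example, and the sample is abbreviated from the log above.

```python
import re

# Constructed sample: abbreviated lines in the format of the debug log above.
SAMPLE_LOG = '''\
javax.net.ssl|WARNING|01|main|2020-01-28 11:48:56.053 CET|SignatureScheme.java:282|Signature algorithm, ed25519, is not supported by the underlying providers
javax.net.ssl|WARNING|01|main|2020-01-28 11:48:56.055 CET|SignatureScheme.java:282|Signature algorithm, SHA256withECDSA, is not supported by the underlying providers
javax.net.ssl|DEBUG|01|main|2020-01-28 11:48:56.080 CET|ClientHello.java:651|Produced ClientHello handshake message (
"ClientHello": {
  "cipher suites"       : "[TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3)]",
}
)
javax.net.ssl|DEBUG|01|main|2020-01-28 11:48:56.090 CET|Alert.java:232|Received alert message (
"Alert": {
  "level"      : "fatal",
  "description": "handshake_failure"
}
)
'''

UNSUPPORTED = re.compile(r"Signature algorithm, (\S+), is not supported by the underlying providers")
SUITES = re.compile(r'"cipher suites"\s*:\s*"\[(.*?)\]"')
SUITE_NAME = re.compile(r"(TLS_\w+)\(0x[0-9A-Fa-f]{4}\)")
ALERT = re.compile(r'"description"\s*:\s*"(\w+)"')

def key_exchange(suite):
    """Key-exchange family of a TLS 1.2 suite name (TLS_<kx>_WITH_...)."""
    if "_WITH_" not in suite:          # TLS 1.3 suites carry no key exchange in the name
        return "TLS1.3"
    return suite[len("TLS_"):].split("_WITH_")[0].split("_")[0]

def triage(log):
    """Summarise what the client runtime could offer and how the peer answered."""
    unsupported = UNSUPPORTED.findall(log)
    m = SUITES.search(log)
    suites = SUITE_NAME.findall(m.group(1)) if m else []
    kx = sorted({key_exchange(s) for s in suites})
    alerts = ALERT.findall(log)
    findings = []
    if any("ECDSA" in name for name in unsupported):
        findings.append("runtime has no ECDSA provider")
    if suites and not any(k.startswith("ECDH") for k in kx):
        findings.append("ClientHello offers no ECDHE/ECDH cipher suites")
    if "handshake_failure" in alerts:
        findings.append("peer sent handshake_failure")
    return {"unsupported": unsupported, "key_exchanges": kx, "alerts": alerts, "findings": findings}

if __name__ == "__main__":
    for line in triage(SAMPLE_LOG)["findings"]:
        print(line)
```

A client that offers only RSA and DHE key exchange gets `handshake_failure` from a server whose cipher list accepts only ECDHE; the thread does not say whether that was this server's configuration. Running the same capture under each Java binary named in the thread shows whether the offered suites differ between them.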