SSL handshake error with 11.0.6.10.1 Windows JDK. Cacerts truststore seems to be corrupt.

[Drakonhawk]

Describe the bug

When using Windows x64 11.0.6.10.1 Windows x64 JDK version with eclipse or ant during eclipse update and ant build an error occurs then trying to access https URLs or web sites.

java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

To Reproduce

Download Eclipse 2019-12 Developer EE windows x64. Set Corretto 11.0.6.10.1 as standard in Windows (added first to Path variable) and extract and start eclipse. Try to install Enhanced Class Decompiler via marketplace.

Workarround

The cacerts truststore seems to be corrupt in this version. Its size is only 160 kB. Linux version the size is 252kB similar to all Corretto 11.0.5.x versions. Using the linux cacerts truststore fix the problem. In MacOS build the cacerts truststore is also 160kB. Using the old 11.0.5.x cacerts truststore also fixes the problem.

Expected behavior

SSL handshake should work with delivered cacerts truststore.

Platform information

OS: Windows 10 x64 1809
Version: OpenJDK Runtime Environment Corretto-11.0.6.10.1 (build 11.0.6+10-LTS)

[madsolar8582]

I am experiencing the same issue using 11.0.6.10.1 on macOS 10.15.2. Downgrading to 11.0.5.10.2 resolves the issue.

Example:

08:39:35  io.jenkins.plugins.appcenter.AppCenterException: Create upload resource unsuccessful: 
08:39:35  	at io.jenkins.plugins.appcenter.AppCenterLogger.logFailure(AppCenterLogger.java:23)
08:39:35  	at io.jenkins.plugins.appcenter.task.internal.CreateUploadResourceTask.lambda$execute$0(CreateUploadResourceTask.java:46)
08:39:35  	at java.base/java.util.concurrent.CompletableFuture.uniWhenComplete(CompletableFuture.java:859)
08:39:35  	at java.base/java.util.concurrent.CompletableFuture$UniWhenComplete.tryFire(CompletableFuture.java:837)
08:39:35  	at java.base/java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:506)
08:39:35  	at java.base/java.util.concurrent.CompletableFuture.completeExceptionally(CompletableFuture.java:2088)
08:39:35  	at retrofit2.CompletableFutureCallAdapterFactory$BodyCallAdapter$2.onFailure(CompletableFutureCallAdapterFactory.java:86)
08:39:35  	at retrofit2.OkHttpCall$1.callFailure(OkHttpCall.java:142)
08:39:35  	at retrofit2.OkHttpCall$1.onFailure(OkHttpCall.java:137)
08:39:35  	at okhttp3.RealCall$AsyncCall.execute(RealCall.java:180)
08:39:35  	at okhttp3.internal.NamedRunnable.run(NamedRunnable.java:32)
08:39:35  	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
08:39:35  	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
08:39:35  	at java.base/java.lang.Thread.run(Thread.java:834)
08:39:35  Caused by: javax.net.ssl.SSLException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
08:39:35  	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:133)
08:39:35  	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:320)
08:39:35  	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:263)
08:39:35  	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:258)
08:39:35  	at java.base/sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1313)
08:39:35  	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:408)
08:39:35  	at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:336)
08:39:35  	at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:300)
08:39:35  	at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:185)
08:39:35  	at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.java:224)
08:39:35  	at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.java:108)
08:39:35  	at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.java:88)
08:39:35  	at okhttp3.internal.connection.Transmitter.newExchange(Transmitter.java:169)
08:39:35  	at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:41)
08:39:35  	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
08:39:35  	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
08:39:35  	at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:94)
08:39:35  	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
08:39:35  	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
08:39:35  	at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
08:39:35  	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
08:39:35  	at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:88)
08:39:35  	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
08:39:35  	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
08:39:35  	at io.jenkins.plugins.appcenter.api.AppCenterServiceFactory.lambda$createAppCenterService$0(AppCenterServiceFactory.java:66)
08:39:35  	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
08:39:35  	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
08:39:35  	at okhttp3.logging.HttpLoggingInterceptor.intercept(HttpLoggingInterceptor.java:223)
08:39:35  	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
08:39:35  	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
08:39:35  	at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:221)
08:39:35  	at okhttp3.RealCall$AsyncCall.execute(RealCall.java:172)
08:39:35  	... 4 more
08:39:35  Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
08:39:35  	at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:102)
08:39:35  	at java.base/sun.security.validator.Validator.getInstance(Validator.java:181)
08:39:35  	at java.base/sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:300)
08:39:35  	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(X509TrustManagerImpl.java:176)
08:39:35  	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:189)
08:39:35  	at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
08:39:35  	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1316)
08:39:35  	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1207)
08:39:35  	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1150)
08:39:35  	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
08:39:35  	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
08:39:35  	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
08:39:35  	at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:177)
08:39:35  	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
08:39:35  	at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1151)
08:39:35  	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1062)
08:39:35  	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
08:39:35  	... 30 more
08:39:35  Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
08:39:35  	at java.base/java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
08:39:35  	at java.base/java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
08:39:35  	at java.base/java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)
08:39:35  	at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:99)
08:39:35  	... 46 more
08:39:34  io.jenkins.plugins.appcenter.AppCenterException: Upload to AppCenter failed.
08:39:34  	at io.jenkins.plugins.appcenter.task.UploadTask.call(UploadTask.java:56)
08:39:34  	at io.jenkins.plugins.appcenter.task.UploadTask.call(UploadTask.java:17)
08:39:34  	at hudson.remoting.UserRequest.perform(UserRequest.java:211)
08:39:34  	at hudson.remoting.UserRequest.perform(UserRequest.java:54)
08:39:34  	at hudson.remoting.Request$2.run(Request.java:369)
08:39:34  	at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:72)
08:39:34  	at java.util.concurrent.FutureTask.run(FutureTask.java:264)
08:39:34  	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
08:39:34  	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
08:39:34  	at java.lang.Thread.run(Thread.java:834)
08:39:34  	Suppressed: hudson.remoting.Channel$CallSiteStackTrace: Remote call to MAC-BUILD-48
08:39:34  		at hudson.remoting.Channel.attachCallSiteStackTrace(Channel.java:1737)
08:39:34  		at hudson.remoting.UserRequest$ExceptionResponse.retrieve(UserRequest.java:356)
08:39:34  		at hudson.remoting.Channel.call(Channel.java:951)
08:39:34  		at hudson.FilePath.act(FilePath.java:1159)
08:39:34  		at io.jenkins.plugins.appcenter.AppCenterRecorder.uploadToAppCenter(AppCenterRecorder.java:142)
08:39:34  		at io.jenkins.plugins.appcenter.AppCenterRecorder.perform(AppCenterRecorder.java:129)
08:39:34  		at org.jenkinsci.plugins.workflow.steps.CoreStep$Execution.run(CoreStep.java:80)
08:39:34  		at org.jenkinsci.plugins.workflow.steps.CoreStep$Execution.run(CoreStep.java:67)
08:39:34  		at org.jenkinsci.plugins.workflow.steps.SynchronousNonBlockingStepExecution.lambda$start$0(SynchronousNonBlockingStepExecution.java:47)
08:39:34  		at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
08:39:34  		at java.util.concurrent.FutureTask.run(FutureTask.java:266)
08:39:34  		at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
08:39:34  		at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
08:39:34  		at java.lang.Thread.run(Thread.java:748)
08:39:34  Caused by: java.util.concurrent.ExecutionException: io.jenkins.plugins.appcenter.AppCenterException: Create upload resource unsuccessful: 
08:39:34  	at java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:395)
08:39:34  	at java.util.concurrent.CompletableFuture.get(CompletableFuture.java:1999)
08:39:34  	at io.jenkins.plugins.appcenter.task.UploadTask.call(UploadTask.java:54)
08:39:34  	... 9 more
08:39:34  Caused by: io.jenkins.plugins.appcenter.AppCenterException: Create upload resource unsuccessful: 
08:39:34  	at io.jenkins.plugins.appcenter.AppCenterLogger.logFailure(AppCenterLogger.java:23)
08:39:34  	at io.jenkins.plugins.appcenter.task.internal.CreateUploadResourceTask.lambda$execute$0(CreateUploadResourceTask.java:46)
08:39:34  	at java.util.concurrent.CompletableFuture.uniWhenComplete(CompletableFuture.java:859)
08:39:34  	at java.util.concurrent.CompletableFuture$UniWhenComplete.tryFire(CompletableFuture.java:837)
08:39:34  	at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:506)
08:39:34  	at java.util.concurrent.CompletableFuture.completeExceptionally(CompletableFuture.java:2088)
08:39:34  	at retrofit2.CompletableFutureCallAdapterFactory$BodyCallAdapter$2.onFailure(CompletableFutureCallAdapterFactory.java:86)
08:39:34  	at retrofit2.OkHttpCall$1.callFailure(OkHttpCall.java:142)
08:39:34  	at retrofit2.OkHttpCall$1.onFailure(OkHttpCall.java:137)
08:39:34  	at okhttp3.RealCall$AsyncCall.execute(RealCall.java:180)
08:39:34  	at okhttp3.internal.NamedRunnable.run(NamedRunnable.java:32)
08:39:34  	... 3 more
08:39:34  Caused by: javax.net.ssl.SSLException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
08:39:34  	at sun.security.ssl.Alert.createSSLException(Alert.java:133)
08:39:34  	at sun.security.ssl.TransportContext.fatal(TransportContext.java:320)
08:39:34  	at sun.security.ssl.TransportContext.fatal(TransportContext.java:263)
08:39:34  	at sun.security.ssl.TransportContext.fatal(TransportContext.java:258)
08:39:34  	at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1313)
08:39:34  	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:408)
08:39:34  	at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:336)
08:39:34  	at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:300)
08:39:34  	at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:185)
08:39:34  	at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.java:224)
08:39:34  	at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.java:108)
08:39:34  	at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.java:88)
08:39:34  	at okhttp3.internal.connection.Transmitter.newExchange(Transmitter.java:169)
08:39:34  	at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:41)
08:39:34  	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
08:39:34  	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
08:39:34  	at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:94)
08:39:34  	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
08:39:34  	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
08:39:34  	at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
08:39:34  	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
08:39:34  	at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:88)
08:39:34  	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
08:39:34  	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
08:39:34  	at io.jenkins.plugins.appcenter.api.AppCenterServiceFactory.lambda$createAppCenterService$0(AppCenterServiceFactory.java:66)
08:39:34  	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
08:39:34  	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
08:39:34  	at okhttp3.logging.HttpLoggingInterceptor.intercept(HttpLoggingInterceptor.java:223)
08:39:34  	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
08:39:34  	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
08:39:34  	at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:221)
08:39:34  	at okhttp3.RealCall$AsyncCall.execute(RealCall.java:172)
08:39:34  	... 4 more
08:39:34  Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
08:39:34  	at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:102)
08:39:34  	at sun.security.validator.Validator.getInstance(Validator.java:181)
08:39:34  	at sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:300)
08:39:34  	at sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(X509TrustManagerImpl.java:176)
08:39:34  	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:189)
08:39:34  	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
08:39:34  	at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1316)
08:39:34  	at sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1207)
08:39:34  	at sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1150)
08:39:34  	at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
08:39:34  	at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
08:39:34  	at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
08:39:34  	at sun.security.ssl.TransportContext.dispatch(TransportContext.java:177)
08:39:34  	at sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
08:39:34  	at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1151)
08:39:34  	at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1062)
08:39:34  	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
08:39:34  	... 30 more
08:39:34  Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
08:39:34  	at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
08:39:34  	at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
08:39:34  	at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)
08:39:34  	at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:99)
08:39:34  	... 46 more

[davecurrie]

@DanielWebelsiep @madsolar8582 We have identified the issue and are preparing a new release to fix it. In the meantime, there are two options to keep going:

1. Re-install 11.0.5 (available from our release archives page at https://github.com/corretto/corretto-11/releases/tag/11.0.5.10.1)
2. Replace the file “lib\security\cacerts” in your Corretto home directory with the equivalent from the 11.0.5 release, downloaded from the link above.
   We will keep this issue updated.

[alvdavi]

We have released an update for Windows and Mac OS that fixes this issue: https://github.com/corretto/corretto-11/releases/tag/11.0.6.10.1-1

[Drakonhawk]

Under Windows I sucessfully tested the new build. If @madsolar8582 can confirm it under macOS the issue can be closed.

[madsolar8582]

Confirmed working. Thank you for resolving this so quickly.

[finnyb]

@alvdavi We are seeing the same issue using jlink to create a bundled jre in 11.0.6.10.1 and 11.0.6.10.1-1. Should this also be resolved in 11.0.6.10.1-1?

[davecurrie]

@finnyb This was fixed in release 11.0.6.10.1-2, on Jan 23. I noticed that this was not clear in the releases page and updated the release accordingly. Please let us know if you still have problems.

[gkersting]

@davecurrie It looks like 11.0.6.10.1-2 is only available for macOS. Is there a windows version?

[davecurrie]

@gkersting I read @finnyb's comment on jlink and I thought it referred to another jlink issue on macOS that was fixed in 11.0.6.10.1-2. Question: When do you get the handshake error, is it while linking or is it while running the linked app?

[gkersting]

@davecurrie ....... @finnyb and my issue is occurring when running the linked app. Before 11.0.6.10.1 the cacert file added under lib/security after the jlink was around 245kb but now when using 11.0.6.10.1-1 or 11.0.6.10.1 it is around 157kb. If I manually copy the cacert from the JDK into the the jre directory it works fine.

[gkersting]

@davecurrie Should we open a new issue for this? Did something change where we need to add an additional module to our jlink?

[davecurrie]

Yes, please. A new issue is better than trying to track on this closed one.

[gkersting]

@davecurrie I added #88