Problem:
I have just updated and restarted my OpenNMS server. With the updates there is a new java-11-openjdk version. This seems to cause TLS connection problems with some clients.
Firefox 85.0 (Mac) reports “An error occurred during a connection to opennms.example.com:8443. SSL_ERROR_RX_UNEXPECTED_RECORD_TYPE”
curl on CentOS 7:
$ curl --tlsv1.2 -v https://opennms.example.com:8443/
...
* NSS error -5938 (PR_END_OF_FILE_ERROR)
...
$ curl --tlsv1.3 -v https://opennms.example.com:8443/
...
* NSS error -12109 (SSL_ERROR_RX_UNEXPECTED_RECORD_TYPE)
...
Using openssl s_client or wget, it works. So I guess the issue is related to the NSS TLS implementation.
Expected outcome:
Working connection
OpenNMS version:
opennms-27.0.4-1.noarch
Other relevant data:
CentOS 7.9.2009
It’s broken with this java version:
java-11-openjdk-11.0.10.0.9-0.el7_9.x86_64
java-11-openjdk-devel-11.0.10.0.9-0.el7_9.x86_64
java-11-openjdk-headless-11.0.10.0.9-0.el7_9.x86_64
If I downgrade java-11 to the previous version, it works fine:
java-11-openjdk-11.0.9.11-2.el7_9.x86_64
java-11-openjdk-devel-11.0.9.11-2.el7_9.x86_64
java-11-openjdk-headless-11.0.9.11-2.el7_9.x86_64
So I guess in the end it could be either a java-11 or NSS issue, but it knocks out OpenNMS in the middle of it…