TLS issue with latest java11 openjdk

Problem:
I have just updated and restarted my opennms server. With the updates there is a new java-11-openjdk version. This seems to cause TLS connection problems with some clients.

Firefox 85.0 (Mac) reports “An error occurred during a connection to opennms.example.com:8443. SSL_ERROR_RX_UNEXPECTED_RECORD_TYPE”

curl on CentOS 7:

$ curl --tlsv1.2 -v https://opennms.example.com:8443/
...
* NSS error -5938 (PR_END_OF_FILE_ERROR)
...

$ curl --tlsv1.3 -v https://opennms.example.com:8443/
...
* NSS error -12109 (SSL_ERROR_RX_UNEXPECTED_RECORD_TYPE)
...

Using openssl s_client or wget, it works. So I guess the issue is related with the NSS TLS implementation.

Expected outcome:

Working connection

OpenNMS version:
opennms-27.0.4-1.noarch

Other relevant data:
CentOS 7.9.2009

It’s broken with this java version:

java-11-openjdk-11.0.10.0.9-0.el7_9.x86_64
java-11-openjdk-devel-11.0.10.0.9-0.el7_9.x86_64
java-11-openjdk-headless-11.0.10.0.9-0.el7_9.x86_64

If I downgrade the java-11 to the version before it works fine:

java-11-openjdk-11.0.9.11-2.el7_9.x86_64
java-11-openjdk-devel-11.0.9.11-2.el7_9.x86_64
java-11-openjdk-headless-11.0.9.11-2.el7_9.x86_64

So I guess in the end it could be either a java-11 or nss issue, but it knocks out opennms in the middle of it…

No one else having issues with the latest java11 openjdk in EL7?

Likely related to https://issues.opennms.org/browse/NMS-13111

Downgrading Java to 11.0.9 also works around the issue? Good to know!

Yes for me, the java version makes the difference… 11.0.9 is good.