Tags: java, payara, azul-zulu

SSLException with latest Java Zulu 8.0.252


With the latest Java Zulu 8.0.252 and Payara 5 Server I cannot read any HTTPS URLs anymore. After downgrading to 8.0.251 everything works fine again.

javax.net.ssl.SSLException
at org.openjsse.sun.security.ssl.Alert.createSSLException(Alert.java:133)
at org.openjsse.sun.security.ssl.TransportContext.fatal(TransportContext.java:352)
at org.openjsse.sun.security.ssl.TransportContext.fatal(TransportContext.java:295)
at org.openjsse.sun.security.ssl.TransportContext.fatal(TransportContext.java:290)
at org.openjsse.sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1330)
at org.openjsse.sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:424)
at org.openjsse.sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
at org.openjsse.sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at org.openjsse.sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:168)
at org.jsoup.helper.HttpConnection$Response.execute(HttpConnection.java:730)
at org.jsoup.helper.HttpConnection$Response.execute(HttpConnection.java:705)
at org.jsoup.helper.HttpConnection.execute(HttpConnection.java:295)
Caused by: java.lang.NullPointerException
at org.openjsse.sun.security.ssl.CertificateAuthorityExtension$CHCertificateAuthoritiesProducer.produce(CertificateAuthorityExtension.java:185)
at org.openjsse.sun.security.ssl.SSLExtension.produce(SSLExtension.java:560)
at org.openjsse.sun.security.ssl.SSLExtensions.produce(SSLExtensions.java:253)
at org.openjsse.sun.security.ssl.ClientHello$ClientHelloKickstartProducer.produce(ClientHello.java:649)
at org.openjsse.sun.security.ssl.SSLHandshake.kickstart(SSLHandshake.java:515)
at org.openjsse.sun.security.ssl.ClientHandshakeContext.kickstart(ClientHandshakeContext.java:107)
at org.openjsse.sun.security.ssl.TransportContext.kickstart(TransportContext.java:259)
at org.openjsse.sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:411)
... 97 more

Solution

  • It looks like your application or a library it uses has a custom, insecure Trust Manager.

    This custom Trust Manager implements X509TrustManager and returns null from the X509TrustManager.getAcceptedIssuers() method.

    According to the Java specification, getAcceptedIssuers() must return a "non-null (possibly empty) array of acceptable CA issuer certificates", but in the provided stack trace getAcceptedIssuers() returns null. This causes the NPE.

    See https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/X509TrustManager.html#getAcceptedIssuers()