My application is a form of “web scraper” which loads the HTML from a desired input page using the Java Jsoup library. I recently upgraded my application platform from Java 8 to Java 11. With this upgrade, I have received several reports from my clients saying that they receive SSLHandshakeExceptions while trying to load the HTML content of certain webpages. The webpages these occur on vary from device to device, and on some devices, my clients are not able to load any webpages at all (neither http:// nor https:// webpages).
I’ve tried resolving this in several ways but to no avail:
- Replacing the Java 11 runtime's cacerts file with the Java 8 runtime's cacerts file
- Creating a custom SSL certificate acceptor which accepts all SSL certificates regardless of validity (I know this is bad for production code but this was just for test purposes) – see Trusting all certificates using HttpClient over HTTPS
At this point, I’m not really sure what options to take, since I have a limited knowledge of SSL, TLS, and HTTPS. These errors never occurred in Java 8, and everything used to work fine before the upgrade to Java 11.
From my understanding, the only thing Java 11 changed about SSL was upgrading to TLS 1.3, while previous versions of Java relied on using TLS 1.2.
Hence, I would like to force Java 11 to use TLS 1.2 rather than TLS 1.3, as I believe this to be the cause of the SSLHandshakeExceptions. How should I go about doing this?
Answer
Near-dupe of Java 11 HTTPS connection fails with SSL HandshakeException while using Jsoup, but I have something to add.
Use Connection.sslSocketFactory(factory) with a suitable argument. Assuming the standard/default providers, you can use a factory created from SSLContext.getInstance("TLSv1.2"), probably with the default trustmanager and keymanager, i.e. .init(null,null,null).
Or set jdk.tls.client.protocols or https.protocols per table 8-3 in the JSSE documentation. Note this can affect any other SSL/TLS connections, or other URLConnections for HTTPS, made from the same JVM.
I'd be surprised if this fixes your problem, though. TLS 1.3 was delayed for years partly because of the hacks they added so it doesn't fail with legacy 1.2 (and even earlier) systems and 'boxes'.