SSL handshakes randomly fail when using BouncyCastle
Environment
- Java 6, 7, 8
- BouncyCastle 1.50, 1.51
Issue
- SSL/TLS handshakes with Diffie-Hellman cipher suites randomly fail with invalid padding exceptions.
- IOException in getSession(): javax.net.ssl.SSLHandshakeException: Invalid padding
- javax.net.ssl.SSLHandshakeException: Invalid Padding length: 79 (number may vary)
Resolution
Upgrade BouncyCastle to 1.52.
Root Cause
BouncyCastle added server-side TLS support in 1.50, but there was a bug with zero-byte padding. Any pre-master secret that started with a zero byte would fail, which occurred randomly in approximately 1 in 256 requests. The BouncyCastle release notes for 1.52 describe the fix as:
GenericSigner in the lightweight API would fail if the digest started with a zero byte, occasionally causing a TLS negotiation to fail. This has been fixed.
Note that this has the same symptoms as a bug in the Oracle JDK and OpenJDK, as described in "SSL handshakes randomly fail on Java 7" and "Invalid padding exceptions cause mod_cluster proxied requests over HTTPS to 502".
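Why a leading zero byte produces a failure in roughly 1 of every 256 handshakes, shown as an added illustration (not BouncyCastle's code and not part of the original article). It assumes the value is round-tripped through java.math.BigInteger, a common way this class of bug arises; the class and method names are hypothetical and the 32-byte inputs are constructed random values.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.Arrays;

public class LeadingZeroDemo {
    static final int LEN = 32; // constructed size, e.g. a SHA-256 digest

    // Naive round trip through BigInteger: leading zero bytes are lost,
    // so the result is shorter than the value that went in.
    static byte[] naiveEncode(byte[] value) {
        byte[] out = new BigInteger(1, value).toByteArray();
        // toByteArray() prepends a sign byte when the top bit is set; drop it.
        if (out.length > 1 && out[0] == 0) {
            out = Arrays.copyOfRange(out, 1, out.length);
        }
        return out;
    }

    // Fixed-length encoding: left-pad with zeros back to the expected length.
    static byte[] fixedEncode(byte[] value, int length) {
        byte[] raw = naiveEncode(value);
        byte[] out = new byte[length];
        System.arraycopy(raw, 0, out, length - raw.length, raw.length);
        return out;
    }

    public static void main(String[] args) {
        SecureRandom rng = new SecureRandom();
        int trials = 100000, naiveBad = 0, fixedBad = 0;
        byte[] value = new byte[LEN];
        for (int i = 0; i < trials; i++) {
            rng.nextBytes(value); // constructed random input
            // A mismatch here is what a peer would see as a bad length or padding.
            if (!Arrays.equals(value, naiveEncode(value))) naiveBad++;
            if (!Arrays.equals(value, fixedEncode(value, LEN))) fixedBad++;
        }
        System.out.printf("naive mismatches: %d of %d%n", naiveBad, trials);
        System.out.printf("fixed-length mismatches: %d of %d%n", fixedBad, trials);
    }
}
```

The naive count lands near trials/256 because one first-byte value in 256 is zero, which matches the intermittent failure rate described above.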