[SOLVED] Protocol_version Error launching from TLS 1.3 server

rchurchill
Posts: 3
Joined: 10 Mar 2021, 17:02

[SOLVED] Protocol_version Error launching from TLS 1.3 server

Post by rchurchill »

Hi Guys

I'm not sure if I have a server-side configuration issue or I've found a bug.

Summary
I'm updating a test server to match our incoming security standards; this requires exclusive use of TLS 1.3 with all other protocols disabled.
With the server configured like this, OWS cannot download resources from the server, always with the message Received fatal alert: protocol_version.
If I re-enable TLS 1.2 the application starts correctly.
Policy means I can't have TLS 1.2 enabled in production so any suggestions as to how to resolve this would be most appreciated.

Details
Server side Setup: Tomcat 9 behind Apache 2.4.41 using Mod JK - Apache handles SSL
Client Side setup: Windows 10 x64 & OWS 1.3.3
Client Side JRE versions tried: Zulu 11.0.7 (OWS supplied), Zulu 11.0.10 and AdoptOpenJDK 11.0.10

Apache working correctly in Firefox and Chrome when running TLS 1.3 only, resource URL available.

The application is a Java 8 application, though as it doesn't get downloaded I don't think this is relevant.

Console line that I think highlights the error
Exception while downloading resource location=https://xxxxxxxx.net/launch.jnlp version=null state=INCOMPLETE from https://xxxxxxxx.net/launch.jnlp - Received fatal alert: protocol_version
Full console Log
Console Log
===========

Waiting for exception dialog to be closed
Exiting Boot.mainWithReturnCode() with 1
failed to launch
netx: Read Error: Could not read or parse the JNLP file at 'file:/C:/Users/rchurchill/Downloads/launch_newLive.jnlp'. (java.lang.NullPointerException ())
Error flag set for resource 'https://[Redacted URL]/foundry/webstart/launch.jnlp'. Can not return a local file for the resource
Download done. Shutting down executor
could not download resource location=https://[Redacted URL]/foundry/webstart/launch.jnlp version=null state=INCOMPLETE from any of theses urls [https://[Redacted URL]/foundry/webstart/launch.jnlp]
Exception while downloading resource location=https://[Redacted URL]/foundry/webstart/launch.jnlp version=null state=INCOMPLETE from https://[Redacted URL]/foundry/webstart/launch.jnlp - Received fatal alert: protocol_version
Using NO_PROXY
Using NO_PROXY
Will download in background: https://[Redacted URL]/foundry/webstart/launch.jnlp
Failed to determine best URL for location=https://[Redacted URL]/foundry/webstart/launch.jnlp version=null state=INCOMPLETE will try all of [https://[Redacted URL]/foundry/webstart/launch.jnlp]
failed to determine best URL: java.util.concurrent.ExecutionException: javax.net.ssl.SSLException: Received fatal alert: protocol_version
While processing https://[Redacted URL]/foundry/webstart/launch.jnlp by HEAD for resource location=https://[Redacted URL]/foundry/webstart/launch.jnlp version=null state=INCOMPLETE got Received fatal alert: protocol_version
URL connection 'https://[Redacted URL]/foundry/webstart/launch.jnlp' header fields: {}
Following exception should be harmless, but may help in finding root cause.
Using NO_PROXY
Using NO_PROXY
Candidate URLs for location=https://[Redacted URL]/foundry/webstart/launch.jnlp version=null state=INCOMPLETE: [https://[Redacted URL]/foundry/webstart/launch.jnlp]
needsUpdateCheck: https://[Redacted URL]/foundry/webstart/launch.jnlp -> true
isCached: https://[Redacted URL]/foundry/webstart/launch.jnlp - (v: null) = true
isCached: remote size:6758 cached size:6758 -> true
Download of resource launch.jnlp will start now!
Download has not been started yet: launch.jnlp
Checking download state of launch.jnlp
Download for launch.jnlp has not been started until now
Will check and maybe put into cache: launch.jnlp
Will add resource 'launch.jnlp'
Will add resource at location 'https://[Redacted URL]/foundry/webstart/launch.jnlp'
good - your JRE - 1.8.0_265 - match requested JRE - 1.6+
Acceptable vendor tag found, contains: First Call Payment Protection
Jars not ready to provide attribute Application-Name
Description: Titanium
Homepage: https://[Redacted URL]/foundry
Using MalformedXMLParser
Download done. Shutting down executor
Resource is not cacheable: launch_newLive.jnlp
Checking download state of launch_newLive.jnlp
Download for launch_newLive.jnlp has not been started until now
Will check and maybe put into cache: launch_newLive.jnlp
Will add resource 'launch_newLive.jnlp'
Will add resource at location 'file:/C:/Users/rchurchill/Downloads/launch_newLive.jnlp'
JNLP file location: C:\Users\rchurchill\Downloads\launch_newLive.jnlp
Proceeding with jnlp
Proxy disabled ( registry value 'ProxyEnable'). Will use direct proxy.
Windows based proxy created
Selected ProxyProvider : OPERATION_SYSTEM
Operating Keystore C:\Users\rchurchill\.config\icedtea-web\security\trusted.clientcerts
Loading Keystore C:\Users\rchurchill\.config\icedtea-web\security\trusted.clientcerts
Keystore file C:\Users\rchurchill\.config\icedtea-web\security\trusted.clientcerts exists.
Operating Keystore Unknown
Loading Keystore Unknown
Keystore file c:\program files\openwebstart\jre\lib\security\trusted.clientcerts does not exists.
Operating Keystore C:\Users\rchurchill\.config\icedtea-web\security\trusted.cacerts
Loading Keystore C:\Users\rchurchill\.config\icedtea-web\security\trusted.cacerts
Keystore file C:\Users\rchurchill\.config\icedtea-web\security\trusted.cacerts exists.
Operating Keystore C:\Users\rchurchill\.config\icedtea-web\security\trusted.jssecacerts
Loading Keystore C:\Users\rchurchill\.config\icedtea-web\security\trusted.jssecacerts
Keystore file C:\Users\rchurchill\.config\icedtea-web\security\trusted.jssecacerts exists.
Operating Keystore c:\program files\openwebstart\jre\lib\security\cacerts
Loading Keystore c:\program files\openwebstart\jre\lib\security\cacerts
Keystore file c:\program files\openwebstart\jre\lib\security\cacerts exists.
Operating Keystore Unknown
Loading Keystore Unknown
Keystore file c:\program files\openwebstart\jre\lib\security\jssecacerts does not exists.
Operating Keystore C:\Users\rchurchill\.config\icedtea-web\security\trusted.certs
Loading Keystore C:\Users\rchurchill\.config\icedtea-web\security\trusted.certs
Keystore file C:\Users\rchurchill\.config\icedtea-web\security\trusted.certs exists.
Operating Keystore C:\Users\rchurchill\.config\icedtea-web\security\trusted.jssecerts
Loading Keystore C:\Users\rchurchill\.config\icedtea-web\security\trusted.jssecerts
Keystore file C:\Users\rchurchill\.config\icedtea-web\security\trusted.jssecerts exists.
Operating Keystore Unknown
Loading Keystore Unknown
Keystore file c:\program files\openwebstart\jre\lib\security\trusted.certs does not exists.
Operating Keystore Unknown
Loading Keystore Unknown
Keystore file c:\program files\openwebstart\jre\lib\security\trusted.jssecerts does not exists.
Operating Keystore Unknown
Operating Keystore C:\Users\rchurchill\.config\icedtea-web\security\trusted.clientcerts
Loading Keystore C:\Users\rchurchill\.config\icedtea-web\security\trusted.clientcerts
Keystore file C:\Users\rchurchill\.config\icedtea-web\security\trusted.clientcerts exists.
Starting security dialog thread
using com.openwebstart.extensionpoint.OwsExtensionPoint extension point
Java Runtime AdoptOpenJDK-1.8.0_265
OS: Windows 10
OpenWebStartLauncher called with args: [C:\Users\rchurchill\Downloads\launch_newLive.jnlp].
Calling ITW Boot with args [C:\Users\rchurchill\Downloads\launch_newLive.jnlp].
RelevantJavawsArgs: '[C:\Users\rchurchill\Downloads\launch_newLive.jnlp]'
Checking if installation time (1615383237524) is after last initial config time (1615383251797)
Setting download indicator to com.openwebstart.download.ApplicationDownloadIndicator@340f438e
Trying to set download indicator
Property 'ows.install4j.propertyUpdate' is unknown.
Loading USER level properties from: file:/C:/Users/rchurchill/.config/icedtea-web/deployment.properties
Start logging into: net.sourceforge.jnlp.util.logging.filelogs.WriterBasedFileLog@69fb11b6
Property 'ows.install4j.propertyUpdate' is unknown.
Loading USER level properties from: file:/C:/Users/rchurchill/.config/icedtea-web/deployment.properties
Ico provider registered correctly.
Ico provider registered correctly.
Starting OpenWebStart 1.3.3
OWS main args [C:\Users\rchurchill\Downloads\launch_newLive.jnlp].
init logger factory to net.sourceforge.jnlp.util.logging.OutputControllerLoggerFactory@694f9431
Log File
[rchurchill][ITW-CORE][2021-03-10 15:48:47.191 GMT][INFO ][net.sourceforge.jnlp.util.logging.filelogs.WriterBasedFileLog][Output controller consumer daemon#56bd6f45] writer-based impl.
[ITW-CORE][2021-03-10 15:48:46.964 GMT][INFO ][com.openwebstart.launcher.OpenWebStartLauncher] OWS main args [C:\Users\rchurchill\Downloads\launch.jnlp].
[ITW-CORE][2021-03-10 15:48:47.048 GMT][INFO ][com.openwebstart.launcher.PhaseTwoWebStartLauncher] Starting OpenWebStart 1.3.3
[ITW-CORE][2021-03-10 15:48:47.092 GMT][INFO ][net.sourceforge.jnlp.config.DeploymentConfiguration] Ico provider registered correctly.
[ITW-CORE][2021-03-10 15:48:47.129 GMT][INFO ][net.sourceforge.jnlp.config.DeploymentConfiguration] Ico provider registered correctly.
[ITW-CORE][2021-03-10 15:48:47.133 GMT][INFO ][net.sourceforge.jnlp.config.DeploymentConfiguration] Loading USER level properties from: file:/C:/Users/rchurchill/.config/icedtea-web/deployment.properties
[ITW-CORE][2021-03-10 15:48:47.136 GMT][INFO ][net.sourceforge.jnlp.config.DeploymentConfiguration] Property 'ows.install4j.propertyUpdate' is unknown.
[ITW-CORE][2021-03-10 15:48:47.189 GMT][INFO ][net.sourceforge.jnlp.config.DeploymentConfiguration] Loading USER level properties from: file:/C:/Users/rchurchill/.config/icedtea-web/deployment.properties
[ITW-CORE][2021-03-10 15:48:47.194 GMT][INFO ][net.sourceforge.jnlp.config.DeploymentConfiguration] Property 'ows.install4j.propertyUpdate' is unknown.
[ITW-CORE][2021-03-10 15:48:47.234 GMT][INFO ][com.openwebstart.launcher.PhaseTwoWebStartLauncher] Calling ITW Boot with args [C:\Users\rchurchill\Downloads\launch.jnlp].
[ITW-CORE][2021-03-10 15:48:47.237 GMT][INFO ][net.sourceforge.jnlp.runtime.EnvironmentPrinter] OpenWebStartLauncher called with args: [C:\Users\rchurchill\Downloads\launch.jnlp].
[ITW-CORE][2021-03-10 15:48:47.237 GMT][INFO ][net.sourceforge.jnlp.runtime.EnvironmentPrinter] OS: Windows 10
[ITW-CORE][2021-03-10 15:48:47.237 GMT][INFO ][net.sourceforge.jnlp.runtime.EnvironmentPrinter] Java Runtime AdoptOpenJDK-1.8.0_265
[ITW-CORE][2021-03-10 15:48:47.766 GMT][INFO ][net.sourceforge.jnlp.runtime.Boot] Proceeding with jnlp
[ITW-CORE][2021-03-10 15:48:47.769 GMT][INFO ][net.sourceforge.jnlp.runtime.Boot] JNLP file location: C:\Users\rchurchill\Downloads\launch.jnlp
[ITW-CORE][2021-03-10 15:48:47.802 GMT][INFO ][net.adoptopenjdk.icedteaweb.xmlparser.MalformedXMLParser] Using MalformedXMLParser
[ITW-CORE][2021-03-10 15:48:48.048 GMT][INFO ][net.sourceforge.jnlp.Parser] Homepage: https://[Redacted URL]/foundry
[ITW-CORE][2021-03-10 15:48:48.049 GMT][INFO ][net.sourceforge.jnlp.Parser] Description: Titanium
[ITW-CORE][2021-03-10 15:48:48.050 GMT][INFO ][net.sourceforge.jnlp.JNLPFile] Acceptable vendor tag found, contains: First Call Payment Protection
[ITW-CORE][2021-03-10 15:48:48.054 GMT][INFO ][net.sourceforge.jnlp.Parser] good - your JRE - 1.8.0_265 - match requested JRE - 1.6+
[ITW-CORE][2021-03-10 15:48:48.090 GMT][INFO ][net.adoptopenjdk.icedteaweb.resources.cache.LeastRecentlyUsedCache] isCached: https://[Redacted URL]/foundry/webstart/launch.jnlp - (v: null) = true
[ITW-CORE][2021-03-10 15:48:48.226 GMT][ERROR][net.adoptopenjdk.icedteaweb.resources.downloader.BaseResourceDownloader] could not download resource location=https://[Redacted URL]/foundry/webstart/launch.jnlp version=null state=INCOMPLETE from any of theses urls [https://[Redacted URL]/foundry/webstart/launch.jnlp]
[ITW-CORE][2021-03-10 15:48:48.229 GMT][ERROR][net.sourceforge.jnlp.AbstractLaunchHandler]
netx: Read Error: Could not read or parse the JNLP file at 'file:/C:/Users/rchurchill/Downloads/launch.jnlp'. (java.lang.NullPointerException ())
net.sourceforge.jnlp.LaunchException: Fatal: Read Error: Could not read or parse the JNLP file at 'file:/C:/Users/rchurchill/Downloads/launch.jnlp'. You can try to download this file manually and send it as bug report to IcedTea-Web team.
at net.sourceforge.jnlp.Launcher.fromUrl(Launcher.java:331)
at net.sourceforge.jnlp.Launcher.launch(Launcher.java:191)
at net.sourceforge.jnlp.runtime.Boot.launch(Boot.java:355)
at net.sourceforge.jnlp.runtime.Boot.run(Boot.java:335)
at net.sourceforge.jnlp.runtime.Boot.run(Boot.java:73)
at java.security.AccessController.doPrivileged(Native Method)
at net.sourceforge.jnlp.runtime.Boot.runMain(Boot.java:279)
at net.sourceforge.jnlp.runtime.Boot.mainWithReturnCode(Boot.java:132)
at net.sourceforge.jnlp.runtime.Boot.main(Boot.java:114)
at com.openwebstart.launcher.PhaseTwoWebStartLauncher.main(PhaseTwoWebStartLauncher.java:81)
at com.openwebstart.launcher.OpenWebStartLauncher.main(OpenWebStartLauncher.java:35)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.exe4j.runtime.LauncherEngine.launch(LauncherEngine.java:84)
at com.exe4j.runtime.WinLauncher.main(WinLauncher.java:94)
at com.install4j.runtime.launcher.WinLauncher.main(WinLauncher.java:25)
Caused by: java.io.IOException: java.lang.NullPointerException
at net.sourceforge.jnlp.JNLPFileFactory.openURL(JNLPFileFactory.java:107)
at net.sourceforge.jnlp.JNLPFileFactory.create(JNLPFileFactory.java:79)
at net.sourceforge.jnlp.JNLPFileFactory.create(JNLPFileFactory.java:63)
at net.sourceforge.jnlp.Launcher.fromUrl(Launcher.java:322)
... 17 more
Caused by: java.lang.NullPointerException
at java.io.FileInputStream.<init>(FileInputStream.java:130)
at net.sourceforge.jnlp.JNLPFileFactory.openURL(JNLPFileFactory.java:103)
... 20 more
[ITW-CORE][2021-03-10 15:48:48.229 GMT][ERROR][net.sourceforge.jnlp.runtime.Boot]
failed to launch
net.sourceforge.jnlp.LaunchException: Fatal: Read Error: Could not read or parse the JNLP file at 'file:/C:/Users/rchurchill/Downloads/launch.jnlp'. You can try to download this file manually and send it as bug report to IcedTea-Web team.
at net.sourceforge.jnlp.Launcher.fromUrl(Launcher.java:331)
at net.sourceforge.jnlp.Launcher.launch(Launcher.java:191)
at net.sourceforge.jnlp.runtime.Boot.launch(Boot.java:355)
at net.sourceforge.jnlp.runtime.Boot.run(Boot.java:335)
at net.sourceforge.jnlp.runtime.Boot.run(Boot.java:73)
at java.security.AccessController.doPrivileged(Native Method)
at net.sourceforge.jnlp.runtime.Boot.runMain(Boot.java:279)
at net.sourceforge.jnlp.runtime.Boot.mainWithReturnCode(Boot.java:132)
at net.sourceforge.jnlp.runtime.Boot.main(Boot.java:114)
at com.openwebstart.launcher.PhaseTwoWebStartLauncher.main(PhaseTwoWebStartLauncher.java:81)
at com.openwebstart.launcher.OpenWebStartLauncher.main(OpenWebStartLauncher.java:35)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.exe4j.runtime.LauncherEngine.launch(LauncherEngine.java:84)
at com.exe4j.runtime.WinLauncher.main(WinLauncher.java:94)
at com.install4j.runtime.launcher.WinLauncher.main(WinLauncher.java:25)
Caused by: java.io.IOException: java.lang.NullPointerException
at net.sourceforge.jnlp.JNLPFileFactory.openURL(JNLPFileFactory.java:107)
at net.sourceforge.jnlp.JNLPFileFactory.create(JNLPFileFactory.java:79)
at net.sourceforge.jnlp.JNLPFileFactory.create(JNLPFileFactory.java:63)
at net.sourceforge.jnlp.Launcher.fromUrl(Launcher.java:322)
... 17 more
Caused by: java.lang.NullPointerException
at java.io.FileInputStream.<init>(FileInputStream.java:130)
at net.sourceforge.jnlp.JNLPFileFactory.openURL(JNLPFileFactory.java:103)
... 20 more

Stephan Classen
Posts: 174
Joined: 27 Mar 2020, 09:55

Re: Protocol_version Error launching from TLS 1.3 server

Post by Stephan Classen »

According to https://github.com/AdoptOpenJDK/openjdk ... ssues/1254 TLS 1.3 support was added in 8u272.
The OWS version 1.4.0 will contain an updated JRE which should contain TLS 1.3 support.
Release is planned for April 2021.

Janak Mulani
Posts: 204
Joined: 24 Mar 2020, 13:37

Re: [SOLVED] Protocol_version Error launching from TLS 1.3 server

Post by Janak Mulani »

As part of OWS installation there is a JRE directory under the installation directory. This JRE is used to start OWS and download the jnlp file. The current version is 8 u 265. You could replace this JRE with 8 u 272+. Can you please try this and report back if it solved your issue?

Thanks

rchurchill
Posts: 3
Joined: 10 Mar 2021, 17:02

Re: [SOLVED] Protocol_version Error launching from TLS 1.3 server

Post by rchurchill »

Thank you for your quick reply

I've done some additional testing this morning based on your suggestions, and I'm getting the same error.
I used AdoptOpenJDK jdk8u282-b08, and after updating the OWS launch JRE, ultimately ended up uninstalling OWS and ensuring I had no other JRE installed. Finally, I reinstalled only AdoptOpenJDK jdk8u282-b08 and used IcedTea from this to attempt to launch the app, and the problem is still present.

This leads me to assume that even current versions of OpenJDK 8 don't have full TLS 1.3 support, and I will have to adjust the server's settings in an attempt to find a compromise between what I'm required to have and what the available versions of Java support.

Any suggestions would be appreciated.

Janak Mulani
Posts: 204
Joined: 24 Mar 2020, 13:37

Re: [SOLVED] Protocol_version Error launching from TLS 1.3 server

Post by Janak Mulani »

Hi

I am not sure what steps you followed. I hope here is what you did:
1. Install OWS
2. Go to <OWS install dir>/jre
3. You can rename this to jre_8_u265
4. Install a JVM 8 u 272 or later on your machine
5. Copy JRE directory from that JVM to OWS install dir.
6. From command line >javaws <url of jnlp file>
7. In the stage-1 log file you should see:

[ITW-CORE][2021-03-11 17:24:52.430 IST][INFO ][net.sourceforge.jnlp.runtime.EnvironmentPrinter] OpenWebStartLauncher called with args: [...xyz.jnlp].
[ITW-CORE][2021-03-11 17:24:52.431 IST][INFO ][net.sourceforge.jnlp.runtime.EnvironmentPrinter] OS: Windows 10
[ITW-CORE][2021-03-11 17:24:52.431 IST][INFO ][net.sourceforge.jnlp.runtime.EnvironmentPrinter] Java Runtime AdoptOpenJDK-1.8.0_275 <= or whichever 8 u 272+ JRE version you used.
Please confirm if you followed the above steps and yet your issue was not solved i.e. you still got TLC

rchurchill
Posts: 3
Joined: 10 Mar 2021, 17:02

Re: [SOLVED] Protocol_version Error launching from TLS 1.3 server

Post by rchurchill »

Hi Janak

The steps you outlined were the ones I carried out with AOjdk8u282-b08; I verified the version in use and I still got the error.
I also completely removed OWS and carried out a fresh install of AdoptOpenJDK jdk8u282-b08 standalone on the system and tried the built-in javaws and received the same error.

I have now reread my security spec and found that TLS 1.2 with certain cyphers is deprecated but allowable; this has resolved the operational problem for the moment.

Thanks

Richard

Janak Mulani
Posts: 204
Joined: 24 Mar 2020, 13:37

Re: [SOLVED] Protocol_version Error launching from TLS 1.3 server

Post by Janak Mulani »

Hi Richard,

I cannot say why it is not working for you.

However I tried the TLS1.3 sample given here https://blog.gypsyengineer.com/en/secur ... -java.html.

This sample does not work with AO JRE 8 u 265 (the bundled JRE of OWS) but it works with AO JRE 8 u 275.

I hope this helps.

Thanks

Janak
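
The thread turns on which JRE performs the JNLP download and whether that JRE can negotiate TLS 1.3 as a client. The following is an added example, not part of the thread and not OpenWebStart code: a small diagnostic that reports, for the JRE that runs it, which TLS versions JSSE supports and which it offers in a default client handshake. The class name TlsClientProtocolCheck is hypothetical; jdk.tls.client.protocols and https.protocols are standard JSSE/HTTPS system properties.

```java
import javax.net.ssl.SSLContext;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.List;

// Added diagnostic (hypothetical class name): reports whether the JRE running it
// can negotiate TLS 1.3 as a client, and whether it offers it by default.
public class TlsClientProtocolCheck {

    static final String TLS13 = "TLSv1.3";

    /** Classifies a JRE from its supported and default-enabled protocol lists. */
    static String verdict(List<String> supported, List<String> enabledByDefault) {
        if (!supported.contains(TLS13)) {
            return "NOT SUPPORTED: a TLS 1.3-only server will reject the handshake"
                 + " (fatal alert: protocol_version)";
        }
        if (!enabledByDefault.contains(TLS13)) {
            return "SUPPORTED BUT NOT OFFERED BY DEFAULT: the ClientHello will not"
                 + " include TLS 1.3 unless it is enabled explicitly";
        }
        return "OK: TLS 1.3 is offered in a default client handshake";
    }

    /** True if this JRE's JSSE provider has a dedicated TLSv1.3 SSLContext. */
    static boolean hasTls13Context() {
        try {
            SSLContext.getInstance(TLS13);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        List<String> supported =
                Arrays.asList(ctx.getSupportedSSLParameters().getProtocols());
        List<String> enabled =
                Arrays.asList(ctx.getDefaultSSLParameters().getProtocols());

        System.out.println("java.home      = " + System.getProperty("java.home"));
        System.out.println("java.version   = " + System.getProperty("java.version"));
        System.out.println("java.vendor    = " + System.getProperty("java.vendor"));
        // Standard properties that override the default client protocol list.
        System.out.println("jdk.tls.client.protocols = "
                + System.getProperty("jdk.tls.client.protocols"));
        System.out.println("https.protocols          = "
                + System.getProperty("https.protocols"));
        System.out.println("supported protocols      = " + supported);
        System.out.println("enabled by default       = " + enabled);
        System.out.println("TLSv1.3 SSLContext       = " + hasTls13Context());
        System.out.println("verdict: " + verdict(supported, enabled));
    }
}
```

Compile it with any JDK targeting Java 8, then run the class with the java binary from the OWS jre directory, since that is the runtime that downloads the JNLP file. "Supported" and "enabled by default" are separate lists in JSSE, so a JRE can report TLSv1.3 in the first and still not offer it to the server.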
