13

I am using Spring Rest Template to call a REST service that is hosted at an SSL endpoint. After the first request, I am getting the below error. The environment is AWS EC2, Open JDK 1.8.161, Linux. The endpoint only supports TLSv1.2 and 1.3. 

 org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://mycompany.com": Connection reset; nested exception is java.net.SocketException: Connection reset
        at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:743)
        at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:686)
        at org.springframework.web.client.RestTemplate.postForObject(RestTemplate.java:437)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:855)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
    ... more stack here
Caused by: java.net.SocketException: Connection reset
    at java.net.SocketInputStream.read(SocketInputStream.java:210)
    at java.net.SocketInputStream.read(SocketInputStream.java:141)
    at sun.security.ssl.InputRecord.readFully(InputRecord.java:465)
    at sun.security.ssl.InputRecord.read(InputRecord.java:503)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:983)
    at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:940)
    at sun.security.ssl.AppInputStream.read(AppInputStream.java:105)
    at .....
    ... 107 common frames omitted

Any guidance will be greatly appreciated=!!

Improve this question
6
  • Is this the whole stack trace? Commented Oct 16, 2018 at 13:06
  • Please also post your java code. Commented Oct 16, 2018 at 14:41
  • Is Connection: Keep-Alive? You can check this from response header. If yes what are the Keep-Alive parameters? Ex: Keep-Alive: timeout=10, max=20 Commented Mar 22, 2019 at 10:19
  • That was my first thought. I had the same issue on here and now deploying the changes with a keep alive and a connection pool to try to fix the issue. My environment is fully TLS1.2 and over AWS ec2 Commented Mar 22, 2019 at 14:46
  • Please show us your RestTemplate configuration? Do you have anything configured for SSL? Commented Mar 23, 2019 at 10:29

2 Answers 2

Reset to default
20
+50

This quite feels like the protocol issue. The AWS is fully TLS 1.2 or higher supporting, but the client is not. The Rest Template if not configured otherwise, will start negotiation with TLS 1.0. You have to forcefully make the client to connect only with 1.2 or 1.3 protocol stacks.

In general, this can be configured while creating the client. Something similar to this

SSLContext context = SSLContext.getInstance("TLSv1.2");
context.init(null, null, null);

CloseableHttpClient httpClient = HttpClientBuilder.create().setSSLContext(context)
    .build();
HttpComponentsClientHttpRequestFactory factory = new HttpComponentsClientHttpRequestFactory(httpClient);
RestTemplate restTemplate = new RestTemplate(factory);

You can find how to tune the template based on the spring version. Forcing the client to negotiate only on the allowed protocols will solve this problem.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Total sense, I actually resolved the issue last week. I moved the http client to our software default (OkHttp) and specified that the TLS version should always be 1.2. Thanks!
0

I used that properties -

"-Djsse.enableSNIExtension=false",

The problem solved when that property is removed from command line.

java -Djsse.enableSNIExtension=false -jar app.jar

java -jar app.jar
Improve this answer

1 Comment

Essentially, this JVM arg should be set to true

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.