Problem
A DoFn running on a Dataflow worker cannot complete the TLS handshake or establish a connection when it connects to an external endpoint:
Error message from worker: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
    sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2033)
    sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1135)
    sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
    sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
    sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
Environment
- Cloud Dataflow
Solution
- Update jdk.tls.disabledAlgorithms to an empty string using JvmInitializer as mentioned below:
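    import com.google.auto.service.AutoService;
    import java.security.Security;
    import org.apache.beam.sdk.harness.JvmInitializer;
    import org.apache.beam.sdk.options.PipelineOptions;

    // Registered through @AutoService so the worker runs it at JVM startup.
    @AutoService(JvmInitializer.class)
    public static class TestInitializer implements JvmInitializer {
      @Override
      public void onStartup() {
        // Clears the whole disabled-algorithm list, so no TLS protocol version
        // or cipher suite is excluded from the handshake.
        Security.setProperty("jdk.tls.disabledAlgorithms", "");
      }

      @Override
      public void beforeProcessing(PipelineOptions options) {}
    }

  You may need to add a dependency for @AutoService, as follows:

    <dependency>
      <groupId>com.google.auto.service</groupId>
      <artifactId>auto-service</artifactId>
      <version>1.0-rc7</version>
    </dependency>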
- If adding the above dependency does not work, add an annotationProcessor to the dependencies block in build.gradle.kts, as below:

    dependencies {
      implementation("com.google.auto.service:auto-service:1.0-rc7")
      annotationProcessor("com.google.auto.service:auto-service:1.0-rc7")
    }
Cause
The Dataflow JVM intentionally disables the GCM algorithm, which causes this issue.
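Because the cause is limited to GCM, the same initializer can remove only the GCM entries and leave the rest of the disabled list in place. The following is an added example, not code from this article or from Dataflow: the class and method names are hypothetical, and it assumes the GCM restriction appears as list entries containing "GCM".

```java
import java.security.Security;
import java.util.Arrays;
import java.util.Locale;
import java.util.stream.Collectors;

/** Hypothetical helper: relaxes only the GCM entries of jdk.tls.disabledAlgorithms. */
public final class GcmOnlyTlsRelaxer {
  static final String PROPERTY = "jdk.tls.disabledAlgorithms";

  /** Returns the comma-separated list without the entries that mention GCM. */
  static String withoutGcm(String disabled) {
    if (disabled == null || disabled.trim().isEmpty()) {
      return "";
    }
    return Arrays.stream(disabled.split(","))
        .map(String::trim)
        .filter(entry -> !entry.isEmpty())
        // Assumption: the GCM restriction is expressed as entries containing "GCM".
        .filter(entry -> !entry.toUpperCase(Locale.ROOT).contains("GCM"))
        .collect(Collectors.joining(", "));
  }

  /** Intended to be called from JvmInitializer.onStartup() instead of setting "". */
  static void apply() {
    String before = Security.getProperty(PROPERTY);
    String after = withoutGcm(before);
    Security.setProperty(PROPERTY, after);
    // Log both values so the worker logs show exactly what was relaxed.
    System.err.println(PROPERTY + " before: " + before);
    System.err.println(PROPERTY + " after:  " + after);
  }

  public static void main(String[] args) {
    // Constructed sample value, not copied from a real Dataflow worker.
    String sample = "SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, GCM";
    System.out.println(withoutGcm(sample));
  }
}
```

The before/after lines written by apply() appear in the worker logs, which confirms whether a GCM entry was actually present on the worker.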