Library shows SSL exception after upgrade engine

Problem

The following error shows when trying to connect to the Kube API endpoint using the Kubernetes Java Client Library after upgrading Google Kubernetes Engine primary.

Caused by: io.kubernetes.client.openapi.ApiException: javax.net.ssl.SSLHandshakeException: extension (5) should not be presented in certificate_request

Environment

  • Google Kubernetes Engine v1.16.13-gke.401
  • Java Development Kit  v8,11,14

Solution

  1. Make sure you are using your Java Client Library with one of the following Java Development Kit versions:
    • 14.0.2
    • 11.0.7 
    • openjdk8u272 
    • 8u261
  2. If this isn't possible, upgrading the Java Runtime Environment to the latest might help fix the issue.

Cause

This is a Java Development Kit issue and not a Google Kubernetes or Java Client Library issue.

TLS 1.3 was introduced to newer versions of Google Kubernetes while older JDK versions will not accept the status request message when TLS 1.3 is negotiated and the server sends a certificate request message with that extension in it. This is an allowed extension in TLS 1.3.

Reference Oracle Java bug and OpenJDK bug for more detailed information.