KB Article #181675
STANDARD CLUSTER: Synchronization issues after applying Patch 45 for ST 5.4
Problem
After applying Patch 45 for SecureTransport 5.4 on a Standard Cluster, manual synchronization attempts might start to fail with the following error message:
Error closing output stream for "https://<Your IP or FQDN>:444" java.io.IOException: The size of the handshake message (56589) exceeds the maximum allowed size (32768) at com.tumbleweed.st.server.sync.provider.http.HttpRunnable.doSync(HttpClientOutputStream.java:316) at com.tumbleweed.st.server.sync.provider.http.HttpRunnable.run(HttpClientOutputStream.java:208) at java.lang.Thread.run(Thread.java:748) aused by: javax.net.ssl.SSLProtocolException: The size of the handshake message (56589) exceeds the maximum allowed size (32768) at sun.security.ssl.SSLSocketInputRecord.decodeInputRecord(SSLSocketInputRecord.java:313) at sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:180) at sun.security.ssl.SSLTransport.decode(SSLTransport.java:110) at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1279) at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1188) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:401) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:373) at org.apache.http.conn.ssl.SSLSocketFactory.createLayeredSocket(SSLSocketFactory.java:573) at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:557) at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:414) at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180) at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:326) at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:610) at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:445) at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:835) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:118) at com.tumbleweed.st.server.sync.provider.http.HttpRunnable.doSync(HttpClientOutputStream.java:294) ... 2 more
Resolution
The embedded JRE was upgraded to version 1.8.0_281 in Patch 45. A change in version 1.8.0_271 introduced a limit on the size of the TLS handshake messages. In some cases, when ST had accumulated a large list of Trusted CA certificates in its store, the JRE's default limit settings are insufficient to allow the ST cluster sync to complete.
The solution is to add the following parameter in the start_admin
script:
JAVA_OPTS="-Djdk.tls.maxHandshakeMessageSize=65536 $JAVA_OPTS"
The value for jdk.tls.maxHandshakeMessageSize
must be greater than the value reported in the error message. In the example above see "The size of the handshake message (56589) ...".