KB Article #181675

STANDARD CLUSTER: Synchronization issues after applying Patch 45 for ST 5.4

Problem

After applying Patch 45 for SecureTransport 5.4 on a Standard Cluster, manual synchronization attempts might start to fail with the following error message:


Error closing output stream for "https://<Your IP or FQDN>:444"
java.io.IOException: The size of the handshake message (56589) exceeds the maximum allowed size (32768)
    at com.tumbleweed.st.server.sync.provider.http.HttpRunnable.doSync(HttpClientOutputStream.java:316)
    at com.tumbleweed.st.server.sync.provider.http.HttpRunnable.run(HttpClientOutputStream.java:208)
    at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLProtocolException: The size of the handshake message (56589) exceeds the maximum allowed size (32768)
    at sun.security.ssl.SSLSocketInputRecord.decodeInputRecord(SSLSocketInputRecord.java:313)
    at sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:180)
    at sun.security.ssl.SSLTransport.decode(SSLTransport.java:110)
    at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1279)
    at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1188)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:401)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:373)
    at org.apache.http.conn.ssl.SSLSocketFactory.createLayeredSocket(SSLSocketFactory.java:573)
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:557)
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:414)
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
    at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:326)
    at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:610)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:445)
    at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:835)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:118)
    at com.tumbleweed.st.server.sync.provider.http.HttpRunnable.doSync(HttpClientOutputStream.java:294)
    ... 2 more


Resolution

The embedded JRE was upgraded to version 1.8.0_281 in Patch 45. A change in version 1.8.0_271 introduced a limit on the size of TLS handshake messages. In some cases, when ST has accumulated a large list of Trusted CA certificates in its store, the JRE's default limit is too small for the ST cluster sync to complete.


The solution is to add the following parameter in the start_admin script:


JAVA_OPTS="-Djdk.tls.maxHandshakeMessageSize=65536 $JAVA_OPTS"


The value for jdk.tls.maxHandshakeMessageSize must be greater than the size reported in the error message. In the example above, that size is 56589, as shown in "The size of the handshake message (56589) ...".
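
An added example, not part of the original article or the product's own tooling: a shell helper that reads sync error text, takes the largest handshake size reported, and prints the JAVA_OPTS line with a limit above it. The function names, the constructed sample log lines and the rounding up to the next power of two are assumptions made here; the article only requires a value greater than the reported size.

```shell
#!/bin/sh
# Constructed sample input: two error lines in the format shown in this article.
SAMPLE_LOG='java.io.IOException: The size of the handshake message (56589) exceeds the maximum allowed size (32768)
Caused by: javax.net.ssl.SSLProtocolException: The size of the handshake message (56589) exceeds the maximum allowed size (32768)'

# Print the largest handshake size reported on stdin.
# Returns non-zero when the input contains no such error.
largest_reported_size() {
    sed -n 's/.*size of the handshake message (\([0-9][0-9]*\)) exceeds the maximum allowed size.*/\1/p' |
        sort -n | tail -n 1 | grep .
}

# Print the smallest power of two strictly greater than $1,
# starting from 32768, the limit quoted in the error message.
# (Power-of-two rounding is a convention assumed for this example.)
next_limit() {
    limit=32768
    while [ "$limit" -le "$1" ]; do
        limit=$((limit * 2))
    done
    echo "$limit"
}

# Read log text on stdin and print the JAVA_OPTS line for the start_admin script.
suggest_java_opts() {
    reported=$(largest_reported_size) || {
        echo "no handshake size error found in input" >&2
        return 1
    }
    # $JAVA_OPTS stays literal so the printed line can be pasted into the script.
    printf 'JAVA_OPTS="-Djdk.tls.maxHandshakeMessageSize=%s $JAVA_OPTS"\n' \
        "$(next_limit "$reported")"
}

printf '%s\n' "$SAMPLE_LOG" | suggest_java_opts
```

If the Trusted CA store keeps growing after the change, the same error reappears with a larger reported size, and the helper can be rerun on the new log lines.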