Java客户端通过F5 BIG-IP负载平衡器与IIS服务器进行SSL握手时收到“连接重置”

Question

We currently cannot find an approach to use Java code to connect to an IIS server (configured as mutual authentication) via a F5 BIG-IP load balancer , we have tried different Java versions and code, they all generated the same error.

Here is what we have set up:

• a Java client
• a F5 BIG-IP load balancer - configured as a simple TCP load-balancing, no SSL offloading, treating port 443 like any ordinary TCP ports for load-balancing purpose
• an IIS server configured for mutual authentication, it is sitting behind the F5 load balancer

Here is what we have tried:

• when connecting Java client through the load balancer, there was a "connection reset" exception
• when connecting Java client to the IIS server directly, there was no issue and the mutual authentication has completed successfully
• then I wrote a C# console app and connected through the load balancer, there was no issue and the mutual authentication has completed successfully
• also tried Postman, "openssl -s_client" command, "curl" command and browsers, they are all working successfully through the F5 load balancer

Here is the SSL log (last few lines) recorded when connecting Java client through the F5 load balancer,

upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
main, WRITE: TLSv1 Change Cipher Spec, length = 1
[Raw write]: length = 6
0000: 14 03 01 00 01 01                                  ......
*** Finished
verify_data:  { 73, 224, 69, 18, 151, 153, 193, 139, 98, 147, 188, 146 }
***
update handshake state: finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
main, WRITE: TLSv1 Handshake, length = 16
Padded plaintext before ENCRYPTION:  len = 48
0000: 14 00 00 0C 49 E0 45 12   97 99 C1 8B 62 93 BC 92  ....I.E.....b...
0010: 1D FC E6 70 EB 17 5C D7   CD 9A 3A A5 9D 48 55 59  ...p..\...:..HUY
0020: 62 FB F0 0E 0B 0B 0B 0B   0B 0B 0B 0B 0B 0B 0B 0B  b...............
[Raw write]: length = 53
0000: 16 03 01 00 30 27 77 7E   52 F6 3F 4D DB 5D 30 C0  ....0'w.R.?M.]0.
0010: 61 A4 A6 4A 9A 93 75 40   59 37 DB E3 8D DC C3 DC  a..J..u@Y7......
0020: AB 1A 31 57 6A 98 6D 45   D7 43 04 2A A8 DE 7E D5  ..1Wj.mE.C.*....
0030: AF E9 D5 5A 5E                                     ...Z^
main, handling exception: java.net.SocketException: Connection reset
%% Invalidated:  [Session-2, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
main, SEND TLSv1 ALERT:  fatal, description = unexpected_message
main, WRITE: TLSv1 Alert, length = 2
Padded plaintext before ENCRYPTION:  len = 32
0000: 02 0A 1A 14 26 47 FC 57   B2 86 75 FC 32 13 76 07  ....&G.W..u.2.v.
0010: 9E DD 02 D6 29 73 09 09   09 09 09 09 09 09 09 09  ....)s..........
main, Exception sending alert: java.net.SocketException: Connection reset by peer: socket write error
main, called closeSocket()

Process finished with exit code 0

Tried Java code 1

SocketFactory factory = SSLSocketFactory.getDefault();
String hostname = "test-efi.in.abcdefg.com";
int port = 443;
SSLSocket socket = (SSLSocket) factory.createSocket(hostname, port);
socket.startHandshake();

Tried Java code 2

URL url = new URL("https://test-efi.in.abcdefg.com/InterfaceTest/api/FORM/CheckStatus?ID=123456");
conn = (HttpsURLConnection) url.openConnection();
conn.setDoInput(true);
conn.setDoOutput(true);
conn.setRequestMethod("GET");

if (conn.getResponseCode() != 200) {
throw new RuntimeException("Failed : HTTP error code : " + conn.getResponseCode());
}

My question is, given that the C# client, Postman, "openssl -s_client" command, "curl" command and browsers are all working correctly, can you please advise if there is a way to get this Java code working? Thanks.

Answer 1

Try another Java version. I had similar problem and the same error. Everything worked well on machine with java 1.8.0_161 but didn't work on machine with Java 1.8.0_171. So, I reinstalled java on bad machine (downgraded it) and it started working well.