The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption #2125

Closed
yymap opened this issue May 8, 2023 · 7 comments
Labels
Waiting for Response Waiting for a reply from the original poster, or affiliated party

Comments

@yymap

yymap commented May 8, 2023

Driver version

The JDBC driver is from: com.microsoft.sqlserver, name: mssql-jdbc, version: 6.4.0.jre8

SQL Server version

Microsoft SQL Server 2016 (SP3-GDR) (KB5021129) - 13.0.6430.49 (X64) on Windows Server 2016 Standard 10.0

Client Operating System

Linux, kernel version: 3.X

JAVA/JVM version

OpenJdk 1.8.0_345

DB Connection string

jdbc:sqlserver://host.corpname.com:1433;sslProtocol=TLS;jaasConfigurationName=SQLConfig;statementPoolingCacheSize=0;serverPreparedStatementDiscardThreshold=10;enablePrepareOnFirstPreparedStatementCall=false;fips=false;socketTimeout=0;authentication=NotSpecified;authenticationScheme=nativeAuthentication;xopenStates=false;sendTimeAsDatetime=true;trustStoreType=JKS;trustServerCertificate=false;TransparentNetworkIPResolution=true;serverNameAsACE=false;sendStringParametersAsUnicode=false;selectMethod=direct;responseBuffering=adaptive;queryTimeout=-1;packetSize=8000;multiSubnetFailover=false;loginTimeout=30;lockTimeout=-1;lastUpdateCount=true;encrypt=false;disableStatementPooling=true;databaseName=db1;columnEncryptionSetting=Disabled;applicationName=Microsoft JDBC Driver for SQL Server;applicationIntent=readwrite;

Problem description

  • The client web app is deployed on a Linux server based on OpenJDK 1.8; SQL Server is deployed on Windows Server as described above.
  • The web app suddenly couldn't connect to the DB server. The issue continued for about 15 minutes and then it went back to normal.
  • This is an intermittent issue and can't be reproduced in recent days.

Error message/stack trace

  • Error message:
    The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "Unexpected rethrowing". (SQLError:0)

  • Stack trace:
    ```
    2023-04-21 11:05:04,030 WARN [] [BasicDataSource] [commons-pool-evictor-thread] [] [] An internal object pool swallowed an Exception.
    com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "Unexpected rethrowing".
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.terminate(SQLServerConnection.java:2670)
    at com.microsoft.sqlserver.jdbc.TDSChannel.enableSSL(IOBuffer.java:1837)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:2257)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:1921)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectInternal(SQLServerConnection.java:1762)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:1077)
    at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:623)
    at org.apache.commons.dbcp2.DriverConnectionFactory.createConnection(DriverConnectionFactory.java:38)
    at org.apache.commons.dbcp2.PoolableConnectionFactory.makeObject(PoolableConnectionFactory.java:260)
    at org.apache.commons.pool2.impl.GenericObjectPool.create(GenericObjectPool.java:883)
    at org.apache.commons.pool2.impl.GenericObjectPool.ensureIdle(GenericObjectPool.java:951)
    at org.apache.commons.pool2.impl.GenericObjectPool.ensureMinIdle(GenericObjectPool.java:930)
    at org.apache.commons.pool2.impl.BaseGenericObjectPool$Evictor.run(BaseGenericObjectPool.java:1121)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:750)
    Caused by: javax.net.ssl.SSLException: Unexpected rethrowing
    at sun.security.ssl.Alert.createSSLException(Alert.java:127)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:296)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:262)
    at sun.security.ssl.SSLTransport.decode(SSLTransport.java:138)
    at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1397)
    at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1305)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440)
    at com.microsoft.sqlserver.jdbc.TDSChannel.enableSSL(IOBuffer.java:1767)
    ... 18 common frames omitted
    Caused by: java.io.IOException: Connection reset ClientConnectionId:d7a0236c-1f78-4bf3-a916-7b778f488a6c
    at com.microsoft.sqlserver.jdbc.TDSChannel$SSLHandshakeInputStream.ensureSSLPayload(IOBuffer.java:769)
    at com.microsoft.sqlserver.jdbc.TDSChannel$SSLHandshakeInputStream.readInternal(IOBuffer.java:836)
    at com.microsoft.sqlserver.jdbc.TDSChannel$SSLHandshakeInputStream.read(IOBuffer.java:827)
    at com.microsoft.sqlserver.jdbc.TDSChannel$ProxyInputStream.readInternal(IOBuffer.java:1009)
    at com.microsoft.sqlserver.jdbc.TDSChannel$ProxyInputStream.read(IOBuffer.java:997)
    at sun.security.ssl.SSLSocketInputRecord.read(SSLSocketInputRecord.java:464)
    at sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:165)
    at sun.security.ssl.SSLTransport.decode(SSLTransport.java:109)
    ... 22 common frames omitted
    ```

Any other details that can be helpful

Request for help

  • Can we provide some workaround for this issue?
  • Can we provide some possible reason for this issue?

Hope for your response and thanks in advance.

@tkyc
Member

tkyc commented May 8, 2023

So, from what I know, usually if that SSL error is followed by an Unexpected rethrowing error it could mean a couple of things. Either an issue with the cipher suites (different JDKs have different cipher suites enabled for TLS negotiation). I'd recommend trying out a different JDK from a different vendor, e.g. Azul, Oracle, IBM, etc. The other reason would be a plain networking issue. The driver attempts to retry on these intermittent SSL/TLS issues, but we retry on specific error messages (for TLS 1.2) and the problem is that for some reason the JDK (depending on JDK version/vendor) wraps these expected error messages with Unexpected rethrowing so a retry doesn't occur. Again, in this case as well I'd recommend trying different JDK versions from different vendors.

So to debug this and confirm whether it's a driver issue or SSL/TLS issue, you can set sslProtocol=TLSv1 or to any other version other than TLS 1.2. If you do not experience intermittent SSL errors on TLSv1, I imagine it is a problem with TLSv1.2 in combination with what JDK you're using (the issue being that the JDK wraps the expected error message with Unexpected rethrowing and so the driver doesn't retry).

You can also try sslProtocol=TLSv1.2 while experimenting with different JDKs to try to find a JDK that doesn't affect the driver's retry. Offhand, I believe Oracle JDK 11.0.1+13 should work well with the driver regarding this issue, but I can't recall a specific JDK 8 version that would as well.

@tkyc tkyc added the Under Investigation Used for issues under investigation label May 8, 2023
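
The comment above says the driver's retry is skipped when the JDK wraps the underlying error in "Unexpected rethrowing". As an added example (not part of this thread and not mssql-jdbc code), an application-side check can walk the exception cause chain instead of matching message text, so the wrapped "Connection reset" from the stack trace is retried while certificate-validation failures are never retried. The class name, method names and retry parameters are hypothetical.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import javax.net.ssl.SSLException;

// Hypothetical helper for illustration; not mssql-jdbc code.
public class TlsHandshakeRetry {

    // Transient: an SSLException with a plain IOException beneath it in the cause chain
    // (as in the trace: SSLException "Unexpected rethrowing" <- IOException "Connection reset").
    // Never transient: any chain that contains a certificate-validation failure.
    static boolean isTransientHandshakeFailure(Throwable t) {
        boolean sawSsl = false, sawIo = false;
        for (int depth = 0; t != null && depth < 16; t = t.getCause(), depth++) {
            if (t instanceof CertificateException) return false;
            if (t instanceof SSLException) sawSsl = true;   // SSLException is itself an IOException
            else if (sawSsl && t instanceof IOException) sawIo = true;
        }
        return sawIo;
    }

    // url, user, password, maxAttempts and backoffMillis are assumed caller inputs.
    static Connection connectWithRetry(String url, String user, String password,
                                       int maxAttempts, long backoffMillis)
            throws SQLException, InterruptedException {
        for (int attempt = 1; ; attempt++) {
            try {
                return DriverManager.getConnection(url, user, password);
            } catch (SQLException e) {
                if (attempt >= maxAttempts || !isTransientHandshakeFailure(e)) throw e;
                Thread.sleep(backoffMillis * attempt); // linear backoff between attempts
            }
        }
    }

    public static void main(String[] args) {
        // Constructed exception chains; the first mirrors the stack trace in this issue.
        SQLException reset = new SQLException("could not establish a secure connection",
                new SSLException("Unexpected rethrowing", new IOException("Connection reset")));
        SQLException badCert = new SQLException("could not establish a secure connection",
                new SSLException("handshake failed", new CertificateException("untrusted")));
        System.out.println("reset   -> retry? " + isTransientHandshakeFailure(reset));
        System.out.println("badCert -> retry? " + isTransientHandshakeFailure(badCert));
    }
}
```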
@lilgreenbird
Contributor

@yymap what version of the driver are you using? Starting in version 10 there is an idle connection resiliency feature which should auto re-connect dropped connections for you, since it sounds like you may be having intermittent network issues. Please upgrade to the latest stable 12.2.0 release as that contains all the latest fixes.

I would also recommend increasing the loginTimeout value to 60 or even 90 depending on your network. And, we also have a Troubleshooting Intermittent Connection Failures wiki containing info on how to debug intermittent connection issues.

@lilgreenbird lilgreenbird added Waiting for Response Waiting for a reply from the original poster, or affiliated party and removed Under Investigation Used for issues under investigation labels May 8, 2023
@yymap
Author

yymap commented May 9, 2023

> @yymap what version of the driver are you using? starting in version 10 there is an idle connection resiliency feature which should auto re-connect dropped connections for you since it sounds like you may be having intermittent network issues. Please upgrade to the latest stable 12.2.0 release as that contains all the latest fixes.
>
> I would also recommend increasing the loginTimeout value to 60 or even 90 depending on your network. And, we also have a Troubleshooting Intermittent Connection Failures wiki containing info on how to debug intermittent connection issues.

Thanks.
The JDBC driver is from: com.microsoft.sqlserver, name: mssql-jdbc, version: 6.4.0.jre8
This issue happened just once in the last 2 weeks, so it's an intermittent issue and hard to reproduce.

@yymap
Author

yymap commented May 9, 2023

> So, from what I know, usually if that SSL error is followed by an Unexpected rethrowing error it could mean a couple things. Either an issue with the cipher suites (different JDKs have different cipher suites enabled for TLS negotiation). I'd recommend trying out a different JDK from a different vendor eg. Azul, Oracle, IBM etc... The other reason would be a plain networking issue. The driver attempts to retry on these intermittent SSL/TLS issues, but we retry on specific error messages (for tls 1.2) and the problem is that for some reason the JDK (depending on JDK version/vendor) wraps these expected error messages with Unexpected rethrowing so a retry doesn't occur. Again, in this case as well I'd recommend try different JDK versions from different vendors.
>
> So to debug this and confirm whether it's a driver issue or SSL/TLS issue, you can set sslProtocol=TLSv1 or to any other version other than tls 1.2. If you do not experience intermittent SSL errors on TLSv1, I imagine it is a problem with TLSv1.2 in combination with what JDK you're using (the issue being JDK wraps expected error message with Unexpected rethrowing and so driver doesn't retry).
>
> You can also try sslProtocol=TLSv1.2 while experimenting with different JDKs to try to find a JDK that doesn't affect the driver's retry. Off hand, I believe Oracle JDK 11.0.1+13 should work well with the driver regarding this issue, but I can't recall a specific JDK 8 version that would as well.

Thanks. Most of the time it works well; the issue happened just once in the recent 2 weeks and is hard to reproduce.

@lilgreenbird
Contributor

> The jdbc driver is from :com.microsoft.sqlserver , name: mssql-jdbc, version: 6.4.0.jre8

That is a very old version of the driver; as a matter of fact, it is no longer supported (please see Microsoft JDBC Driver support lifecycle matrix and policy). Please upgrade to a more recent version, as there have been a lot of bug fixes and features since then. In particular, the idle connection resiliency feature should help you in this case, as the driver will re-connect automatically when the connection is dropped.

fyi 12.2.0 is the latest stable version of the driver.

@lilgreenbird
Contributor

Hi @yymap,
Any luck with the latest version of the driver? Hope that resolved your issue. Please let us know if you have more questions; otherwise we will be closing this in the next day or 2.

@yymap
Author

yymap commented May 18, 2023

@lilgreenbird Thank you, we plan to upgrade the JDBC driver to the latest version; you can close it for now. I will update if I meet the issue again in the future.

@tkyc tkyc closed this as completed May 18, 2023