Affects: 5.1.4
Error: io.netty.handler.codec.DecoderException: javax.net.ssl.SSLException: Received fatal alert: handshake_failure
How to reproduce: Attempt to call a HTTPS endpoint using the Spring Webflux WebClient.
Everything works perfectly when I use RestTemplate.
I tried two different configurations:
Option 1:
WebClient webClient = WebClient.builder().build();
return new MyApi(settings, webClient);
Option 2:
SslProvider sslProvider = SslProvider.builder()
.sslContext(SslContextBuilder.forClient())
.defaultConfiguration(SslProvider.DefaultConfigurationType.NONE)
.build();
TcpClient tcpClient = TcpClient.create().secure(sslProvider);
HttpClient httpClient = HttpClient.from(tcpClient);
ClientHttpConnector httpConnector = new ReactorClientHttpConnector(httpClient);
WebClient webClient = WebClient.builder().clientConnector(httpConnector).build();
return new MyAPI(settings, webClient);
There is nothing specifically special about the HTTPS endpoint that I want to call.
Comment From: rstoyanchev
How is the trust manager set up?
Comment From: drieselliott
For the trust manager I use the default one.
I managed to solve this issue by playing around with allowed Ciphers on the Nginx web server that we call. It still seems strange to me that somehow WebClient and RestTemplate are supporting a different cipher set.
Comment From: rstoyanchev
I'm not sure what you mean by "default one". As far as I know you need to set one up, even if it is InsecureTrustManagerFactory.INSTANCE.
Comment From: drieselliott
I'm not using mutual SSL here, just standard HTTPS in order to make a web service call. The certificate of the web server is a certificate provided by a global CA and is trusted by the standard Java trust store.
Comment From: rstoyanchev
WebClient and RestTemplate use different underlying HTTP libraries (by default Reactor Netty and HttpUrlConnection) which is probably what the difference is due to.