Java Apps Fail With SSLHandshakeException After Updating Java Buildpack

Article ID: 442736

Products

VMware Tanzu Platform - Cloud Foundry

Issue/Introduction

After updating to the latest Java Buildpack, your apps are failing with SSLHandshakeException errors.

The full error message may be slightly different for different applications, but it should contain an SSLHandshakeException. The following is an example:

Cause: javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake___Message:com.sun.xml.messaging.saaj.SOAPExceptionImpl: Message send failed 

Environment

Java Buildpack v4.88.0 and higher

Cause

Oracle has disabled all cipher suites whose names start with "TLS_RSA_" in recent JDK releases. These releases are 8u481, 11.0.30, 17.0.18, and 21.0.10.

If the server your app is trying to connect to only supports these cipher suites, the handshake fails with an SSLHandshakeException.

Resolution

The recommended solution is to enable stronger cipher suites on the server your app is trying to connect to. If this is not possible, you may try one of the following workarounds.

NOTE: Both workarounds re-enable the weak TLS_RSA ciphers. This is not recommended long term. Use at your own risk.

Workaround 1: Use an older Java Buildpack version

  • If you are using Java 11, downgrade to Java Buildpack v4.91.0
  • If you are using Java 8, 17, or 21, downgrade to Java Buildpack v4.87.0

Workaround 2: Supply a custom java.security file

If you need to use the latest buildpack, you can supply a custom java.security file that enables the TLS_RSA ciphers again. This requires a code change to each application.

  1. In your application repo, create a java.security file at src/main/resources/java.security with the following contents:

       networkaddress.cache.ttl=0
       networkaddress.cache.negative.ttl=0
       security.provider.1=SUN
       security.provider.2=org.cloudfoundry.security.CloudFoundryContainerProvider
       security.provider.3=SunRsaSign
       security.provider.4=SunEC
       security.provider.5=SunJSSE
       security.provider.6=SunJCE
       security.provider.7=SunJGSS
       security.provider.8=SunSASL
       security.provider.9=XMLDSig
       security.provider.10=SunPCSC
       security.provider.11=JdkLDAP
       security.provider.12=JdkSASL
       security.provider.13=SunPKCS11

       jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DTLSv1.0, RC4, DES, \
           MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
           ECDH, \
           include jdk.disabled.namedCurves
  2. Add "-Djava.security.properties=/home/vcap/app/BOOT-INF/classes/java.security" to your JAVA_OPTS environment variable in your application manifest.yml or via the cf CLI.
    1. Example manifest.yml:
      ---
      applications:
      - name: demo
        memory: 768mb
        buildpack: java_buildpack_offline
        path: ./target/demo-0.0.1-SNAPSHOT.jar
        env:
          JBP_CONFIG_OPEN_JDK_JRE: '{ jre: { version: 11.+ } }'
          JAVA_OPTS: '-Djava.security.properties=/home/vcap/app/BOOT-INF/classes/java.security'
      
  3. Rebuild and push your application; it should then be able to use the TLS_RSA ciphers again.
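The following diagnostic is an added example and not part of this article or of the Java Buildpack. It confirms the cause described above (the JDK no longer offering any TLS_RSA_* suite, which lacks forward secrecy) and verifies that the Workaround 2 override is actually being read: it prints the effective jdk.tls.disabledAlgorithms value and the TLS_RSA_* suites, if any, that the default SSLContext would still offer. The class name TlsRsaCheck and the file path passed on the command line are assumptions for this example; the article's own override file is the one at src/main/resources/java.security.

```java
// Added diagnostic (example code, not from the KB article or the buildpack).
// Run it once with the stock JDK and once with
//   -Djava.security.properties=<path-to-your-java.security>
// to see whether the override from Workaround 2 brings TLS_RSA_* suites back.
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

public class TlsRsaCheck {

    /** Cipher suites the default SSLContext would offer in a client handshake,
     *  i.e. after jdk.tls.disabledAlgorithms has been applied. */
    static List<String> enabledSuites() throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters params = ctx.getDefaultSSLParameters();
        return Arrays.asList(params.getCipherSuites());
    }

    /** Subset of the given suites whose names start with prefix. */
    static List<String> suitesWithPrefix(List<String> suites, String prefix) {
        List<String> out = new ArrayList<>();
        for (String s : suites) {
            if (s.startsWith(prefix)) {
                out.add(s);
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // The security property that controls what the JDK refuses to negotiate.
        // The override file in Workaround 2 sets it without any TLS_RSA_* entry.
        String disabled = Security.getProperty("jdk.tls.disabledAlgorithms");

        System.out.println("java.version               = " + System.getProperty("java.version"));
        System.out.println("java.security.properties   = " + System.getProperty("java.security.properties"));
        System.out.println("jdk.tls.disabledAlgorithms = " + disabled);

        List<String> enabled = enabledSuites();
        List<String> rsa = suitesWithPrefix(enabled, "TLS_RSA_");
        System.out.println(enabled.size() + " cipher suites enabled by default");

        if (rsa.isEmpty()) {
            // This is the state that produces the SSLHandshakeException in the
            // article when the remote server offers only TLS_RSA_* suites.
            System.out.println("No TLS_RSA_* suites are enabled: a server that offers only"
                    + " those suites will fail with SSLHandshakeException");
        } else {
            System.out.println("TLS_RSA_* suites still enabled:");
            for (String s : rsa) {
                System.out.println("  " + s);
            }
        }
    }
}
```

Compile with javac TlsRsaCheck.java, then compare the output of java TlsRsaCheck with java -Djava.security.properties=src/main/resources/java.security TlsRsaCheck on one of the JDK releases listed under Cause. Because the override file assigns jdk.tls.disabledAlgorithms in full (it does not start with "=="), that single property is replaced and every other default security property is kept. Note that the /home/vcap/app/BOOT-INF/classes/java.security path in step 2 is where a Spring Boot executable jar places src/main/resources; an application packaged differently will need the path adjusted to wherever the file ends up in the staged droplet, which is exactly what the java.security.properties line printed above lets you confirm.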