I had started following Armeria project and finally decided it’s to play with it today. Browsed their documentation and example project. Looks good!
And then, I wanted to edit their example code to understand their APIs and how to use it. So I started with the obvious change – use HTTPS server with a self-signed certificate! It was 2 line change. Sweet!
Start server. In the logs noticed below message. Strange. That should not be the case, as project dependencies are setup appropriately. (Asked this in their Slack channel)
[main] INFO com.linecorp.armeria.common.Flags - OpenSSL not available: java.lang.IllegalArgumentException: Failed to load any of the given libraries: [netty_tcnative_linux_x86_64, netty_tcnative_linux_x86_64_fedora, netty_tcnative_x86_64, netty_tcnative]
I thought, its INFO. How bad can it be? Let’s try some cURL command. Very bad! All requests failed due to TLSv1.3 error ??!.
[armeria-common-worker-epoll-2-1] WARN com.linecorp.armeria.server.HttpServerPipelineConfigurator - [id: 0xc833df45, L:/127.0.0.1:8080 - R:/127.0.0.1:46360] Unexpected exception: io.netty.handler.codec.DecoderException: java.lang.IllegalArgumentException: TLSv1.3
Started digging through this. I was running using JDK 8, and it does not support TLSv1.3. Could that be the reason? Why?
As Trustin suggested, enabled Netty’s debug log to understand what happened? And then it all started to make sense.
Suppressed: java.lang.UnsatisfiedLinkError: /tmp/libnetty_tcnative_linux_x86_642188735639722784112.so: libcrypt.so.1: cannot open shared object file: No such file or directory
libcrypto.so.1 is missing in Fedora 30. Some more googling, provided more context (and knowledge to me). Fedora 30 ships with libcrypt version 2 & netty-tcnative is looking for libcrypt version 1. Use below commands to install libcrypt version 1 for my OS, and things were happy again!
$ dnf install libxcrypt-compat // installs libxcrypt-compat-4.4.6-2.fc30.x86_64
Armeria can find netty-tcnative and no more TLSv1.3 related errors. yay!
While I was writing this page (and doing other things), Trustin created issue#1984 to disable TLSv1.3 when not supported by SSL Engine (in this case JDKSSLEngine)