JWKS url no longer accessible from JAVA

Hi,

Starting 4-5 hours ago out of nowhere, multiple JAVA environments are having trouble accessing their Auth0 JWKS URL. I get an SSL handshake failure on my DEV, TEST and PRODUCTION environments, which each have a separate Auth0 config and run on different servers. The URLs that are being accessed are:

https://drivolution-dev1.eu.auth0.com/.well-known/jwks.json
https://drivolution-test1.eu.auth0.com/.well-known/jwks.json
https://drivolution.eu.auth0.com/.well-known/jwks.json

They are available in a browser and also through a curl command on every server, but apparently no longer when the request comes from my application. Java version used is 11.

Does anybody have any idea if very recently any SSL config / requirement changed for these URLs?

Thx!

Hi @Jente

They are working, so the problem probably isn’t SSL, unless you have something different client side on your java app.

I’d check your firewall, maybe try a network sniffer and see if the ACK is coming back from the SYN or if the connection is refused.

John

Hi @john.gateley

For now I fixed my problem by telling Java 11 to not use TLS 1.3 by default but use the older 1.2 version for SSL communication. Still no idea why this problem started occurring yesterday on all our environments while nothing changed on our side.

Thx anyway for the reply!

Jente

We’re here for you Jente!

Hi,
We’re experiencing this exact same problem, since yesterday morning (CET).
The URLs work from the command line, but don’t work from our Tomcat Java environment. We get the “Received fatal alert: handshake_failure” error.
Disabling TLS 1.3 did not solve our problem though.
Please advise.
Also: nothing changed on our side.

@marceloerlemans

Just to be sure, what I did is add https.protocols=TLSv1.2 as a startup parameter.

I still have another Auth0 related issue though (also on multiple environments since yesterday). We use the mvc-auth-commons-1.0.3.jar. The AuthenticationController from that jar is used inside our callback after login which exchanges the authorization code for Auth0 tokens. That fails with an IdentityVerificationException with code “a0.api_error” and error message “An error occurred while exchanging the Authorization Code for Auth0 Tokens”. Not much to go on … but a restart of our Java module seems to temporarily fix the problem. Sadly it’s just a matter of hours before it occurs again. So far no clue as to what to do about this.

I also noticed this handshake_failure when accessing the JWKS URL; in our case it only happened when the app was running in Docker/Kubernetes. Using the suggested workaround (-Dhttps.protocols=TLSv1.2) fixes the problem. After some more investigation it turns out that the problem was actually caused because we are using jlink to create a custom JRE, which was missing a module ‘jdk.crypto.ec’.
This module is apparently required for TLS 1.3 to work. After adding this module into the custom JRE the problem was solved.
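
A diagnostic for the jlink case described in the post above, as an added example that is not code from any participant in this thread: it reports whether the runtime image contains the jdk.crypto.ec module, whether elliptic-curve key generation is available, and which TLS protocols and ECDHE cipher suites the default SSLContext enables. The class name TlsRuntimeCheck is hypothetical.

```java
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Hypothetical class name; added diagnostic, not code from the thread.
public class TlsRuntimeCheck {

    // True if some installed security provider can generate keys for the algorithm.
    static boolean hasKeyPairGenerator(String algorithm) {
        try {
            KeyPairGenerator.getInstance(algorithm);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version      : " + System.getProperty("java.version"));
        // java.home shows which runtime image (full JDK or jlink output) is in use.
        System.out.println("java.home         : " + System.getProperty("java.home"));

        // The module named in the post; on Java 11 it carries the SunEC provider.
        boolean ecModule = ModuleLayer.boot().findModule("jdk.crypto.ec").isPresent();
        System.out.println("jdk.crypto.ec     : " + ecModule);
        System.out.println("SunEC provider    : " + (Security.getProvider("SunEC") != null));
        System.out.println("EC key generation : " + hasKeyPairGenerator("EC"));

        // https.protocols only affects HttpsURLConnection; it is not reflected
        // in the SSLContext defaults printed below.
        System.out.println("https.protocols   : " + System.getProperty("https.protocols"));

        SSLParameters defaults = SSLContext.getDefault().getDefaultSSLParameters();
        String[] suites = defaults.getCipherSuites();
        long ecdhe = Arrays.stream(suites).filter(s -> s.contains("_ECDHE_")).count();
        System.out.println("enabled protocols : " + Arrays.toString(defaults.getProtocols()));
        System.out.println("ECDHE suites      : " + ecdhe + " of " + suites.length);
    }
}
```

Compile it with a full JDK 11, then run the class with the same `java` binary the application uses (for example inside the container), since a jlink image normally has no compiler.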

Thanks for the info @johan.raedemaeker