JDK-8234467 : Some TLSv1.3 handshakes fail with a decode_error rather than negotiating to 1.2
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 11.0.5
  • Priority: P3
  • Status: Closed
  • Resolution: Incomplete
  • OS: os_x
  • CPU: x86
  • Submitted: 2019-11-15
  • Updated: 2019-12-03
  • Resolved: 2019-12-03
Related Reports
Relates :  
Description
ADDITIONAL SYSTEM INFORMATION :
openjdk 11.0.4 2019-07-16
OpenJDK Runtime Environment AdoptOpenJDK (build 11.0.4+11)
OpenJDK 64-Bit Server VM AdoptOpenJDK (build 11.0.4+11, mixed mode)

MacOS Mojave 10.14.6

A DESCRIPTION OF THE PROBLEM :
Sending a TLSv1.3 handshake to certain servers that do not support 1.3 are failing 100% of the time with a javax.net.ssl.SSLHandshakeException: Received fatal alert: decode_error.

A couple servers that this issue is reproducible on:
cvws.icloud-content.com
p58-caldav.icloud.com

SSLLabs also confirms this issue exists with java 11 and java 12: https://www.ssllabs.com/ssltest/analyze.html?d=cvws.icloud%2dcontent.com&s=17.248.185.81&hideResults=on&latest

I have also tested this using OpenJDK Runtime Environment AdoptOpenJDK (build 13.0.1+9) and confirmed that it has been fixed.

REGRESSION : Last worked in version 8u231

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Write code that attempts to initiate a TLSv1.3 handshake with cvws.icloud-content.com

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The expected result is the TLS handshake negotiates to 1.2 and the connection succeeds. This is what happens with java 8 and java 13. Below are the javax.net.debug=ssl:handshake results when using java 8 that results in a successful handshake:


trigger seeding of SecureRandom
done seeding SecureRandom
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
main, setSoTimeout(0) called
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1557081191 bytes = { 177, 73, 135, 83, 175, 208, 67, 34, 211, 223, 142, 206, 222, 220, 81, 53, 29, 51, 84, 167, 187, 234, 192, 72, 242, 246, 110, 84 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension server_name, server_name: [type=host_name (0), value=cvws.icloud-content.com]
***
main, WRITE: TLSv1.2 Handshake, length = 267
main, READ: TLSv1.2 Handshake, length = 91
*** ServerHello, TLSv1.2
RandomCookie:  GMT: -5935724 bytes = { 144, 121, 96, 16, 127, 37, 192, 6, 215, 192, 16, 58, 211, 193, 73, 141, 203, 65, 60, 100, 122, 89, 105, 6, 173, 75, 42, 20 }
Session ID:  {132, 172, 225, 136, 199, 66, 203, 240, 119, 57, 223, 246, 229, 35, 250, 132, 70, 171, 125, 221, 172, 70, 152, 41, 247, 139, 238, 138, 93, 1, 105, 254}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Compression Method: 0
Extension server_name, server_name: 
Extension renegotiation_info, renegotiated_connection: <empty>
Extension ec_point_formats, formats: [uncompressed]
***
%% Initialized:  [Session-1, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
** TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
main, READ: TLSv1.2 Handshake, length = 3582
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: C=US, ST=California, O=Apple Inc., CN=cvws.icloud-content.com
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 25136070334540197480951235264429332517082242805568304377402303134428062203207951007230871882126688910822392677931320184479476966338033178370551529136307339902832990859661051719823293181907523956108705027686386943737625068597358060738280645297098963730788836999271933753831897418263794411287215869197484725110736886292486246221826310249220772672822815285182429510896818759524733867398235431766047024750348570069639939858898888486811731532285132985034028088074695220799701795191869898460391416423627718640580194648053439206595265595995825258981466085927820634550843838218267012262565243680849699424419248062304741625027
  public exponent: 65537
  Validity: [From: Thu Apr 11 12:56:22 MDT 2019,
               To: Sun May 10 13:06:00 MDT 2020]
  Issuer: C=US, O=Apple Inc., OU=Certification Authority, CN=Apple IST CA 2 - G1
  SerialNumber: [    059c53fc f780d906 52ce1324 8646d5b8]

Certificate Extensions: 13
[1]: ObjectId: 1.2.840.113635.100.6.27.11.2 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 02 05 00                                        ....


[2]: ObjectId: 1.2.840.113635.100.6.27.15.2 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 02 05 00                                        ....


[3]: ObjectId: 1.2.840.113635.100.6.27.7.2 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 02 05 00                                        ....


[4]: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 82 02 5B 04 82 02 57   02 55 00 76 00 B2 1E 05  ...[...W.U.v....
0010: CC 8B A2 CD 8A 20 4E 87   66 F9 2B B9 8A 25 20 67  ..... N.f.+..% g
0020: 6B DA FA 70 E7 B2 49 53   2D EF 8B 90 5E 00 00 01  k..p..IS-...^...
0030: 6A 0D CB 36 58 00 00 04   03 00 47 30 45 02 20 17  j..6X.....G0E. .
0040: ED 4E BB BA ED 81 40 64   43 10 72 5D 9B 0E EB B6  .N....@dC.r]....
0050: C7 6F DA 36 5A 74 2B A3   8B 25 B5 4E C6 1A 97 02  .o.6Zt+..%.N....
0060: 21 00 B8 3D B7 63 07 CB   14 10 3D 18 0A A2 9E 43  !..=.c....=....C
0070: B1 DE 0A 9F 54 E3 C8 1C   91 54 A9 79 F7 F2 FC 69  ....T....T.y...i
0080: 64 E0 00 77 00 A4 B9 09   90 B4 18 58 14 87 BB 13  d..w.......X....
0090: A2 CC 67 70 0A 3C 35 98   04 F9 1B DF B8 E3 77 CD  ..gp.<5.......w.
00A0: 0E C8 0D DC 10 00 00 01   6A 0D CB 36 57 00 00 04  ........j..6W...
00B0: 03 00 48 30 46 02 21 00   8A A6 96 1B 85 CD CE 00  ..H0F.!.........
00C0: 3A D1 84 95 7E 42 A5 09   81 80 FE 37 4D 42 CE 9E  :....B.....7MB..
00D0: A3 F5 E9 31 8F DE B7 4C   02 21 00 AF 34 90 66 FA  ...1...L.!..4.f.
00E0: 37 75 9B 89 31 9F 11 19   08 3D B4 99 AF 9E C9 1C  7u..1....=......
00F0: F2 4A D1 10 A5 34 1D 75   10 75 E1 00 75 00 56 14  .J...4.u.u..u.V.
0100: 06 9A 2F D7 C2 EC D3 F5   E1 BD 44 B2 3E C7 46 76  ../.......D.>.Fv
0110: B9 BC 99 11 5C C0 EF 94   98 55 D6 89 D0 DD 00 00  ....\....U......
0120: 01 6A 0D CB 37 3B 00 00   04 03 00 46 30 44 02 20  .j..7;.....F0D. 
0130: 2A 2D AA F8 BB 85 20 9B   A9 4F 4F 34 BC 73 47 09  *-.... ..OO4.sG.
0140: 12 37 55 55 97 D8 65 A4   5C 62 B3 DD 32 44 A1 AF  .7UU..e.\b..2D..
0150: 02 20 0F 9E D6 6A 24 BE   60 53 7F E7 64 3A BA 7C  . ...j$.`S..d:..
0160: D6 F8 48 9A 13 C9 D3 BB   7E AA 47 92 D4 6C E6 0E  ..H.......G..l..
0170: 8D 2D 00 75 00 87 75 BF   E7 59 7C F8 8C 43 99 5F  .-.u..u..Y...C._
0180: BD F3 6E FF 56 8D 47 56   36 FF 4A B5 60 C1 B4 EA  ..n.V.GV6.J.`...
0190: FF 5E A0 83 0F 00 00 01   6A 0D CB 37 16 00 00 04  .^......j..7....
01A0: 03 00 46 30 44 02 20 66   4A 7A 71 22 95 69 64 47  ..F0D. fJzq".idG
01B0: EA 7D 9C 22 26 16 E1 26   DF EA F3 9A C3 4B 51 4B  ..."&..&.....KQK
01C0: FF 06 F3 C8 E3 B2 CD 02   20 46 32 09 11 59 33 9E  ........ F2..Y3.
01D0: E0 B8 71 89 C3 0E 60 40   F4 B3 38 4E 56 6B F1 E2  ..q...`@..8NVk..
01E0: 5C 39 0E 31 61 EA 2F EA   4F 00 74 00 5E A7 73 F9  \9.1a./.O.t.^.s.
01F0: DF 56 C0 E7 B5 36 48 7D   D0 49 E0 32 7A 91 9A 0C  .V...6H..I.2z...
0200: 84 A1 12 12 84 18 75 96   81 71 45 58 00 00 01 6A  ......u..qEX...j
0210: 0D CB 36 A5 00 00 04 03   00 45 30 43 02 1F 17 52  ..6......E0C...R
0220: 00 D1 79 3A 12 25 23 B6   66 5C C4 86 69 67 55 B4  ..y:.%#.f\..igU.
0230: E3 09 B7 FC 6D 0D FC 0C   96 DD AF 8C BE 02 20 5F  ....m......... _
0240: C3 C1 CD 70 79 15 2D 3D   1A 84 8D 68 1A EA FF C8  ...py.-=...h....
0250: F7 7D AC E0 00 C6 09 E9   9E FF 97 8D 78 9F 9E     ............x..


[5]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: http://certs.apple.com/appleistca2g1.der
, 
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.apple.com/ocsp03-appleistca2g123
]
]

[6]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: D8 7A 94 44 7C 90 70 90   16 9E DD 17 9C 01 44 03  .z.D..p.......D.
0010: 86 D6 2A 29                                        ..*)
]
]

[7]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[8]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.apple.com/appleistca2g1.crl]
]]

[9]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [1.2.840.113635.100.5.11.4]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.2
  qualifier: 0000: 30 81 97 0C 81 94 52 65   6C 69 61 6E 63 65 20 6F  0.....Reliance o
0010: 6E 20 74 68 69 73 20 63   65 72 74 69 66 69 63 61  n this certifica
0020: 74 65 20 62 79 20 61 6E   79 20 70 61 72 74 79 20  te by any party 
0030: 61 73 73 75 6D 65 73 20   61 63 63 65 70 74 61 6E  assumes acceptan
0040: 63 65 20 6F 66 20 61 6E   79 20 61 70 70 6C 69 63  ce of any applic
0050: 61 62 6C 65 20 74 65 72   6D 73 20 61 6E 64 20 63  able terms and c
0060: 6F 6E 64 69 74 69 6F 6E   73 20 6F 66 20 75 73 65  onditions of use
0070: 20 61 6E 64 2F 6F 72 20   63 65 72 74 69 66 69 63   and/or certific
0080: 61 74 69 6F 6E 20 70 72   61 63 74 69 63 65 20 73  ation practice s
0090: 74 61 74 65 6D 65 6E 74   73 2E                    tatements.

], PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 2D 68 74 74 70 3A 2F   2F 77 77 77 2E 61 70 70  .-http://www.app
0010: 6C 65 2E 63 6F 6D 2F 63   65 72 74 69 66 69 63 61  le.com/certifica
0020: 74 65 61 75 74 68 6F 72   69 74 79 2F 72 70 61     teauthority/rpa

]]  ]
]

[10]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
]

[11]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

[12]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: cvws-007.icloud-content.com
  DNSName: cvws-003.icloud-content.com
  DNSName: cvws-006.icloud-content.com
  DNSName: cvws-008.icloud-content.com
  DNSName: cvws-004.icloud-content.com
  DNSName: cvws-009.icloud-content.com
  DNSName: cvws-005.icloud-content.com
  DNSName: cvws-dc-internal.icloud-content.com
  DNSName: cvws.icloud-content.com
  DNSName: cdn.icloud-content.com
  DNSName: cvws-001.icloud-content.com
  DNSName: cvws-dc.icloud-content.com
  DNSName: cvws-002.icloud-content.com
]

[13]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A3 17 94 E7 58 5B 11 CF   7A 8C 89 35 20 4C 2B C6  ....X[..z..5 L+.
0010: 02 41 00 9C                                        .A..
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 23 78 B3 A4 E7 0B 83 5E   6E DF 21 59 66 36 82 C2  #x.....^n.!Yf6..
0010: 2B BD A9 94 98 2B 20 40   CD 5D 78 FF DC 00 B7 01  +....+ @.]x.....
0020: B5 2A 22 62 48 C5 D5 3C   77 C2 34 BE 52 4B 12 3A  .*"bH..<w.4.RK.:
0030: 2C 6A 2A D6 81 A2 C9 CD   CF A1 04 DC 07 27 5F 86  ,j*..........'_.
0040: 86 33 B9 03 8C A8 26 8D   CD 92 E6 01 FE 51 69 EF  .3....&......Qi.
0050: DC 8B C3 09 9E 4A 03 05   D2 37 73 1F E6 73 0D C3  .....J...7s..s..
0060: 73 8A C6 9A 85 F0 51 A2   26 B3 AE D5 7C EF CC 6E  s.....Q.&......n
0070: 65 5E 40 47 99 77 E6 BB   93 27 B6 6C FD 52 D2 DF  e^@G.w...'.l.R..
0080: 58 46 63 27 7C 9A EB 2F   B8 19 0E EB 3C 1C CA FA  XFc'.../....<...
0090: 98 AE FF E4 96 7E 8D 45   16 6A FC BF 59 6C EA 45  .......E.j..Yl.E
00A0: 05 A0 12 3F 20 C4 E8 E5   89 05 7E 6B FC A9 51 52  ...? ......k..QR
00B0: C1 F7 C3 E7 E0 0A 4B 70   85 12 18 C5 A5 72 5B D5  ......Kp.....r[.
00C0: FA F6 E4 83 6B 45 DB 86   C1 72 12 37 F6 1B DC B9  ....kE...r.7....
00D0: AD A5 6F C1 78 0C A7 B4   5B E2 12 C6 64 5D 98 09  ..o.x...[...d]..
00E0: 47 2C D1 5D 74 3E 2A 6E   CC AF C3 36 2F B4 AB 3D  G,.]t>*n...6/..=
00F0: DF 7D 4B EB AA 44 A7 14   AC 8F 9C 19 01 98 F8 5D  ..K..D.........]

]
chain [1] = [
[
  Version: V3
  Subject: C=US, O=Apple Inc., OU=Certification Authority, CN=Apple IST CA 2 - G1
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 26330366180152162663243748524461199192109853866060511299305371442192547271190172543013997772257744947940715083991734107692943402404203123939311757660058382600586273484750279500282618036597119027582086815739987980331622715773257682320381732071033801181183707978956451061736722995790878734036146013911760381049242345016130735393935732892787679915689938048551510876632506426429315941355677879486183706273188028673311167093230512587848959522924446757200558185443093057847590075019525517726908645157180896742086780647451706360551233683099547081674234458862181835970948065160248890092660564147031174101668846413887268359411
  public exponent: 65537
  Validity: [From: Mon Jun 16 09:42:02 MDT 2014,
               To: Fri May 20 09:42:02 MDT 2022]
  Issuer: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
  SerialNumber: [    023a74]

Certificate Extensions: 7
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://g.symcd.com
]
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: C0 7A 98 68 8D 89 FB AB   05 64 0C 11 7D AA 7D 65  .z.h.....d.....e
0010: B8 CA CC 4E                                        ...N
]
]

[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://g.symcb.com/crls/gtglobal.crl]
]]

[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.113733.1.7.54]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 25 68 74 74 70 3A 2F   2F 77 77 77 2E 67 65 6F  .%http://www.geo
0010: 74 72 75 73 74 2E 63 6F   6D 2F 72 65 73 6F 75 72  trust.com/resour
0020: 63 65 73 2F 63 70 73                               ces/cps

]]  ]
]

[6]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

[7]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: D8 7A 94 44 7C 90 70 90   16 9E DD 17 9C 01 44 03  .z.D..p.......D.
0010: 86 D6 2A 29                                        ..*)
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 16 47 73 6F 85 A2 62 E1   E7 2A 76 BB 89 95 42 26  .Gso..b..*v...B&
0010: 97 BC 4A AC AC 70 53 3A   3F 31 83 3D 3C 1C AB 9A  ..J..pS:?1.=<...
0020: E2 B1 5D 1C 76 1A A0 3C   0C 72 57 BE D3 9E 50 E0  ..].v..<.rW...P.
0030: C8 99 D6 58 D7 02 EA CE   0D 29 54 7C CD F5 C2 C6  ...X.....)T.....
0040: 90 29 55 A3 6F 14 A8 0B   42 0D 3A 98 6D 06 78 9E  .)U.o...B.:.m.x.
0050: F0 6A A3 1D 02 0A A2 28   A4 8D C2 81 46 3E 6D 67  .j.....(....F>mg
0060: DA DE 3F FE 85 0E 42 2A   12 DE B5 B7 FB B8 1B A7  ..?...B*........
0070: 96 EC 77 9F EC D4 53 95   7A FF 07 F4 F2 0A 14 C0  ..w...S.z.......
0080: 51 52 B1 D6 8E 50 0B 1A   99 5C BC 0B C9 BD ED ED  QR...P...\......
0090: F8 5E C1 56 DB 4D 7E 23   A4 11 A1 2C D4 1B 05 9A  .^.V.M.#...,....
00A0: E4 1B 52 F6 7C 38 99 05   4B BA 72 8D 42 89 60 04  ..R..8..K.r.B.`.
00B0: 66 2A F4 FD 68 D7 6B F7   99 41 28 D6 6C 24 AB E6  f*..h.k..A(.l$..
00C0: 25 53 2E C8 82 99 E2 A2   8F 23 BE 30 83 B1 27 8B  %S.......#.0..'.
00D0: FA 68 7F 01 49 E8 C6 98   6B 10 2E 98 5E 8A D7 CA  .h..I...k...^...
00E0: 4B B1 C7 C9 58 9A D0 36   DB 96 95 EC B6 81 E4 F2  K...X..6........
00F0: CD 6F 1B 79 87 4C 10 3C   89 E4 4D FA 54 DC AA A6  .o.y.L.<..M.T...

]
***
Found trusted certificate:
[
[
  Version: V3
  Subject: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: 27620593608073140957439440929253438012688864718977347268272053725994928948867769687165112265058896553974818505070806430256424431940072485024407486246475597522063246121214348496326377341879755851197260401080498544606788760407243324127929930612201002157618691487713632251700065187865963692723720912135393438861302779432180613616167225206519123176430362410262429702404863434904116727055203524505580952824336979641923534005571504410997292144760317953739063178352809680844232935574095508445145910310675421726257114605895831426222686272114090063230017292595425393719031924942422176213538487957041730136782988405751614792953
  public exponent: 65537
  Validity: [From: Mon May 20 22:00:00 MDT 2002,
               To: Fri May 20 22:00:00 MDT 2022]
  Issuer: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
  SerialNumber: [    023456]

Certificate Extensions: 3
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: C0 7A 98 68 8D 89 FB AB   05 64 0C 11 7D AA 7D 65  .z.h.....d.....e
0010: B8 CA CC 4E                                        ...N
]
]

[2]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

[3]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: C0 7A 98 68 8D 89 FB AB   05 64 0C 11 7D AA 7D 65  .z.h.....d.....e
0010: B8 CA CC 4E                                        ...N
]
]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 35 E3 29 6A E5 2F 5D 54   8E 29 50 94 9F 99 1A 14  5.)j./]T.)P.....
0010: E4 8F 78 2A 62 94 A2 27   67 9E D0 CF 1A 5E 47 E9  ..x*b..'g....^G.
0020: C1 B2 A4 CF DD 41 1A 05   4E 9B 4B EE 4A 6F 55 52  .....A..N.K.JoUR
0030: B3 24 A1 37 0A EB 64 76   2A 2E 2C F3 FD 3B 75 90  .$.7..dv*.,..;u.
0040: BF FA 71 D8 C7 3D 37 D2   B5 05 95 62 B9 A6 DE 89  ..q..=7....b....
0050: 3D 36 7B 38 77 48 97 AC   A6 20 8F 2E A6 C9 0C C2  =6.8wH... ......
0060: B2 99 45 00 C7 CE 11 51   22 22 E0 A5 EA B6 15 48  ..E....Q"".....H
0070: 09 64 EA 5E 4F 74 F7 05   3E C7 8A 52 0C DB 15 B4  .d.^Ot..>..R....
0080: BD 6D 9B E5 C6 B1 54 68   A9 E3 69 90 B6 9A A5 0F  .m....Th..i.....
0090: B8 B9 3F 20 7D AE 4A B5   B8 9C E4 1D B6 AB E6 94  ..? ..J.........
00A0: A5 C1 C7 83 AD DB F5 27   87 0E 04 6C D5 FF DD A0  .......'...l....
00B0: 5D ED 87 52 B7 2B 15 02   AE 39 A6 6A 74 E9 DA C4  ]..R.+...9.jt...
00C0: E7 BC 4D 34 1E A9 5C 4D   33 5F 92 09 2F 88 66 5D  ..M4..\M3_../.f]
00D0: 77 97 C7 1D 76 13 A9 D5   E5 F1 16 09 11 35 D5 AC  w...v........5..
00E0: DB 24 71 70 2C 98 56 0B   D9 17 B4 D1 E3 51 2B 5E  .$qp,.V......Q+^
00F0: 75 E8 D5 D0 DC 4F 34 ED   C2 05 66 80 A1 CB E6 33  u....O4...f....3

]
main, READ: TLSv1.2 Handshake, length = 333
*** ECDH ServerKeyExchange
Signature Algorithm SHA512withRSA
Server key: Sun EC public key, 256 bits
  public x coord: 92834745786580266321945464844046947079188679388565224135134587487855806935538
  public y coord: 95225875105857778834605560043339969985828922220038169565392626892101364324247
  parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
main, READ: TLSv1.2 Handshake, length = 4
*** ServerHelloDone
*** ECDHClientKeyExchange
ECDH Public value:  { 4, 243, 170, 178, 20, 73, 6, 31, 16, 89, 245, 125, 124, 114, 172, 1, 21, 241, 90, 84, 12, 105, 126, 69, 68, 167, 13, 120, 214, 37, 84, 63, 68, 61, 199, 91, 207, 245, 165, 185, 78, 234, 153, 43, 128, 212, 133, 111, 36, 243, 194, 141, 216, 233, 18, 78, 21, 144, 90, 155, 204, 99, 113, 168, 82 }
main, WRITE: TLSv1.2 Handshake, length = 70
SESSION KEYGEN:
PreMaster Secret:
0000: E9 5B 27 43 48 DE E1 DB   D7 48 E5 83 09 18 8D 26  .['CH....H.....&
0010: 9B 33 9F BB 4C 84 AC 41   87 6C 5B 0D E8 11 25 EC  .3..L..A.l[...%.
CONNECTION KEYGEN:
Client Nonce:
0000: 5D CF 2C 67 B1 49 87 53   AF D0 43 22 D3 DF 8E CE  ].,g.I.S..C"....
0010: DE DC 51 35 1D 33 54 A7   BB EA C0 48 F2 F6 6E 54  ..Q5.3T....H..nT
Server Nonce:
0000: 00 A5 6E 94 90 79 60 10   7F 25 C0 06 D7 C0 10 3A  ..n..y`..%.....:
0010: D3 C1 49 8D CB 41 3C 64   7A 59 69 06 AD 4B 2A 14  ..I..A<dzYi..K*.
Master Secret:
0000: 4C FC 4C 92 27 01 4C EF   2A 2A 0F E3 B1 FA CA 67  L.L.'.L.**.....g
0010: 9E 66 A8 6D 1A F2 78 EA   2C 10 64 0D CE EE 5D 20  .f.m..x.,.d...] 
0020: CB 97 F1 9E 61 7A C1 45   85 44 25 99 96 F4 3F 24  ....az.E.D%...?$
... no MAC keys used for this cipher
Client write key:
0000: F3 0C 1A 0E EC 55 F4 14   02 FF 37 96 14 18 D5 59  .....U....7....Y
0010: 60 40 DB 25 00 A6 29 0B   CF 68 19 DE 1F E5 DF EB  `@.%..)..h......
Server write key:
0000: DD 7F 01 4C EB 75 F9 90   55 DB 74 BE 4E 09 6A 51  ...L.u..U.t.N.jQ
0010: 0A 3A D4 8E F3 74 0E A1   A0 F4 E2 57 66 64 A5 7F  .:...t.....Wfd..
Client write IV:
0000: 43 E1 83 7D                                        C...
Server write IV:
0000: 7C 07 27 DA                                        ..'.
main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
verify_data:  { 172, 38, 95, 140, 197, 253, 0, 32, 90, 168, 233, 232 }
***
main, WRITE: TLSv1.2 Handshake, length = 40
main, READ: TLSv1.2 Change Cipher Spec, length = 1
main, READ: TLSv1.2 Handshake, length = 40
*** Finished
verify_data:  { 164, 35, 232, 112, 189, 150, 171, 145, 214, 138, 83, 111 }
***
%% Cached client session: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
main, WRITE: TLSv1.2 Application Data, length = 186
main, READ: TLSv1.2 Application Data, length = 668
ACTUAL -
When using java 11, the below handshake is what actually occurs and result in an unsuccessful connection.


javax.net.ssl|DEBUG|01|main|2019-11-15 15:55:33.485 MST|SSLCipher.java:438|jdk.tls.keyLimits:  entry = AES/GCM/NoPadding KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472
javax.net.ssl|DEBUG|01|main|2019-11-15 15:55:33.755 MST|Utilities.java:73|the previous server name in SNI (type=host_name (0), value=cvws.icloud-content.com) was replaced with (type=host_name (0), value=cvws.icloud-content.com)
javax.net.ssl|WARNING|01|main|2019-11-15 15:55:33.803 MST|SignatureScheme.java:283|Signature algorithm, ed25519, is not supported by the underlying providers
javax.net.ssl|WARNING|01|main|2019-11-15 15:55:33.803 MST|SignatureScheme.java:283|Signature algorithm, ed448, is not supported by the underlying providers
javax.net.ssl|INFO|01|main|2019-11-15 15:55:33.808 MST|AlpnExtension.java:161|No available application protocols
javax.net.ssl|DEBUG|01|main|2019-11-15 15:55:33.809 MST|SSLExtensions.java:257|Ignore, context unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|01|main|2019-11-15 15:55:33.809 MST|SSLExtensions.java:257|Ignore, context unavailable extension: cookie
javax.net.ssl|DEBUG|01|main|2019-11-15 15:55:33.843 MST|SSLExtensions.java:257|Ignore, context unavailable extension: renegotiation_info
javax.net.ssl|DEBUG|01|main|2019-11-15 15:55:33.844 MST|PreSharedKeyExtension.java:633|No session to resume.
javax.net.ssl|DEBUG|01|main|2019-11-15 15:55:33.844 MST|SSLExtensions.java:257|Ignore, context unavailable extension: pre_shared_key
javax.net.ssl|DEBUG|01|main|2019-11-15 15:55:33.854 MST|ClientHello.java:653|Produced ClientHello handshake message (
"ClientHello": {
  "client version"      : "TLSv1.2",
  "random"              : "51 69 15 70 EA 4E 2E 04 77 49 B7 33 02 17 D6 CA 71 07 B5 86 5A 9A C3 D7 F3 E0 F0 20 DA 23 2B 3F",
  "session id"          : "45 DD DF 8E F5 32 26 1C DF 88 05 0E CF 9F DA D0 EC F4 62 D9 78 5E C4 8B AC 61 DD 85 F3 3A 1F 29",
  "cipher suites"       : "[TLS_AES_128_GCM_SHA256(0x1301), TLS_AES_256_GCM_SHA384(0x1302), TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E), TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D), TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
  "compression methods" : "00",
  "extensions"          : [
    "server_name (0)": {
      type=host_name (0), value=cvws.icloud-content.com
    },
    "status_request (5)": {
      "certificate status type": ocsp
      "OCSP status request": {
        "responder_id": <empty>
        "request extensions": {
          <empty>
        }
      }
    },
    "supported_groups (10)": {
      "versions": [secp256r1, secp384r1, secp521r1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
    },
    "ec_point_formats (11)": {
      "formats": [uncompressed]
    },
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "status_request_v2 (17)": {
      "cert status request": {
        "certificate status type": ocsp_multi
        "OCSP status request": {
          "responder_id": <empty>
          "request extensions": {
            <empty>
          }
        }
      }
    },
    "extended_master_secret (23)": {
      <empty>
    },
    "supported_versions (43)": {
      "versions": [TLSv1.3, TLSv1.2, TLSv1.1, TLSv1]
    },
    "psk_key_exchange_modes (45)": {
      "ke_modes": [psk_dhe_ke]
    },
    "key_share (51)": {
      "client_shares": [  
        {
          "named group": secp256r1
          "key_exchange": {
            0000: 04 5C 2C 43 09 AC 18 D4   6A E5 F8 2A D4 6C C1 D2  .\,C....j..*.l..
            0010: 27 B5 D2 24 81 C4 FF 4F   85 04 DD A4 DF 60 76 AB  '..$...O.....`v.
            0020: 72 69 83 FD 78 74 C7 12   58 13 FD 74 72 35 C1 79  ri..xt..X..tr5.y
            0030: 92 EE 3B 33 83 88 42 B4   99 E1 73 BA 14 E2 EC 9E  ..;3..B...s.....
            0040: 3A 
          }
        },
      ]
    }
  ]
}
)
javax.net.ssl|DEBUG|01|main|2019-11-15 15:55:33.896 MST|Alert.java:238|Received alert message (
"Alert": {
  "level"      : "fatal",
  "description": "decode_error"
}
)
javax.net.ssl|ERROR|01|main|2019-11-15 15:55:33.897 MST|TransportContext.java:312|Fatal (DECODE_ERROR): Received fatal alert: decode_error (
"throwable" : {
  javax.net.ssl.SSLHandshakeException: Received fatal alert: decode_error
  	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
  	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
  	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:307)
  	at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:285)
  	at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:180)
  	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
  	at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
  	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
  	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
  	at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
  	at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
  	at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1587)
  	at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1515)
  	at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:250)
  	at Main.main(Main.java:12)}

)
javax.net.ssl|DEBUG|01|main|2019-11-15 15:55:33.898 MST|SSLSocketImpl.java:1361|close the underlying socket
javax.net.ssl|DEBUG|01|main|2019-11-15 15:55:33.898 MST|SSLSocketImpl.java:1380|close the SSL connection (initiative)
javax.net.ssl.SSLHandshakeException: Received fatal alert: decode_error
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:307)
	at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:285)
	at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:180)
	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
	at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
	at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
	at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
	at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1587)
	at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1515)
	at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:250)
	at Main.main(Main.java:12)

---------- BEGIN SOURCE ----------
import java.io.FileNotFoundException;
import java.io.InputStream;
import java.net.URL;
import java.net.URLConnection;

public class Main {
    public static void main(String[] args) {
        try {
            URL url = new URL("https://cvws.icloud-content.com");
            URLConnection conn = url.openConnection();
            InputStream in = conn.getInputStream();
        } catch (FileNotFoundException e) {
            System.out.println("Expected");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
Setting the system property jdk.tls.client.protocols to "TLSv1,TLSv1.1,TLSv1.2" prevents sending a TLSv1.3 handshake and the error does not occur.

FREQUENCY : always



Comments
The test in the bug description could pass in JDK 13. In JDK 13, the x25519 could be used for key exchange. X25519 is not supported in JDK 11. In JDK 11, secp256r1 is used instead. If enabling secp256r1 named groups only (-Djdk.tls.namedGroups=secp256r1), the server does not accept the handshake request as well. It might be a problem of the server, which cannot parse the secp256r1 key_share message. Before doing further evaluation, please help to check the server capacities and behaviors. Close it as incomplete for now. Please re-open it if there is more information about the server configuration and behaviors.
03-12-2019