HTTPS/SSL deploy fails with "Received fatal alert: bad_record_mac"

Deploying to an SSL-enabled server fails with the following message:

Received fatal alert: bad_record_mac

The problem is caused by an issue in the Sun Java security package (#4815023) that makes Java attempt TLS even when the server does not support it. This results in an aborted connection.

One workaround is to force the use of SSLv3 only. To do this, add the following to the MAVEN_OPTS environment variable:

"-Dhttps.protocols=SSLv3 -Dforce.http.jre.executor=true"


Another cause of this problem is that the server Maven is connecting to uses an SSL cipher that is not compatible with the client.

For example, the following nginx configuration is known to avoid this error:

ssl_protocols SSLv3 TLSv1 SSLv2;
ssl_ciphers ALL:!ADH:!EXPORT56:!kEDH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;

Further background can be found here: https://issues.sonatype.org/browse/OSSRH-5165
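
As an added example (not Sonatype's code), the following Python script reads the ssl_protocols and ssl_ciphers directives from the nginx configuration above and lists the protocol versions since retired by IETF RFCs and the weak cipher classes the string still admits. The keyword list, the keyword-level evaluation and the MODERN_CONF contrast case are assumptions made for this example; running `openssl ciphers -v` on the actual string gives the authoritative suite list.

```python
import re

# Protocol versions retired by the IETF, with the RFC that retired each one.
DEPRECATED_PROTOCOLS = {"SSLv2": "RFC 6176", "SSLv3": "RFC 7568",
                        "TLSv1": "RFC 8996", "TLSv1.1": "RFC 8996"}
# OpenSSL cipher-string keywords that select weak suites (partial list, an assumption).
WEAK = ["EXP", "EXPORT40", "EXPORT56", "LOW", "SSLv2", "RC4", "ADH"]
ALIASES = {"EXPORT": "EXP"}
IMPLIES = {"EXP": {"EXPORT40", "EXPORT56"}}  # deleting EXP deletes both key sizes

# The three directives shown in the article.
PAGE_CONF = """
ssl_protocols SSLv3 TLSv1 SSLv2;
ssl_ciphers ALL:!ADH:!EXPORT56:!kEDH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
"""
# Constructed contrast case, not from the article.
MODERN_CONF = "ssl_protocols TLSv1.2 TLSv1.3;\nssl_ciphers HIGH:!aNULL:!MD5;\n"

def directive(conf, name):
    """Argument tokens of the last `name ...;` directive in conf, or []."""
    found = re.findall(r"^\s*" + re.escape(name) + r"\s+([^;]+);", conf, re.M)
    return re.sub(r"[\"']", "", found[-1]).split() if found else []

def weak_protocols(conf):
    return [(p, DEPRECATED_PROTOCOLS[p])
            for p in directive(conf, "ssl_protocols") if p in DEPRECATED_PROTOCOLS]

def weak_cipher_classes(conf):
    """Keyword-level approximation of OpenSSL cipher-string evaluation:
    a bare token adds, '!' deletes for good, '-' deletes, '+' only reorders."""
    admitted, killed = set(), set()
    for tok in re.split(r"[:, ]+", " ".join(directive(conf, "ssl_ciphers"))):
        op, name = (tok[0], tok[1:]) if tok[:1] in ("!", "-", "+") else ("", tok)
        names = {ALIASES.get(n, n) for n in name.split("+") if n}
        if op in ("!", "-") and "+" not in name:
            gone = names | set().union(*(IMPLIES.get(n, set()) for n in names))
            admitted -= gone
            if op == "!":
                killed |= gone
        elif op == "":
            if "ALL" in names:
                names = set(WEAK)  # ALL selects every suite except eNULL
            admitted |= (names & set(WEAK)) - killed
    return [k for k in WEAK if k in admitted]

if __name__ == "__main__":
    for label, conf in (("article", PAGE_CONF), ("modern", MODERN_CONF)):
        print(label, weak_protocols(conf), weak_cipher_classes(conf))
```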
