javax.net.ssl.SSLHandshakeException: Insufficient buffer remaining for AEAD cipher fragment (2). Needs to be more than tag size (16)

javax.net.ssl.SSLHandshakeException: Insufficient buffer remaining for AEAD cipher fragment (2). Needs to be more than tag size (16)
        at sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:324)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:262)
        at sun.security.ssl.SSLTransport.decode(SSLTransport.java:130)
        at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1397)
        at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1305)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440)
        at sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:818)
        at sun.security.ssl.SSLSocketImpl.access$200(SSLSocketImpl.java:73)
        at sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:909)
        at arc.dqV.a(SourceFile:80)
        at arc.dqV.read(SourceFile:56)
        at arc.ud.a(SourceFile:187)
        at arc.ud.a(SourceFile:256)
        at arc.mf.modules.dicom.DicomNetworkService.readNextMessage(SourceFile:250)
        at arc.cQg.run(SourceFile:303)
        at arc.cQh.doExecute(SourceFile:497)
        at arc.utils.Task.a(SourceFile:990)
        at arc.utils.Task.run(SourceFile:939)
        at arc.dFf.a(SourceFile:530)
        at arc.dFf.run(SourceFile:478)
        at arc.dFe.run(SourceFile:321)
Caused by: javax.crypto.BadPaddingException: Insufficient buffer remaining for AEAD cipher fragment (2). Needs to be more than tag size (16)
        at sun.security.ssl.SSLCipher$T13GcmReadCipherGenerator$GcmReadCipher.decrypt(SSLCipher.java:1845)
        at sun.security.ssl.SSLSocketInputRecord.decodeInputRecord(SSLSocketInputRecord.java:262)
        at sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:190)
        at sun.security.ssl.SSLTransport.decode(SSLTransport.java:109)
        ... 18 more

Cause:
javax.crypto.BadPaddingException: Insufficient buffer remaining for AEAD cipher fragment (2). Needs to be more than tag size (16):
Stack:
javax.crypto.BadPaddingException: Insufficient buffer remaining for AEAD cipher fragment (2). Needs to be more than tag size (16)
        at sun.security.ssl.SSLCipher$T13GcmReadCipherGenerator$GcmReadCipher.decrypt(SSLCipher.java:1845)
        at sun.security.ssl.SSLSocketInputRecord.decodeInputRecord(SSLSocketInputRecord.java:262)
        at sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:190)
        at sun.security.ssl.SSLTransport.decode(SSLTransport.java:109)
        at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1397)
        at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1305)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440)
        at sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:818)
        at sun.security.ssl.SSLSocketImpl.access$200(SSLSocketImpl.java:73)
        at sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:909)
        at arc.dqV.a(SourceFile:80)
        at arc.dqV.read(SourceFile:56)
        at arc.ud.a(SourceFile:187)
        at arc.ud.a(SourceFile:256)
        at arc.mf.modules.dicom.DicomNetworkService.readNextMessage(SourceFile:250)
        at arc.cQg.run(SourceFile:303)
        at arc.cQh.doExecute(SourceFile:497)
        at arc.utils.Task.a(SourceFile:990)
        at arc.utils.Task.run(SourceFile:939)
        at arc.dFf.a(SourceFile:530)
        at arc.dFf.run(SourceFile:478)
        at arc.dFe.run(SourceFile:321)

Cause

This is known Oracle issue. For details, visit the following links:

• https://bugs.openjdk.java.net/browse/JDK-8221218
• https://support.oracle.com/knowledge/Middleware/2519569_1.html

Solution

There are two solutions for this issue:

• Add -DUseSunHttpHandler=true in the startup arguments.
• Identify on which cipher the handshake was negoitiated by enabling the JSSE debug and disable that cipher in the jre/lib/security/java.security file.

see also

• https://docs.microfocus.com/doc/UCMDB/2021.05/InsufficientBufferAEADcipher

Diagnose Java OutOfMemoryError

Diagnose

• add -XX:+HeapDumpOnOutOfMemoryError to dump Java heap
• use jmap while the process is runnin:
• jmap -histo:live pid
• jmap -dump pid
• use jhat or Eclipse MAT to analyse the heap dump file

Solutions

• Analyse the heap dump to find what objects were consuming memory
• Increase Java heap size: -Xmx1g
• To reduce the memory usage, add -XX:+UseG1GC -XX:+UseStringDeduplication arguments to java command

Java: UseG1GC to reduce memory consumption

Add java arugments:

-XX:+UseG1GC -XX:+UseStringDeduplication

Note: UseStringDeduplication only works with UseG1GC. From my experience, it does reduce the memory consumption significantly for some applications. But it also slows down the process a little bit compared with the default Parallel GC.

see also

• G1 GC: Reducing Memory Consumption by 20%

Java: jmap heap dump

To capture a heap dump using jmap we need to use the dump option:

jmap -dump:[live],format=b,file=<file-path> <pid>

Along with that option, we should specify several parameters:

• live: if set it only prints objects which have active references and discards the ones that are ready to be garbage collected. This parameter is optional
• format=b: specifies that the dump file will be in binary format. If not set the result is the same
• file: the file where the dump will be written to
• pid: id of the Java process

An example would be like this:

jmap -dump:live,format=b,file=/tmp/dump.hprof 12587

see also

• https://www.baeldung.com/java-heap-dump-capture
• 7 Ways to Capture Java Heap Dumps

Analyse Java Heap Dump with Eclipse Memory Analyser Tool

• Install Eclipse Memory Analyser Tool: Install New Software -> https://download.eclipse.org/mat/1.9.0/update-site
• Get Java Heap Dump with jmap or dump it by adding Java argument:-XX:+HeapDumpOnOutOfMemoryError
• In Eclipse, use the File -> New -> Other…​ -> Other -> Heap Dump menu entry to open a dialog to select for which process you want to acquire a memory dump.

see also

• Dump Java heap when OutOfMemoryError occurs
• Dump Java heap using jmap
• 10 Tips for using the Eclipse Memory Analyzer

Dump Java Heap when OutOfMemoryError occurs

• Add argument

  -XX:+HeapDumpOnOutOfMemoryError

  and it will dump to java_pid.hprof file in the working directory.
• Add argument

  -XX:HeapDumpPath=/path/to/output-dir

  to specify the output directory for the dump file. For example:

  -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=$HOME/JavaHeapDumps/

see also

• Oracle Documentation
• Using HeapDumpOnOutOfMemoryError parameter for heap dump for JBoss