DecoderException/SSLException: error:1e000065:Cipher functions:OPENSSL_internal:BAD_DECRYPT

[AndyRichter-TomTom]

Hi netty-team,
we run into an (probably) netty related exception while reading from a Microsoft Azure blob storage using Java API azure-storage-blob and azure-identy to identify against blob storage, which internally depends on azure-core-http-netty including netty-handler and other netty dependencies.

The error is not systematic (i.e. it occurred from time to time, sometimes after several minutes, sometime after several hours), hence it is not really reproducible. After exception entire data read process gets stuck.

Stacktrace

2021-11-03 10:51:53,909 DEBUG SslHandler           : [id: 0xde011f0a, L:/xx.xx.xxx.xxx:43400 - R:blobcontainer.blob.core.windows.net/xx.xx.xxx.xxx:443] HANDSHAKEN: protocol:TLSv1.2 cipher suite:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
2021-11-03 10:51:53,932 DEBUG SslHandler           : [id: 0x68ee1974, L:/xx.xx.xxx.xxx:43394 - R:blobcontainer.blob.core.windows.net/xx.xx.xxx.xxx:443] HANDSHAKEN: protocol:TLSv1.2 cipher suite:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
2021-11-03 10:51:53,942 DEBUG SslHandler           : [id: 0x38b405f3, L:/xx.xx.xxx.xxx:43398 - R:blobcontainer.blob.core.windows.net/xx.xx.xxx.xxx:443] HANDSHAKEN: protocol:TLSv1.2 cipher suite:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
...
2021-11-03 11:00:23,255 DEBUG CountedOpenSslEngine : SSL_read failed with 1: OpenSSL error: 503316581 error:1e000065:Cipher functions:OPENSSL_internal:BAD_DECRYPT
2021-11-03 11:00:23,263 ERROR BlobContainer        : Error dropped: io.netty.handler.codec.DecoderException: javax.net.ssl.SSLException: error:1e000065:Cipher functions:OPENSSL_internal:BAD_DECRYPT
reactor.core.Exceptions$ErrorCallbackNotImplemented: io.netty.handler.codec.DecoderException: javax.net.ssl.SSLException: error:1e000065:Cipher functions:OPENSSL_internal:BAD_DECRYPT
Caused by: io.netty.handler.codec.DecoderException: javax.net.ssl.SSLException: error:1e000065:Cipher functions:OPENSSL_internal:BAD_DECRYPT
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:477)
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
        at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:795)
        at io.netty.channel.epoll.AbstractEpollChannel$AbstractEpollUnsafe$1.run(AbstractEpollChannel.java:425)
        at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:164)
        at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:469)
        at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:384)
        at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:986)
        at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
        at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: javax.net.ssl.SSLException: error:1e000065:Cipher functions:OPENSSL_internal:BAD_DECRYPT
        at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.shutdownWithError(ReferenceCountedOpenSslEngine.java:1071)
        at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.sslReadErrorResult(ReferenceCountedOpenSslEngine.java:1365)
        at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1305)
        at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1392)
        at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1435)
        at io.netty.handler.ssl.SslHandler$SslEngineType$1.unwrap(SslHandler.java:222)
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1342)
        at io.netty.handler.ssl.SslHandler.decodeNonJdkCompatible(SslHandler.java:1246)
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1286)
        at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:507)
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:446)
        ... 17 common frames omitted

Netty version

4.1.69.FINAL
also tried with 4.1.54.Final

JVM version (e.g. java -version)

openjdk 11.0.10 2021-01-19
OpenJDK Runtime Environment AdoptOpenJDK (build 11.0.10+9)
OpenJDK 64-Bit Server VM AdoptOpenJDK (build 11.0.10+9, mixed mode)

OS version (e.g. uname -a)

Linux 3.10.0-1160.15.2.el7.x86_64 #1 SMP Wed Feb 3 15:06:38 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Thank you in advance for your help.

[normanmaurer]

The only thing I can say is that there was dome error during decryption, which seems like some data corruption for example

[normanmaurer]

Please try again with later netty version an re-open if the problem still exists.

[vpanta]

We would like to re-open this Issue, as it has not been resolved.

We have been hitting this semi-regularly within bazel executions on our CI instances (presumably because that's where we do the most downloads for bazel's remote cache). This wasn't associated with any bazel version change, instead was likely due to just incrementally adding more bazel targets, requiring more active parallel network for the cache, and making the bug more likely to occur.

We had hoped that updating bazel from netty@4.1.69 to netty@4.1.75 would resolve it due to the recent 1df38d2 (reducing unsafe async calls to native code), however we are still getting sporadic BAD_DECRYPT errors on CI.

Here's some info for the bug:

Stacktrace

FATAL: bazel crashed due to an internal error. Printing stack trace:
java.lang.RuntimeException: Unrecoverable error while evaluating node 'ActionLookupData{actionLookupKey=ConfiguredTargetKey{label=@org_golang_x_net//html:html, config=BuildConfigurationValue.Key[76128f62a9304cf1ac92c831dde599b7a2b0951f0b9bf3ac2c18a91c7a43512d]}, actionIndex=0}' (requested by nodes '<REMOVED_FOR_BREVITY>', ...)
	at com.google.devtools.build.skyframe.AbstractParallelEvaluator$Evaluate.run(AbstractParallelEvaluator.java:674)
	at com.google.devtools.build.lib.concurrent.AbstractQueueVisitor$WrappedRunnable.run(AbstractQueueVisitor.java:382)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.base/java.lang.Thread.run(Unknown Source)
Caused by: io.netty.handler.codec.DecoderException: javax.net.ssl.SSLException: error:1e000065:Cipher functions:OPENSSL_internal:BAD_DECRYPT
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:480)
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:279)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
	at io.netty.handler.timeout.IdleStateHandler.channelRead(IdleStateHandler.java:286)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:722)
	at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:658)
	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:584)
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:496)
	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:986)
	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	... 1 more
Caused by: javax.net.ssl.SSLException: error:1e000065:Cipher functions:OPENSSL_internal:BAD_DECRYPT
	at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.shutdownWithError(ReferenceCountedOpenSslEngine.java:1071)
	at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.sslReadErrorResult(ReferenceCountedOpenSslEngine.java:1365)
	at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1305)
	at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1392)
	at io.netty.handler.ssl.SslHandler$SslEngineType$1.unwrap(SslHandler.java:216)
	at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1342)
	at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1235)
	at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1284)
	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:510)
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:449)
	... 21 more

Netty version

4.1.75 now, previously on 4.1.69
(via bazel)

JVM version (e.g. java -version)

openjdk version "11.0.8" 2020-07-14
OpenJDK Runtime Environment AdoptOpenJDK (build 11.0.8+10)
OpenJDK 64-Bit Server VM AdoptOpenJDK (build 11.0.8+10, mixed mode)

OS version (e.g. uname -a)

Linux 2fde00d8a1e6 5.13.0-1017-aws #19~20.04.1-Ubuntu SMP Mon Mar 7 12:53:12 UTC 2022 x86_64 GNU/Linux

[vpanta]

@normanmaurer should we reopen this or should I open a new Issue?

[chrisvest]

Reopening. Is it possible to narrow down if it's only certain configurations of the SslHandler that run into this? E.g. use of async tasks, or delegate task executor, or only certain engine implementations.

[vpanta]

Unfortunately I have neither experience with Netty nor with Bazel's source code (beyond simple "update these deps" PRs), so I can't really help you there. The best I can do is point you to https://github.com/bazelbuild/bazel/blob/6872fd230b7fe4a15fa900d16f6f9ddd5726cdc3/src/main/java/com/google/devtools/build/lib/remote/http/HttpCacheClient.java#L273 which seems to be the only place referencing Netty's SslHandler in Bazel.

[MikhailTymchukFT]

We started to face this error too recently. For the first time we associated this with the migration of CI executors to AWS, while they access stuff in GCP and other providers.
@vpanta How did you generate DEBUG log entries?

[vpanta]

@MikhailTymchukFT sorry for the delay, the data I included is just error output from Bazel, we didn't do anything to generate extra log entries.

[vpanta]

For the first time we associated this with the migration of CI executors to AWS, while they access stuff in GCP and other providers.

Interesting, that is actually how we're seeing it as well: CircleCI runs in AWS, and we're accessing the bazel remote cache in GCS instead. It's still fairly transient for us, so we haven't been able to create a hard repeatable case, our best guess is that it has to do with the amount of work attempting to download (more cached data == more likely, maybe?)

[ronisec]

Any update on this? Our setup is similar to the one described by @vpanta - we have Bazel running on CircleCI pulling its remote cache from GCS.

Example error:

FATAL: bazel crashed due to an internal error. Printing stack trace:
java.lang.RuntimeException: Unrecoverable error while evaluating node 'ActionLookupData{actionLookupKey=ConfiguredTargetKey{label=@org_golang_x_mod//modfile:modfile, config=BuildConfigurationValue.Key[715397c6a7caf09b4e18b981ad9582d05714bf0242e15ba840e86c39e4959bae]}, actionIndex=0}' (requested by nodes 'ArtifactNestedSetKey{rawChildren=[File:[/home/circleci/.cache/bazel/_bazel_circleci/f16e36219ef33c22efc2ad20f3e3775c/external/com_github_golang_mock[source]]mockgen/mockgen.go, File:[/home/circleci/.cache/bazel/_bazel_circleci/f16e36219ef33c22efc2ad20f3e3775c/external/com_github_golang_mock[source]]mockgen/parse.go, File:[/home/circleci/.cache/bazel/_bazel_circleci/f16e36219ef33c22efc2ad20f3e3775c/external/com_github_golang_mock[source]]mockgen/reflect.go, File:[/home/circleci/.cache/bazel/_bazel_circleci/f16e36219ef33c22efc2ad20f3e3775c/external/com_github_golang_mock[source]]mockgen/version.1.11.go, File:[/home/circleci/.cache/bazel/_bazel_circleci/f16e36219ef33c22efc2ad20f3e3775c/external/com_github_golang_mock[source]]mockgen/version.1.12.go, File:[[<execution_root>]bazel-out/k8-opt-exec-2B5CBBC6/bin]external/go_sdk/packages.txt, File:[[<execution_root>]bazel-out/k8-opt-exec-2B5CBBC6/bin]external/com_github_golang_mock/mockgen/model/model.x, File:[[<execution_root>]bazel-out/k8-opt-exec-2B5CBBC6/bin]external/org_golang_x_mod/modfile/modfile.x, File:[[<execution_root>]bazel-out/k8-opt-exec-2B5CBBC6/bin]external/org_golang_x_tools/imports/imports.x, File:[/home/circleci/.cache/bazel/_bazel_circleci/f16e36219ef33c22efc2ad20f3e3775c/external/go_sdk[source]]bin/gofmt, File:[/home/circleci/.cache/bazel/_bazel_circleci/f16e36219ef33c22efc2ad20f3e3775c/external/go_sdk[source]]pkg/tool/linux_amd64/addr2line, File:[/home/circleci/.cache/bazel/_bazel_circleci/f16e36219ef33c22efc2ad20f3e3775c/external/go_sdk[source]]pkg/tool/linux_amd64/asm, File:[/home/circleci/.cache/bazel/_bazel_circleci/f16e36219ef33c22efc2ad20f3e3775c/external/go_sdk[source]]pkg/tool/linux_amd64/buildid, File:[/home/circleci/.cache/bazel/_bazel_circleci/f16e36219ef33c22efc2ad20f3e3775c/external/go_sdk[source]]pkg/tool/linux_amd64/cgo, File:[/home/circleci/.cache/bazel/_bazel_circleci/f16e36219ef33c22efc2ad20f3e3775c/external/go_sdk[source]]pkg/tool/linux_amd64/compile, File:[/home/circleci/.cache/bazel/_bazel_circleci/f16e36219ef33c22efc2ad20f3e3775c/external/go_sdk[source]]pkg/tool/linux_amd64/cover, File:[/home/circleci/.cache/bazel/_bazel_circleci/f16e36219ef33c22efc2ad20f3e3775c/external/go_sdk[source]]pkg/tool/linux_amd64/dist, File:[/home/circleci/.cache/bazel/_bazel_circleci/f16e36219ef33c22efc2ad20f3e3775c/external/go_sdk[source]]pkg/tool/linux_amd64/doc, File:[/home/circleci/.cache/bazel/_bazel_circleci/f16e36219ef33c22efc2ad20f3e3775c/external/go_sdk[source]]pkg/tool/linux_amd64/fix, File:[/home/circleci/.cache/bazel/_bazel_circleci/f16e36219ef33c22efc2ad20f3e3775c/external/go_sdk[source]]pkg/tool/linux_amd64/link, File:[/home/circleci/.cache/bazel/_bazel_circleci/f16e36219ef33c22efc2ad20f3e3775c/external/go_sdk[source]]pkg/tool/linux_amd64/nm, File:[/home/circleci/.cache/bazel/_bazel_circleci/f16e36219ef33c22efc2ad20f3e3775c/external/go_sdk[source]]pkg/tool/linux_amd64/objdump, File:[/home/circleci/.cache/bazel/_bazel_circleci/f16e36219ef33c22efc2ad20f3e3775c/external/go_sdk[source]]pkg/tool/linux_amd64/pack, File:[/home/circleci/.cache/bazel/_bazel_circleci/f16e36219ef33c22efc2ad20f3e3775c/external/go_sdk[source]]pkg/tool/linux_amd64/pprof, File:[/home/circleci/.cache/bazel/_bazel_circleci/f16e36219ef33c22efc2ad20f3e3775c/external/go_sdk[source]]pkg/tool/linux_amd64/test2json, File:[/home/circleci/.cache/bazel/_bazel_circleci/f16e36219ef33c22efc2ad20f3e3775c/external/go_sdk[source]]pkg/tool/linux_amd64/trace, File:[/home/circleci/.cache/bazel/_bazel_circleci/f16e36219ef33c22efc2ad20f3e3775c/external/go_sdk[source]]pkg/tool/linux_amd64/vet, File:[/home/circleci/.cache/bazel/_bazel_circleci/f16e36219ef33c22efc2ad20f3e3775c/external/go_sdk[source]]pkg/include/asm_ppc64x.h, File:[/home/circleci/.cache/bazel/_bazel_circleci/f16e36219ef33c22efc2ad20f3e3775c/external/go_sdk[source]]pkg/include/funcdata.h, File:[/home/circleci/.cache/bazel/_bazel_circleci/f16e36219ef33c22efc2ad20f3e3775c/external/go_sdk[source]]pkg/include/textflag.h, File:[[<execution_root>]bazel-out/k8-opt-exec-2B5CBBC6-ST-8f6eb6207b9d/bin]external/io_bazel_rules_go/stdlib_/pkg, File:[[<execution_root>]bazel-out/k8-opt-exec-2B5CBBC6-ST-f53220aca0c7/bin]build/nogo_actual_/nogo_actual]}', ...)
	at com.google.devtools.build.skyframe.AbstractParallelEvaluator$Evaluate.run(AbstractParallelEvaluator.java:674)
	at com.google.devtools.build.lib.concurrent.AbstractQueueVisitor$WrappedRunnable.run(AbstractQueueVisitor.java:382)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.base/java.lang.Thread.run(Unknown Source)
Caused by: io.netty.handler.codec.DecoderException: javax.net.ssl.SSLException: error:1e000065:Cipher functions:OPENSSL_internal:BAD_DECRYPT
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:477)
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
	at io.netty.handler.timeout.IdleStateHandler.channelRead(IdleStateHandler.java:286)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:719)
	at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:655)
	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:581)
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:986)
	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	... 1 more
Caused by: javax.net.ssl.SSLException: error:1e000065:Cipher functions:OPENSSL_internal:BAD_DECRYPT
	at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.shutdownWithError(ReferenceCountedOpenSslEngine.java:1071)
	at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.sslReadErrorResult(ReferenceCountedOpenSslEngine.java:1365)
	at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1305)
	at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1392)
	at io.netty.handler.ssl.SslHandler$SslEngineType$1.unwrap(SslHandler.java:217)
	at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1342)
	at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1235)
	at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1284)
	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:507)
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:446)
	... 21 more

[normanmaurer]

Is there a way you could share a reproducer ?