okhttp3 issues with openjdk8 > 8u251 and http/2

[fabiokung]

Hello, we are seeing the same issues described at fabric8io/kubernetes-client#2212 with the official client (version 8.0.0) against kube-apiserver v1.17.3. #1003 also looks similar.

As a quick remediation, we are pinned to older (<= 8u251) JVMs. I haven't tested if the HTTP2_DISABLE=true env var suggested at fabric8io/kubernetes-client#2212 (comment) works with the official client yet, as I haven't had a chance to dig if that is being used by okhttp3 directly, or if it's something that the fabric8io java client does.

[fabiokung]

The main symptoms are TCP connections being RST by kube-apiserver right after TLS handshakes. GODEBUG=http2debug=2 on kube-apiservers will show:

http2: Framer 0xc0136c55e0: wrote GOAWAY len=45 LastStreamID=0 ErrCode=INADEQUATE_SECURITY Debug="Prohibited TLS 1.2 Cipher Suite: c014"

[yue9944882]

thank you @fabiokung for reporting this! the walkaround for this issue on okhttp client will be explicitly excluding HTTP2 from the supported protocols --- the good news is that the okhttp client instance under ApiClient is accessible by its getter/setter. additionally the fix #960 is already published in 9.0.0.

client.setHttpClient(
client.getHttpClient().newBuilder().protocols(Arrays.asList(Protocol.HTTP_1_1)).build());

[fabiokung]

Fixed in 9.0.0