Invalid key or spec in GCM mode – error message

Hi All,

Just starting from yesterday we faced this “invalid key or spec in GCM mode” error message in our production Lucee webservers (5 nos identical Lucee webservers) out of the blue.

We have never encountered this error before and has been unable to track down the cause; no changes/update was done to our production servers for several days prior. We run an application login page Lucee server which passes the encrypted user login credentials to main Lucee webservers.

This error message appear in the main Lucee webservers during users login stage to our application. After reboot main Lucee webservers, error disappear. But error sometimes repeat several hours later, and error occurrence has no fixed pattern (some webservers error repeat, other webservers no error repeat after reboot).

Upgrading to Lucee does not resolve this issue. Unable yet to upgrade to due to some unresolved compatibility.

Much appreciated if anyone is able to guide me on where to start troubleshooting on this “invalid key or spec in GCM mode” error message.

Lucee webservers running on AWS Cloud
O/S: Ubuntu 22.04LTS
Java version: 11.0.17 (Ubuntu) 64bit
Database: PostgreSQL 14.5 (in separate DB server)

Could you please post the complete stack trace (better as text than image)? To me this looks like some SSL connection error. What is what this code block does? Some sort of SSL connection to some service?

Hi Andreas,

Apologies, will post full stack trace on next time error occur (its unpredictable and intermittent). End-users did not copy the full stack trace when they reported the errors, and server reboots were done quickly on urgent basis.

The role of above block of code was to receive the encrypted end-users login credentials data from login page from a login server and query for validation. Before this block of code there is a decryption block of codes. There is no SSL service connection function here; just a direct data query to database.

Login Server? How do you get the data? Is there any SSL connection there?

Also, do you have any of those stack traces in your application logs? It should have been logged there.

Below the stack trace from Lucee application log and yes, there is SSL connection.

Our “login server” is basically a small AWS EC2 instance that display an application user login form. When user submit their application login credentials, the form posts to another EC2 instance for login credentials validation. This is 2nd Lucee server where the GCM error appear and code as was screenshot earlier above:

“ERROR”,“https-jsse-nio-8443-exec-16”,“01/31/2023”,“17:28:44”,“”,"invalid key or spec in GCM mode;lucee.runtime.exp.NativeException: invalid key or spec in GCM mode
at java.base/$T13GcmWriteCipherGenerator$GcmWriteCipher.encrypt(
at java.base/
at java.base/
at java.base/
at java.base/$AppOutputStream.write(
at java.base/
at java.base/
at org.postgresql.core.PGStream.sendChar(
at org.postgresql.core.v3.QueryExecutorImpl.sendBind(
at org.postgresql.core.v3.QueryExecutorImpl.sendOneQuery(
at org.postgresql.core.v3.QueryExecutorImpl.sendQuery(
at org.postgresql.core.v3.QueryExecutorImpl.execute(
at org.postgresql.jdbc.PgStatement.executeInternal(
at org.postgresql.jdbc.PgStatement.execute(
at org.postgresql.jdbc.PgPreparedStatement.executeWithFlags(
at org.postgresql.jdbc.PgPreparedStatement.execute(
at lucee.runtime.type.util.QueryUtil.execute(
at lucee.runtime.type.QueryImpl.execute(
at lucee.runtime.type.QueryImpl.(
at lucee.runtime.tag.Query.executeDatasoure(
at lucee.runtime.tag.Query._doEndTag(
at lucee.runtime.tag.Query.doEndTag(
at v50foldersetadmin.v50stringg3new.v50master.contentadmin.inc_glob3cache_settings_cfm$
at lucee.runtime.PageContextImpl._doInclude(
at lucee.runtime.PageContextImpl._doInclude(
at lucee.runtime.PageContextImpl.doInclude(
at v50foldersetadmin.v50stringg3new.v50master.contentadmin.inc_cache_invoke_template_cfm$
at lucee.runtime.PageContextImpl._doInclude(
at lucee.runtime.PageContextImpl._doInclude(
at lucee.runtime.PageContextImpl.doInclude(
at v50foldersetadmin.v50stringg3new.v50master.contentadmin.sym_meta_lang_a_cfm$
at lucee.runtime.PageContextImpl._doInclude(
at lucee.runtime.PageContextImpl._doInclude(
at lucee.runtime.PageContextImpl.doInclude(
at v50foldersetadmin.v50stringg3new.v50master.contentadmin.application_cfc$cf.udfCall(/v50foldersetadmin/v50stringg3new/v50master/contentadmin/application.cfc:289)
at lucee.runtime.type.UDFImpl.implementation(
at lucee.runtime.type.UDFImpl._call(
at lucee.runtime.ComponentImpl._call(
at lucee.runtime.ComponentImpl._call(
at lucee.runtime.listener.ModernAppListener.onError(
at lucee.runtime.listener.MixedAppListener.onError(
at lucee.runtime.PageContextImpl.execute(
at lucee.runtime.PageContextImpl._execute(
at lucee.runtime.PageContextImpl.executeCFML(
at lucee.runtime.engine.Request.exe(
at lucee.runtime.engine.CFMLEngineImpl._service(
at lucee.runtime.engine.CFMLEngineImpl.serviceCFML(
at lucee.loader.engine.CFMLEngineWrapper.serviceCFML(
at lucee.loader.servlet.CFMLServlet.service(
at javax.servlet.http.HttpServlet.service(
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
at org.apache.catalina.core.ApplicationFilterChain.doFilter(
at org.apache.tomcat.websocket.server.WsFilter.doFilter(
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
at org.apache.catalina.core.ApplicationFilterChain.doFilter(
at org.apache.catalina.core.StandardWrapperValve.invoke(
at org.apache.catalina.core.StandardContextValve.invoke(
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(
at org.apache.catalina.core.StandardHostValve.invoke(
at org.apache.catalina.valves.ErrorReportValve.invoke(
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(
at org.apache.catalina.core.StandardEngineValve.invoke(
at org.apache.catalina.connector.CoyoteAdapter.service(
at org.apache.coyote.http11.Http11Processor.service(
at org.apache.coyote.AbstractProcessorLight.process(
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(
at org.apache.tomcat.util.threads.ThreadPoolExecutor$
at org.apache.tomcat.util.threads.TaskThread$
at java.base/
Caused by: java.lang.RuntimeException: invalid key or spec in GCM mode
… 75 more
Caused by: Cannot reuse iv for GCM encryption
at java.base/com.sun.crypto.provider.CipherCore.init(
at java.base/com.sun.crypto.provider.AESCipher.engineInit(
at java.base/javax.crypto.Cipher.init(
at java.base/$T13GcmWriteCipherGenerator$GcmWriteCipher.encrypt(
… 74 more

Not sure, but random guessing (and that is what my experience says) is that the servers you are SSL connecting to (or at least one of them) have been updated in their/its SSL configuration and the underlying Java is not capable of handling these.