netty / netty-tcnative

A fork of Apache Tomcat Native, based on finagle-native

Netty tcnative: error:10000070:SSL routines:OPENSSL_internal:BAD_PACKET_LENGTH

onlynishant opened this issue

I use Netty 4.1.92.Final with netty-tcnative-boringssl-static version 2.0.60.Final. I get the error below sometimes (also, sometimes, like once a day, it's very frequent and CPU usage shoots up very high).

I am not able to figure out the root cause and any possible fix.

io.netty.handler.ssl.ReferenceCountedOpenSslEngine$OpenSslHandshakeException: error:10000070:SSL routines:OPENSSL_internal:BAD_PACKET_LENGTH

Code:

SslProvider provider = SslProvider.isAlpnSupported(SslProvider.OPENSSL) ? SslProvider.OPENSSL : SslProvider.JDK;
logger.info("SSL provider: {}", provider);
sslCtx = SslContextBuilder.forServer(keyManagerFactory)
    .sslProvider(provider)
    .ciphers(cypherList)
    .applicationProtocolConfig(new ApplicationProtocolConfig(
        Protocol.ALPN,
        SelectorFailureBehavior.NO_ADVERTISE,
        SelectedListenerFailureBehavior.ACCEPT,
        ApplicationProtocolNames.HTTP_1_1
    ))
    .sessionCacheSize(SSL_SESSION_CACHE_SIZE) // 1800 -> 30 mins
    .sessionTimeout(SSL_SESSION_CACHE_TIMEOUT_SECOND) // 1024 * 100 -> 1000_00 sessions
    .build();

I am assuming it doesn't depend on the installed version of OpenSSL on the Linux server.

Any possible fix or way to debug the real reason?

This looks like you receive an "invalid" SSL packet.

It's a server-to-server communication setup and it occurs only sometimes.
Is there a way to prove or be 100% sure if that's the reason?
The main problem is the very high CPU load during that time, which affects the whole system during that period, which sometimes lasts for 15-20 mins.
One thing that I have noticed is that after restarting the entire cluster (100+) of servers, it disappears. However, I am not very sure of it.

I think the only way you could really "prove it" would be to capture stuff with Wireshark when it happens.
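
Added example (not part of the thread and not netty-tcnative code): one way to test the "invalid SSL packet" theory against a capture is to export the raw bytes of one direction of a TCP stream from Wireshark and walk the TLS record headers until one is malformed. The function name, the plaintext prefix list and the sample bytes are constructed for illustration, and the checks are the generic TLS record-layer rules, assumed here to approximate what the engine rejects rather than BoringSSL's exact code path for BAD_PACKET_LENGTH.

```python
import struct

# TLS record header: 1-byte content type, 2-byte legacy version, 2-byte length.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
# Upper bound on the length field of a TLS 1.2 record (RFC 5246, TLSCiphertext).
MAX_CIPHERTEXT = 2**14 + 2048
# Constructed list of cleartext protocols that commonly hit a TLS port by mistake.
PLAINTEXT_PREFIXES = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"PROXY ", b"SSH-")


def first_bad_record(stream: bytes):
    """Walk the records in one direction of a captured TCP stream.

    Returns (offset, reason) for the first header that is not a valid TLS
    record header, or None if every complete header is well formed.
    """
    if stream.startswith(PLAINTEXT_PREFIXES):
        return 0, "plaintext protocol sent to a TLS port"
    offset = 0
    while offset < len(stream):
        header = stream[offset:offset + 5]
        if len(header) < 5:
            return None  # capture ends mid-header; nothing left to judge
        ctype, major, minor, length = struct.unpack("!BBBH", header)
        if ctype not in CONTENT_TYPES:
            return offset, f"unknown content type {ctype}"
        if major != 3:
            return offset, f"bad version {major}.{minor}"
        if length > MAX_CIPHERTEXT:
            return offset, f"record length {length} exceeds {MAX_CIPHERTEXT}"
        offset += 5 + length  # skip the (encrypted) record body
    return None


# Constructed sample streams, not taken from any real capture.
GOOD = bytes([22, 3, 1, 0, 4]) + b"\x01\x00\x00\x00" + bytes([23, 3, 3, 0, 2]) + b"ab"
HTTP = b"GET /health HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
DESYNC = bytes([22, 3, 1, 0, 4]) + b"\x01\x00\x00\x00" + b"\x17\x03\x03\xff\xff"

if __name__ == "__main__":
    for name, data in (("good", GOOD), ("http", HTTP), ("desync", DESYNC)):
        print(name, first_bad_record(data))
```

A failure at offset 0 points at a peer that is not speaking TLS at all (health check, scanner, misrouted client), while a failure at a later offset points at a stream that lost framing mid-connection.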