This question already has answers here:
Received fatal alert: handshake_failure through SSLHandshakeException
(20 answers)
Closed 5 years ago.
I am posting this question after trying many options from two days. Below are the options I tried.
Disable ssl certificate validation
By downloading crt from browser and converting to .jks and importing keystore.
Still I am getting this issue, any help very much appreciated in advance.
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1943)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1059)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1294)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1321)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1305)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:523)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1296)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
at com.honeywell.sensibo.api.NewMain.main(NewMain.java:73)
Issue resolved.!!! Below are the solutions.
For Java 6:
Add below jars into {JAVA_HOME}/jre/lib/ext.
1. bcprov-ext-jdk15on-154.jar
2. bcprov-jdk15on-154.jar
Add property into {JAVA_HOME}/jre/lib/security/java.security
security.provider.1=org.bouncycastle.jce.provider.BouncyCastleProvider
Java 7:download jar from below link and add to {JAVA_HOME}/jre/lib/security
http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
Java 8:download jar from below link and add to {JAVA_HOME}/jre/lib/security http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
Issue is that it is failed to decrypt 256 bits of encryption.
I am getting similar errors recently because recent JDKs (and browsers, and the Linux TLS stack, etc.) refuse to communicate with some servers in my customer's corporate network. The reason of this is that some servers in this network still have SHA-1 certificates.
Please see:
https://www.entrust.com/understanding-sha-1-vulnerabilities-ssl-longer-secure/
https://blog.qualys.com/ssllabs/2014/09/09/sha1-deprecation-what-you-need-to-know
If this would be your current case (recent JDK vs deprecated certificate encription) then your best move is to update your network to the proper encription technology.
In case that you should provide a temporal solution for that, please see another answers to have an idea about how to make your JDK trust or distrust certain encription algorithms:
How to force java server to accept only tls 1.2 and reject tls 1.0 and tls 1.1 connections
Anyway I insist that, in case that I have guessed properly your problem, this is not a good solution to the problem and that your network admin should consider removing these deprecated certificates and get a new one.
Related
I am working on a Java 1.7 application on a Linux Centos server that connects to a third party using SOAP. Everything was working until the third party upgraded their SSL from TLSv1.1 to TLSv1.2. Now when we try to call their service, we get:
javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://webservices.abc.company.com: Received fatal alert: handshake_failure
We also have another Linux Centos server, that uses the exact same code base, but it can call the SOAP service with no errors. So I have tried to compare to find any differences. The differences I can find is that some of the directory structures are different, but the files I think are applicable are the same. For example,
/etc/httpd/conf.d/ssl.conf
Are both in the same place, and both have the same ciphers:
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
#SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
They both have the same certificate issued by the third party company.
/etc/httpd/ssl/abc.crt
I have stopped the firewall.
sudo systemctl stop firewalld
Question
Do you know where else I can look, and what I can try?
I am trying to implement the HTTPS on an internal web application which uses Play framework (version 2.5) as a Backend framework and Angular as Frontend and I have created a self signed certificate with Keytool following the Play framework documentation:
https://www.playframework.com/documentation/2.5.x/CertificateGeneration.
Then I save the '.crt' file in cacerts (java keystore) and provide the .jks when starting the application with these additional commands:
-Dplay.server.https.keyStore.path="path-to-jks-file"
and -Dplay.server.https.keyStore.password="the-password-here"
But after trying to make a request to the server I get an error:
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown (image below)
Although the handshake happens after that and the HTTPS works correctly. Any ideas how to solve this issue
Link to error image
I have fixed this issue now. The problem with Chrome Browser was on 'Subject Alternative Name' missing, which is required from Chrome 58+ and that caused the error during the tls handshake. After adding SAN property to the certificate the problem is gone.
I posted this answer to help anyone who might have the same problem...
My code connects to apns for push notification. Am using clevertap library from git(https://github.com/CleverTap/apns-http2). It uses okhttp for the connection. When I run code on IBM WAS 8.5.5 and am receiving SSLHandshakeException. Details below. Can you pls help me on how to address this? Am trying with Synchronous mode of sending push message. I use Java 1.7, WAS 8.5.5. Pls let me know if you need more details.
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at com.ibm.jsse2.j.a(j.java:23)
at com.ibm.jsse2.j.a(j.java:21)
at com.ibm.jsse2.qc.b(qc.java:465)
at com.ibm.jsse2.qc.a(qc.java:451)
at com.ibm.jsse2.qc.h(qc.java:759)
at com.ibm.jsse2.qc.a(qc.java:353)
at com.ibm.jsse2.qc.startHandshake(qc.java:800)
at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:299)
at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:268)
at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:160)
When I googled for the issue, it seems the issue is because of IBMJSSE2, the JSSE implementation used by Websphere, in not compatible with this solution.
The problem is that for this implementation, the cipher suite names may starts with SSL_ or TLS_ (IBM documentation), both accepted: but that is not true for OkHttp. But I could not find a work around that I can use to fix the problem.
I read that version 3.7 of the jar will fix the problem but am using 3.9.1 and still running into the same issue.
I have the certificate imported into WAS trust store. I also have TLS 1.2 in the environment.
I'm getting this error while trying to execute and old MapleStory server on linux, I've tried same file on windows and worked without problem. I've tried with serveral Java version without success.
This could be because a root CA's certificate is not present in trust store. For more details refer to previous answer.
I have written some code to connect to my mail server and read emails. I am using POP3 using SSL connection. I have also added SSL certificate to the java keystore. But still i am getting the same exception. Please help. Thanks in advance.
Possible cause this exception would be the cert from the keystore does not match the cert from the server.
Checkout these link might be helpful to you:
Unable to Connect to SSL Services due to PKIX Path Building Failed sun.security.provider.certpath.SunCertPathBuilderException
How to handle invalid SSL certificates with Apache HttpClient?
I got the same error, I disabled always scan encrypted connections in the settings of my antivirus software, and it worked.
I have groovy script, and I was using #Grab(group='org.apache.commons', module='commons-collections4', version='4.2')
I could not runt it because of an error Error grabbing Grapes -- [unresolved dependency: org.apache.commons#commons-collections4;4.2: not found]
Using -Divy.message.logger.level=4 I saw I was having the following problem:
Server access error at url https://repo1.maven.org/maven2/org/apache/commons/commons-collections4/4.2/commons-collections4-4.2.pom (javax.net.ssl.SSLException: Received fatal alert: protocol_version)
My qick fix was to use JDK8 instead of JDK7 it seems that JDK8 has updated certificates and it worked