SSL javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure - java

I'm getting this error while trying to execute and old MapleStory server on linux, I've tried same file on windows and worked without problem. I've tried with serveral Java version without success.

This could be because a root CA's certificate is not present in trust store. For more details refer to previous answer.

Related

Received fatal alert: handshake_failure after upgrade to TLSv1.2

I am working on a Java 1.7 application on a Linux Centos server that connects to a third party using SOAP. Everything was working until the third party upgraded their SSL from TLSv1.1 to TLSv1.2. Now when we try to call their service, we get:
javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://webservices.abc.company.com: Received fatal alert: handshake_failure
We also have another Linux Centos server, that uses the exact same code base, but it can call the SOAP service with no errors. So I have tried to compare to find any differences. The differences I can find is that some of the directory structures are different, but the files I think are applicable are the same. For example,
/etc/httpd/conf.d/ssl.conf
Are both in the same place, and both have the same ciphers:
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
#SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
They both have the same certificate issued by the third party company.
/etc/httpd/ssl/abc.crt
I have stopped the firewall.
sudo systemctl stop firewalld
Question
Do you know where else I can look, and what I can try?

How to fix 'unknown_certificate' error of a self-signed TLS certificate in java play framework

I am trying to implement the HTTPS on an internal web application which uses Play framework (version 2.5) as a Backend framework and Angular as Frontend and I have created a self signed certificate with Keytool following the Play framework documentation:
https://www.playframework.com/documentation/2.5.x/CertificateGeneration.
Then I save the '.crt' file in cacerts (java keystore) and provide the .jks when starting the application with these additional commands:
-Dplay.server.https.keyStore.path="path-to-jks-file"
and -Dplay.server.https.keyStore.password="the-password-here"
But after trying to make a request to the server I get an error:
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown (image below)
Although the handshake happens after that and the HTTPS works correctly. Any ideas how to solve this issue
Link to error image
I have fixed this issue now. The problem with Chrome Browser was on 'Subject Alternative Name' missing, which is required from Chrome 58+ and that caused the error during the tls handshake. After adding SAN property to the certificate the problem is gone.
I posted this answer to help anyone who might have the same problem...

glassfish SSLHandshakeException: Received fatal alert: unknown_ca

I have to call a SOAP web service having client authentication over HTTPS.
I have imported the client certificate (got from company hosting the server) into by keyStore file. I also imported server certificate (downloaded from server) into my trustStore. I have set 'javax.net.ssl.keyStore' and 'javax.net.ssl.keyStorePassword' to the appropriate values.
When I call the web-service from a simple java client (including just some additional jars), the call works and I get a result from the server.
When I call the web-service from within glassfish-4 (same java, same keyStore, same trustStore, same 'javax.net.ssl.keyStore' value etc), I get an exception 'com.sun.xml.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca'.
I use the same java, same keystore, same trustStore in both cases. The first version without glassfish works, so the certificates seems to be ok. The second version with glassfish does not.
Does glassfish-4 do anything specific?
Can it be a problem of other (third party) libraries?
Are there any additional HTTP/SSL settings that I can try out?
What else can it be?
Anybody an idea?
Thanks for help.
I have found the problem.
Glassfish needs the additional VM property 'com.sun.enterprise.security.httpsOutboundKeyAlias'.
This has to be set to the alias of the client certificate.
For standard this is set in domain.xml in the java-config area.
For standard this is set as -Dcom.sun.enterprise.security.httpsOutboundKeyAlias=s1as.
Change the value s1as to the alias of the certificate.

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure [duplicate]

This question already has answers here:
Received fatal alert: handshake_failure through SSLHandshakeException
(20 answers)
Closed 5 years ago.
I am posting this question after trying many options from two days. Below are the options I tried.
Disable ssl certificate validation
By downloading crt from browser and converting to .jks and importing keystore.
Still I am getting this issue, any help very much appreciated in advance.
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1943)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1059)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1294)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1321)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1305)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:523)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1296)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
at com.honeywell.sensibo.api.NewMain.main(NewMain.java:73)
Issue resolved.!!! Below are the solutions.
For Java 6:
Add below jars into {JAVA_HOME}/jre/lib/ext.
1. bcprov-ext-jdk15on-154.jar
2. bcprov-jdk15on-154.jar
Add property into {JAVA_HOME}/jre/lib/security/java.security
security.provider.1=org.bouncycastle.jce.provider.BouncyCastleProvider
Java 7:download jar from below link and add to {JAVA_HOME}/jre/lib/security
http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
Java 8:download jar from below link and add to {JAVA_HOME}/jre/lib/security http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
Issue is that it is failed to decrypt 256 bits of encryption.
I am getting similar errors recently because recent JDKs (and browsers, and the Linux TLS stack, etc.) refuse to communicate with some servers in my customer's corporate network. The reason of this is that some servers in this network still have SHA-1 certificates.
Please see:
https://www.entrust.com/understanding-sha-1-vulnerabilities-ssl-longer-secure/
https://blog.qualys.com/ssllabs/2014/09/09/sha1-deprecation-what-you-need-to-know
If this would be your current case (recent JDK vs deprecated certificate encription) then your best move is to update your network to the proper encription technology.
In case that you should provide a temporal solution for that, please see another answers to have an idea about how to make your JDK trust or distrust certain encription algorithms:
How to force java server to accept only tls 1.2 and reject tls 1.0 and tls 1.1 connections
Anyway I insist that, in case that I have guessed properly your problem, this is not a good solution to the problem and that your network admin should consider removing these deprecated certificates and get a new one.

How to solve sun.security.provider.certpath.SunCertPathBuilderException?

I have written some code to connect to my mail server and read emails. I am using POP3 using SSL connection. I have also added SSL certificate to the java keystore. But still i am getting the same exception. Please help. Thanks in advance.
Possible cause this exception would be the cert from the keystore does not match the cert from the server.
Checkout these link might be helpful to you:
Unable to Connect to SSL Services due to PKIX Path Building Failed sun.security.provider.certpath.SunCertPathBuilderException
How to handle invalid SSL certificates with Apache HttpClient?
I got the same error, I disabled always scan encrypted connections in the settings of my antivirus software, and it worked.
I have groovy script, and I was using #Grab(group='org.apache.commons', module='commons-collections4', version='4.2')
I could not runt it because of an error Error grabbing Grapes -- [unresolved dependency: org.apache.commons#commons-collections4;4.2: not found]
Using -Divy.message.logger.level=4 I saw I was having the following problem:
Server access error at url https://repo1.maven.org/maven2/org/apache/commons/commons-collections4/4.2/commons-collections4-4.2.pom (javax.net.ssl.SSLException: Received fatal alert: protocol_version)
My qick fix was to use JDK8 instead of JDK7 it seems that JDK8 has updated certificates and it worked

Categories