My application is running on jdk1.8.0_221 & tomcat 8 on Kubernetes.
When I try to connect to the URL using wget with the same certificate able to complete the call.
But when I try to connect using Java application its failing with error "Received fatal alert: handshake_failure".
Following are the ssl logs:
Is initial handshake: true
Is secure renegotiation: false
Timer-2,grails-cache-ehcache,hushly-deployment-7bcf9d98cf-lwtlk-20370, setSoTimeout(30000) called
Ignoring disabled protocol: SSLv3
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
update handshake state: client_hello[1]
upcoming handshake states: server_hello[2]
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1560217405 bytes = { 75, 51, 117, 237, 75, 213, 47, 220, 209, 236, 129, 21, 83, 91, 45, 173, 87, 8, 4, 62, 50, 51, 160, 94, 255, 240, 62, 68 }
Session ID: {}
Cipher Suites: [TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension extended_master_secret
***
Timer-2,grails-cache-ehcache,hushly-deployment-7bcf9d98cf-lwtlk-20370, WRITE: TLSv1.2 Handshake, length = 119
Timer-2,grails-cache-ehcache,hushly-deployment-7bcf9d98cf-lwtlk-20370, READ: TLSv1.2 Alert, length = 2
Timer-2,grails-cache-ehcache,hushly-deployment-7bcf9d98cf-lwtlk-20370, RECV TLSv1.2 ALERT: fatal, handshake_failure
Timer-2,grails-cache-ehcache,hushly-deployment-7bcf9d98cf-lwtlk-20370, called closeSocket()
Timer-2,grails-cache-ehcache,hushly-deployment-7bcf9d98cf-lwtlk-20370, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
22-Dec-2019 06:03:42.674 WARNING [Timer-2,grails-cache-ehcache,hushly-deployment-7bcf9d98cf-lwtlk-20370] org.jgroups.ping.kube.KubePing.doReadAll Problem getting Pod json from Kubernetes Client[masterUrl=https://10.100.0.1:443/api/v1, headers={}, connectTimeout=5000, readTimeout=30000, operationAttempts=3, operationSleep=1000, streamProvider=org.openshift.ping.common.stream.TokenStreamProvider#880aefb] for cluster [grails-cache-ehcache], namespace [default], labels [app=hushly]; encountered [java.lang.Exception: 3 attempt(s) with a 1000ms sleep to execute [OpenStream] failed. Last failure was [javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure]]
Below is the code which used to prepare SSLSocketFactory:
X509Certificate cert = (X509Certificate)certFactory.generateCertificate(pemInputStream);
KeyStore trustStore = KeyStore.getInstance("JKS");
trustStore.load((LoadStoreParameter)null);
String alias = cert.getSubjectX500Principal().getName();
trustStore.setCertificateEntry(alias, cert);
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(trustStore);
SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
sslContext.init(kmf.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
sslsocketfactory = sslContext.getSocketFactory();
What am I missing here ?
I am facing a strange issue, looks like JDK behaving strangely.
I have written a JAVA application, and using setEnabledCipherSuites() to set my preferred cipher list for TLS connection.
Strangely when I set a single cipher suit (say TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256), the TLS handshake fails. Please note, both client and server were configured to use same cipher.
However when I set a list of ciphers, at least 2 (say TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 and TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256), everything works like a charm.
Is this caused by any strange JDK issue?
Editing the question to add a clientHello here for cipher TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, however I dind't find a corresponding serverHello going out.
ClientHello, TLSv1.2 RandomCookie: GMT: 1483351573 bytes = { 236, 104, 69, 5, 204, 179, 32, 84, 44, 7, 84, 102, 15, 73, 185, 254, 42, 128, 113, 217, 120, 205, 199, 195, 162, 120, 161, 41 } Session ID: {} Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256] Compression Methods: { 0 } Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1} Extension ec_point_formats, formats: [uncompressed] Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA Extension renegotiation_info, renegotiated_connection: <empty> default-server-worker 3, WRITE: TLSv1.2 Handshake, length = 142 serverin-server-worker 0, READ: TLSv1.2 Handshake, length = 142
The java version is
java version "1.8.0_102"
Java(TM) SE Runtime Environment (build 1.8.0_102-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.102-b14, mixed mode)
I am trying to download an image from an HTTPS server using a Java HTTP client like so...
System.setProperty("javax.net.debug", "all");
System.setProperty("jsse.enableSNIExtension", "false");
URL url = new URL("https://secureserver.com/media/hot-jlaw-image.jpg")
HttpURLConnection urlConn = url.openConnection()
urlConn.setRequestMethod("GET")
File myImg = new File("/Users/joe/Downloads/myImage.jpg")
myImg.append(urlConn.getInputStream())
My client is running on Java 8. With debugging turned on, I see what includes the below...
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1478629170 bytes = { 23, 147, 128, 164, 76, 36, 0, 143, 175, 43, 227, 154, 16, 212, 209, 112, 224, 227, 0, 109, 196, 178, 231, 43, 112, 198, 36, 235 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
main, WRITE: TLSv1.2 Handshake, length = 193
Caught: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
[Raw read]: length = 5
0000: 15 03 03 00 02 .....
[Raw read]: length = 2
0000: 02 28 .(
main, READ: TLSv1.2 Alert, length = 2
main, RECV TLSv1.2 ALERT: fatal, handshake_failure
So it seems like the Client Hello is sent and the Handshake is sent but nothing is sent back from the server except an alert about handshake failure.
This answer suggests several reasons why this error could occur, for example Incompatible cipher suites or Incomplete trust paths, and it suggests turning on debugging.
But in my case debugging hasn't revealed the culprit. Any suggestions on what else to try?
Turns out the problem was this line
System.setProperty("jsse.enableSNIExtension", "false");'
Their server must have been virtual because some posts indicate this will not work for such servers.
I recently received a certificate from Commodo and I'm trying to integrate it with my Scala Spray Server. I have an trait to configure my Spray sever:
import java.io.{BufferedInputStream, FileInputStream}
import java.security.{SecureRandom, KeyStore}
import java.security.cert.{X509Certificate, CertificateFactory}
import javax.net.ssl.{TrustManagerFactory, KeyManagerFactory, SSLContext}
import spray.io._
import org.apache.camel.util.jsse._
// for SSL support (if enabled in application.conf)
trait MySSLConfig {
// if there is no SSLContext in scope implicitly the HttpServer uses the default SSLContext,
// since we want non-default settings in this example we make a custom SSLContext available here
implicit def sslContext: SSLContext = {
val keyStoreResource = "/home/ubuntu/key.jks"
val password = "password"
val keyStore = KeyStore.getInstance("jks")
keyStore.load(getClass.getResourceAsStream(keyStoreResource), password.toCharArray)
val keyManagerFactory = KeyManagerFactory.getInstance("SunX509")
keyManagerFactory.init(keyStore, password.toCharArray)
val trustManagerFactory = TrustManagerFactory.getInstance("SunX509")
trustManagerFactory.init(keyStore)
val context = SSLContext.getInstance("TLS")
context.init(keyManagerFactory.getKeyManagers, trustManagerFactory.getTrustManagers, new SecureRandom)
context
}
implicit def sslEngineProvider: ServerSSLEngineProvider = {
ServerSSLEngineProvider { engine =>
engine.setEnabledCipherSuites(Array("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"))
engine.setEnabledProtocols(Array("SSLv3", "TLSv1.2", "TLSv1", "TLSv1.1"))
engine
}
}
}
However I am getting this error at runtime when I try and request my uri with https
2015-09-15 02:06:54,662 - [ERROR] - from akka.actor.OneForOneStrategy in NflDbApiActorSystemConfig-akka.actor.default-dispatcher-11
Unsupported ciphersuite TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
java.lang.IllegalArgumentException: Unsupported ciphersuite TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
at sun.security.ssl.CipherSuite.valueOf(CipherSuite.java:235) ~[na:1.7.0_79]
at sun.security.ssl.CipherSuiteList.<init>(CipherSuiteList.java:82) ~[na:1.7.0_79]
at sun.security.ssl.SSLEngineImpl.setEnabledCipherSuites(SSLEngineImpl.java:2014) ~[na:1.7.0_79]
at com.suredbits.dfs.config.MySSLConfig$$anonfun$sslEngineProvider$1.apply(MySslConfig.scala:34) ~[suredbits-dfs.suredbits-dfs-0.0.1.jar:0.0.1]
at com.suredbits.dfs.config.MySSLConfig$$anonfun$sslEngineProvider$1.apply(MySslConfig.scala:33) ~[suredbits-dfs.suredbits-dfs-0.0.1.jar:0.0.1]
at scala.Option.map(Option.scala:145) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at spray.io.SSLEngineProviderCompanion$$anonfun$apply$3.apply(SslTlsSupport.scala:408) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at spray.io.SSLEngineProviderCompanion$$anonfun$apply$3.apply(SslTlsSupport.scala:408) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at spray.io.ServerSSLEngineProvider$$anon$3.apply(SslTlsSupport.scala:427) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at spray.io.ServerSSLEngineProvider$$anon$3.apply(SslTlsSupport.scala:425) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at spray.can.server.HttpServerConnection$$anon$1.sslEngine(HttpServerConnection.scala:78) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at spray.can.server.RequestParsing$$anon$1$$anon$2.<init>(RequestParsing.scala:41) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at spray.can.server.RequestParsing$$anon$1.apply(RequestParsing.scala:39) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at spray.can.server.RequestParsing$$anon$1.apply(RequestParsing.scala:37) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at spray.io.RawPipelineStage$$anon$3.apply(Pipelines.scala:117) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at spray.io.RawPipelineStage$$anon$3.apply(Pipelines.scala:116) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at spray.io.RawPipelineStage$$anon$3.apply(Pipelines.scala:116) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at spray.io.RawPipelineStage$$anon$3.apply(Pipelines.scala:116) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at spray.io.RawPipelineStage$$anon$3.apply(Pipelines.scala:116) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at spray.io.RawPipelineStage$$anon$3.apply(Pipelines.scala:116) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at spray.io.ConnectionHandler$class.running(ConnectionHandler.scala:56) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at spray.can.server.HttpServerConnection.running(HttpServerConnection.scala:29) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at spray.can.server.HttpServerConnection.register(HttpServerConnection.scala:68) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at spray.can.server.HttpServerConnection$$anonfun$receive$1.applyOrElse(HttpServerConnection.scala:49) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at akka.actor.Actor$class.aroundReceive(Actor.scala:465) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at spray.can.server.HttpServerConnection.aroundReceive(HttpServerConnection.scala:29) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at akka.actor.ActorCell.receiveMessage(ActorCell.scala:516) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at akka.actor.ActorCell.invoke(ActorCell.scala:487) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at akka.dispatch.Mailbox.processMailbox(Mailbox.scala:254) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at akka.dispatch.Mailbox.run(Mailbox.scala:221) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at akka.dispatch.Mailbox.exec(Mailbox.scala:231) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at scala.concurrent.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at scala.concurrent.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at scala.concurrent.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979) [suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at scala.concurrent.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107) [suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
Can anyone provide any insight as to why I am getting this error?
EDIT:
I upgraded the jdk to 1.8 as #Steffen Ullrich which yields a new error that I am receiving:
2015-09-15 15:14:51,717 - [ERROR] - from spray.can.server.HttpServerConnection in NflDbApiActorSystemConfig-akka.actor.default-dispatcher-7
Aborting encrypted connection to my-ip due to [SSLHandshakeException:no cipher suites in common] -> [SSLHandshakeException:no cipher suites in common]
2015-09-15 15:14:51,881 - [ERROR] - from spray.can.server.HttpServerConnection in NflDbApiActorSystemConfig-akka.actor.default-dispatcher-4
Aborting encrypted connection to my-ip due to [SSLHandshakeException:no cipher suites in common] -> [SSLHandshakeException:no cipher suites in common]
2015-09-15 15:14:52,029 - [ERROR] - from spray.can.server.HttpServerConnection in NflDbApiActorSystemConfig-akka.actor.default-dispatcher-10
Aborting encrypted connection to my-ip due to [SSLHandshakeException:Client requested protocol TLSv1.1 not enabled or not supported] -> [SSLHandshakeException:Client requested protocol TLSv1.1 not enabled or not supported]
2015-09-15 15:14:52,184 - [ERROR] - from spray.can.server.HttpServerConnection in NflDbApiActorSystemConfig-akka.actor.default-dispatcher-2
Aborting encrypted connection to my-ip due to [SSLHandshakeException:Client requested protocol TLSv1 not enabled or not supported] -> [SSLHandshakeException:Client requested protocol TLSv1 not enabled or not supported]
EDIT2:
I modified this line
engine.setEnabledCipherSuites(sslContext.getServerSocketFactory.getSupportedCipherSuites)
which gives me a list of cipher suites that includes
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
however I am still getting this error:
2015-09-15 18:43:55,690 - [INFO] - from org.apache.camel.util.jsse.SSLContextParameters in NflDbApiActorSystemConfig-akka.actor.default-dispatcher-9
Available providers: SUN version 1.8.
2015-09-15 18:43:55,696 - [ERROR] - from spray.can.server.HttpServerConnection in NflDbApiActorSystemConfig-akka.actor.default-dispatcher-4
Aborting encrypted connection to my-ip due to [SSLHandshakeException:no cipher suites in common] -> [SSLHandshakeException:no cipher suites in common]
more logs using a more granular debugging mode for -Djava.net.debug=ssl
Using SSLEngineImpl.
Using SSLEngineImpl.
Using SSLEngineImpl.
Using SSLEngineImpl.
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring disabled protocol: SSLv3
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-42, READ: TLSv1 Handshake, length = 167
*** ClientHello, TLSv1
RandomCookie: GMT: -265533514 bytes = { 61, 40, 108, 219, 248, 171, 159, 143, 197, 121, 120, 2, 169, 117, 206, 251, 77, 174, 188, 36, 13, 240, 239, 104, 177, 132, 36, 253 }
Session ID: {}
Cipher Suites: [Unknown 0x56:0x0, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5]
Compression Methods: { 0 }
Extension server_name, server_name: [type=host_name (0), value=api.extrapoint.io]
Extension renegotiation_info, renegotiated_connection: <empty>
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
Extension ec_point_formats, formats: [uncompressed]
Unsupported extension type_35, data:
Unsupported extension type_13172, data:
Unsupported extension type_16, data: 00:12:08:73:70:64:79:2f:33:2e:31:08:68:74:74:70:2f:31:2e:31
Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_18, data:
***
%% Initialized: [Session-868, SSL_NULL_WITH_NULL_NULL]
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-42, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
%% Invalidated: [Session-868, SSL_NULL_WITH_NULL_NULL]
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-42, SEND TLSv1 ALERT: fatal, description = handshake_failure
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-42, WRITE: TLSv1 Alert, length = 2
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-42, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
Using SSLEngineImpl.
Using SSLEngineImpl.
Using SSLEngineImpl.
Using SSLEngineImpl.
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring disabled protocol: SSLv3
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-38, READ: TLSv1 Handshake, length = 167
*** ClientHello, TLSv1
RandomCookie: GMT: -1569487286 bytes = { 25, 54, 227, 33, 169, 61, 202, 196, 56, 250, 139, 68, 8, 183, 153, 237, 234, 230, 40, 91, 244, 198, 29, 236, 243, 121, 109, 28 }
Session ID: {}
Cipher Suites: [Unknown 0x56:0x0, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5]
Compression Methods: { 0 }
Extension server_name, server_name: [type=host_name (0), value=api.extrapoint.io]
Extension renegotiation_info, renegotiated_connection: <empty>
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
Extension ec_point_formats, formats: [uncompressed]
Unsupported extension type_35, data:
Unsupported extension type_13172, data:
Unsupported extension type_16, data: 00:12:08:73:70:64:79:2f:33:2e:31:08:68:74:74:70:2f:31:2e:31
Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_18, data:
***
%% Initialized: [Session-869, SSL_NULL_WITH_NULL_NULL]
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-38, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
%% Invalidated: [Session-869, SSL_NULL_WITH_NULL_NULL]
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-38, SEND TLSv1 ALERT: fatal, description = handshake_failure
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-38, WRITE: TLSv1 Alert, length = 2
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-38, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
Using SSLEngineImpl.
Using SSLEngineImpl.
Using SSLEngineImpl.
Using SSLEngineImpl.
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring disabled protocol: SSLv3
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-45, READ: TLSv1 Handshake, length = 167
*** ClientHello, TLSv1
RandomCookie: GMT: -1995784349 bytes = { 231, 253, 51, 160, 51, 83, 215, 117, 136, 228, 2, 249, 107, 133, 172, 213, 70, 200, 95, 170, 53, 5, 93, 19, 131, 185, 241, 92 }
Session ID: {}
Cipher Suites: [Unknown 0x56:0x0, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5]
Compression Methods: { 0 }
Extension server_name, server_name: [type=host_name (0), value=api.extrapoint.io]
Extension renegotiation_info, renegotiated_connection: <empty>
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
Extension ec_point_formats, formats: [uncompressed]
Unsupported extension type_35, data:
Unsupported extension type_13172, data:
Unsupported extension type_16, data: 00:12:08:73:70:64:79:2f:33:2e:31:08:68:74:74:70:2f:31:2e:31
Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_18, data:
***
%% Initialized: [Session-870, SSL_NULL_WITH_NULL_NULL]
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-45, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
%% Invalidated: [Session-870, SSL_NULL_WITH_NULL_NULL]
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-45, SEND TLSv1 ALERT: fatal, description = handshake_failure
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-45, WRITE: TLSv1 Alert, length = 2
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-45, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
Using SSLEngineImpl.
Using SSLEngineImpl.
Using SSLEngineImpl.
Using SSLEngineImpl.
Using SSLEngineImpl.
Using SSLEngineImpl.
Using SSLEngineImpl.
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring disabled protocol: SSLv3
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-41, READ: TLSv1 Handshake, length = 208
*** ClientHello, TLSv1.2
RandomCookie: GMT: -1327152795 bytes = { 83, 242, 3, 179, 176, 55, 11, 121, 181, 163, 83, 1, 237, 23, 101, 140, 177, 179, 40, 128, 77, 190, 63, 204, 162, 105, 4, 57 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5]
Compression Methods: { 0 }
Extension server_name, server_name: [type=host_name (0), value=api.extrapoint.io]
Extension renegotiation_info, renegotiated_connection: <empty>
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
Extension ec_point_formats, formats: [uncompressed]
Unsupported extension type_35, data:
Unsupported extension type_13172, data:
Unsupported extension type_16, data: 00:1b:08:73:70:64:79:2f:33:2e:31:05:68:32:2d:31:34:02:68:32:08:68:74:74:70:2f:31:2e:31
Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_18, data:
Extension signature_algorithms, signature_algorithms: SHA256withRSA, SHA384withRSA, SHA512withRSA, SHA1withRSA, SHA256withECDSA, SHA384withECDSA, SHA512withECDSA, SHA1withECDSA, Unknown (hash:0x4, signature:0x2), SHA1withDSA
***
%% Initialized: [Session-871, SSL_NULL_WITH_NULL_NULL]
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-41, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
%% Invalidated: [Session-871, SSL_NULL_WITH_NULL_NULL]
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-41, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-41, WRITE: TLSv1.2 Alert, length = 2
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-41, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
Using SSLEngineImpl.
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring disabled protocol: SSLv3
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-43, READ: TLSv1 Handshake, length = 167
*** ClientHello, TLSv1
RandomCookie: GMT: -300410757 bytes = { 151, 231, 251, 170, 239, 146, 191, 87, 5, 9, 151, 64, 86, 10, 220, 175, 228, 71, 112, 41, 250, 35, 36, 140, 114, 28, 8, 130 }
Session ID: {}
Cipher Suites: [Unknown 0x56:0x0, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5]
Compression Methods: { 0 }
Extension server_name, server_name: [type=host_name (0), value=api.extrapoint.io]
Extension renegotiation_info, renegotiated_connection: <empty>
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
Extension ec_point_formats, formats: [uncompressed]
Unsupported extension type_35, data:
Unsupported extension type_13172, data:
Unsupported extension type_16, data: 00:12:08:73:70:64:79:2f:33:2e:31:08:68:74:74:70:2f:31:2e:31
Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_18, data:
***
%% Initialized: [Session-872, SSL_NULL_WITH_NULL_NULL]
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-43, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
%% Invalidated: [Session-872, SSL_NULL_WITH_NULL_NULL]
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-43, SEND TLSv1 ALERT: fatal, description = handshake_failure
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-43, WRITE: TLSv1 Alert, length = 2
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-43, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
Using SSLEngineImpl.
Using SSLEngineImpl.
Using SSLEngineImpl.
Using SSLEngineImpl.
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring disabled protocol: SSLv3
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-43, READ: TLSv1 Handshake, length = 167
*** ClientHello, TLSv1.1
RandomCookie: GMT: -1944581904 bytes = { 65, 211, 112, 212, 209, 223, 205, 60, 175, 177, 83, 168, 139, 174, 78, 221, 40, 69, 103, 105, 117, 231, 103, 50, 53, 237, 22, 58 }
Session ID: {}
Cipher Suites: [Unknown 0x56:0x0, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5]
Compression Methods: { 0 }
Extension server_name, server_name: [type=host_name (0), value=api.extrapoint.io]
Extension renegotiation_info, renegotiated_connection: <empty>
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
Extension ec_point_formats, formats: [uncompressed]
Unsupported extension type_35, data:
Unsupported extension type_13172, data:
Unsupported extension type_16, data: 00:12:08:73:70:64:79:2f:33:2e:31:08:68:74:74:70:2f:31:2e:31
Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_18, data:
***
%% Initialized: [Session-873, SSL_NULL_WITH_NULL_NULL]
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-43, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
%% Invalidated: [Session-873, SSL_NULL_WITH_NULL_NULL]
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-43, SEND TLSv1.1 ALERT: fatal, description = handshake_failure
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-43, WRITE: TLSv1.1 Alert, length = 2
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-43, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
Using SSLEngineImpl.
Using SSLEngineImpl.
Using SSLEngineImpl.
Using SSLEngineImpl.
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring disabled protocol: SSLv3
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-41, READ: TLSv1 Handshake, length = 167
*** ClientHello, TLSv1
RandomCookie: GMT: 584450856 bytes = { 254, 198, 84, 40, 79, 119, 157, 34, 77, 19, 234, 180, 195, 251, 21, 69, 247, 233, 184, 117, 184, 4, 179, 104, 68, 102, 84, 232 }
Session ID: {}
Cipher Suites: [Unknown 0x56:0x0, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5]
Compression Methods: { 0 }
Extension server_name, server_name: [type=host_name (0), value=api.extrapoint.io]
Extension renegotiation_info, renegotiated_connection: <empty>
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
Extension ec_point_formats, formats: [uncompressed]
Unsupported extension type_35, data:
Unsupported extension type_13172, data:
Unsupported extension type_16, data: 00:12:08:73:70:64:79:2f:33:2e:31:08:68:74:74:70:2f:31:2e:31
Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_18, data:
***
%% Initialized: [Session-874, SSL_NULL_WITH_NULL_NULL]
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-41, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
%% Invalidated: [Session-874, SSL_NULL_WITH_NULL_NULL]
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-41, SEND TLSv1 ALERT: fatal, description = handshake_failure
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-41, WRITE: TLSv1 Alert, length = 2
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-41, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 is a TLSv1.2 cipher suite.
It can not be used with SSLv3 or TLSv1. Also, it might not be even available for the unknown version of Java you are using.
Edit: since it is now known that Java 1.7 is used:
According to the documentation from Oracle no GCM ciphers are available in Java 1.7 but they only got added to Java 1.8. Which explains the message about unsupported cipher.
The issue with this was that the key was generated incorrectly. I had to go on to support with COMODO and get help with the key generation.
We've recently updated a project from Java 6 to Java 8 and now we've hit a brick wall regarding SSL handshake.
The service layer uses a client to request and receive calls from a third party application. In the service layer, the keystore is initialized with
System.setProperty("javax.net.ssl.trustStore", keyStoreFile);
System.setProperty("javax.net.ssl.trustStorePassword", keyStorePassword);
and injected via applicationContext.xml:
<property name="keyStoreFile" value="/keystore/keystore.keystore" />
<property name="keyStorePassword" value="password" />
The client is supposed to trust all certificates in case of errors:
private void trustHttpsCertificates() throws Exception {
try {
Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
// Create a trust manager that does not validate certificate chains
TrustManager[] trustAllCerts = new TrustManager[] {
new X509TrustManager() {
public X509Certificate[] getAcceptedIssuers() {
return new X509Certificate[0];
}
public void checkServerTrusted(X509Certificate[] certs, String authType) {
}
public void checkClientTrusted(X509Certificate[] certs, String authType) {
}
}
};
// Ignore differences between given hostname and certificate hostname
HostnameVerifier hv = new HostnameVerifier() {
public boolean verify(String hostname, SSLSession session) { return true; }
};
// Install the all-trusting trust manager
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, trustAllCerts, new SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
HttpsURLConnection.setDefaultHostnameVerifier(hv);
} catch (KeyManagementException e) {
String errorMsg = "client initialization error: " + e.getMessage();
log.error(errorMsg);
throw new Exception(errorMsg, e);
}
}
I changed "SSL" above to "TLSv1" in the upgrade process, since SSL isn't supported on Java 8. Might that be a problem?
Debug logs
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
http-nio-9080-exec-6, setSoTimeout(0) called
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1423711122 bytes = { 237, 188, 53, 112, 79, 112, 248, 92, 164, 127, 178, 34, 205, 40, 245, 25, 77, 143, 116, 126, 203, 96, 61, 181, 114, 148, 66, 227 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
***
[write] MD5 and SHA1 hashes: len = 237
// ...
http-nio-9080-exec-6, READ: TLSv1 Alert, length = 2
http-nio-9080-exec-6, RECV TLSv1.2 ALERT: fatal, handshake_failure
http-nio-9080-exec-6, called closeSocket()
http-nio-9080-exec-6, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
// ...
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1512)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1440)
at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338)
Thoughts
There are mainly two things that stand out compared to the old version with Java 6:
In the logs for the old verison, when a successful attempt is made, it clealy presents the correct certificate:
http-9080-1, READ: TLSv1 Handshake, length = 1375
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: xxx
Signature Algorithm: MD5withRSA
Key: Sun RSA public key, 1024 bits
Validity: [From: Wed May 26 14:31:31 CEST 1999,
To: Thu May 25 14:31:31 CEST 2000]
Issuer: xxx
SerialNumber: [ 01]
]
Algorithm: [MD5withRSA]
This doesn't happen in the new Java 8 version.
Also, TLSv1 vs TLSv1.2?
http-nio-9080-exec-6, READ: TLSv1 Alert, length = 2
http-nio-9080-exec-6, RECV TLSv1.2 ALERT: fatal, handshake_failure
Is it saying I'm trying to connect with TLSv1.2? Or TLSv1? And it's not accepted? I don't really understand. Is there a way to find out what TLS versions are accepted by the server?
I've tried adding flags to startup:
-Dhttps.protocols=TLSv1
-Ddeployment.security.TLSv1=true
-Djavax.net.ssl.keyStore=C:\keystore\keystore.keystore
-Djavax.net.ssl.keyStorePassword=password
-Djavax.net.ssl.trustStore=C:\keystore\keystore.keystore
-Djavax.net.ssl.trustStorePassword=password
Also adding a keystore Manager programmatically:
KeyStore ks = KeyStore.getInstance("JKS");
InputStream ksIs = new FileInputStream("/keystore/keystore.keystore");
try {
ks.load(ksIs, password.toCharArray());
} catch (Exception e) {
e.printStackTrace();
} finally {
if (ksIs != null) {
try {
ksIs.close();
} catch (IOException e) {
e.printStackTrace();
}
}
}
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(ks, password.toCharArray());
and then initializing SSLContext with that:
sc.init(kmf.getKeyManagers(), trustAllCerts, new SecureRandom());
but the problem persists. Help, anyone?
Alright, so we've got it working now. I'll post the answer here in case someone might need it some day.
We have tried quite a few things, so I'm not exactly sure what actually needed to be done in order for it to work, but here are some of the things we changed in the process.
-Dhttps.protocols=SSLv3,TLSv1,SSLv2Hello
Adding this flag led to the certificate being presented in the javax.net.debug logs, but we were still getting SSLHandshakeException. It seems like the only cipher the server would accept was SSL_RSA_WITH_RC4_128_MD5. This was not picked automatically by our client.
-Dhttps.cipherSuites=SSL_RSA_WITH_RC4_128_MD5
We added this flag to restrict the cipher suits for the client. Together with setting the same restriction programmatically (not sure if both are needed):
socket.setEnabledCipherSuites(new String[] {"SSL_RSA_WITH_RC4_128_MD5"});
Restricting the available cipher suites to the only one that the client could use, made the client pick that cipher suite.
We also did the following changes the the jre/lib/security/java.security file to enable SSLv3 and the SSL_RSA_WITH_RC4_128_MD5 cipher:
remove SSLv3 from jdk.tls.disabledAlgorithms
add SSL_RSA_WITH_RC4_128_MD5 to jdk.tls.legacyAlgorithms
This is probably not recommended for production servers, since SSLv3 is obsolete, and the cipher is very old and outdated, but in this case security is not a huge concern (internal application use).
These posts were also helpful to me:
SSL connection failing for Java 7
Java 7 (acting as client) SSL handshake failure with keystore and truststore that worked in Java 6
Received fatal alert: handshake_failure through SSLHandshakeException
Java cipher suites
My guess is that your server is too broken to deal properly with TLS 1.2 handshakes. Usually a server which does not understand TLS 1.2 should reply with the best version it can but your server does not.
Broken servers like this exists and browsers try to work around these by retrying with a lower TLS version. Outside of browsers these retries are not common so these clients simply fail.
While I cannot say for sure that the server is broken the certificate which expired 15 years ago and was signed with the long broken MD5 algorithm suggest that you have to do with a very old and neglected installation. So chances are high that it never occurred to the developers of the original server that something like TLS 1.2 might ever exist or that the it croaks on one of the TLS extensions used in the TLS 1.2 handshake.
Since this issue is not related to the validation of the certificate all attempts to fix the issue by fiddling in the area of validation are useless. You might have more success if you enforce the use of TLS 1.1 or TLS 1.1 instead of TLS 1.2. You might try to do this with the -Dhttps.protocols=TLSv1,TLSv1.1 or -Dhttps.protocols=TLSv1 settings.
String testURL = "https://api.chargeio.com/status";
SSLContext sslcontext = SSLContext.getInstance("TLSv1.2");
sslcontext.init(null, null, null);
try {
SSLConnectionSocketFactory socketFactory = new
SSLConnectionSocketFactory(sslcontext,
SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER); // Socket
HttpClient client =
HttpClients.custom().setSSLSocketFactory(socketFactory).build();
HttpGet httpget = new HttpGet(testURL);
HttpResponse response = client.execute(httpget);
System.out.println(EntityUtils.toString(response.getEntity()));
System.out.println("Response Code (Apache): " + response.getStatusLine().getStatusCode());
} catch (Exception e) {
System.err.println("HttpsURLConnection Failed");
e.printStackTrace();
}