Has anyone encountered this error before? I'm new to SSL, is there anything obviously wrong with my ClientHello that I'm missing? That exception is thrown with no ServerHello response. Any advice is appreciated.
*** ClientHello, TLSv1
RandomCookie: GMT: 1351745496 bytes = { 154, 151, 225, 128, 127, 137, 198, 245, 160, 35, 124, 13, 135, 120, 33, 240, 82, 223, 56, 25, 207, 231, 231, 124, 103, 205, 66, 218 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
***
[write] MD5 and SHA1 hashes: len = 75
0000: 01 00 00 47 03 01 51 92 00 D8 9A 97 E1 80 7F 89 ...G..Q.........
0010: C6 F5 A0 23 7C 0D 87 78 21 F0 52 DF 38 19 CF E7 ...#...x!.R.8...
0020: E7 7C 67 CD 42 DA 00 00 20 00 04 00 05 00 2F 00 ..g.B... ...../.
0030: 33 00 32 00 0A 00 16 00 13 00 09 00 15 00 12 00 3.2.............
0040: 03 00 08 00 14 00 11 00 FF 01 00 ...........
xxx, WRITE: TLSv1 Handshake, length = 75
[write] MD5 and SHA1 hashes: len = 101
0000: 01 03 01 00 3C 00 00 00 20 00 00 04 01 00 80 00 ....<... .......
0010: 00 05 00 00 2F 00 00 33 00 00 32 00 00 0A 07 00 ..../..3..2.....
0020: C0 00 00 16 00 00 13 00 00 09 06 00 40 00 00 15 ............@...
0030: 00 00 12 00 00 03 02 00 80 00 00 08 00 00 14 00 ................
0040: 00 11 00 00 FF 51 92 00 D8 9A 97 E1 80 7F 89 C6 .....Q..........
0050: F5 A0 23 7C 0D 87 78 21 F0 52 DF 38 19 CF E7 E7 ..#...x!.R.8....
0060: 7C 67 CD 42 DA .g.B.
xxx, WRITE: SSLv2 client hello message, length = 101
[Raw write]: length = 103
0000: 80 65 01 03 01 00 3C 00 00 00 20 00 00 04 01 00 .e....<... .....
0010: 80 00 00 05 00 00 2F 00 00 33 00 00 32 00 00 0A ....../..3..2...
0020: 07 00 C0 00 00 16 00 00 13 00 00 09 06 00 40 00 ..............@.
0030: 00 15 00 00 12 00 00 03 02 00 80 00 00 08 00 00 ................
0040: 14 00 00 11 00 00 FF 51 92 00 D8 9A 97 E1 80 7F .......Q........
0050: 89 C6 F5 A0 23 7C 0D 87 78 21 F0 52 DF 38 19 CF ....#...x!.R.8..
0060: E7 E7 7C 67 CD 42 DA ...g.B.
[Raw read]: length = 5
0000: 15 03 01 00 02 .....
[Raw read]: length = 2
0000: 02 46 .F
{http://xml.apache.org/axis/}stackTrace:
javax.net.ssl.SSLException: Received fatal alert: protocol_version
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190)
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1806)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:986)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1170)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1197)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1181)
at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186)
at
...
The answer is
I'm using apache-tomcat-7.0.70 with jdk1.7.0_45 and none of the solutions here and elsewhere on stackoverflow worked for me. Just sharing this solution as it hopefully might help someone as this is very high on Google's search
What worked is doing BOTH of these steps:
Starting my tomcat with "export JAVA_OPTS="$JAVA_OPTS -Dhttps.protocols=TLSv1.2" by adding it to tomcat/bin/setenv.sh (Syntax slightly different on Windows)
Manually building/forcing HttpClients or anything else you need with the TLS1.2 protocol:
Context ctx = SSLContexts.custom().useProtocol("TLSv1.2").build(); HttpClient httpClient = HttpClientBuilder.create().setSslcontext(ctx).build(); HttpPost httppost = new HttpPost(scsTokenVerificationUrl); List<NameValuePair> paramsAccessToken = new ArrayList<NameValuePair>(2); paramsAccessToken.add(new BasicNameValuePair("token", token)); paramsAccessToken.add(new BasicNameValuePair("client_id", scsClientId)); paramsAccessToken.add(new BasicNameValuePair("secret", scsClientSecret)); httppost.setEntity(new UrlEncodedFormEntity(paramsAccessToken, "utf-8")); //Execute and get the response. HttpResponse httpResponseAccessToken = httpClientAccessToken.execute(httppost); String responseJsonAccessToken = EntityUtils.toString(httpResponseAccessToken.getEntity());
I have got that error after update to JDK 1.8. But the JAVA_HOME variable was hard coded furthermore to JDK 1.7. Thew modification solved the problem:
set JAVA_HOME=C:\Program Files\Java\jdk1.8.0_241
I ran into this issue while trying to install a PySpark package. I got around the issue by changing the TLS version with an environment variable:
echo 'export JAVA_TOOL_OPTIONS="-Dhttps.protocols=TLSv1.2"' >> ~/.bashrc
source ~/.bashrc
This is due to the fact that you send a TLSv1 handshake, but then you send a message using SSLv2 protocol;
xxx, WRITE: TLSv1 Handshake, length = 75
xxx, WRITE: SSLv2 client hello message, length = 101
This means that the server expects the TLSv1 protocol to be used and will not accept the connection. Try specifying which protocol to use, or post some relevant code so we can have a look
I was getting the same error. For Java version 7, following is working for me.
java.lang.System.setProperty("https.protocols", "TLSv1.2");
Not sure if you found an answer but I had this problem and needed to upgrade TLS version to 1.2
private HttpsURLConnection getSSlConnection(String url, String username, String password){
SSLContext sc = SSLContext.getInstance("TLSv1.2")
// Create a trust manager that accepts all SSL sites
TrustManager[] trustAllCerts = new TrustManager[1]
def tm = new X509TrustManager(){
@Override
public void checkClientTrusted(X509Certificate[] certs, String authType) {
}
@Override
public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
}
@Override
X509Certificate[] getAcceptedIssuers() {
return new X509Certificate[0]
}
}
trustAllCerts[0] = tm
sc.init(null, trustAllCerts, new SecureRandom())
HttpsURLConnection connection = (HttpsURLConnection) getConnection(url, username, password)
connection.setSSLSocketFactory(sc.getSocketFactory())
return connection
}
On Java 1.8 default TLS protocol is v1.2. On Java 1.6 and 1.7 default is obsoleted TLS1.0. I get this error on Java 1.8, because url use old TLS1.0 (like Your - You see ClientHello, TLSv1). To resolve this error You need to use override defaults for Java 1.8.
System.setProperty("https.protocols", "TLSv1");
More info on the Oracle blog.
@marioosh added some extra information regarding cipher suite encryption .
A cipher suite is a collection of symmetric and asymmetric encryption algorithms used by hosts to establish a secure communication in Transport Layer Security (TLS) / Secure Sockets Layer (SSL) network protocol.
Ciphers are algorithms, more specifically they’re a set of steps for both performing encryption as well as the corresponding decryption.
A cipher suite specifies one algorithm for each of the following tasks:
- Key exchange
- Bulk encryption
- Message authentication
SocketFactory « Default handshaking protocols « To avoid SSLException use https.protocols system property.
This contains a comma-separated list of protocol suite names specifying which protocol suites to enable on this HttpsURLConnection. See the SSLSocket.setEnabledProtocols(String[]) method.
System.setProperty("https.protocols", "SSLv3");
// (OR)
System.setProperty("https.protocols", "TLSv1");
JAVA8 « TLS 1.1 and TLS 1.2 Enabled by Default: The SunJSSE provider enables the protocols TLS 1.1 and TLS 1.2 on the client by default.
System.setProperty("https.protocols", "TLSv1,TLSv1.1,TLSv1.2");
Example for Java8 Network File:
public class SecureSocket {
static {
// System.setProperty("javax.net.debug", "all");
System.setProperty("https.protocols", "TLSv1,TLSv1.1,TLSv1.2");
}
public static void main(String[] args) {
String GhitHubSSLFile = "https://raw.githubusercontent.com/Yash-777/SeleniumWebDrivers/master/pom.xml";
try {
String str = readCloudFileAsString(GhitHubSSLFile);
// new String(Files.readAllBytes(Paths.get( "D:/Sample.file" )));
System.out.println("Cloud File Data : "+ str);
} catch (IOException e) {
e.printStackTrace();
}
}
public static String readCloudFileAsString( String urlStr ) throws java.io.IOException {
if( urlStr != null && urlStr != "" ) {
java.io.InputStream s = null;
String content = null;
try {
URL url = new URL( urlStr );
s = (java.io.InputStream) url.getContent();
content = IOUtils.toString(s, "UTF-8");
} finally {
if (s != null) s.close();
}
return content.toString();
}
return null;
}
}
System.setProperty("javax.net.debug", "all");
Exception
javax.net.ssl.SSLException: Received fatal alert: protocol_version
If handshaking fails for any reason, the SSLSocket is closed, and no further communications can be done.
Observer LOG Sample for the above example:
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1505482843 bytes = { 12, 11, 111, 99, 8, 177, 101, 27, 84, 176, 147, 215, 116, 208, 31, 178, 141, 170, 29, 118, 29, 192, 61, 191, 53, 201, 127, 100 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Extension server_name, server_name: [host_name: raw.githubusercontent.com]
***
[write] MD5 and SHA1 hashes: len = 213
0000: 01 00 00 D1 03 03 5A BC D8 5B 0C 0B 6F 63 08 B1 ......Z..[..oc..
0010: 65 1B 54 B0 93 D7 74 D0 1F B2 8D AA 1D 76 1D C0 e.T...t......v..
0020: 3D BF 35 C9 7F 64 00 00 2A C0 09 C0 13 00 2F C0 =.5..d..*...../.
0030: 04 C0 0E 00 33 00 32 C0 08 C0 12 00 0A C0 03 C0 ....3.2.........
0040: 0D 00 16 00 13 C0 07 C0 11 00 05 C0 02 C0 0C 00 ................
0050: 04 00 FF 01 00 00 7E 00 0A 00 34 00 32 00 17 00 ..........4.2...
0060: 01 00 03 00 13 00 15 00 06 00 07 00 09 00 0A 00 ................
0070: 18 00 0B 00 0C 00 19 00 0D 00 0E 00 0F 00 10 00 ................
0080: 11 00 02 00 12 00 04 00 05 00 14 00 08 00 16 00 ................
0090: 0B 00 02 01 00 00 0D 00 1A 00 18 06 03 06 01 05 ................
00A0: 03 05 01 04 03 04 01 03 03 03 01 02 03 02 01 02 ................
00B0: 02 01 01 00 00 00 1E 00 1C 00 00 19 72 61 77 2E ............raw.
00C0: 67 69 74 68 75 62 75 73 65 72 63 6F 6E 74 65 6E githubuserconten
00D0: 74 2E 63 6F 6D t.com
main, WRITE: TLSv1.2 Handshake, length = 213
[Raw write]: length = 218
0000: 16 03 03 00 D5 01 00 00 D1 03 03 5A BC D8 5B 0C ...........Z..[.
0010: 0B 6F 63 08 B1 65 1B 54 B0 93 D7 74 D0 1F B2 8D .oc..e.T...t....
0020: AA 1D 76 1D C0 3D BF 35 C9 7F 64 00 00 2A C0 09 ..v..=.5..d..*..
0030: C0 13 00 2F C0 04 C0 0E 00 33 00 32 C0 08 C0 12 .../.....3.2....
0040: 00 0A C0 03 C0 0D 00 16 00 13 C0 07 C0 11 00 05 ................
0050: C0 02 C0 0C 00 04 00 FF 01 00 00 7E 00 0A 00 34 ...............4
0060: 00 32 00 17 00 01 00 03 00 13 00 15 00 06 00 07 .2..............
0070: 00 09 00 0A 00 18 00 0B 00 0C 00 19 00 0D 00 0E ................
0080: 00 0F 00 10 00 11 00 02 00 12 00 04 00 05 00 14 ................
0090: 00 08 00 16 00 0B 00 02 01 00 00 0D 00 1A 00 18 ................
00A0: 06 03 06 01 05 03 05 01 04 03 04 01 03 03 03 01 ................
00B0: 02 03 02 01 02 02 01 01 00 00 00 1E 00 1C 00 00 ................
00C0: 19 72 61 77 2E 67 69 74 68 75 62 75 73 65 72 63 .raw.githubuserc
00D0: 6F 6E 74 65 6E 74 2E 63 6F 6D ontent.com
[Raw read]: length = 5
0000: 16 03 03 00 5D ....]
Cryptography and Secure Communication with whatsapp
@See
For those using the IBM JDK you need to provide this argument to the JVM.
-Dcom.ibm.jsse2.overrideDefaultTLS=true
I was using Liberty, so I set this in the jvm.options file.
This seems like a protocol version mismatch, this exception normally happens when there is a mismatch between SSL protocol version used by the client and the server. your clients should use a proctocol version supported by the server.
marioosh's answer seems to on the right track. It didn't work for me. So I found:
Problems connecting via HTTPS/SSL through own Java client
which uses:
java.lang.System.setProperty("https.protocols", "TLSv1,TLSv1.1,TLSv1.2");
Which seems to be necessary with Java 7 and a TLSv1.2 site.
I checked the site with:
openssl s_client -connect www.st.nmfs.noaa.gov:443
using
openssl version
OpenSSL 1.0.2l 25 May 2017
and got the result:
...
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
...
Please note that and older openssl version on my mac did not work and I had to use the macports one.
You can try by adding following line to catalina.bat after last entry of JAVA_OPTS
set JAVA_OPTS=%JAVA_OPTS% -Dhttps.protocols=TLSv1.2 -Djdk.tls.client.protocols=TLSv1.2
public class SecureSocket {
static {
// System.setProperty("javax.net.debug", "all");
System.setProperty("https.protocols", "TLSv1,TLSv1.1,TLSv1.2");
}
public static void main(String[] args) {
String GhitHubSSLFile = "https://raw.githubusercontent.com/Yash-777/SeleniumWebDrivers/master/pom.xml";
try {
String str = readCloudFileAsString(GhitHubSSLFile);
// new String(Files.readAllBytes(Paths.get( "D:/Sample.file" )));
System.out.println("Cloud File Data : "+ str);
} catch (IOException e) {
e.printStackTrace();
}
}
public static String readCloudFileAsString( String urlStr ) throws java.io.IOException {
if( urlStr != null && urlStr != "" ) {
java.io.InputStream s = null;
String content = null;
try {
URL url = new URL( urlStr );
s = (java.io.InputStream) url.getContent();
content = IOUtils.toString(s, "UTF-8");
}
}
return content.toString();
}
return null;
}
Source: Stackoverflow.com