How to make Java 6 which fails SSL connection with SSL peer shut down incorrectly succeed like Java 7

Question

I m seeing an SSL connection from a client running Java 6 fail with an exception like   Caused by  javax net ssl SSLHandshakeException  Remote host closed connection during handshake     at com sun net ssl internal ssl SSLSocketImpl readRecord SSLSocketImpl java 882      at com sun net ssl internal ssl SSLSocketImpl performInitialHandshake SSLSocketImpl java 1188      at com sun net ssl internal ssl SSLSocketImpl startHandshake SSLSocketImpl java 1215      at com sun net ssl internal ssl SSLSocketImpl startHandshake SSLSocketImpl java 1199      at sun net www protocol https HttpsClient afterConnect HttpsClient java 434      at sun net www protocol https AbstractDelegateHttpsURLConnection connect AbstractDelegateHttpsURLConnection java 166      at sun net www protocol https HttpsURLConnectionImpl connect HttpsURLConnectionImpl java 133          35 more Caused by  java io EOFException  SSL peer shut down incorrectly     at com sun net ssl internal ssl InputRecord read InputRecord java 462      at com sun net ssl internal ssl SSLSocketImpl readRecord SSLSocketImpl java 863          41 more   The server is a Tomcat 7-based app  running on Java 7  Linux  and on Amazon EC2  for what that s worth   I ve found a lot of suggestions on possible casues  including connecting accidentally to a non-SSL port  etc  I believe I ve ruled it all out  mostly because the exact same client works when running Java 7 with no change   OS X in both cases    Below I include the debug output from Java 6 s and Java 7 s SSL connection procedure  My question to experts is  does this suggest that some possible cipher or protocol setting  maybe a default in Java 7  could be enabled in Java 6 to make it work   Java 6   Allow unsafe renegotiation  false Allow legacy hello messages  true Is initial handshake  true Is secure renegotiation  false    No cached client session     ClientHello  TLSv1 RandomCookie   GMT  1363993281 bytes     77  153  100  72  45  178  253  243  195  167  17  151  39  247  148  102  213  129  39  17  26  139  157  154  63  88  41  160   Session ID      Cipher Suites   SSL RSA WITH RC4 128 MD5  SSL RSA WITH RC4 128 SHA  TLS RSA WITH AES 128 CBC SHA  TLS RSA WITH AES 256 CBC SHA  TLS DHE RSA WITH AES 128 CBC SHA  TLS DHE RSA WITH AES 256 CBC SHA  TLS DHE DSS WITH AES 128 CBC SHA  TLS DHE DSS WITH AES 256 CBC SHA  SSL RSA WITH 3DES EDE CBC SHA  SSL DHE RSA WITH 3DES EDE CBC SHA  SSL DHE DSS WITH 3DES EDE CBC SHA  SSL RSA WITH DES CBC SHA  SSL DHE RSA WITH DES CBC SHA  SSL DHE DSS WITH DES CBC SHA  SSL RSA EXPORT WITH RC4 40 MD5  SSL RSA EXPORT WITH DES40 CBC SHA  SSL DHE RSA EXPORT WITH DES40 CBC SHA  SSL DHE DSS EXPORT WITH DES40 CBC SHA  TLS EMPTY RENEGOTIATION INFO SCSV  Compression Methods     0       main  WRITE  TLSv1 Handshake  length   81 main  WRITE  SSLv2 client hello message  length   110 main  received EOFException  error main  handling exception  javax net ssl SSLHandshakeException  Remote host closed connection during handshake main  SEND TLSv1 ALERT   fatal  description   handshake failure main  WRITE  TLSv1 Alert  length   2 main  called closeSocket     Java 7   Ignoring unavailable cipher suite  TLS ECDHE RSA WITH AES 256 CBC SHA Ignoring unavailable cipher suite  TLS DHE RSA WITH AES 256 CBC SHA Ignoring unavailable cipher suite  TLS ECDH RSA WITH AES 256 CBC SHA Ignoring unsupported cipher suite  TLS DHE DSS WITH AES 128 CBC SHA256 Ignoring unsupported cipher suite  TLS DHE DSS WITH AES 256 CBC SHA256 Ignoring unsupported cipher suite  TLS DHE RSA WITH AES 128 CBC SHA256 Ignoring unsupported cipher suite  TLS ECDH RSA WITH AES 128 CBC SHA256 Ignoring unsupported cipher suite  TLS DHE RSA WITH AES 256 CBC SHA256 Ignoring unsupported cipher suite  TLS ECDHE RSA WITH AES 256 CBC SHA384 Ignoring unsupported cipher suite  TLS ECDH ECDSA WITH AES 256 CBC SHA384 Ignoring unsupported cipher suite  TLS RSA WITH AES 256 CBC SHA256 Ignoring unavailable cipher suite  TLS ECDHE ECDSA WITH AES 256 CBC SHA Ignoring unsupported cipher suite  TLS ECDHE RSA WITH AES 128 CBC SHA256 Ignoring unsupported cipher suite  TLS ECDHE ECDSA WITH AES 256 CBC SHA384 Ignoring unavailable cipher suite  TLS DHE DSS WITH AES 256 CBC SHA Ignoring unsupported cipher suite  TLS ECDH RSA WITH AES 256 CBC SHA384 Ignoring unsupported cipher suite  TLS ECDHE ECDSA WITH AES 128 CBC SHA256 Ignoring unsupported cipher suite  TLS ECDH ECDSA WITH AES 128 CBC SHA256 Ignoring unavailable cipher suite  TLS ECDH ECDSA WITH AES 256 CBC SHA Ignoring unavailable cipher suite  TLS RSA WITH AES 256 CBC SHA Ignoring unsupported cipher suite  TLS RSA WITH AES 128 CBC SHA256 Allow unsafe renegotiation  false Allow legacy hello messages  true Is initial handshake  true Is secure renegotiation  false main  setSoTimeout 0  called    No cached client session     ClientHello  TLSv1 RandomCookie   GMT  1363993435 bytes     131  83  80  186  215  90  171  131  231  18  184  183  249  155  197  204  73  1  74  79  32  142  236  28  111  37  58  255   Session ID      Cipher Suites   TLS ECDHE ECDSA WITH AES 128 CBC SHA  TLS ECDHE RSA WITH AES 128 CBC SHA  TLS RSA WITH AES 128 CBC SHA  TLS ECDH ECDSA WITH AES 128 CBC SHA  TLS ECDH RSA WITH AES 128 CBC SHA  TLS DHE RSA WITH AES 128 CBC SHA  TLS DHE DSS WITH AES 128 CBC SHA  TLS ECDHE ECDSA WITH RC4 128 SHA  TLS ECDHE RSA WITH RC4 128 SHA  SSL RSA WITH RC4 128 SHA  TLS ECDH ECDSA WITH RC4 128 SHA  TLS ECDH RSA WITH RC4 128 SHA  TLS ECDHE ECDSA WITH 3DES EDE CBC SHA  TLS ECDHE RSA WITH 3DES EDE CBC SHA  SSL RSA WITH 3DES EDE CBC SHA  TLS ECDH ECDSA WITH 3DES EDE CBC SHA  TLS ECDH RSA WITH 3DES EDE CBC SHA  SSL DHE RSA WITH 3DES EDE CBC SHA  SSL DHE DSS WITH 3DES EDE CBC SHA  SSL RSA WITH RC4 128 MD5  TLS EMPTY RENEGOTIATION INFO SCSV  Compression Methods     0   Extension elliptic curves  curve names   secp256r1  sect163k1  sect163r2  secp192r1  secp224r1  sect233k1  sect233r1  sect283k1  sect283r1  secp384r1  sect409k1  sect409r1  secp521r1  sect571k1  sect571r1  secp160k1  secp160r1  secp160r2  sect163r1  secp192k1  sect193r1  sect193r2  secp224k1  sect239k1  secp256k1  Extension ec point formats  formats   uncompressed  Extension server name  server name   host name  ec2-xx-xx-xx-xx compute-1 amazonaws com

User · Answer

It seems that in the debug log for Java 6 the request is send in SSLv2 format        main  WRITE  SSLv2 client hello message  length   110     This is not mentioned as enabled by default in Java 7  Change the client to use SSLv3 and above to avoid such interoperability issues     Look for differences in JSSE providers in Java 7 and Java 6

User · Answer

Bruno s answer was the correct one in the end  This is most easily controlled by the https protocols system property  This is how you are able to control what the factory method returns  Set to  TLSv1  for example

User · Answer

update the server arguments from  -Dhttps protocols SSLv3 to -Dhttps protocols TLSv1 SSLv3

User · Answer

Do it like this   SSLSocket socket    SSLSocket  sslFactory createSocket host  port   socket setEnabledProtocols new String    SSLv3    TLSv1

User · Answer

Remove  SSLv2ClientHello  from the enabled protocols on the client SSLSocket or HttpsURLConnection

[java] How to make Java 6, which fails SSL connection with "SSL peer shut down incorrectly", succeed like Java 7?

Examples related to java

Examples related to ssl

Examples related to handshake

Examples related to sslhandshakeexception