Received fatal alert handshake failure through SSLHandshakeException

Question

I have a problem with authorized SSL connection  I have created Struts Action that connects to external server with Client Authorized SSL certificate  In my Action I am trying to send some data to bank server but without any luck  because I have as a result from server the following error    error  javax net ssl SSLHandshakeException  Received fatal alert  handshake failure   My Method from my Action class that sends data to server    Getting external IP from host     URL whatismyip   new URL  http   automation whatismyip com n09230945 asp        BufferedReader inIP   new BufferedReader new InputStreamReader whatismyip openStream           String IPStr   inIP readLine      IP as a String      Merchant merchant       System out println  amount      amount      currency      currency      clientIp      IPStr      description      description        try            merchant   new Merchant context getRealPath         merchant properties           catch  ConfigurationException e             Logger getLogger HomeAction class getName    log Level INFO   message   e           System err println  error      e getMessage             return ERROR             String result   merchant sendTransData amount  currency  IPStr  description        System out println  result      result        return SUCCESS    My merchant properties file   bank server url https   -servernameandport-  https cipher -cipher-  keystore file -key- jks keystore type JKS keystore password -password- ecomm server version 2 0  encoding source UTF-8 encoding native UTF-8   For the first time I thought this is a certificate problem  I converted it from  pfx to  jks  but I have the same error  with no changes

User · Answer

I am using com google api http client   When I communicate with an internal company site  I got this problem when I mistakenly used https  instead of http     main  READ  TLSv1 2 Alert  length   2 main  RECV TLSv1 2 ALERT   fatal  handshake failure main  called closeSocket   main  handling exception  javax net ssl SSLHandshakeException  Received fatal alert  handshake failure main  IOException in getSession     javax net ssl SSLHandshakeException  Received fatal alert  handshake failure main  called close   main  called closeInternal true  262  main  DEBUG org apache http impl conn DefaultClientConnection  - Connection shut down main  called close   main  called closeInternal true  263  main  DEBUG org apache http impl conn tsccm ThreadSafeClientConnManager  - Released connection is not reusable  263  main  DEBUG org apache http impl conn tsccm ConnPoolByRoute  - Releasing connection  HttpRoute  s - gt https    lt I-replaced gt    null  263  main  DEBUG org apache http impl conn tsccm ConnPoolByRoute  - Notifying no-one  there are no waiting threads Exception in thread  main  javax net ssl SSLPeerUnverifiedException  peer not authenticated     at sun security ssl SSLSessionImpl getPeerCertificates SSLSessionImpl java 431      at org apache http conn ssl AbstractVerifier verify AbstractVerifier java 128      at org apache http conn ssl SSLSocketFactory connectSocket SSLSocketFactory java 339      at org apache http impl conn DefaultClientConnectionOperator openConnection DefaultClientConnectionOperator java 123      at org apache http impl conn AbstractPoolEntry open AbstractPoolEntry java 147      at org apache http impl conn AbstractPooledConnAdapter open AbstractPooledConnAdapter java 108      at org apache http impl client DefaultRequestDirector execute DefaultRequestDirector java 415      at org apache http impl client AbstractHttpClient execute AbstractHttpClient java 641      at org apache http impl client AbstractHttpClient execute AbstractHttpClient java 576      at org apache http impl client AbstractHttpClient execute AbstractHttpClient java 554      at com google api client http apache ApacheHttpRequest execute ApacheHttpRequest java 67      at com google api client http HttpRequest execute HttpRequest java 960

User · Answer

In my case I had one issue with the version 1 1  I was reproducing the issue easily with curl  The server didn t support lower versions than TLS1 2   This received handshake issue   curl --insecure --tlsv1 1 -i https   youhost --noproxy       With version 1 2 it was working fine   curl --insecure --tlsv1 2 -i https   youhost --noproxy       The server was running a Weblogic  and adding this argument in setEnvDomain sh made it to work with TLSv1 1   -Dweblogic security SSL minimumProtocolVersion TLSv1 1

User · Answer

Installing Java Cryptography Extension  JCE  Unlimited Strength  for JDK7   for JDK8  might fix this bug  Unzip the file and follow the readme to install it

User · Answer

To troubleshoot from developer  item 1  and system admin  item 2 and 3  perspective    Enable SSL handshake debug at Java via -Djavax net debug ssl handshake verbose  Install ssldump at server via sudo apt install ssldump or compile from source by following this link if you observe Unknown value in cipher when you run below step  At server  sudo ssldump -k  lt your-private-key gt  -i  lt your-network-interface gt  Check the log about real reason of the failure    Example of not working handshake of ssldump log   New TCP connection  1  10 1 68 86 45308   lt - gt  10 1 68 83 5671  1 1  0 0111  0 0111   C gt S  Handshake       ClientHello         Version 3 3         cipher suites         TLS ECDHE ECDSA WITH AES 256 GCM SHA384         TLS ECDHE ECDSA WITH AES 128 GCM SHA256         TLS ECDHE RSA WITH AES 256 GCM SHA384         TLS RSA WITH AES 256 GCM SHA384         TLS ECDH ECDSA WITH AES 256 GCM SHA384         TLS ECDH RSA WITH AES 256 GCM SHA384         TLS DHE RSA WITH AES 256 GCM SHA384         TLS DHE DSS WITH AES 256 GCM SHA384         TLS ECDHE RSA WITH AES 128 GCM SHA256         TLS RSA WITH AES 128 GCM SHA256         TLS ECDH ECDSA WITH AES 128 GCM SHA256         TLS ECDH RSA WITH AES 128 GCM SHA256         TLS DHE RSA WITH AES 128 GCM SHA256         TLS DHE DSS WITH AES 128 GCM SHA256         TLS ECDHE ECDSA WITH AES 256 CBC SHA384         TLS ECDHE RSA WITH AES 256 CBC SHA384         TLS RSA WITH AES 256 CBC SHA256         TLS ECDH ECDSA WITH AES 256 CBC SHA384         TLS ECDH RSA WITH AES 256 CBC SHA384         TLS DHE RSA WITH AES 256 CBC SHA256         TLS DHE DSS WITH AES 256 CBC SHA256         TLS ECDHE ECDSA WITH AES 256 CBC SHA         TLS ECDHE RSA WITH AES 256 CBC SHA         TLS RSA WITH AES 256 CBC SHA         TLS ECDH ECDSA WITH AES 256 CBC SHA         TLS ECDH RSA WITH AES 256 CBC SHA         TLS DHE RSA WITH AES 256 CBC SHA         TLS DHE DSS WITH AES 256 CBC SHA         TLS ECDHE ECDSA WITH AES 128 CBC SHA256         TLS ECDHE RSA WITH AES 128 CBC SHA256         TLS RSA WITH AES 128 CBC SHA256         TLS ECDH ECDSA WITH AES 128 CBC SHA256         TLS ECDH RSA WITH AES 128 CBC SHA256         TLS DHE RSA WITH AES 128 CBC SHA256         TLS DHE DSS WITH AES 128 CBC SHA256         TLS ECDHE ECDSA WITH AES 128 CBC SHA         TLS ECDHE RSA WITH AES 128 CBC SHA         TLS RSA WITH AES 128 CBC SHA         TLS ECDH ECDSA WITH AES 128 CBC SHA         TLS ECDH RSA WITH AES 128 CBC SHA         TLS DHE RSA WITH AES 128 CBC SHA         TLS DHE DSS WITH AES 128 CBC SHA         TLS EMPTY RENEGOTIATION INFO SCSV         compression methods                   NULL 1 2  0 0122  0 0011   S gt C  Alert     level           fatal     value           insufficient security 1    0 0126  0 0004   S gt C  TCP RST   Example of successful handshake of ssldump log  New TCP connection  1  10 1 68 86 56558   lt - gt  10 1 68 83 8443  1 1  0 0009  0 0009   C gt S  Handshake       ClientHello         Version 3 3         cipher suites         TLS ECDHE ECDSA WITH AES 256 GCM SHA384         TLS ECDHE RSA WITH AES 256 GCM SHA384         TLS DHE RSA WITH AES 256 GCM SHA384         Unknown value 0xcca9         Unknown value 0xcca8         Unknown value 0xccaa         TLS ECDHE ECDSA WITH AES 128 GCM SHA256         TLS ECDHE RSA WITH AES 128 GCM SHA256         TLS DHE RSA WITH AES 128 GCM SHA256         TLS ECDHE ECDSA WITH AES 256 CBC SHA384         TLS ECDHE RSA WITH AES 256 CBC SHA384         TLS DHE RSA WITH AES 256 CBC SHA256         TLS ECDHE ECDSA WITH AES 128 CBC SHA256         TLS ECDHE RSA WITH AES 128 CBC SHA256         TLS DHE RSA WITH AES 128 CBC SHA256         TLS ECDHE ECDSA WITH AES 256 CBC SHA         TLS ECDHE RSA WITH AES 256 CBC SHA         TLS DHE RSA WITH AES 256 CBC SHA         TLS ECDHE ECDSA WITH AES 128 CBC SHA         TLS ECDHE RSA WITH AES 128 CBC SHA         TLS DHE RSA WITH AES 128 CBC SHA         TLS RSA WITH AES 256 GCM SHA384         TLS RSA WITH AES 128 GCM SHA256         TLS RSA WITH AES 256 CBC SHA256         TLS RSA WITH AES 128 CBC SHA256         TLS RSA WITH AES 256 CBC SHA         TLS RSA WITH AES 128 CBC SHA         TLS EMPTY RENEGOTIATION INFO SCSV         compression methods                   NULL 1 2  0 0115  0 0106   S gt C  Handshake       ServerHello         Version 3 3         session id 0            cipherSuite         TLS ECDHE RSA WITH AES 256 GCM SHA384         compressionMethod                   NULL 1 3  0 0115  0 0000   S gt C  Handshake       Certificate 1 4  0 0115  0 0000   S gt C  Handshake       ServerKeyExchange Not enough data  Found 294 bytes  expecting 32767  1 5    0 0115    0 0000     S gt C    Handshake         ServerHelloDone 1 6    0 0141    0 0025     C gt S    Handshake         ClientKeyExchange Not enough data  Found 31 bytes  expecting 16384  1 7    0 0141    0 0000     C gt S    ChangeCipherSpec 1 8    0 0141    0 0000     C gt S      Handshake 1 9    0 0149    0 0008     S gt C    Handshake 1 10   0 0149    0 0000     S gt C    ChangeCipherSpec 1 11   0 0149    0 0000     S gt C      Handshake   Example of not working Java log  javax net ssl DEBUG 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 778 MYT HandshakeContext java 294 Ignore unsupported cipher suite  TLS ECDHE ECDSA WITH AES 256 GCM SHA384 for TLS11 javax net ssl DEBUG 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 779 MYT HandshakeContext java 294 Ignore unsupported cipher suite  TLS ECDHE ECDSA WITH AES 128 GCM SHA256 for TLS11 javax net ssl DEBUG 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 779 MYT HandshakeContext java 294 Ignore unsupported cipher suite  TLS ECDHE RSA WITH AES 256 GCM SHA384 for TLS11 javax net ssl DEBUG 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 780 MYT HandshakeContext java 294 Ignore unsupported cipher suite  TLS RSA WITH AES 256 GCM SHA384 for TLS11 javax net ssl DEBUG 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 780 MYT HandshakeContext java 294 Ignore unsupported cipher suite  TLS ECDH ECDSA WITH AES 256 GCM SHA384 for TLS11 javax net ssl DEBUG 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 780 MYT HandshakeContext java 294 Ignore unsupported cipher suite  TLS ECDH RSA WITH AES 256 GCM SHA384 for TLS11 javax net ssl DEBUG 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 781 MYT HandshakeContext java 294 Ignore unsupported cipher suite  TLS DHE RSA WITH AES 256 GCM SHA384 for TLS11 javax net ssl DEBUG 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 781 MYT HandshakeContext java 294 Ignore unsupported cipher suite  TLS DHE DSS WITH AES 256 GCM SHA384 for TLS11 javax net ssl DEBUG 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 781 MYT HandshakeContext java 294 Ignore unsupported cipher suite  TLS ECDHE RSA WITH AES 128 GCM SHA256 for TLS11 javax net ssl DEBUG 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 782 MYT HandshakeContext java 294 Ignore unsupported cipher suite  TLS RSA WITH AES 128 GCM SHA256 for TLS11 javax net ssl DEBUG 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 782 MYT HandshakeContext java 294 Ignore unsupported cipher suite  TLS ECDH ECDSA WITH AES 128 GCM SHA256 for TLS11 javax net ssl DEBUG 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 782 MYT HandshakeContext java 294 Ignore unsupported cipher suite  TLS ECDH RSA WITH AES 128 GCM SHA256 for TLS11 javax net ssl DEBUG 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 782 MYT HandshakeContext java 294 Ignore unsupported cipher suite  TLS DHE RSA WITH AES 128 GCM SHA256 for TLS11 javax net ssl DEBUG 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 783 MYT HandshakeContext java 294 Ignore unsupported cipher suite  TLS DHE DSS WITH AES 128 GCM SHA256 for TLS11 javax net ssl DEBUG 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 783 MYT HandshakeContext java 294 Ignore unsupported cipher suite  TLS ECDHE ECDSA WITH AES 256 CBC SHA384 for TLS11 javax net ssl DEBUG 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 783 MYT HandshakeContext java 294 Ignore unsupported cipher suite  TLS ECDHE RSA WITH AES 256 CBC SHA384 for TLS11 javax net ssl DEBUG 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 783 MYT HandshakeContext java 294 Ignore unsupported cipher suite  TLS RSA WITH AES 256 CBC SHA256 for TLS11 javax net ssl DEBUG 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 783 MYT HandshakeContext java 294 Ignore unsupported cipher suite  TLS ECDH ECDSA WITH AES 256 CBC SHA384 for TLS11 javax net ssl DEBUG 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 784 MYT HandshakeContext java 294 Ignore unsupported cipher suite  TLS ECDH RSA WITH AES 256 CBC SHA384 for TLS11 javax net ssl DEBUG 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 784 MYT HandshakeContext java 294 Ignore unsupported cipher suite  T LS DHE RSA WITH AES 256 CBC SHA256 for TLS11 javax net ssl DEBUG 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 784 MYT HandshakeContext java 294 Ignore unsupported cipher suite  TLS DHE DSS WITH AES 256 CBC SHA256 for TLS11 javax net ssl DEBUG 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 784 MYT HandshakeContext java 294 Ignore unsupported cipher suite  TLS ECDHE ECDSA WITH AES 256 GCM SHA384 for TLS10 javax net ssl DEBUG 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 784 MYT HandshakeContext java 294 Ignore unsupported cipher suite  TLS ECDHE ECDSA WITH AES 128 GCM SHA256 for TLS10 javax net ssl DEBUG 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 784 MYT HandshakeContext java 294 Ignore unsupported cipher suite  TLS ECDHE RSA WITH AES 256 GCM SHA384 for TLS10 javax net ssl DEBUG 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 784 MYT HandshakeContext java 294 Ignore unsupported cipher suite  TLS RSA WITH AES 256 GCM SHA384 for TLS10 javax net ssl DEBUG 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 785 MYT HandshakeContext java 294 Ignore unsupported cipher suite  TLS ECDH ECDSA WITH AES 256 GCM SHA384 for TLS10 javax net ssl DEBUG 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 785 MYT HandshakeContext java 294 Ignore unsupported cipher suite  TLS ECDH RSA WITH AES 256 GCM SHA384 for TLS10 javax net ssl DEBUG 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 785 MYT HandshakeContext java 294 Ignore unsupported cipher suite  TLS DHE RSA WITH AES 256 GCM SHA384 for TLS10 javax net ssl DEBUG 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 785 MYT HandshakeContext java 294 Ignore unsupported cipher suite  TLS DHE DSS WITH AES 256 GCM SHA384 for TLS10 javax net ssl DEBUG 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 785 MYT HandshakeContext java 294 Ignore unsupported cipher suite  TLS ECDHE RSA WITH AES 128 GCM SHA256 for TLS10 javax net ssl DEBUG 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 785 MYT HandshakeContext java 294 Ignore unsupported cipher suite  TLS RSA WITH AES 128 GCM SHA256 for TLS10 javax net ssl DEBUG 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 785 MYT HandshakeContext java 294 Ignore unsupported cipher suite  TLS ECDH ECDSA WITH AES 128 GCM SHA256 for TLS10 javax net ssl DEBUG 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 785 MYT HandshakeContext java 294 Ignore unsupported cipher suite  TLS ECDH RSA WITH AES 128 GCM SHA256 for TLS10 javax net ssl DEBUG 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 786 MYT HandshakeContext java 294 Ignore unsupported cipher suite  TLS DHE RSA WITH AES 128 GCM SHA256 for TLS10 javax net ssl DEBUG 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 786 MYT HandshakeContext java 294 Ignore unsupported cipher suite  TLS DHE DSS WITH AES 128 GCM SHA256 for TLS10 javax net ssl DEBUG 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 786 MYT HandshakeContext java 294 Ignore unsupported cipher suite  TLS ECDHE ECDSA WITH AES 256 CBC SHA384 for TLS10 javax net ssl DEBUG 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 786 MYT HandshakeContext java 294 Ignore unsupported cipher suite  TLS ECDHE RSA WITH AES 256 CBC SHA384 for TLS10 javax net ssl DEBUG 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 786 MYT HandshakeContext java 294 Ignore unsupported cipher suite  TLS RSA WITH AES 256 CBC SHA256 for TLS10 javax net ssl DEBUG 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 786 MYT HandshakeContext java 294 Ignore unsupported cipher suite  TLS ECDH ECDSA WITH AES 256 CBC SHA384 for TLS10 javax net ssl DEBUG 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 786 MYT HandshakeContext java 294 Ignore unsupported cipher suite  TLS ECDH RSA WITH AES 256 CBC SHA384 for TLS10 javax net ssl DEBUG 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 786 MYT HandshakeContext java 294 Ignore unsupported cipher suite  TLS DHE RSA WITH AES 256 CBC SHA256 for TLS10 javax net ssl DEBUG 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 787 MYT HandshakeContext java 294 Ignore unsupported cipher suite  TLS DHE DSS WITH AES 256 CBC SHA256 for TLS10 javax net ssl WARNING 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 818 MYT SignatureScheme java 282 Signature algorithm  ed25519  is not supported by the underlying providers javax net ssl WARNING 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 818 MYT SignatureScheme java 282 Signature algorithm  ed448  is not supported by the underlying providers javax net ssl ALL 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 822 MYT SignatureScheme java 358 Ignore disabled signature sheme  rsa md5 javax net ssl INFO 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 822 MYT AlpnExtension java 161 No available application protocols javax net ssl DEBUG 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 823 MYT SSLExtensions java 256 Ignore  context unavailable extension  application layer protocol negotiation javax net ssl DEBUG 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 823 MYT SSLExtensions java 256 Ignore  context unavailable extension  renegotiation info javax net ssl DEBUG 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 825 MYT ClientHello java 651 Produced ClientHello handshake message    ClientHello        client version          TLSv1 2      random                  FB BC CD 7C 17 65 86 49 3E 1C 15 37 24 94 7D E7 60 44 1B B8 F4 18 21 D0 E1 B1 31 0D E1 80 D6 A7      session id                    cipher suites            TLS ECDHE ECDSA WITH AES 256 GCM SHA384 0xC02C   TLS ECDHE ECDSA WITH AES 128 GCM SHA256 0xC02B   TLS ECDHE RSA WITH AES 256 GCM SHA384 0xC030   TLS RSA WITH AES 256 GCM SHA384 0x009D   TLS ECDH ECDSA WITH AES 256 GCM SHA384 0xC02E   TLS ECDH RSA WITH AES 256 GCM SHA384 0xC032   TLS DHE RSA WITH AES 256 GCM SHA384 0x009F   TLS DHE DSS WITH AES 256 GCM SHA384 0x00A3   TLS ECDHE RSA WITH AES 128 GCM SHA256 0xC02F   TLS RSA WITH AES 128 GCM SHA256 0x009C   TLS ECDH ECDSA WITH AES 128 GCM SHA256 0xC02D   TLS ECDH RSA WITH AES 128 GCM SHA256 0xC031   TLS DHE RSA WITH AES 128 GCM SHA256 0x009E   TLS DHE DSS WITH AES 128 GCM SHA256 0x00A2   TLS ECDHE ECDSA WITH AES 256 CBC SHA384 0xC024   TLS ECDHE RSA WITH AES 256 CBC SHA384 0xC028   TLS RSA WITH AES 256 CBC SHA256 0x003D   TLS ECDH ECDSA WITH AES 256 CBC SHA384 0xC026   TLS ECDH RSA WITH AES 256 CBC SHA384 0xC02A   TLS DHE RSA WITH AES 256 CBC SHA256 0x006B   TLS DHE DSS WITH AES 256 CBC SHA256 0x006A   TLS ECDHE ECDSA WITH AES 256 CBC SHA 0xC00A   TLS ECDHE RSA WITH AES 256 CBC SHA 0xC014   TLS RSA WITH AES 256 CBC SHA 0x0035   TLS ECDH ECDSA WITH AES 256 CBC SHA 0xC005   TLS ECDH RSA WITH AES 256 CBC SHA 0xC00F   TLS DHE RSA WITH AES 256 CBC SHA 0x0039   TLS DHE DSS WITH AES 256 CBC SHA 0x0038   TLS ECDHE ECDSA WITH AES 128 CBC SHA256 0xC023   TLS ECDHE RSA WITH AES 128 CBC SHA256 0xC027   TLS RSA WITH AES 128 CBC SHA256 0x003C   TLS ECDH ECDSA WITH AES 128 CBC SHA256 0xC025   TLS ECDH RSA WITH AES 128 CBC SHA256 0xC029   TLS DHE RSA WITH AES 128 CBC SHA256 0x0067   TLS DHE DSS WITH AES 128 CBC SHA256 0x0040   TLS ECDHE ECDSA WITH AES 128 CBC SHA 0xC009   TLS ECDHE RSA WITH AES 128 CBC SHA 0xC013   TLS RSA WITH AES 128 CBC SHA 0x002F   TLS ECDH ECDSA WITH AES 128 CBC SHA 0xC004   TLS ECDH RSA WITH AES 128 CBC SHA 0xC00E   TLS DHE RSA WITH AES 128 CBC SHA 0x0033   TLS DHE DSS WITH AES 128 CBC SHA 0x0032   TLS EMPTY RENEGOTIATION INFO SCSV 0x00FF        compression methods     00     extensions                    server name  0            type host name  0   value mq tpc-ohcis moh gov my             status request  5             certificate status type   ocsp        OCSP status request              responder id    lt empty gt           request extensions                lt empty gt                                supported groups  10             versions    secp256r1  secp384r1  secp521r1  sect283k1  sect283r1  sect409k1  sect409r1  sect571k1  sect571r1  secp256k1  ffdhe2048  ffdhe3072  ffdhe4096  ffdhe6144  ffdhe8192              ec point formats  11             formats    uncompressed              signature algorithms  13             signature schemes    ecdsa secp256r1 sha256  ecdsa secp384r1 sha384  ecdsa secp512r1 sha512  rsa pss rsae sha256  rsa pss rsae sha384  rsa pss rsae sha512  rsa pss pss sha256  rsa pss pss sha384  rsa pss pss sha512  rsa pkcs1 sha256  rsa pkcs1 sha384  rsa pkcs1 sha512  dsa sha256  ecdsa sha224  rsa sha224  dsa sha224  ecdsa sha1  rsa pkcs1 sha1  dsa sha1              signature algorithms cert  50             signature schemes    ecdsa secp256r1 sha256  ecdsa secp384r1 sha384  ecdsa secp512r1 sha512  rsa pss rsae sha256  rsa pss rsae sha384  rsa pss rsae sha512  rsa pss pss sha256  rsa pss pss sha384  rsa pss pss sha512  rsa pkcs1 sha256  rsa pkcs1 sha384  rsa pkcs1 sha512  dsa sha256  ecdsa sha224  rsa sha224  dsa sha224  ecdsa sha1  rsa pkcs1 sha1  dsa sha1              status request v2  17             cert status request              certificate status type   ocsp multi          OCSP status request                responder id    lt empty gt             request extensions                  lt empty gt                                           extended master secret  23             lt empty gt              supported versions  43             versions    TLSv1 2  TLSv1 1  TLSv1                javax net ssl DEBUG 43 SimpleAsyncTaskExecutor-1 2019-07-03 17 35 01 829 MYT Alert java 238 Received alert message    Alert        level          fatal      description    insufficient security

User · Answer

Ugg  This turned out to simply be a Java version issue for me   I got the handshake error using JRE 1 6 and everything worked perfectly using JRE 1 8 0 144

User · Answer

In my case  cert is imported  error remains  solved this by adding System setProperty  https protocols    TLSv1 2 TLSv1 1 SSLv3    before connect

User · Answer

The handshake failure could have occurred due to various reasons    Incompatible cipher suites in use by the client and the server  This would require the client to use  or enable  a cipher suite that is supported by the server  Incompatible versions of SSL in use  the server might accept only TLS v1  while the client is capable of only using SSL v3   Again  the client might have to ensure that it uses a compatible version of the SSL TLS protocol  Incomplete trust path for the server certificate  the server s certificate is probably not trusted by the client  This would usually result in a more verbose error  but it is quite possible  Usually the fix is to import the server s CA certificate into the client s trust store  The cerificate is issued for a different domain  Again  this would have resulted in a more verbose message  but I ll state the fix here in case this is the cause  The resolution in this case would be get the server  it does not appear to be yours  to use the correct certificate    Since  the underlying failure cannot be pinpointed  it is better to switch on the  -Djavax net debug all flag to enable debugging of the SSL connection established  With the debug switched on  you can pinpoint what activity in the handshake has failed   Update  Based on the details now available  it appears that the problem is due to an incomplete certificate trust path between the certificate issued to the server  and a root CA  In most cases  this is because the root CA s certificate is absent in the trust store  leading to the situation where a certificate trust path cannot exist  the certificate is essentially untrusted by the client  Browsers can present a warning so that users may ignore this  but the same is not the case for SSL clients  like the HttpsURLConnection class  or any HTTP Client library like Apache HttpComponents Client    Most these client classes libraries would rely on the trust store used by the JVM for certificate validation  In most cases  this will be the cacerts file in the JRE HOME lib security directory  If the location of the trust store has been specified using the JVM system property javax net ssl trustStore  then the store in that path is usually the one used by the client library  If you are in doubt  take a look at your Merchant class  and figure out the class library it is using to make the connection   Adding the server s certificate issuing CA to this trust store ought to resolve the problem  You can refer to my answer on a related question on getting tools for this purpose  but the Java keytool utility is sufficient for this purpose   Warning  The trust store is essentially the list of all CAs that you trust  If you put in an certificate that does not belong to a CA that you do not trust  then SSL TLS connections to sites having certificates issued by that entity can be decrypted if the private key is available   Update  2  Understanding the output of the JSSE trace  The keystore and the truststores used by the JVM are usually listed at the very beginning  somewhat like the following   keyStore is    keyStore type is   jks keyStore provider is    init keystore init keymanager of type SunX509 trustStore is  C  Java jdk1 6 0 21 jre lib security cacerts trustStore type is   jks trustStore provider is      If the wrong truststore is used  then you ll need to re-import the server s certificate to the right one  or reconfigure the server to use the one listed  not recommended if you have multiple JVMs  and all of them are used for different needs    If you want to verify if the list of trust certs contains the required certs  then there is a section for the same  that starts as   adding as trusted cert    Subject  CN blah  O blah  C blah   Issuer   CN biggerblah  O biggerblah  C biggerblah   Algorithm  RSA  Serial number  yadda   Valid from SomeDate until SomeDate   You ll need to look for if the server s CA is a subject   The handshake process will have a few salient entries  you ll need to know SSL to understand them in detail  but for the purpose of debugging the current problem  it will suffice to know that a handshake failure is usually reported in the ServerHello   1  ClientHello  A series of entries will be reported when the connection is being initialized  The first message sent by the client in a SSL TLS connection setup is the ClientHello message  usually reported in the logs as       ClientHello  TLSv1 RandomCookie   GMT  1291302508 bytes     some byte array   Session ID      Cipher Suites   SSL RSA WITH RC4 128 MD5  SSL RSA WITH RC4 128 SHA  TLS RSA WITH AES 128 CBC SHA  TLS DHE RSA WITH AES 128 CBC SHA  TLS DHE DSS WITH AES 128 CBC SHA  SSL RSA WITH 3DES EDE CBC SHA  SSL DHE RSA WITH 3DES EDE CBC SHA  SSL DHE DSS WITH 3DES EDE CBC SHA  SSL RSA WITH DES CBC SHA  SSL DHE RSA WITH DES CBC SHA  SSL DHE DSS WITH DES CBC SHA  SSL RSA EXPORT WITH RC4 40 MD5  SSL RSA EXPORT WITH DES40 CBC SHA  SSL DHE RSA EXPORT WITH DES40 CBC SHA  SSL DHE DSS EXPORT WITH DES40 CBC SHA  Compression Methods     0         Note the cipher suites used  This might have to agree with the entry in your merchant properties file  for the same convention might be employed by the bank s library  If the convention used is different  there is no cause of worry  for the ServerHello will state so  if the cipher suite is incompatible   2  ServerHello  The server responds with a ServerHello  that will indicate if the connection setup can proceed  Entries in the logs are usually of the following type       ServerHello  TLSv1 RandomCookie   GMT  1291302499 bytes     some byte array  Cipher Suite  SSL RSA WITH RC4 128 SHA Compression Method  0       Note the cipher suite that it has chosen  this is best suite available to both the server and the client  Usually the cipher suite is not specified if there is an error  The certificate of the server  and optionally the entire chain  is sent by the server  and would be found in the entries as       Certificate chain chain  0          Version  V3   Subject  CN server  O server s org  L server s location  ST  Server s state  C Server s country   Signature Algorithm  SHA1withRSA  OID   some identifer       the rest of the certificate       If the verification of the certificate has succeeded  you ll find an entry similar to   Found trusted certificate        Version  V1   Subject  OU Server s CA  O  Server s CA s company name   C CA s country   Signature Algorithm  SHA1withRSA  OID   some identifier   One of the above steps would not have succeeded  resulting in the handshake failure  for the handshake is typically complete at this stage  not really  but the subsequent stages of the handshake typically do not cause a handshake failure   You ll need to figure out which step has failed  and post the appropriate message as an update to the question  unless you ve already understood the message  and you know what to do to resolve it

User · Answer

In my case  the website just can use TLSv1 2  and i use apache httpclient 4 5 6  i use this code and install jce to solve this  JDK1 7    jce  jdk7 http   www oracle com technetwork java javase downloads jce-7-download-432124 html  jdk 8 http   www oracle com technetwork java javase downloads jce8-download-2133166 html  code   SSLContext sslContext   SSLContext getDefault       SSLConnectionSocketFactory sslConnectionFactory   new SSLConnectionSocketFactory        sslContext        new String    TLSv1 2       important       null        NoopHostnameVerifier INSTANCE      Registry lt ConnectionSocketFactory gt  registry   RegistryBuilder  lt ConnectionSocketFactory gt create          register  https   sslConnectionFactory         register  http   PlainConnectionSocketFactory INSTANCE         build       HttpClientConnectionManager ccm   new BasicHttpClientConnectionManager registry     httpclient   HttpClientBuilder create           setSSLSocketFactory sslConnectionFactory         setConnectionManager ccm         build

User · Answer

I meet the same problem today with OkHttp client to GET a https based url  It was caused by Https protocol version and Cipher method mismatch between server side and client side   1  check your website https Protocol version and Cipher method   openssl gt s client -connect your website com 443 -showcerts  You will get many detail info  the key info is listed as follows   SSL-Session      Protocol    TLSv1     Cipher      RC4-SHA   2  config your http client  for example  in OkHttp client case    Test   public void testHttpsByOkHttp         ConnectionSpec spec   new ConnectionSpec Builder ConnectionSpec MODERN TLS               tlsVersions TlsVersion TLS 1 0    protocol version              cipherSuites                      CipherSuite TLS RSA WITH RC4 128 SHA    cipher method                     CipherSuite TLS ECDHE ECDSA WITH AES 128 GCM SHA256                      CipherSuite TLS ECDHE RSA WITH AES 128 GCM SHA256                      CipherSuite TLS DHE RSA WITH AES 128 GCM SHA256               build         OkHttpClient client   new OkHttpClient        client setConnectionSpecs Collections singletonList spec        Request request   new Request Builder   url  https   your website com    build        try           Response response   client newCall request  execute            if response isSuccessful                 logger debug  result       response body   string                     catch  IOException e            e printStackTrace              This will get what we want

User · Answer

I found an HTTPS server which failed in this way if my Java client process was configured with  -Djsse enableSNIExtension false   The connection failed with handshake failure after the ServerHello had finished successfully but before the data stream started   There was no clear error message that identified the problem  the error just looked like  main  READ  TLSv1 2 Alert  length   2 main  RECV TLSv1 2 ALERT   fatal  handshake failure    Invalidated    Session-3  TLS ECDHE RSA WITH AES 256 GCM SHA384  main  called closeSocket   main  handling exception  javax net ssl SSLHandshakeException  Received fatal alert  handshake failure   I isolated the issue by trying with and without the  -Djsse enableSNIExtension false  option

User · Answer

Assuming you re using the proper SSL TLS protocols  properly configured your keyStore and trustStore  and confirmed that there doesn t exist any issues with the certificates themselves  you may need to strengthen your security algorithms   As mentioned in Vineet s answer  one possible reason you receive this error is due to incompatible cipher suites being used  By updating my local policy and US export policy jars in my JDK s security folder with the ones provided in the Java Cryptography Extension  JCE   I was able to complete the handshake successfully

User · Answer

Mine was a TLS version incompatible error   Previously it was TLSv1 I changed it TLSV1 2 this solved my problem

User · Answer

The handshake failure could be a buggy TLSv1 protocol implementation    In our case this helped with java 7     java -Dhttps protocols TLSv1 2 TLSv1 1 TLSv1    The jvm will negotiate in this order  The servers with the latest update will do 1 2  the buggy ones will go down to v1 and that works with the similar v1 in java 7

User · Answer

This issue is occurring because of the java version  I was using 1 8 0 231 JDK and getting this error  I have degraded my java version from 1 8 0 231 to 1 8 0 171  Now It is working fine

User · Answer

I don t think this solves the problem to the first questioner  but for googlers coming here for answers   On update 51  java 1 8 prohibited 1  RC4 ciphers by default  as we can see on the Release Notes page   Bug Fix  Prohibit RC4 cipher suites RC4 is now considered as a compromised cipher  RC4 cipher suites have been removed from both client and server default enabled cipher suite list in Oracle JSSE implementation  These cipher suites can still be enabled by SSLEngine setEnabledCipherSuites   and SSLSocket setEnabledCipherSuites   methods  See JDK-8077109  not public    If your server has a strong preference for this cipher  or use only this cipher  this can trigger a handshake failure on java  You can test connecting to the server enabling RC4 ciphers  first  try without enabled argument to see if triggers a handshake failure  then set enabled  import javax net ssl SSLSocket  import javax net ssl SSLSocketFactory  import java io     import java util Arrays       Establish a SSL connection to a host and port  writes a byte and    prints the response  See    http   confluence atlassian com display JIRA Connecting to SSL services     public class SSLRC4Poke       public static void main String   args            String   cyphers          if  args length  lt  2                System out println  quot Usage   quot  SSLRC4Poke class getName    quot   lt host gt   lt port gt  enable quot                System exit 1                     try               SSLSocketFactory sslsocketfactory    SSLSocketFactory  SSLSocketFactory getDefault                SSLSocket sslsocket    SSLSocket  sslsocketfactory createSocket args 0   Integer parseInt args 1                          cyphers   sslsocketfactory getSupportedCipherSuites                if  args length   3                   sslsocket setEnabledCipherSuites new String                         quot SSL DH anon EXPORT WITH RC4 40 MD5 quot                        quot SSL DH anon WITH RC4 128 MD5 quot                        quot SSL RSA EXPORT WITH RC4 40 MD5 quot                        quot SSL RSA WITH RC4 128 MD5 quot                        quot SSL RSA WITH RC4 128 SHA quot                        quot TLS ECDHE ECDSA WITH RC4 128 SHA quot                        quot TLS ECDHE RSA WITH RC4 128 SHA quot                        quot TLS ECDH ECDSA WITH RC4 128 SHA quot                        quot TLS ECDH RSA WITH RC4 128 SHA quot                        quot TLS ECDH anon WITH RC4 128 SHA quot                        quot TLS KRB5 EXPORT WITH RC4 40 MD5 quot                        quot TLS KRB5 EXPORT WITH RC4 40 SHA quot                        quot TLS KRB5 WITH RC4 128 MD5 quot                        quot TLS KRB5 WITH RC4 128 SHA quot                                                      InputStream in   sslsocket getInputStream                OutputStream out   sslsocket getOutputStream                    Write a test byte to get a reaction                out write 1                while  in available    gt  0                    System out print in read                               System out println  quot Successfully connected quot               catch  Exception exception                exception printStackTrace                       1 - https   www java com en download faq release changes xml

User · Answer

I had a similar issue  upgrading to Apache HTTPClient 4 5 3 fixed it

User · Answer

This can also happend when the client needs to present a certificate  After the server lists the certificate chain  the following can happen   3  Certificate Request The server will issue a certificate request from the client  The request will list all of the certificates the server accepts       CertificateRequest Cert Types  RSA Cert Authorities   lt CN blah  OU blah  O blah  L blah  ST blah  C blah gt   lt CN yadda  DC yadda  DC yadda gt   lt CN moreblah  OU moreblah  O moreblah  C moreblah gt   lt CN moreyada  OU moreyada  O moreyada  C moreyada gt      the rest of the request     ServerHelloDone   4  Client Certificate Chain This is the certificate the client is sending to the server        Certificate chain chain  0          Version  V3   Subject  EMAILADDRESS client s email  CN client  OU client s ou  O client s Org  L client s location  ST client s state  C client s Country   Signature Algorithm  SHA1withRSA  OID   1 2 840 113549 1 1 5       the rest of the certificate     ClientKeyExchange  RSA PreMasterSecret  TLSv1         key exchange info    If there isn t a certificate in the chain and the server requires one  you ll get the handshake error here  A likely cause is the path to your certificate wasn t found   5  Certificate Verify The client asks the server to verify the certificate          CertificateVerify     payload of verify check   This step will only happen if you are sending a certificate   6  Finished The server will respond with a verify response      Finished verify data     345

User · Answer

Disclaimer   I am not aware if the answer will be helpful for many people just sharing because it might    I was getting this error while using Parasoft SOATest to send request XML SOAP     The issue was that I had selected the wrong alias from the dropdown after adding the certificate and authenticating it

User · Answer

I have this error while I tried to use JDK 1 7  When I upgraded my JDK to jdk1 8 0 66 all started to work fine    So the simplest solution for this problem could be - upgrade your JDK and it could start to work well

[java] Received fatal alert: handshake_failure through SSLHandshakeException

Examples related to java

Examples related to ssl

Examples related to ssl-certificate

Examples related to sslhandshakeexception