On server I've got a certificate which I am using to connect to other webservice.
Certificate is correctly installed on server, because when I am using curl to make a request, everything works fine. The problem is when I am using rest request through my webservice in Spring.
I've got exception:
handling exception: javax.net.ssl.SSLHandshakeException:
I was trying changing tls protocols and it didn't help.
What may cause the problem?
There is a code of a debugger:
https-jsse-nio-8080-exec-4, WRITE: TLSv1 Handshake, length = 120
https-jsse-nio-8080-exec-4, received EOFException: error
https-jsse-nio-8080-exec-4, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
https-jsse-nio-8080-exec-4, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
https-jsse-nio-8080-exec-4, WRITE: TLSv1.2 Alert, length = 2
https-jsse-nio-8080-exec-4, called closeSocket()
https-jsse-nio-8080-exec-4, called close()
https-jsse-nio-8080-exec-4, called closeInternal(true)
Related
I have to read some emails in inbox from an email account. I need the TLSv1.2 like system update and when I send an email I can correctly do this but this methodology does not work when I have to read from the inbox folder.
Following my java code about connection preparation:
props.put("mail.pop3.socketFactory.class", "javax.net.ssl.SSLSocketFactory");
props.put("mail.pop3.socketFactory.port", Integer.valueOf(extProperties.getPortInbox().trim()));
props.put("mail.pop3.ssl.protocols", "TLSv1.2");
props.put("mail.pop3.starttls.enable", Boolean.TRUE);
props.put("mail.pop3.ssl.enable", Boolean.FALSE);
props.put("mail.mime.multipart.ignoreexistingboundaryparameter", Boolean.TRUE);
props.put("mail.mime.parameters.strict", Boolean.FALSE);
the params that I have are:
Protocol Type: POP3
Inbox server: (my server url)
Port: 995
I have this errors when I try to connect and read from the inbox folder:
...
(SimpleAsyncTaskExecutor-1) SimpleAsyncTaskExecutor-1, received EOFException: error
(SimpleAsyncTaskExecutor-1) SimpleAsyncTaskExecutor-1, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
(SimpleAsyncTaskExecutor-1) SimpleAsyncTaskExecutor-1, SEND TLSv1 ALERT: fatal, description = handshake_failure
(SimpleAsyncTaskExecutor-1) SimpleAsyncTaskExecutor-1, WRITE: TLSv1 Alert, length = 2
(SimpleAsyncTaskExecutor-1) SimpleAsyncTaskExecutor-1, called closeSocket()
...
In the log above, we can see the handshake error and the tlsv1 instead of the tlsv1.2 that I have setted.
How can I solve my problem? I have tried many ways found on stakoverflow/internet but I didn't resolve my problem and now I have no idea about the next step to do.
Thank you for the help
I have a java program that is using RESTTemplate talking to a service. I am using client certificate for communicating with server. Getting following error
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
19:53:13.851 [main] DEBUG org.apache.http.impl.conn.DefaultManagedHttpClientConnection - http-outgoing-0: Shutdown connection
19:53:13.852 [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Connection discarded
19:53:13.852 [main] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection released: [id: 0][route: {s}->https://api.entrust.net:443][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
19:53:13.854 [main] ERROR com.x.y.z.provider.a.Client - exception I/O error on GET request for "https://api.entrust.net/enterprise/v2/application/version": Received fatal alert: handshake_failure; nested exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
19:53:13.858 [main] DEBUG com.x.y.z.provider.a.Client - Map the failure exception {}
org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://api.entrust.net/enterprise/v2/application/version": Received fatal alert: handshake_failure; nested exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:744)
at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:670)
When I enable debug logs, I see initial handshake is done but it fails later with following error
*** CertificateVerify
Signature Algorithm SHA256withRSA
update handshake state: certificate_verify[15]
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
main, WRITE: TLSv1.2 Handshake, length = 264
update handshake state: change_cipher_spec
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
verify_data: { 101, 230, 249, 79, 106, 34, 167, 222, 44, 208, 111, 11 }
***
update handshake state: finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
**main, WRITE: TLSv1.2 Handshake, length = 40
main, READ: TLSv1.2 Alert, length = 2
main, RECV TLSv1.2 ALERT: fatal, handshake_failure
%% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]**
main, called closeSocket()
Interestingly I am running it on laptop it works without issues but as soon as I run it on container it gives me handshake error
I am running oracle jdk on laptop but OpenJDK-1.8.0.212 version on my container. What could be possible issues?
In the container I do have truststore and keystore installed and I could see that it is being used since the place where it fails is the one that I showed in SSL debug logs.
Option 1 . You need to add your truststore/keystore to cacerts of the container or environment where you are testing it for handshake to go through successfully.
Option 2 . You can point your program to read the location of the keystore file inside your container/sandbox/environment.
I have a problem connecting from my .Net client to Java server, both were changed from TLS1 to TLS1.2.
Both client and server in the same machine, Windows10 64bits.
.Net client created under .Net Framework 4.5, using HttpWebRequest.
Previous the request call I set
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12
.Net Error "The request was aborted: Could not create SSL/TLS secure channel."
Java using jdk1.8.0_25
Java Error log:
P-86, received EOFException: error
P-86, handling exception: javax.net.ssl.SSLHandshakeException: Remote host
closed connection during handshake
%% Invalidated: [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA256]
P-86, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
P-86, WRITE: TLSv1.2 Alert, length = 2
[Raw write]: length = 7
0000: 15 03 03 00 02 02 28 ......(
P-86, called closeSocket()
P-86, called close()
P-86, called closeInternal(true)
I have changed to different ciphers with no success. Any suggestion to follow ?
thanks
My problem was the certificate.I was using a very old one, I changed it and It works. I'm not clear why, I'm investigating.
Thanks to all.
Java 7u9
Error msg in title is: "fatal error: 80: problem unwrapping net record". SO wouldn't let me put "problem" in the title.
I am building a Java HTTPS client against Netty. The SSL handshake was working until I added added the "HTTPS" endpoint identification algorithm to enable server hostname verification:
SSLEngine engine = tcpHelper.getSSLContext().createSSLEngine();
SSLParameters sslParameters = engine.getSSLParameters();
sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
engine.setSSLParameters(sslParameters);
engine.setUseClientMode(true);
After adding the algorithm, the SSL handshake hangs and the connection eventually times out. With SSL debugging enabled (javax.net.debug=all), I can see that the handshake now fails after ServerHello, after the server sends it's cert chain, after
*** ServerHelloDone
1761586552#qtp-1653588482-2, WRITE: TLSv1.2 Handshake, length = 3294
on the server. The client receives and displays the cert chain, and then fails with:
New I/O worker #3, fatal error: 80: problem unwrapping net record
java.lang.RuntimeException: Delegated task threw Exception/Error
%% Invalidated: [Session-1, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256]
New I/O worker #3, SEND TLSv1.2 ALERT: fatal, description = internal_error
New I/O worker #3, WRITE: TLSv1.2 Alert, length = 2
Java 7u9
First, thanks to Bruno for his help on this related question which lead me to final answer.
Answering my own question. Hard won knowledge.
The solution is to add the host and port of the request target to the constructor when you create the SSL Engine:
SSLEngine engine = tcpHelper.getSSLContext().createSSLEngine(targetHost, targetPort);
Without this, Java will ultimately throw a NullPointerException way down deep in the SSL libs (IPAddressUtil.textToNumericFormatV4), which results in the not-very-helpful error message in the SSL debug output.
I'm using:
not-yet-commons-ssl-0.3.9.jar
opensaml-2.3.1.jar
I'm getting the following error in my logs:
SSLException: Received fatal alert: unexpected_message
Turning on SSLDebug gives the following:
TP-Processor2, READ: TLSv1 Alert, length = 2
TP-Processor2, RECV TLSv1 ALERT: fatal, unexpected_message
TP-Processor2, called closeSocket()
TP-Processor2, handling exception: javax.net.ssl.SSLException: Received fatal alert: unexpected_message
%% Client cached [Session-40, SSL_RSA_WITH_RC4_128_MD5]
%% Try resuming [Session-40, SSL_RSA_WITH_RC4_128_MD5] from port 2903
*** ClientHello, TLSv1
The behaviour is that SSL connections work for five minutes - and then they fail with the message above. My guess is that this is an SSL session cache issue.
Has anyone resolved this?
So it turned out that bouncy-castle (a jar dependency of opensaml) adds a bunch of extra ciphers into the SSL negotiation. The TIBCO server has a spew at these extra ciphers. Rolling back the Bouncy Castle Jar to 1.3.5 (pre-elliptic SLL Ciphers) solved this issue.