I wanted server and client communication to happen via SSL . I have followed this link.
It says generate keypair and then generate server.private and server.public. Now when I run my server and client program, the server program exits with:
*** ServerHelloDone
main, WRITE: TLSv1 Handshake, length = 679
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1 ALERT: fatal, certificate_unknown
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
I read many questions on SO and guessed I need to run :
keytool -import -alias example -keystore cacerts -file root.cer.
But what values do I give for the above command ? My private and public keys for server and client are server.public, server.private, client.public, client.private.
Related
I have a java program that is using RESTTemplate talking to a service. I am using client certificate for communicating with server. Getting following error
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
19:53:13.851 [main] DEBUG org.apache.http.impl.conn.DefaultManagedHttpClientConnection - http-outgoing-0: Shutdown connection
19:53:13.852 [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Connection discarded
19:53:13.852 [main] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection released: [id: 0][route: {s}->https://api.entrust.net:443][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
19:53:13.854 [main] ERROR com.x.y.z.provider.a.Client - exception I/O error on GET request for "https://api.entrust.net/enterprise/v2/application/version": Received fatal alert: handshake_failure; nested exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
19:53:13.858 [main] DEBUG com.x.y.z.provider.a.Client - Map the failure exception {}
org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://api.entrust.net/enterprise/v2/application/version": Received fatal alert: handshake_failure; nested exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:744)
at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:670)
When I enable debug logs, I see initial handshake is done but it fails later with following error
*** CertificateVerify
Signature Algorithm SHA256withRSA
update handshake state: certificate_verify[15]
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
main, WRITE: TLSv1.2 Handshake, length = 264
update handshake state: change_cipher_spec
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
verify_data: { 101, 230, 249, 79, 106, 34, 167, 222, 44, 208, 111, 11 }
***
update handshake state: finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
**main, WRITE: TLSv1.2 Handshake, length = 40
main, READ: TLSv1.2 Alert, length = 2
main, RECV TLSv1.2 ALERT: fatal, handshake_failure
%% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]**
main, called closeSocket()
Interestingly I am running it on laptop it works without issues but as soon as I run it on container it gives me handshake error
I am running oracle jdk on laptop but OpenJDK-1.8.0.212 version on my container. What could be possible issues?
In the container I do have truststore and keystore installed and I could see that it is being used since the place where it fails is the one that I showed in SSL debug logs.
Option 1 . You need to add your truststore/keystore to cacerts of the container or environment where you are testing it for handshake to go through successfully.
Option 2 . You can point your program to read the location of the keystore file inside your container/sandbox/environment.
I have this SSL issue, I get handshake_failure
http-bio-8080-exec-10, WRITE: TLSv1 Handshake, length = 191
http-bio-8080-exec-10, READ: TLSv1 Alert, length = 2
http-bio-8080-exec-10, RECV TLSv1 ALERT: fatal, handshake_failure
http-bio-8080-exec-10, called closeSocket()
http-bio-8080-exec-10, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Keep-Alive-Timer, called close()
Keep-Alive-Timer, called closeInternal(true)
Keep-Alive-Timer, SEND TLSv1.2 ALERT: warning, description = close_notify
Keep-Alive-Timer, WRITE: TLSv1.2 Alert, length = 48
Keep-Alive-Timer, called closeSocket(selfInitiated)
Code is Working with no issue on java version "1.8.0_05"
But same code with same SSL certificates is not working on java version "1.7.0_67"
I installed unlimited Crypto on the 1.7 and still facing the same issue.
Unfortunately I cannot upgrade the JDK, Is there any other way around this issue?
If I use the below in java.security (jdk 7 and even jdk 8) any update
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA,SHA,SHA1,SHA-1, DH keySize < 768
and I have no certificates in the chain that are sha signed certificates, I get the below exception:
main, handling exception: javax.net.ssl.SSLHandshakeException: Unsupported SignatureAndHashAlgorithm in ServerKeyExchange message
%% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
main, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
I am trying to disable using SHA/SHA1/SHA-1 as a message digest from the client side. Why do I get the above exception on SHA384.
If I remove the "SHAs" from the disabled algorithms in java.security all is fine.
Any ideas?
On server I've got a certificate which I am using to connect to other webservice.
Certificate is correctly installed on server, because when I am using curl to make a request, everything works fine. The problem is when I am using rest request through my webservice in Spring.
I've got exception:
handling exception: javax.net.ssl.SSLHandshakeException:
I was trying changing tls protocols and it didn't help.
What may cause the problem?
There is a code of a debugger:
https-jsse-nio-8080-exec-4, WRITE: TLSv1 Handshake, length = 120
https-jsse-nio-8080-exec-4, received EOFException: error
https-jsse-nio-8080-exec-4, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
https-jsse-nio-8080-exec-4, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
https-jsse-nio-8080-exec-4, WRITE: TLSv1.2 Alert, length = 2
https-jsse-nio-8080-exec-4, called closeSocket()
https-jsse-nio-8080-exec-4, called close()
https-jsse-nio-8080-exec-4, called closeInternal(true)
I'm using:
not-yet-commons-ssl-0.3.9.jar
opensaml-2.3.1.jar
I'm getting the following error in my logs:
SSLException: Received fatal alert: unexpected_message
Turning on SSLDebug gives the following:
TP-Processor2, READ: TLSv1 Alert, length = 2
TP-Processor2, RECV TLSv1 ALERT: fatal, unexpected_message
TP-Processor2, called closeSocket()
TP-Processor2, handling exception: javax.net.ssl.SSLException: Received fatal alert: unexpected_message
%% Client cached [Session-40, SSL_RSA_WITH_RC4_128_MD5]
%% Try resuming [Session-40, SSL_RSA_WITH_RC4_128_MD5] from port 2903
*** ClientHello, TLSv1
The behaviour is that SSL connections work for five minutes - and then they fail with the message above. My guess is that this is an SSL session cache issue.
Has anyone resolved this?
So it turned out that bouncy-castle (a jar dependency of opensaml) adds a bunch of extra ciphers into the SSL negotiation. The TIBCO server has a spew at these extra ciphers. Rolling back the Bouncy Castle Jar to 1.3.5 (pre-elliptic SLL Ciphers) solved this issue.