Reputation: 22233
I have a Tomcat 7 server which runs a servlet that I need to access via POST from another Tomcat 7 server.
The connection is an SSL connection for security reasons, and I use this code to connect:
    import java.io.FileInputStream;
    import java.security.KeyStore;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSocketFactory;
    import javax.net.ssl.TrustManagerFactory;
    import org.apache.http.HttpEntity;
    import org.apache.http.HttpResponse;
    import org.apache.http.client.methods.HttpPost;
    import org.apache.http.config.Registry;
    import org.apache.http.config.RegistryBuilder;
    import org.apache.http.conn.HttpClientConnectionManager;
    import org.apache.http.conn.socket.ConnectionSocketFactory;
    import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
    import org.apache.http.impl.client.CloseableHttpClient;
    import org.apache.http.impl.client.HttpClientBuilder;
    import org.apache.http.impl.conn.BasicHttpClientConnectionManager;
    import org.apache.http.util.EntityUtils;

    public class SslPostClient {
        public static void main(String[] args) throws Exception {
            /* Load the keyStore that includes self-signed cert as a "trusted" entry. */
            KeyStore keyStore = KeyStore.getInstance("JKS");
            keyStore.load(new FileInputStream("myjks.jks"), "123456".toCharArray());
            TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(keyStore);
            /* The client context is pinned to TLSv1 only; the server connector accepts "TLS". */
            SSLContext ctx = SSLContext.getInstance("TLSv1");
            ctx.init(null, tmf.getTrustManagers(), null);
            SSLSocketFactory sslFactory = ctx.getSocketFactory(); // not used below
            HttpClientBuilder builder = HttpClientBuilder.create();
            /* ALLOW_ALL_HOSTNAME_VERIFIER turns off hostname checking; the server
               certificate is still validated against the entries in myjks.jks. */
            SSLConnectionSocketFactory sslConnectionFactory =
                new SSLConnectionSocketFactory(ctx,
                    SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
            builder.setSSLSocketFactory(sslConnectionFactory);
            Registry<ConnectionSocketFactory> registry =
                RegistryBuilder.<ConnectionSocketFactory>create()
                    .register("https", sslConnectionFactory)
                    .build();
            HttpClientConnectionManager ccm = new BasicHttpClientConnectionManager(registry);
            builder.setConnectionManager(ccm);
            CloseableHttpClient client = builder.build();
            HttpPost post = new HttpPost("https://myurl.com:9999/post");
            /* post has parameters - omitted */
            HttpResponse response = client.execute(post);
            HttpEntity entity = response.getEntity();
            String responseString = EntityUtils.toString(entity, "UTF-8");
            int httpCode = response.getStatusLine().getStatusCode();
            System.out.println(responseString);
            System.out.println(httpCode);
            client.close();
        }
    }
There is a problem: every time I try to connect I get
Received fatal alert: handshake_failure
Now, the weird thing is that the exact same code run from a plain Java application just works and outputs
<response data>
200
The code on the server runs on Apache Tomcat 7.0.42 with Java 6, and the Java application runs on Java 6.
This is how the Tomcat-SSL server connector is configured:
    <Connector port="${tomcat.ssl.port}" protocol="HTTP/1.1"
               enableLookups="false"
               SSLEnabled="true" scheme="https" sslProtocol="TLS" secure="true" clientAuth="false"
               keystoreFile="${catalina.base}/conf/certstore/server.jks"
               keystorePass="123456"
               truststoreFile="${catalina.base}/conf/certstore/ca.jks"
               truststorePass="123456"
               URIEncoding="UTF-8"
               ciphers="SSL_RSA_WITH_RC4_128_MD5,
                        SSL_RSA_WITH_RC4_128_SHA,
                        TLS_RSA_WITH_AES_128_CBC_SHA,
                        TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
                        TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
                        SSL_RSA_WITH_3DES_EDE_CBC_SHA,
                        SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
                        SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
                        TLS_RSA_WITH_AES_256_CBC_SHA,
                        TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
                        TLS_DHE_DSS_WITH_AES_256_CBC_SHA"
    />
These are the supported ciphers:
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
Why does the Tomcat-to-Tomcat connection give these problems? What should I do to make this code work?
Upvotes: 4
Views: 222
Reputation: 111
Maybe because the JVM used by Tomcat is different from the JVM you use to execute this command manually. Newer Java versions are stricter regarding SSL connections. Some protocols are not allowed in newer versions, which can throw this error.
Upvotes: 1
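A diagnostic for the hypothesis in the answer above, added here and not part of either post: it recreates the client's SSLContext.getInstance("TLSv1") and intersects that context's default cipher suites with the connector's ciphers list from the question, so running it once from the plain application and once from inside the servlet on the Tomcat server shows whether the two JVMs differ. The class name TlsCipherCheck is made up.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

/* Added diagnostic (not from either post): prints which JVM is running this
 * code and which of the Tomcat connector's cipher suites a client built with
 * SSLContext.getInstance("TLSv1") on this JVM can actually offer.
 * Run it standalone and from inside the servlet and compare the two outputs. */
public class TlsCipherCheck {

    /* Suites copied from the connector's ciphers="..." attribute in the question. */
    static final String[] SERVER_CIPHERS = {
        "SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_RC4_128_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
        "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_DSS_WITH_AES_256_CBC_SHA"
    };

    /* Default client parameters of a context created like the one in the
     * question; no network I/O is involved. */
    static SSLParameters clientDefaults(String protocol) throws Exception {
        SSLContext ctx = SSLContext.getInstance(protocol);
        ctx.init(null, null, null);   // default trust is enough to list suites
        return ctx.getDefaultSSLParameters();
    }

    /* Intersection of the connector's list and the client's enabled suites.
     * Empty means no common suite and therefore a handshake_failure.
     * On Java 6 the AES_256 suites appear only with the unlimited-strength
     * JCE policy files installed, which is one way two JVMs can differ. */
    static Set<String> commonCipherSuites(String protocol) throws Exception {
        Set<String> common = new LinkedHashSet<String>(Arrays.asList(SERVER_CIPHERS));
        common.retainAll(Arrays.asList(clientDefaults(protocol).getCipherSuites()));
        return common;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version       = " + System.getProperty("java.version"));
        System.out.println("java.home          = " + System.getProperty("java.home"));
        SSLParameters p = clientDefaults("TLSv1");
        System.out.println("enabled protocols  = " + Arrays.toString(p.getProtocols()));
        System.out.println("enabled suites     = " + Arrays.toString(p.getCipherSuites()));
        System.out.println("shared with server = " + commonCipherSuites("TLSv1"));
    }
}
```

Inside the servlet, write the same values to the Tomcat log instead of System.out and diff them against the standalone run; a different java.home or an empty shared set points directly at the cause.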