Reputation: 2000
I am trying to make an HTTPS call to a server signed by an internal CA. I couldn't get it working in spite of adding the root certificates in the truststore, so I've set the trustManager to trust all certificates and disabled hostname verification for now. A curl --insecure call works.
With -Djavax.net.debug=all, the handshake fails after the client hello:
*** ClientHello, TLSv1
...
...
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1 ALERT: fatal, handshake_failure
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
main, called close()
main, called closeInternal(true)
The stack trace is:
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
    at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1959)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1077)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
I am getting the SSL Context using
SSLContext sslContext = SSLContext.getInstance("TLS");
Any help would be highly appreciated.
PS: I am using Java 7.
Upvotes: 1
Views: 3139
Reputation: 2000
Adding an answer to my own question after 4 years.
I don't recall what the exact issue was, but there is no single reason for a handshake failure. The most likely reason why a handshake failure occurs right after the ClientHello would be that the client and server are not able to agree upon a common protocol or cipher suite for continuing the handshake.
The easiest option for debugging SSL issues like this is capturing the network traffic with tcpdump and analyzing it in Wireshark. We can inspect the ClientHello and figure out which protocol is being used, the cipher suites that it advertises support for, etc.
Upvotes: 0