SSL HandShake exception

Question

I use SSL connection to connect web client to server. It works without any problem for a long time. But from yesterday it gives following error can anyone tell me the reason.

javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.java:1172)
        at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:65)
        at net.schubart.fixme.internal.MessageInput.readExactly(MessageInput.java:166)
        at net.schubart.fixme.internal.MessageInput.readMessage(MessageInput.java:78)
        at cc.aot.itsWeb.ClientWriterThread.run(ClientWriterThread.java:241)
        at java.lang.Thread.run(Thread.java:619)
clientWriter.ready
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1586)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:865)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1029)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:621)
        at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
        at java.io.OutputStream.write(OutputStream.java:58)
        at net.schubart.fixme.internal.Message.write(Message.java:267)
        at net.schubart.fixme.internal.MessageOutput.writeMessage(MessageOutput.java:53)

Answer 1

I fixed the SSL handshake exception by changing from jdk 1.7 to jdk 1.8.

Answer 2

When I received this error, the problem was that the server certificate was using signature algorithm SHA1withRSA and Android 8.0 client. Switching to server certificate based on SHA256withRSA fixed the issue.

Answer 3

I have spent more than 12 hours on this issue. After creating a self-signed certificate it is required to export that certificate to the cacert file. In my case it was located in /usr/lib/java/jre/lib/security/cacert. You can export the certificate by using the keytool (you probably have to have root access):

$ sudo keytool -exportcert -alias keyStoreAlias -keystore \
       keyStoreKeys.keys -file /usr/local/java/jre/lib/security/cacerts

Answer 4

This 'certificate_unknown' is a very misleading error message. This is the same error message thrown when a certificate has expired even if it is in the truststore. I suggest checking the expiration date of the certificate before you waste your time on anything else.

Answer 5

The problem you're having is with the certificates. Here is a list of things you might need to be familiar with before working with a secure SSL program. There must be a truststore, keystore, and the certs have to be added. To add the key to your cacerts file, as in step 6, the computer might ask you for a password that you don't know. It is "changeit" mostt likely

1) To create a new keystore and self-signed certificate with corresponding public/private keys:

 keytool -genkeypair -alias "username" -keyalg RSA -validity 7 -keystore keystore

2) To Examine the keystore:

keytool -list -v -keystore keystore

3) Export and examine the self-signed certificate:

keytool -export -alias "username" -keystore keystore -rfc -file "username".cer

4) Import the certificate into a new truststore:

keytool -import -alias "username" -file "username".cer -keystore truststore

5) Examine the truststore:

keytool -list -v -keystore truststore

6) Add to keystore (this is what your looking for):

sudo keytool -import -file "username".cer -alias "username" -keystore "path-to-keystore"

On some systems this is found in

/usr/lib/jvm/<java version folder>/jre/lib/security/cacerts

and on other systems it is something like

/etc/ssl/certs/java/cacerts

Check out this project on Git-Hub if you need more clarification: https://github.com/rabbitfighter81/JSSLInfoCollectionServer And here is a shell script that helps with keys. https://github.com/rabbitfighter81/SSLKeytool

Answer 6

I would first check to see if the cert in question has expired. Have run into this many times when working with vendors. They can update their certs without letting us know.

Answer 7

I think you have to add keystore in jre1.6 cacert. Then deploy again your server .By the way you can use to add keystore PORTECLE program . it is very useful.

Answer 8

If you really really need to, you can accept all certificates. But keep in mind that this is really ugly.

Hava a look at this.

Answer 9

You can check the certificate via the browser.

In Internet Explorer

Right Click >> Properties >> Certificates

Once in the Certificates Window you can view the entire certificate tree as well.

If you have an invalid certificate you may want to look into a solution using the keytool command.

Keytool Commands

Answer 10

The certificate presented by the server is not trusted. This may be due to the certificate being expired, or the trust manager not being able to establish a chain of trust to any of the certificates in your trust store.

Answer 11

Check the the cert is valid, you can do this with your browser.