Somnath Musib

Reputation: 3714

Java 8 SSL Handshake failure

We are using SSL for our database (12c) traffic. While connecting to the database using a JDBC client (Java 1.8.0_65, ojdbc7), we are getting a handshake failure. Our database server is using the SSL_RSA_WITH_AES_128_CBC_SHA256 cipher.

java.sql.SQLRecoverableException: IO Error: Received fatal alert: handshake_failure
        at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:752) ~[ojdbc7.jar:12.1.0.2.0]
        at oracle.jdbc.driver.PhysicalConnection.connect(PhysicalConnection.java:666) ~[ojdbc7.jar:12.1.0.2.0]
        at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:32) ~[ojdbc7.jar:12.1.0.2.0]
        at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:566) ~[ojdbc7.jar:12.1.0.2.0]
        at java.sql.DriverManager.getConnection(DriverManager.java:664) ~[?:1.8.0_65]
        at java.sql.DriverManager.getConnection(DriverManager.java:247) ~[?:1.8.0_65]
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:1.8.0_65]
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:154) ~[?:1.8.0_65]
        at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023) ~[?:1.8.0_65]
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125) ~[?:1.8.0_65]
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) ~[?:1.8.0_65]
        at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747) ~[?:1.8.0_65]
        at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123) ~[?:1.8.0_65]
        at oracle.net.ns.Packet.send(Packet.java:419) ~[ojdbc7.jar:12.1.0.2.0]
        at oracle.net.ns.ConnectPacket.send(ConnectPacket.java:241) ~[ojdbc7.jar:12.1.0.2.0]
        at oracle.net.ns.NSProtocolStream.negotiateConnection(NSProtocolStream.java:157) ~[ojdbc7.jar:12.1.0.2.0]
        at oracle.net.ns.NSProtocol.connect(NSProtocol.java:264) ~[ojdbc7.jar:12.1.0.2.0]
        at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1452) ~[ojdbc7.jar:12.1.0.2.0]
        at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:496) ~[ojdbc7.jar:12.1.0.2.0]

In order to analyse this, we enabled SSL debug and found the below:

 *** ClientHello, TLSv1
RandomCookie:  GMT: 1491604703 bytes = { 8, 77, 210, 159, 243, 108, 135, 13, 187, 223, 121, 238, 236, 46, 76, 255, 76, 12, 130, 135, 233, 99, 154, 136, 70, 38, 132, 176 }
Session ID:  {223, 118, 94, 151, 92, 90, 47, 206, 76, 197, 24, 27, 241, 230, 236, 184, 87, 216, 9, 178, 99, 207, 38, 169, 193, 168, 99, 17, 211, 45, 239, 31}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
***
main, WRITE: TLSv1 Handshake, length = 183
main, READ: TLSv1 Handshake, length = 81

We could see that the Java client does not support the SSL_RSA_WITH_AES_128_CBC_SHA256 cipher, so we installed the JDK 8 Unlimited Strength JARs. Even after that, the Java client does not support the SSL_RSA_WITH_AES_128_CBC_SHA256 cipher.

My queries are:

  1. Since the cipher is using a 256-bit algorithm, once I have provided the Unlimited Strength JARs, why is the Java client still not supporting the above cipher?

  2. As I can see from the Oracle docs here, the above cipher is supported by default in JDK 1.8. Then why is the Java client not showing that it is ignoring the above cipher?

I am not getting what I am missing here. Any guidance on this is much appreciated.

EDIT

Using ojdbc1.8, as suggested in the comment, resolved the issue. However, I have a couple more questions on this:

  1. I can see that the handshake is now happening with TLSv1.2; previously it was happening with TLSv1. What I understood from this link is that JDK 1.8 supports TLSv1.2 by default. Why was it not using it previously?

  2. Related to the cipher suite: now, with ojdbc8, additional ciphers are being passed, including the SSL_RSA_WITH_AES_128_CBC_SHA256 cipher, which was previously not there with the ojdbc7 jar. This Oracle link says JDK 1.8 supports this cipher by default, but initially it was not supported with ojdbc7. I did not understand how switching to ojdbc8 makes the difference.

Upvotes: 0

Views: 7549

Answers (3)

Nirmala

Reputation: 1338

The patched ojdbc7.jar for bug 19030178 is located on OTN. You can download it; using the 12.2 driver will also work.

Also, refer to this post: "Database Connectivity over TLSv1.2 using JDBC thin and JKS"

Upvotes: 1

Somnath Musib

Reputation: 3714

The above error is due to Oracle bug 19030178. This SO link explains the steps in detail.

In the ojdbc7 jar, we applied the patch for bug 19030178 and added the required -D parameters. With these changes, it worked properly.

Upvotes: 0

Cyphrags

Reputation: 528

Changing the used library to ojdbc8 resolved the issue.

Upvotes: 1
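
The ClientHello in the question advertises TLSv1, and cipher suites with a SHA-256 MAC, such as the one the server requires, are defined only for TLS 1.2, so a TLSv1 hello cannot list them regardless of the JCE policy JARs. The sketch below is an added example, not code from any of the posts: it parses javax.net.debug output and reports why a required suite is missing. The function names and the abbreviated sample are constructed here.

```python
import re

# Constructed sample: abbreviated from the ClientHello debug output in the question.
SAMPLE_DEBUG = """\
*** ClientHello, TLSv1
Cipher Suites: [TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
***
"""

def parse_client_hello(debug_text):
    """Return (protocol, [suites]) from a javax.net.debug ClientHello dump."""
    proto = re.search(r"\*\*\* ClientHello, (\S+)", debug_text)
    suites = re.search(r"Cipher Suites: \[([^\]]*)\]", debug_text)
    if not proto or not suites:
        raise ValueError("no ClientHello with a cipher suite list found")
    names = [s.strip() for s in suites.group(1).split(",") if s.strip()]
    return proto.group(1), names

def normalize(suite):
    """The same suite may be spelled with an SSL_ or a TLS_ prefix."""
    return re.sub(r"^(SSL|TLS)_", "", suite.strip().upper())

def needs_tls12(suite):
    """Name heuristic: SHA-256/SHA-384 suites (CBC-SHA256, GCM) are TLS 1.2 only.
    It does not cover every TLS 1.2-only suite (for example CCM names)."""
    return normalize(suite).endswith(("_SHA256", "_SHA384"))

def diagnose(debug_text, required_suite):
    """Classify why the server's required suite is or is not in the hello."""
    proto, offered = parse_client_hello(debug_text)
    if normalize(required_suite) in {normalize(s) for s in offered}:
        return "offered"
    if needs_tls12(required_suite) and proto in ("SSLv3", "TLSv1", "TLSv1.1"):
        # The client capped the handshake below TLS 1.2, so the suite is
        # omitted; raise the client's protocol version, not the key strength.
        return "protocol-too-old"
    return "not-enabled"

if __name__ == "__main__":
    print(diagnose(SAMPLE_DEBUG, "SSL_RSA_WITH_AES_128_CBC_SHA256"))
```
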
