Claudio Resende

Reputation: 91

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure java 1.7_45

I have an HTTPS web page that I need to access and get some file. I am using Java 1.7_45 and Apache HttpClient 4.5.1. When I execute the client request I get the error (if I change to Java 8 it works, but I cannot change it to Java 8):

I tried everything that I found on the internet, such as adding these VM arguments:

    -Dhttps.protocols=SSLv2Hello,SSLv2,SSLv3,TLSv1.1,TLSv1.2
    -Djdk.tls.client.protocols=TLSv1.1,TLSv1.2
    -Ddeployment.security.SSLv2Hello=false
    -Ddeployment.security.SSLv3=false
    -Ddeployment.security.TLSv1=false
    -Ddeployment.security.TLSv1.1=true
    -Ddeployment.security.TLSv1.2=true

and changing the jars in the folder jre/lib/security.

The funny thing is that the debug shows that Java is using TLSv1, but the server does not accept that. I believe that is the reason for the error, but I tried everything to change it.


    main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
            javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
            at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
            at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
            at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1979)
            at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1086)
            at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
            at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359)
            at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343)
            at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
            at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
            at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
            at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
            at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
            at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
            at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
            at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
            at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
            at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
            at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)

The block of code that is getting the error is basically:


    HttpGet httpGetRequest = new HttpGet(uri);
    CloseableHttpClient client = HttpClients.createDefault();
    CloseableHttpResponse httpResponse = null;
    httpResponse = client.execute(httpGetRequest);

The result of debug mode is:


    keyStore is : 
        keyStore type is : jks
        keyStore provider is : 
        init keystore
        init keymanager of type SunX509
        trustStore is: C:\Program Files\Java\jdk1.7.0_45\jre\lib\security\cacerts
        trustStore type is : jks
        trustStore provider is : 
        init truststore

        trigger seeding of SecureRandom
        done seeding SecureRandom

        Received fatal alert: handshake_failure
        Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
        Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
        Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
        Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
        Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
        Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
        Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
        Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
        Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
        Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
        Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
        Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
        Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
        Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
        main, setSoTimeout(0) called
        Allow unsafe renegotiation: false
        Allow legacy hello messages: true
        Is initial handshake: true
        Is secure renegotiation: false
        %% No cached client session
        *** ClientHello, TLSv1
        RandomCookie:  GMT: 1540543037 bytes = { 231, 49, 252, 97, 250, 248, 100, 42, 169, 55, 229, 211, 3, 60, 228, 9, 116, 240, 119, 7, 189, 29, 9, 164, 233, 49, 92, 71 }
        Session ID:  {}
        Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
        Compression Methods:  { 0 }
        Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
        Extension ec_point_formats, formats: [uncompressed]
        Extension server_name, server_name: [host_name: services.swpc.noaa.gov]
        ***
        main, WRITE: TLSv1 Handshake, length = 194
        main, READ: TLSv1 Alert, length = 2
        main, RECV TLSv1 ALERT:  fatal, handshake_failure
        main, called closeSocket()
        main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
        main, called close()
        main, called closeInternal(true)

Upvotes: 2

Views: 4069

Answers (3)

In Claudio's solution, change SSL_VERSION to "TLSv1.2".

Other possible values are:

    enum ProtocolVersion {
        TLS13           (0x0304,    "TLSv1.3",      false),
        TLS12           (0x0303,    "TLSv1.2",      false),
        TLS11           (0x0302,    "TLSv1.1",      false),
        TLS10           (0x0301,    "TLSv1",        false),
        SSL30           (0x0300,    "SSLv3",        false),
        SSL20Hello      (0x0002,    "SSLv2Hello",   false),

        DTLS12          (0xFEFD,    "DTLSv1.2",     true),
        DTLS10          (0xFEFF,    "DTLSv1.0",     true),

        // Dummy protocol version value for invalid SSLSession
        NONE            (-1,        "NONE",         false);

Upvotes: 0

Claudio Resende

Reputation: 91

I solved this issue by using this code snippet:

    if (hostType.getProtocol().equals(Protocol.HTTPS)) {
        // Enable only the protocol named by SSL_VERSION on sockets from this factory.
        // Passing null for the cipher suites keeps the JVM's default cipher suite list.
        SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(SSLContexts.createDefault(),
                new String[] { SSL_VERSION }, null, SSLConnectionSocketFactory.getDefaultHostnameVerifier());
        client = HttpClients.custom().setSSLSocketFactory(sslsf).build();
    }

Upvotes: 1

Omoro

Reputation: 972

Java 8 supports TLSv1.2 by default, and it is likely that the server of the URL you are calling is using TLSv1.2. While Java 7 supports TLSv1.2, TLSv1.0 is the default for this version of Java. To use TLSv1.2 in Java 7, you indeed have to set the VM property -Djdk.tls.client.protocols=TLSv1.2. However, the system property jdk.tls.client.protocols was introduced in Java 1.7.0_95. So your options are either using Java 8 or upgrading to a version of Java 7 that supports jdk.tls.client.protocols.

Upvotes: 1
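
To see on a given JVM the gap between supported and default-enabled protocols that the answer above describes, the following added example (not code from the thread; the class and method names are hypothetical) prints both lists and then enables only TLSv1.2/TLSv1.1 on an unconnected socket. It uses only JSSE classes, is written to compile on Java 7, and opens no network connection.

```java
import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;

// Added example, not from the thread. Class and method names are hypothetical.
public class TlsProtocolCheck {
    // Preference order, newest first; SSLv3 and SSLv2Hello are deliberately absent.
    static final String[] PREFERRED = { "TLSv1.2", "TLSv1.1" };

    // Keep only the preferred protocols that this JVM actually implements.
    static String[] selectProtocols(String[] supported) {
        List<String> have = Arrays.asList(supported);
        List<String> chosen = new ArrayList<String>();
        for (String p : PREFERRED) {
            if (have.contains(p)) {
                chosen.add(p);
            }
        }
        return chosen.toArray(new String[chosen.size()]);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException, IOException {
        SSLContext ctx = SSLContext.getDefault();
        String[] supported = ctx.getSupportedSSLParameters().getProtocols();
        String[] defaults = ctx.getDefaultSSLParameters().getProtocols();
        System.out.println("java.version       : " + System.getProperty("java.version"));
        System.out.println("supported          : " + Arrays.toString(supported));
        System.out.println("enabled by default : " + Arrays.toString(defaults));

        String[] chosen = selectProtocols(supported);
        if (chosen.length == 0) {
            throw new IllegalStateException("this JVM implements neither TLSv1.2 nor TLSv1.1");
        }
        // Unconnected socket: nothing is sent, we only read back the effective setting.
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket();
        try {
            socket.setEnabledProtocols(chosen);
            System.out.println("enabled after fix  : " + Arrays.toString(socket.getEnabledProtocols()));
        } finally {
            socket.close();
        }
    }
}
```

The `chosen` array has the same type as the `new String[] { SSL_VERSION }` argument in the `SSLConnectionSocketFactory` snippet above, so it can be passed in that position.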
