Brinal

Reputation: 302

Tomcat - Java11 - Unable to present ECDSA certificate during SSL handshake as client

Recently, our organisation migrated one of our Java application code bases from Java 8 to Java 11. Now we are facing one unique issue with our application. Our Tomcat server is running into a strange issue where it is not able to present its self-signed ECDSA certificate to the 3rd-party server (requested as part of mTLS SSL negotiation) and is failing with the following error.

Error while invoking external url error: Client exception while GET:javax.net.ssl.SSLException: org.bouncycastle.tls.TlsFatalAlertReceived: handshake_failure(40)","error-type":"java.lang.Exception","error-message":"Client exception while GET:javax.net.ssl.SSLException: org.bouncycastle.tls.TlsFatalAlertReceived: handshake_failure(40)","error-stack-trace":"java.lang.Exception: Client exception while GET:javax.net.ssl.SSLException: org.bouncycastle.tls.TlsFatalAlertReceived: handshake_failure(40)

My org uses BC-FIPS provider which doesn’t support -Djavax.net.debug debug param.

I did capture tcpdump, which indicates my application doesn’t present the valid certificate for the SSL negotiation. (Certificate length is 0 in the below snapshot)

Packet Capture

Both the client and server ECDSA certificates are exchanged correctly and are valid. The server, in this case, is able to negotiate inbound ECDSA-based SSL requests (ECDSA cipher) without any issues. Also, the same code works absolutely fine if the cert type is RSA.

We are using the same trustStore that is used in the case of Java 8; there are no changes in the trustStore, and the store is generated using the Java 8 keytool command like before.

We use bc-fips-1.0.2.3.jar, and all dependent libs such as bcpkix-fips.jar and bctls-fips.jar are already added. We have made no changes here from Java 8 to Java 11.

The only major change is the runtime change from JRE 8 to JRE 11.

Any pointers on how to debug this or take it forward are appreciated.

The trustStore format is BCFKS.

Thanks, Brinal

Upvotes: 0

Views: 125

Answers (1)

Brinal

Reputation: 302

The problem was with the ssl.KeyManagerFactory.algorithm property in the java.security file. The value was set to SunX509; changing the value to PKIX did the trick.

Upvotes: 0
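A quick way to confirm which key-manager algorithm the JVM is actually using, and whether it can select an EC client key at all, is to load the keystore and ask each KeyManagerFactory algorithm which alias it would pick. This is an added diagnostic, not code from the question or from Bouncy Castle; the keystore path, password and type are assumed command-line arguments, and the BCFKS type only resolves when the BCFIPS provider is registered.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Security;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;

/** Diagnostic: compare the client alias chosen by SunX509 and PKIX key managers. */
public class KeyManagerCheck {

    // Builds a KeyManagerFactory for the given algorithm and asks its X509KeyManager
    // which alias it would present for the given key type ("EC" or "RSA").
    // Returns null when no suitable key is found (the symptom in the question).
    static String chooseClientAlias(String kmfAlgorithm, KeyStore ks, char[] password,
                                    String keyType) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(kmfAlgorithm);
        kmf.init(ks, password);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) {
                return ((X509KeyManager) km)
                        .chooseClientAlias(new String[] { keyType }, null, null);
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: keystore path, keystore password, optional keystore type
        // (e.g. "BCFKS" with the BCFIPS provider on the classpath, else the JDK default).
        String path = args[0];
        char[] password = args[1].toCharArray();
        String type = args.length > 2 ? args[2] : KeyStore.getDefaultType();

        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }

        // What the runtime will use unless the application overrides it in code.
        System.out.println("java.security ssl.KeyManagerFactory.algorithm = "
                + Security.getProperty("ssl.KeyManagerFactory.algorithm"));
        System.out.println("KeyManagerFactory default algorithm           = "
                + KeyManagerFactory.getDefaultAlgorithm());

        for (String alg : new String[] { "SunX509", "PKIX" }) {
            for (String keyType : new String[] { "EC", "RSA" }) {
                String alias = chooseClientAlias(alg, ks, password, keyType);
                System.out.printf("%-8s %-4s -> %s%n", alg, keyType,
                        alias == null ? "(no alias: client cert would be empty)" : alias);
            }
        }
    }
}
```

Run it against the Tomcat keystore on the Java 11 runtime; if only the PKIX row returns an alias for the EC key, the java.security setting described in the answer is the cause.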
