Error javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
The causes of Java SSL problems like handshake_failure are usually these:
- Incompatible cipher suites: The client has to use a cipher suite enabled by the server.
- Incompatible versions of SSL/TLS: The client has to ensure that it uses a compatible version. For example, the server might force TLS1.2, which is not enabled by default in Java 7 (this is not your case).
- Incomplete trust path for the server certificate: The server certificate is probably not trusted by the client. Usually the fix is to import the server certificate chain into the client trust store.
- Bad server config, like a certificate issued to a different domain or an incomplete certificate chain. In that case the fix is on the server side.
In your case it seems that TLSv1 has been selected, while Java 8 uses TLSv1.2 by default, so it is possible that the server is not updated with the latest versions.
I suggest debugging the protocol messages ClientHello and ServerHello to see the selected protocol and cipher suite.
-Djavax.net.debug=ssl
Also you can check the status of your server in SSLLabs
Author by
Yosefarr
Updated on June 05, 2022
Comments
-
Yosefarr almost 2 years
I'm trying to make a POST REST call using Spring RestTemplate:
HttpComponentsClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory();
RestTemplate restTemplate = new RestTemplate(requestFactory);
HttpHeaders headers = new HttpHeaders();
headers.setContentType(MediaType.APPLICATION_XML);
HttpEntity<GetBalanceHistoryRequest> request1 = new HttpEntity<GetBalanceHistoryRequest>(request, headers);
String result = restTemplate.postForObject("https://server.com/getBalance", request1, String.class);
The https://server.com has a certificate: webapi.tartu-x86.p12. I imported the certificate into C:\Java_8\jre\lib\security\cacerts using keytool.
After running my code I get the following error:
SLF4J: Actual binding is of type [ch.qos.logback.classic.util.ContextSelectorStaticBinder]
trustStore is: C:\Java_8\jre\lib\security\cacerts
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
Subject: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
Issuer: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
Algorithm: RSA; Serial number: 0xc3517
Valid from Mon Jun 21 07:00:00 IDT 1999 until Mon Jun 22 07:00:00 IDT 2020
adding as trusted cert:
Subject: CN=SecureTrust CA, O=SecureTrust Corporation, C=US
Issuer: CN=SecureTrust CA, O=SecureTrust Corporation, C=US
....
....
** Finished
verify_data: { 31, 64, 180, 145, 192, 1, 180, 119, 86, 70, 247, 140 }
***
[write] MD5 and SHA1 hashes: len = 16
0000: 14 00 00 0C 1F 40 B4 91 C0 01 B4 77 56 46 F7 8C  .....@.....wVF..
Padded plaintext before ENCRYPTION: len = 48
0000: 14 00 00 0C 1F 40 B4 91 C0 01 B4 77 56 46 F7 8C  .....@.....wVF..
0010: 3F 56 B1 14 65 F3 18 C6 B3 98 D3 50 65 AC 74 1A  ?V..e......Pe.t.
0020: 48 11 50 C0 0B 0B 0B 0B 0B 0B 0B 0B 0B 0B 0B 0B  H.P.............
main, WRITE: TLSv1 Handshake, length = 48
[Raw write]: length = 53
0000: 16 03 01 00 30 B6 A0 43 3D 91 3A C1 F6 34 F5 73  ....0..C=.:..4.s
0010: 54 A7 1A 46 84 42 1A DC 0D 4D B9 4A C1 3F CB A6  T..F.B...M.J.?..
0020: 57 C6 5D DF C4 1D 62 22 92 FB 1F 3E F1 05 0C 5C  W.]...b"...>...\
0030: 56 9E 9B 02 2D  V...-
[Raw read]: length = 5
0000: 15 03 01 00 02  .....
[Raw read]: length = 2
0000: 02 28  .(
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1 ALERT: fatal, handshake_failure
%% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
main, called close()
main, called closeInternal(true)
I'm using Java 1.8.0_91
Can anyone help here?
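The alert at the end of the trace above can be read directly from the [Raw read] and [Raw write] bytes. The following is an added example, not code from the question or the answer, that decodes a 5-byte TLS record header and a plaintext alert body; the hex strings are copied from the log above and the function names are illustrative.

```python
# Added example: decode TLS record headers and plaintext alerts as they
# appear in the [Raw read] / [Raw write] lines of a javax.net.debug=ssl trace.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of the alert descriptions defined in the TLS RFCs.
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 45: "certificate_expired",
    46: "certificate_unknown", 48: "unknown_ca", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 112: "unrecognized_name",
}

def parse_record_header(header):
    """Record header layout: type (1 byte), version (2 bytes), length (2 bytes)."""
    if len(header) != 5:
        raise ValueError("a TLS record header is exactly 5 bytes")
    ctype, major, minor = header[0], header[1], header[2]
    return {
        "type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
        "version": VERSIONS.get((major, minor), f"unknown({major}.{minor})"),
        "length": int.from_bytes(header[3:5], "big"),
    }

def explain(header_hex, body_hex):
    """Decode one record; the alert body is parsed only when it is plaintext."""
    record = parse_record_header(bytes.fromhex(header_hex))
    body = bytes.fromhex(body_hex)
    if len(body) != record["length"]:
        raise ValueError("body length does not match the record header")
    # A plaintext alert is exactly 2 bytes (level, description); a longer
    # alert record is encrypted and cannot be decoded from the raw bytes.
    if record["type"] == "alert" and len(body) == 2:
        level, desc = body
        record["alert"] = {
            "level": ALERT_LEVELS.get(level, f"unknown({level})"),
            "description": ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})"),
        }
    return record

if __name__ == "__main__":
    # First 5 bytes of the [Raw write] line, then the two [Raw read] lines.
    print(parse_record_header(bytes.fromhex("16 03 01 00 30")))
    print(explain("15 03 01 00 02", "02 28"))
```

The record version bytes 03 01 are what the trace prints as TLSv1, and alert body 02 28 is level 2 (fatal), description 40 (handshake_failure).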
-
Yosefarr almost 8 years
Thanks for your reply, how could I tell Java to use TLSv1?
-
pedrofb almost 8 years
Java 8 will use TLSv1.2 by default, but if it is not available, it will use TLSv1.1 or TLSv1. If the connection is selecting TLSv1, it is because the server does not support TLSv1.2 or there are no ciphers in common.