javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure


I downloaded the .cer file and did a keytool import ... But I continue to get an ssl handshake error.

A handshake error from the server is unrelated to the validation of the server's certificate by the client. Thus trusting the new certificate does not help with this error.

*** ClientHello, TLSv1

Your client sends only a TLS 1.0 request although the server can do only TLS 1.2 according to SSLLabs.

It does not matter in this case that you have configured TLS 1.2 for your tomcat server because the problem is that your TLS client cannot connect to the 3rd party server. See for example Enabled TLS 1.2 and TLS 1.1 on Java 7 on how to configure Java 7 to use TLS 1.2 on the client side.

Updated on June 05, 2022

Comments

  • springcorn
    springcorn almost 2 years

    I am using Tomcat 7.065 with APR 1.1.33 on a linux server with Java 1.7.0_67.

    My application has been happily connecting via SSL to a 3rd party site for years now. The 3rd party issued a new certificate. The 3rd party site is: https://its.changehealthcare.com/

    I downloaded the .cer file and did a keytool import:

    $JAVA_HOME/bin/keytool -import -trustcacerts -keystore cacerts  -noprompt -file path\to\certificate.cer
    

    When I do a keytool list, I get:

    Owner: CN=its.changehealthcare.com, OU=COMODO EV SSL, OU=Web Operations, O=Change Healthcare Inc, STREET=3055 Lebanon Pike, L=Nashville, ST=TN, OID.2.5.4.17=37221, C=US, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US, SERIALNUMBER=4237148
      DNSName: its.changehealthcare.com
      DNSName: www.its.changehealthcare.com
    

    But I continue to get an ssl handshake error.

    My tomcat ssl config looks like so:

    <Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
               port="8443" minSpareThreads="5" maxSpareThreads="75"
               enableLookups="true" disableUploadTimeout="true"
               acceptCount="100"  maxThreads="200"
               scheme="https" secure="true" SSLEnabled="true"
               clientAuth="false"
    SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
            SSLCertificateFile="mycert.crt"
            SSLCertificateKeyFile="mykey.key"
            SSLCertificateChainFile="gd_bundle-g2-g1.crt"
            keyAlias="tomcat"
            SSLCipherSuite="ALL:!ADH:!RC4:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT:!DHE:!EDH:!ECDH"
               compression="on" compressableMimeType="text/xml"
    SSLHonorCipherOrder="true"
    />
    

    I am perplexed. Any insight appreciated. Here is the full readout of the error with debugging on -Djavax.net.debug=all :

    INFO: Server startup in 26519 ms
    keyStore is :
    keyStore type is : jks
    keyStore provider is :
    init keystore
    init keymanager of type SunX509
    trustStore is: /usr/lib/java/jdk1.7.0_67/jre/lib/security/cacerts
    trustStore type is : jks
    trustStore provider is :
    init truststore
    
    
    adding as trusted cert:
      Subject: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
      Issuer:  CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
      Algorithm: RSA; Serial number: 0x4eb200670c035d4f
      Valid from Wed Oct 25 03:36:00 CDT 2006 until Sat Oct 25 03:36:00 CDT 2036
    
    ******THERE ARE LIKE 20 of these but I couldn't fit it inside the character limit so just the first and last are shown
    adding as trusted cert:
    adding as trusted cert:
    adding as trusted cert:
    adding as trusted cert:
    adding as trusted cert:
    adding as trusted cert:
    adding as trusted cert:
    adding as trusted cert:
    adding as trusted cert:
    adding as trusted cert:
    adding as trusted cert:
    adding as trusted cert:
    adding as trusted cert:
    adding as trusted cert:
    adding as trusted cert:
    adding as trusted cert:
    ****THERE ARE LIKE 30 of these but I couldn't fit it inside the character limit so just the first and last are shown**
    
    adding as trusted cert:
      Subject: CN=TC TrustCenter Class 2 CA II, OU=TC TrustCenter Class 2 CA, O=TC TrustCenter GmbH, C=DE
      Issuer:  CN=TC TrustCenter Class 2 CA II, OU=TC TrustCenter Class 2 CA, O=TC TrustCenter GmbH, C=DE
      Algorithm: RSA; Serial number: 0x2e6a000100021fd752212c115c3b
      Valid from Thu Jan 12 08:38:43 CST 2006 until Wed Dec 31 16:59:59 CST 2025
    
    trigger seeding of SecureRandom
    done seeding SecureRandom
    Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
    Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
    Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
    Allow unsafe renegotiation: false
    Allow legacy hello messages: true
    Is initial handshake: true
    Is secure renegotiation: false
    http-apr-8443-exec-1, setSoTimeout(25000) called
    %% No cached client session
    *** ClientHello, TLSv1
    RandomCookie:  GMT: 1458500800 bytes = { 168, 201, 205, 79, 149, 19, 79, 199, 46, 252, 11, 245, 12, 118, 202, 82, 232, 228, 105, 152, 123, 244, 31, 152, 229, 163, 180, 208 }
    Session ID:  {}
    Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
    Compression Methods:  { 0 }
    Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
    Extension ec_point_formats, formats: [uncompressed]
    Extension server_name, server_name: [host_name: its.changehealthcare.com]
    ***
    [write] MD5 and SHA1 hashes:  len = 196
    0000: 01 00 00 C0 03 01 57 EF   F5 C0 A8 C9 CD 4F 95 13  ......W......O..
    0010: 4F C7 2E FC 0B F5 0C 76   CA 52 E8 E4 69 98 7B F4  O......v.R..i...
    0020: 1F 98 E5 A3 B4 D0 00 00   38 C0 0A C0 14 00 35 C0  ........8.....5.
    0030: 05 C0 0F 00 39 00 38 C0   09 C0 13 00 2F C0 04 C0  ....9.8...../...
    0040: 0E 00 33 00 32 C0 07 C0   11 00 05 C0 02 C0 0C C0  ..3.2...........
    0050: 08 C0 12 00 0A C0 03 C0   0D 00 16 00 13 00 04 00  ................
    0060: FF 01 00 00 5F 00 0A 00   34 00 32 00 17 00 01 00  ...._...4.2.....
    0070: 03 00 13 00 15 00 06 00   07 00 09 00 0A 00 18 00  ................
    0080: 0B 00 0C 00 19 00 0D 00   0E 00 0F 00 10 00 11 00  ................
    0090: 02 00 12 00 04 00 05 00   14 00 08 00 16 00 0B 00  ................
    00A0: 02 01 00 00 00 00 1D 00   1B 00 00 18 69 74 73 2E  ............its.
    00B0: 63 68 61 6E 67 65 68 65   61 6C 74 68 63 61 72 65  changehealthcare
    00C0: 2E 63 6F 6D                                        .com
    http-apr-8443-exec-1, WRITE: TLSv1 Handshake, length = 196
    [Raw write]: length = 201
    0000: 16 03 01 00 C4 01 00 00   C0 03 01 57 EF F5 C0 A8  ...........W....
    0010: C9 CD 4F 95 13 4F C7 2E   FC 0B F5 0C 76 CA 52 E8  ..O..O......v.R.
    0020: E4 69 98 7B F4 1F 98 E5   A3 B4 D0 00 00 38 C0 0A  .i...........8..
    0030: C0 14 00 35 C0 05 C0 0F   00 39 00 38 C0 09 C0 13  ...5.....9.8....
    0040: 00 2F C0 04 C0 0E 00 33   00 32 C0 07 C0 11 00 05  ./.....3.2......
    0050: C0 02 C0 0C C0 08 C0 12   00 0A C0 03 C0 0D 00 16  ................
    0060: 00 13 00 04 00 FF 01 00   00 5F 00 0A 00 34 00 32  ........._...4.2
    0070: 00 17 00 01 00 03 00 13   00 15 00 06 00 07 00 09  ................
    0080: 00 0A 00 18 00 0B 00 0C   00 19 00 0D 00 0E 00 0F  ................
    0090: 00 10 00 11 00 02 00 12   00 04 00 05 00 14 00 08  ................
    00A0: 00 16 00 0B 00 02 01 00   00 00 00 1D 00 1B 00 00  ................
    00B0: 18 69 74 73 2E 63 68 61   6E 67 65 68 65 61 6C 74  .its.changehealt
    00C0: 68 63 61 72 65 2E 63 6F   6D                       hcare.com
    [Raw read]: length = 5
    0000: 15 03 01 00 02                                     .....
    [Raw read]: length = 2
    0000: 02 28                                              .(
    http-apr-8443-exec-1, READ: TLSv1 Alert, length = 2
    http-apr-8443-exec-1, RECV TLSv1 ALERT:  fatal, handshake_failure
    http-apr-8443-exec-1, called closeSocket()
    http-apr-8443-exec-1, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    http-apr-8443-exec-1, called close()
    http-apr-8443-exec-1, called closeInternal(true)
    
  • springcorn
    springcorn over 7 years
    Thanks for this great help. This solved my problem. Although I was wondering if you could set this property at a finer grained level like the HttpURLConnection
  • Steffen Ullrich
    Steffen Ullrich over 7 years
    @springcorn: I'm not familiar enough with Java to answer this.