SSL connection on Java 7 based server fails with RECV TLSv1 ALERT: fatal, handshake_failure
Solution 1
Java 7 is old and does not have many of the newer and/or stronger ciphers built-in.
For me the solution was to install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7
Solution 2
This is what worked for me finally:
SSLContext context = SSLContext.getInstance("TLSv1.2");
context.init(null,null,null);
SSLContext.setDefault(context);
Related videos on Youtube
16 : 09
02 : 24
07 : 51
![[SOLVED] How to Fix TLS Error Problem (100% Working)](https://i.ytimg.com/vi/8eo-fdMAG80/hq720.jpg?sqp=-oaymwEcCNAFEJQDSFXyq4qpAw4IARUAAIhCGAFwAcABBg==&rs=AOn4CLBEOSFJoTnwm_lg5xvfZHXnoee0Wg)
07 : 00
03 : 26
31 : 33
06 : 34
Rodrigo Murillo
Updated on September 18, 2022Comments
-
Rodrigo Murillo almost 2 years
A client-side SSL connection on a Java 7 based server fails with RECV TLSv1 ALERT: fatal, handshake_failure. This client is trying to connect to https://www.iatspayments.com
The SSL debug log shows the following:
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 Allow unsafe renegotiation: false Allow legacy hello messages: true Is initial handshake: true Is secure renegotiation: false %% No cached client session *** ClientHello, TLSv1 RandomCookie: GMT: 1438043029 bytes = { 77, 33, 40, 115, 168, 242, 145, 193, 121, 154, 125, 158, 66, 181, 49, 10, 251, 113, 134, 200, 45, 171, 200, 108, 155, 99, 67, 176 } Session ID: {} Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV] Compression Methods: { 0 } Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1} Extension ec_point_formats, formats: [uncompressed] Extension server_name, server_name: [host_name: www.iatspayments.com] *** jrpp-1, WRITE: TLSv1 Handshake, length = 192 jrpp-1, READ: TLSv1 Alert, length = 2 jrpp-1, RECV TLSv1 ALERT: fatal, handshake_failure jrpp-1, called closeSocket() jrpp-1, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure jrpp-1, IOException in getSession(): javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failureI have upgraded encryption strength per Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7 Download
Based on the Qualsys SSL Test, the server only accepts the TLS1.1 and the TLS1.2 protocols.
I have provided the JVM the following startup properties:
-Dhttps.protocols=TLSv1.2,TLSv1.1 -Ddeployment.security.SSLv2Hello=false -Ddeployment.security.SSLv3=false -Ddeployment.security.TLSv1=false -Ddeployment.security.TLSv1.1=true -Ddeployment.security.TLSv1.2=trueIt appears from the debug log that the client is using TLSv1 for the handshake and the data session, which then fails.
Two questions:
Why does the client initiate with the TLSv1 protocol, when I have disabled that as a supported protocol?
What system setting can I make to make the server use TLSv1.1+ when establishing an SSL connection?
Note I have reviewed Enable TLS 1.1 and 1.2 for Clients on Java 7 and I have implemented those settings.
-
Awesome almost 5 yearsDid you find the solution?
