TLS 1.2 was supported in Java 8 but not in Java 7

java java-8 java-7 tls1.2
23,792

Solution 1

If you test the URL with SSLLabs, the website allow 4 ciphers :

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

But if you read ciphers list for Java 7, no cipher is not supported (can be seen in the debug message also). Even by enabling TLS 1.2 for Java 7, I think it doesn't find any valid ciphers. The site had to change its configuration.

Solution 2

Without upgrading to Java 8, you can upgrade your Java 7 version to 1.7.0_131-b31

For JRE 1.7.0_131-b31 in Oracle site :

TLSv1.2 and TLSv1.1 are now enabled by default on the TLS client end-points. This is similar behavior to what already happens in JDK 8 releases.
Share:
23,792
E Do
Author by

E Do

Familiar with java eclipse sql xml json maven wso2-esb javascript

Updated on July 09, 2022

Comments

  • E Do
    E Do almost 2 years

    When I tried to connect a URL (one of vendors URL which supports TLS 1.2 and worked fine previously with Java 7) by using Java 7, I found bellow Exception:

    javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
    at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1943)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1059)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1294)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1321)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1305)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:523)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1087)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)

    So that I have enabled -Dhttps.protocols=TLSv1.2, -Djavax.net.ssl.trustStore=<keystoreFilePath> and -Djavax.net.ssl.trustStorePassword=<password>

    After that also I got the same issue. Then I have upgrade the Java version to 8 so it could connect to the URL without any SSL issue.

    As per this blog, in Java 8, TLS 1.2 is default and TLS 1.2 can be tuned with the property -Dhttps.protocols in Java 7. In Java 7, I could be able to access a URL without a problem if I enable above properties through my past experiences.

    But for the URL, I am requested to upgrade the Java version. What can be vendor side changes caused for the Exception mentioned above in Java 7? And without upgrading Java 8, can't I access the URL?

    When try with -Djavax.net.debug=all I got below log

    Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
qtp11284997-17, setSoTimeout(0) called
qtp11284997-18, setSoTimeout(0) called
%% No cached client session
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  *** ClientHello, TLSv1.2
RandomCookie:  GMT: 1465902650 bytes = { GMT: 1465902650 bytes = { 113156, , 91, 215, 64, 8, 63, 32, 255, 223, 156, 170, 50, 244, 156, 18, 241, 241, 229, 169, 35, 160, 22, 15, 111, 204, 231, 28, 25, 203, 70, 164, 77, 14, 181, 126, 159, 152, 111, 221, 254, 59 }
Session ID:  {}
Cipher Suites: [TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Extension server_name, server_name: [host_name: postprod1.ratetiger.com]
***
[write] MD5 and SHA1 hashes:  len = 211
0000: 01 00 00 CF 03 03 57 60   E6 3A 71 D7 40 08 3F FF  ......W`.:q.@.?.
0010: 9C 32 9C F1 E5 23 16 6F   E7 19 46 A4 4D 0E B5 7E  .2...#.o..F.M...
0020: 9F 98 6F DD FE 3B 00 00   2A 00 33 C0 04 00 16 00  ..o..;..*.3.....
0030: 05 C0 03 C0 11 C0 02 C0   07 C0 13 C0 08 C0 0C 00  ................
0040: FF C0 0D C0 0E C0 09 00   2F C0 12 00 04 00 32 00  ......../.....2.
0050: 13 00 0A 01 00 00 7C 00   0A 00 34 00 32 00 17 00  ..........4.2...
0060: 01 00 03 00 13 00 15 00   06 00 07 00 09 00 0A 00  ................
0070: 18 00 0B 00 0C 00 19 00   0D 00 0242, E119,  001,  0F19,  00164,  1081, 3,  0063,  176,  255, .42, .23, .252, .164 }
Session ID:  .{}
..Cipher Suites: [TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods:  { .0 }
........
0080: 11Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
 00Extension ec_point_formats, formats: [uncompressed]
 02Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Extension server_name, server_name: [host_name: postprod1.ratetiger.com]
***
[write] MD5 and SHA1 hashes:  len = 211
0000: 01 00 00 CF 03 03 57 60   E6 3A 9C 5B 20 DF AA F4  ......W`.:.[ ...
0010: 12 F1 A9 A0 0F CC 1C CB   F2 77 01 13 A4 51 03 3F  .........w...Q.?
0020: B0 FF 2A 17 FC A4 00 00   2A 00 33 C0 04 00 16 00  ..*.....*.3.....
0030: 05 C0 03 C0 11 C0 02 C0    0700 C0  131 C02 0 008 0 C04 0C  000 0  .  0.5. .0.0 14 00 08 00 16 00  .......................
.0.0.4.0
0090: : 0BF 00F 0 C02 0 01D 0 C00 0 00E 0 C0D 0 009    1A0 000 1 8  2 06F 0 C03 1 062 0 001 0 05  ................
00A0: 03 05 01 04 03 04 01 03   03 03 01 02 03 02 01 02  ................
00B0: 02 01 01 00 00 00 1C 00   1A 00 00 17 70 6F 73 74  ............post
00C0: 70 72 6F 64 31 2E 72 61   74 65 74 69 67 65 72 2E  prod1.ratetiger.
00D0: 63 6F 6D                                           com
4 00 32 00  ......../.....2.
0050: 13 00 0A 01 00 00 7C 00   0A 00 34 00 32 00 17 00  ..........4.2...
0060: 01 00 03 00 13 00 15 00   06 00 07 00 09 00 0A 00  ................
0070: 18 00 0B 00 0C 00 19 00   0D 00 0E 00 0F 00 10 00  qtp11284997-17, WRITE: TLSv1.2 Handshake, length = 211
.........[Raw write]: length = 216
......0.0
0000: 168 030 0: 113 0 000 D 023 0 010 0 120 00  040 000    05   00C 14F 0 030 0 083 00  165 007   6.0. .E6. .3.A. .7.1. . ..........
.0.0.9.0.: .W`0.:qB
 000 020 011 000 0: D70 4 0D0 00  0  1A8 00  183 06F 03  06F 01F 05  9 C. .3.2. .9.C. .  .F.1. .E.5. .2.3
00A0 : 031 056 0 6F1 E 047 0 193 4 046 01  0 3.@ .  03? 0.3.2 01. 02. 0.#3.o 02. 01. F02
 0 0.2.0.: .A.4. .4.D. .0.E. .B.5. .7E
 9F0 980 6FB 0  D: D02 FE 01  3B01  0000  0000  2A00  001C  3300     1A. M00. 00. 1.7..o .7.;0. .*6.3F
0030 : C07 043 0 740   1.6. .0.0. .0.5. .C.0. .post0
300C0 : 70   C072  6F1 641 3 C0 02 C0 07 C0 13  ................
0040: C0 08 C0 0C 00 FF C0 0D   C0 0E C0 09 00 2F C0 12  ............./..
0050: 00 04 00 32 00 13 00 0A   01 00 00 7C 00 0A 00 34  ...2...........4
0060: 00 32 00 17 00 01 00 03   00 13 00 15 00 06 00 07  .2..............
0070: 00 09 00 0A 00 18 00 0B   00 0C 00 19 00 0D 00 0E  ................
0080: 00 0F 00 10 00 11 00 02   00 12 00 04 00 05 00 14  ...1. .2...........
0090: 00 08 00 16 00 0B 00 02   01 00 00 0D 00 1A 00 18  ................
00A0: 06 03 06 01 05 03 05 01   04 03 04 01 03 03 03 01  ............E 72 61   74 65 74 69 67 65 72 2E  prod1.ratetiger.
00D0: 63 6F 6D                                           com
qtp11284997-18, WRITE: TLSv1.2 Handshake, length = 211
[Raw write]: length = 216
0000: 16 03 03 00 D3 01 00 00   CF 03 03 57 60 E6 3A 9C  ...........W`.:.
0010: 5B 20 DF AA F4 12 F1 A9   A0 0F CC 1C CB F2 77 01  [ ..............
00B0: 02 03 02 01 02 02 01 01   00 00 00 1C 00 1A 00 00  ................
00C0: 17 70 6F 73 74 70 72 6F   64 31 2E 72 61 74 65 74  .postprod1.ratet
00D0: 69 67 65 72 2E 63 6F 6D                            iger.com
..w.
0020: 13 A4 51 03 3F B0 FF 2A   17 FC A4 00 00 2A 00 33  ..Q.?..*.....*.3
0030: C0 04 00 16 00 05 C0 03   C0 11 C0 02 C0 07 C0 13  ................
0040: C0 08 C0 0C 00 FF C0 0D   C0 0E C0 09 00 2F C0 12  ............./..
0050: 00 04 00 32 00 13 00 0A   01 00 00 7C 00 0A 00 34  ...2...........4
0060: 00 32 00 17 00 01 00 03   00 13 00 15 00 06 00 07  .2..............
0070: 00 09 00 0A 00 18 00 0B   00 0C 00 19 00 0D 00 0E  ................
0080: 00 0F 00 10 00 11 00 02   00 12 00 04 00 05 00 14  ................
0090: 00 08 00 16 00 0B 00 02   01 00 00 0D 00 1A 00 18  ................
00A0: 06 03 06 01 05 03 05 01   04 03 04 01 03 03 03 01  ................
00B0: 02 03 02 01 02 02 01 01   00 00 00 1C 00 1A 00 00  ................
00C0: 17 70 6F 73 74 70 72 6F   64 31 2E 72 61 74 65 74  .postprod1.ratet
00D0: 69 67 65 72 2E 63 6F 6D                            iger.com
[Raw read]: length = 5
0000: 15 03 03 00 02                                     .....
[Raw read]: length = 2
[Raw read]: length = 5
0000: 02000 280 : 15       03 03       00    02                                                            .(   
    ..qtp11284997-17, READ: TLSv1.2 Alert, length = 2
..qtp11284997-17, RECV TLSv1 ALERT:  fatal, handshake_failure
.
[Raw read]: length = 2
0000: 02 28qtp11284997-17, called closeSocket()
                           qtp11284997-17, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
                   qtp11284997-17, called close()
.(qtp11284997-17, called closeInternal(true)

qtp11284997-18, READ: TLSv1.2 Alert, length = 2
qtp11284997-18, RECV TLSv1 ALERT:  fatal, handshake_failure
2016-06-15 10:53:06,722 WARN  [ride.intermediate.connect.ratetiger.ConnectRateTiger] -- Exception in InputStream Close--java.lang.NullPointerException
qtp11284997-17, called close()
qtp11284997-17, called closeInternal(true)
qtp11284997-18, called closeSocket()
qtp11284997-18, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
qtp11284997-18, called close()
qtp11284997-18, called closeInternal(true)
  • E Do
    E Do almost 8 years
    Thanks, but I'm looking for an answer which can be applicable in a jboss or jetty servers. Not in any IDE.
  • E Do
    E Do almost 8 years
    This is helpful. Thank you
  • AbD_Riz
    AbD_Riz about 6 years
    This is probably the only post I found in the internet that says, since 1.7.0_131-b31, TLSv1.2 is enabled by default. Thanks a ton !!!
  • рüффп
    рüффп about 6 years
    People have to notice this update is provided by Oracle only with a Business contract, usual users can only download the version jdk/jre 7u80 which does not contains this settings by default. For me as well upgrading to update 171 (the latest one) did the trick without changing our code. Alternatively I was able to upgrade my CentOs JDK version using the OpenJdk version which is free to download.
  • dave_thompson_085
    dave_thompson_085 almost 6 years
    This was wrong. The SSLLabs list is for the default settings, with TLS1.2 disabled; when you enable 1.2, Java 7 does support the AES_128_CBC_SHA256 suite in your list, and also the AES_256_CBC_SHA384 suite if you add the 'unlimited strength policy' (also not default). These suites are implemented, but cannot be negotiated in 1.0, because SHA-2 HMACs are defined only for 1.2. OTOH the two GCM suites also require 1.2 but were not implemented in Java 7 even when 1.2 is enabled, at least in the free releases; the after-EOL paid versions may have added it. ...
  • dave_thompson_085
    dave_thompson_085 almost 6 years
    ... However the server seems to have changed since 2016; it now accepts protocols down to 1.0 and several weaker ciphers -- and not AES-256 at all! -- making it impractical to figure out now what the problem actually was.
  • HarsH
    HarsH over 4 years
    This is THE solution, wonder why it has so less votes. @Joby, you have provided the information which couldnt be found anywhere else. Thank you so very much!!!

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Unsupported major.minor version 52.0 - while using a lower version to compile. How is it still going bad?
RestTemplate SocketException: Connection Reset using Java 7 but not Java 8
Where is the java.security file located on Windows?
Creating distinct list from existing list in Java 7 and 8?
intellij feature (...) not supported at this language level. I can't compile
Properly installing java 8 along with java 7
What is the difference between PermGen and Metaspace?
How to set IntelliJ IDEA Project SDK
Is "Java Concurrency In Practice" still valid?
IntelliJ compile for Java 7 JRE using Java 8 SDK