TLS 1.2 was supported in Java 8 but not in Java 7
Solution 1
If you test the URL with SSLLabs, the website allow 4 ciphers :
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
But if you read ciphers list for Java 7, no cipher is not supported (can be seen in the debug message also). Even by enabling TLS 1.2 for Java 7, I think it doesn't find any valid ciphers. The site had to change its configuration.
Solution 2
Without upgrading to Java 8, you can upgrade your Java 7 version to 1.7.0_131-b31
For JRE 1.7.0_131-b31 in Oracle site :
TLSv1.2 and TLSv1.1 are now enabled by default on the TLS client end-points. This is similar behavior to what already happens in JDK 8 releases.
E Do
Familiar with java eclipse sql xml json maven wso2-esb javascript
Updated on July 09, 2022Comments
-
E Do almost 2 years
When I tried to connect a URL (one of vendors URL which supports TLS 1.2 and worked fine previously with Java 7) by using Java 7, I found bellow Exception:
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at sun.security.ssl.Alerts.getSSLException(Alerts.java:154) at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1943) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1059) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1294) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1321) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1305) at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:523) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1087) at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
So that I have enabled
-Dhttps.protocols=TLSv1.2
,-Djavax.net.ssl.trustStore=<keystoreFilePath>
and-Djavax.net.ssl.trustStorePassword=<password>
After that also I got the same issue. Then I have upgrade the Java version to 8 so it could connect to the URL without any SSL issue.
As per this blog, in Java 8, TLS 1.2 is default and TLS 1.2 can be tuned with the property
-Dhttps.protocols
in Java 7. In Java 7, I could be able to access a URL without a problem if I enable above properties through my past experiences.But for the URL, I am requested to upgrade the Java version. What can be vendor side changes caused for the Exception mentioned above in Java 7? And without upgrading Java 8, can't I access the URL?
When try with
-Djavax.net.debug=all
I got below logIgnoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 Allow unsafe renegotiation: false Allow legacy hello messages: true Is initial handshake: true Is secure renegotiation: false Allow unsafe renegotiation: false Allow legacy hello messages: true Is initial handshake: true Is secure renegotiation: false qtp11284997-17, setSoTimeout(0) called qtp11284997-18, setSoTimeout(0) called %% No cached client session %% No cached client session *** ClientHello, TLSv1.2 RandomCookie: *** ClientHello, TLSv1.2 RandomCookie: GMT: 1465902650 bytes = { GMT: 1465902650 bytes = { 113156, , 91, 215, 64, 8, 63, 32, 255, 223, 156, 170, 50, 244, 156, 18, 241, 241, 229, 169, 35, 160, 22, 15, 111, 204, 231, 28, 25, 203, 70, 164, 77, 14, 181, 126, 159, 152, 111, 221, 254, 59 } Session ID: {} Cipher Suites: [TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA] Compression Methods: { 0 } Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1} Extension ec_point_formats, formats: [uncompressed] Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA Extension server_name, server_name: [host_name: postprod1.ratetiger.com] *** [write] MD5 and SHA1 hashes: len = 211 0000: 01 00 00 CF 03 03 57 60 E6 3A 71 D7 40 08 3F FF ......W`.:q.@.?. 0010: 9C 32 9C F1 E5 23 16 6F E7 19 46 A4 4D 0E B5 7E .2...#.o..F.M... 0020: 9F 98 6F DD FE 3B 00 00 2A 00 33 C0 04 00 16 00 ..o..;..*.3..... 0030: 05 C0 03 C0 11 C0 02 C0 07 C0 13 C0 08 C0 0C 00 ................ 0040: FF C0 0D C0 0E C0 09 00 2F C0 12 00 04 00 32 00 ......../.....2. 0050: 13 00 0A 01 00 00 7C 00 0A 00 34 00 32 00 17 00 ..........4.2... 0060: 01 00 03 00 13 00 15 00 06 00 07 00 09 00 0A 00 ................ 0070: 18 00 0B 00 0C 00 19 00 0D 00 0242, E119, 001, 0F19, 00164, 1081, 3, 0063, 176, 255, .42, .23, .252, .164 } Session ID: .{} ..Cipher Suites: [TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA] Compression Methods: { .0 } ........ 0080: 11Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1} 00Extension ec_point_formats, formats: [uncompressed] 02Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA Extension server_name, server_name: [host_name: postprod1.ratetiger.com] *** [write] MD5 and SHA1 hashes: len = 211 0000: 01 00 00 CF 03 03 57 60 E6 3A 9C 5B 20 DF AA F4 ......W`.:.[ ... 0010: 12 F1 A9 A0 0F CC 1C CB F2 77 01 13 A4 51 03 3F .........w...Q.? 0020: B0 FF 2A 17 FC A4 00 00 2A 00 33 C0 04 00 16 00 ..*.....*.3..... 0030: 05 C0 03 C0 11 C0 02 C0 0700 C0 131 C02 0 008 0 C04 0C 000 0 . 0.5. .0.0 14 00 08 00 16 00 ....................... .0.0.4.0 0090: : 0BF 00F 0 C02 0 01D 0 C00 0 00E 0 C0D 0 009 1A0 000 1 8 2 06F 0 C03 1 062 0 001 0 05 ................ 00A0: 03 05 01 04 03 04 01 03 03 03 01 02 03 02 01 02 ................ 00B0: 02 01 01 00 00 00 1C 00 1A 00 00 17 70 6F 73 74 ............post 00C0: 70 72 6F 64 31 2E 72 61 74 65 74 69 67 65 72 2E prod1.ratetiger. 00D0: 63 6F 6D com 4 00 32 00 ......../.....2. 0050: 13 00 0A 01 00 00 7C 00 0A 00 34 00 32 00 17 00 ..........4.2... 0060: 01 00 03 00 13 00 15 00 06 00 07 00 09 00 0A 00 ................ 0070: 18 00 0B 00 0C 00 19 00 0D 00 0E 00 0F 00 10 00 qtp11284997-17, WRITE: TLSv1.2 Handshake, length = 211 .........[Raw write]: length = 216 ......0.0 0000: 168 030 0: 113 0 000 D 023 0 010 0 120 00 040 000 05 00C 14F 0 030 0 083 00 165 007 6.0. .E6. .3.A. .7.1. . .......... .0.0.9.0.: .W`0.:qB 000 020 011 000 0: D70 4 0D0 00 0 1A8 00 183 06F 03 06F 01F 05 9 C. .3.2. .9.C. . .F.1. .E.5. .2.3 00A0 : 031 056 0 6F1 E 047 0 193 4 046 01 0 3.@ . 03? 0.3.2 01. 02. 0.#3.o 02. 01. F02 0 0.2.0.: .A.4. .4.D. .0.E. .B.5. .7E 9F0 980 6FB 0 D: D02 FE 01 3B01 0000 0000 2A00 001C 3300 1A. M00. 00. 1.7..o .7.;0. .*6.3F 0030 : C07 043 0 740 1.6. .0.0. .0.5. .C.0. .post0 300C0 : 70 C072 6F1 641 3 C0 02 C0 07 C0 13 ................ 0040: C0 08 C0 0C 00 FF C0 0D C0 0E C0 09 00 2F C0 12 ............./.. 0050: 00 04 00 32 00 13 00 0A 01 00 00 7C 00 0A 00 34 ...2...........4 0060: 00 32 00 17 00 01 00 03 00 13 00 15 00 06 00 07 .2.............. 0070: 00 09 00 0A 00 18 00 0B 00 0C 00 19 00 0D 00 0E ................ 0080: 00 0F 00 10 00 11 00 02 00 12 00 04 00 05 00 14 ...1. .2........... 0090: 00 08 00 16 00 0B 00 02 01 00 00 0D 00 1A 00 18 ................ 00A0: 06 03 06 01 05 03 05 01 04 03 04 01 03 03 03 01 ............E 72 61 74 65 74 69 67 65 72 2E prod1.ratetiger. 00D0: 63 6F 6D com qtp11284997-18, WRITE: TLSv1.2 Handshake, length = 211 [Raw write]: length = 216 0000: 16 03 03 00 D3 01 00 00 CF 03 03 57 60 E6 3A 9C ...........W`.:. 0010: 5B 20 DF AA F4 12 F1 A9 A0 0F CC 1C CB F2 77 01 [ .............. 00B0: 02 03 02 01 02 02 01 01 00 00 00 1C 00 1A 00 00 ................ 00C0: 17 70 6F 73 74 70 72 6F 64 31 2E 72 61 74 65 74 .postprod1.ratet 00D0: 69 67 65 72 2E 63 6F 6D iger.com ..w. 0020: 13 A4 51 03 3F B0 FF 2A 17 FC A4 00 00 2A 00 33 ..Q.?..*.....*.3 0030: C0 04 00 16 00 05 C0 03 C0 11 C0 02 C0 07 C0 13 ................ 0040: C0 08 C0 0C 00 FF C0 0D C0 0E C0 09 00 2F C0 12 ............./.. 0050: 00 04 00 32 00 13 00 0A 01 00 00 7C 00 0A 00 34 ...2...........4 0060: 00 32 00 17 00 01 00 03 00 13 00 15 00 06 00 07 .2.............. 0070: 00 09 00 0A 00 18 00 0B 00 0C 00 19 00 0D 00 0E ................ 0080: 00 0F 00 10 00 11 00 02 00 12 00 04 00 05 00 14 ................ 0090: 00 08 00 16 00 0B 00 02 01 00 00 0D 00 1A 00 18 ................ 00A0: 06 03 06 01 05 03 05 01 04 03 04 01 03 03 03 01 ................ 00B0: 02 03 02 01 02 02 01 01 00 00 00 1C 00 1A 00 00 ................ 00C0: 17 70 6F 73 74 70 72 6F 64 31 2E 72 61 74 65 74 .postprod1.ratet 00D0: 69 67 65 72 2E 63 6F 6D iger.com [Raw read]: length = 5 0000: 15 03 03 00 02 ..... [Raw read]: length = 2 [Raw read]: length = 5 0000: 02000 280 : 15 03 03 00 02 .( ..qtp11284997-17, READ: TLSv1.2 Alert, length = 2 ..qtp11284997-17, RECV TLSv1 ALERT: fatal, handshake_failure . [Raw read]: length = 2 0000: 02 28qtp11284997-17, called closeSocket() qtp11284997-17, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure qtp11284997-17, called close() .(qtp11284997-17, called closeInternal(true) qtp11284997-18, READ: TLSv1.2 Alert, length = 2 qtp11284997-18, RECV TLSv1 ALERT: fatal, handshake_failure 2016-06-15 10:53:06,722 WARN [ride.intermediate.connect.ratetiger.ConnectRateTiger] -- Exception in InputStream Close--java.lang.NullPointerException qtp11284997-17, called close() qtp11284997-17, called closeInternal(true) qtp11284997-18, called closeSocket() qtp11284997-18, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure qtp11284997-18, called close() qtp11284997-18, called closeInternal(true)
-
E Do almost 8 yearsThanks, but I'm looking for an answer which can be applicable in a jboss or jetty servers. Not in any IDE.
-
E Do almost 8 yearsThis is helpful. Thank you
-
AbD_Riz about 6 yearsThis is probably the only post I found in the internet that says, since 1.7.0_131-b31, TLSv1.2 is enabled by default. Thanks a ton !!!
-
рüффп about 6 yearsPeople have to notice this update is provided by Oracle only with a Business contract, usual users can only download the version jdk/jre 7u80 which does not contains this settings by default. For me as well upgrading to update 171 (the latest one) did the trick without changing our code. Alternatively I was able to upgrade my CentOs JDK version using the OpenJdk version which is free to download.
-
dave_thompson_085 almost 6 yearsThis was wrong. The SSLLabs list is for the default settings, with TLS1.2 disabled; when you enable 1.2, Java 7 does support the AES_128_CBC_SHA256 suite in your list, and also the AES_256_CBC_SHA384 suite if you add the 'unlimited strength policy' (also not default). These suites are implemented, but cannot be negotiated in 1.0, because SHA-2 HMACs are defined only for 1.2. OTOH the two GCM suites also require 1.2 but were not implemented in Java 7 even when 1.2 is enabled, at least in the free releases; the after-EOL paid versions may have added it. ...
-
dave_thompson_085 almost 6 years... However the server seems to have changed since 2016; it now accepts protocols down to 1.0 and several weaker ciphers -- and not AES-256 at all! -- making it impractical to figure out now what the problem actually was.
-
HarsH over 4 yearsThis is THE solution, wonder why it has so less votes. @Joby, you have provided the information which couldnt be found anywhere else. Thank you so very much!!!