My Java program sends requests by java.net.http.HttpClient (Java 11).
It works when I am running it in Eclipse on OpenJDK 11's JRE.
On a custom jlinked JRE, I get an error:
java.io.IOException: Received fatal alert: handshake_failure
I suppose the problem is with my custom JRE.
TL;DR jlink without jdk.crypto.ec cannot talk to a server that has an elliptic curve certificate. You get a handshake_failure error when trying to talk to a server running with this.
When you build a deployable JRE, if you do not include the jdk.crypto.ec module, then it will be unable to talk to servers that only have an elliptic curve certificate. I mocked up one using:
out_dom=localhost
subj="/C=IE/CN=localhost"
openssl ecparam -name secp384r1 -genkey \
    -out $out_dom.key
openssl req -new \
    -subj "$subj" \
    -key $out_dom.key \
    -out $out_dom.csr
openssl req -x509 -nodes \
    -days 365 \
    -key $out_dom.key \
    -in $out_dom.csr \
    -out $out_dom.crt
When I talk to this server with the standard JRE, I get the error about PKIX path building failed - i.e. the cert isn't in the cacerts file.
When I created a jlink JRE using:
jlink --module-path . --add-modules java.base --output jlinked
and ran jlinked/bin/java with a test TLS app, I got the error: Received fatal alert: handshake_failure, which is the same as the OP's problem.
When I added:
jlink --module-path . \
    --add-modules java.base \
    --add-modules jdk.crypto.ec \
    --output jlinked
and re-ran, I experienced the PKIX path building failed error, which indicates that it's working properly.
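
A way to check a jlinked runtime for the gap described in the answer above before shipping it. This is an added example, not code from the original question or answer; the class name EcCheck and the list of probed algorithms are assumptions chosen for illustration.

```java
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import javax.crypto.KeyAgreement;

// Added diagnostic (not from the original post): reports whether the running
// JRE can perform the EC operations a TLS handshake with an EC certificate needs.
public class EcCheck {

    // Functional interface so each JCA lookup can be probed uniformly.
    interface Lookup { void run() throws NoSuchAlgorithmException; }

    static boolean available(String label, Lookup lookup) {
        try {
            lookup.run();
            System.out.println("  OK       " + label);
            return true;
        } catch (NoSuchAlgorithmException e) {
            System.out.println("  MISSING  " + label);
            return false;
        }
    }

    public static void main(String[] args) {
        // Is the module the answer names part of this runtime image?
        boolean module = ModuleLayer.boot().findModule("jdk.crypto.ec").isPresent();
        System.out.println("jdk.crypto.ec in boot layer: " + module);

        // Which security providers did the runtime actually register?
        for (Provider p : Security.getProviders()) {
            System.out.println("provider: " + p.getName());
        }

        // Probe the EC algorithms used for key exchange and certificate signatures.
        boolean ok = available("KeyPairGenerator EC", () -> KeyPairGenerator.getInstance("EC"));
        ok &= available("KeyAgreement ECDH", () -> KeyAgreement.getInstance("ECDH"));
        ok &= available("Signature SHA256withECDSA", () -> Signature.getInstance("SHA256withECDSA"));
        ok &= available("Signature SHA384withECDSA", () -> Signature.getInstance("SHA384withECDSA"));

        // Non-zero exit lets a build pipeline fail before the image ships.
        if (!ok) {
            System.out.println("EC support incomplete: add jdk.crypto.ec to the jlink --add-modules list");
            System.exit(1);
        }
        System.out.println("EC support present");
    }
}
```

Compile it with the full JDK (javac EcCheck.java), then run the class with the custom runtime (jlinked/bin/java EcCheck), since a java.base-only image has no compiler.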