Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Why do I get a handshake failure (Java SSL)

I'm connecting to a web service over HTTPS. I've done all that I think is required to make it work, but in the end I get a handshake failure.

I found out that as a new user I can't post more than 2 links due to "spam protection" - thanx a lot stackoverflow...anyway here's a link to a pastebin post with all the links spelled out...so when I write "link#1" here it's a reference to these links: http://pastebin.com/y4zGNRC7

  • I verified the same behavior using HttpClient (GET on the service URL) and actually calling the web service via a CXF proxy
  • I'm setting both the keystore and truststore - I tried both the "in code" way ( link#1 ) and setting the system properties - i.e. System.setProperty("javax.net.ssl.keyStore", "mykeystore.jks");
  • SSL debug is on ( javax.net.debug=all )
  • SSL debug blurts out the contents of both keystore and truststore (i.e. looks like java "knows about them") - link#2
  • seems like there's some client-server communication going on, but then it crashes for some reason link#3
  • I successfully connected to the server using the client and CA certificates both in a browser (Chrome) and using openssl s_client
  • wireshark shows less client-server talk from java ( link#4 ) then for example from Chrome ( link#5 )

Another strange thing is, that I seem to be getting the same behavior when I set the keystore and when I don't (the only difference is that when I do the keystore contents get printed in the console, but that's it).

I tried googling the problem and I saw numerous similar posts here on stackoverflow, but nothing helped. I tried changing the protocol version ("TLSv1", "SSLv3", even the weird v2 Hello). Any help would be appreciated - maybe there's some fundamental thing I might have overlooked...I'm getting desperate here... Thanx

PS I'm running java 1.6 update 30 on Fedora Core 15 (64bit)

like image 691
Jakub Hlavatý Avatar asked Feb 12 '12 13:02

Jakub Hlavatý


People also ask

What causes SSL handshake failure?

The SSL Handshake Error occurs if the read access has not been granted to the OS, thus preventing the web server from completing authentication. It indicates that the browser's connection to the web server isn't secure.

What happens if SSL handshake fails?

A TLS/SSL handshake failure occurs when a client and server cannot establish communication using the TLS/SSL protocol. When this error occurs in Apigee Edge, the client application receives an HTTP status 503 with the message Service Unavailable.

How do I fix TLS handshake failure?

The fastest way to fix this SSL/TLS handshake error-causing issue is just to reset your browser to the default settings and disable all your plugins. From there, you can configure the browser however you want, testing your connection with the site in question as you tweak things.


1 Answers

The problem was that even though the keystore and truststore was set, java decided not to send the client certificate to the server. The reason for this was the fact, that the server requested a certificate signed by the RootCA authority, but the client certificate is signed by a SubCA authority (which is issued by the RootCA).

Originally the keystore only contained the client cert and the truststore the SubCA cert. I then tried to add the SubCA cert to the keystore too, but java just ignored it.

So this solves the hanshake failure mystery, but not my problem.

I created a separate question for that...sigh :-( why doesn't java send the client certificate during SSL handshake?

like image 54
Jakub Hlavatý Avatar answered Oct 22 '22 17:10

Jakub Hlavatý