Getting SSL Handshake Error

WP v.2 Oct 14 2015 — edited Oct 15 2015

Hi all,

I'm invoking a RESTful webservice using JAX-RS and getting javax.net.ssl.SSLException: Received fatal alert: handshake_failure. I don't suspect it's the result of not having the server's certificate in the truststore because I imported it and I even tried supplying a TrustManager that will accept all certificates.

Here is the code with the custom TrustManager:

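import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.client.WebTarget;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

public class ElasticSearchService {
    private Client client;
    private WebTarget target;

    public ElasticSearchService() {
       // Trust manager that accepts every certificate chain without checking it
       final TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {
          @Override
          public void checkClientTrusted( final X509Certificate[] chain, final String authType ) {
          }

          @Override
          public void checkServerTrusted( final X509Certificate[] chain, final String authType ) {
          }

          @Override
          public X509Certificate[] getAcceptedIssuers() {
            // The X509TrustManager contract requires a non-null (possibly empty) array
            return new X509Certificate[0];
          }
        } };

       // SSL context backed by the trust-all manager above
       final SSLContext sslContext;
       try {
          sslContext = SSLContext.getInstance("SSL");
          sslContext.init(null, trustAllCerts, new java.security.SecureRandom());
       } catch(Exception e) {
          e.printStackTrace();
          throw new RuntimeException(e);
       }

       // JAX-RS client that uses the custom SSL context
       ClientBuilder clientBuilder = ClientBuilder.newBuilder();
       clientBuilder.sslContext(sslContext);
       client = clientBuilder.build();
       target = client.target("https://XXX");
    }

    public Response search(String searchString, int from, int size)  {
       // Note: the from and size arguments are not used; the values are hard-coded
       return target.queryParam("q", searchString)
          .queryParam("from", 0)
          .queryParam("size", 1)
          .request(MediaType.APPLICATION_JSON)
          .header("Authorization", "Basic XXX")
          .get(Response.class);
    }
}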

This is part of the output running with -Djavax.net.debug=ssl:handshake:verbose:

*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1444790742 bytes = { 7, 96, 176, 12, 171, 160, 80, 103, 151, 75, 119, 185, 200, 5, 79, 251, 127, 253, 120, 118, 127, 30, 104, 243, 206, 146, 167, 212 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
***
[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)', WRITE: TLSv1.2 Handshake, length = 193
[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)', WRITE: SSLv2 client hello message, length = 143
[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)', READ: TLSv1.2 Alert, length = 2
[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)', RECV TLSv1 ALERT:  fatal, handshake_failure
[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)', fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Received fatal alert: handshake_failure
[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)', fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Received fatal alert: handshake_failure
[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)', called closeOutbound()
[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)', closeOutboundInternal()
[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)', SEND TLSv1 ALERT:  warning, description = close_notify
[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)', WRITE: TLSv1 Alert, length = 2

I'm wondering why there's a WRITE and READ using TLSv1.2 but it looks like the error occurs during RECV TLSv1.

Caused by: javax.net.ssl.SSLException: Received fatal alert: handshake_failure
  at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
  at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1619)
  at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1587)
  at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1756)
  at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1060)
  at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:884)
  at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:758)
  at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:664)
  at weblogic.security.SSL.jsseadapter.JaSSLEngine$5.run(JaSSLEngine.java:134)
  at weblogic.security.SSL.jsseadapter.JaSSLEngine.doAction(JaSSLEngine.java:734)
  at weblogic.security.SSL.jsseadapter.JaSSLEngine.unwrap(JaSSLEngine.java:132)
  at weblogic.socket.JSSEFilterImpl.unwrap(JSSEFilterImpl.java:603)
  at weblogic.socket.JSSEFilterImpl.unwrapAndHandleResults(JSSEFilterImpl.java:507)
  at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:96)
  at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:75)
  at weblogic.socket.JSSESocket.startHandshake(JSSESocket.java:219)
  at weblogic.net.http.HttpsClient.New(HttpsClient.java:563)
  at weblogic.net.http.HttpsClient.New(HttpsClient.java:534)
  at weblogic.net.http.HttpsURLConnection.connect(HttpsURLConnection.java:248)
  at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:636)
  at weblogic.net.http.SOAPHttpsURLConnection.getInputStream(SOAPHttpsURLConnection.java:37)
  at weblogic.net.http.HttpURLConnection.getResponseCode(HttpURLConnection.java:1444)
  at org.glassfish.jersey.client.HttpUrlConnector._apply(HttpUrlConnector.java:276)
  at org.glassfish.jersey.client.HttpUrlConnector.apply(HttpUrlConnector.java:182)
  ... 119 more

I'm using JDeveloper 12.1.3

Thanks,

Bill
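
Added diagnostic, not part of the original post: in the debug output above the fatal alert is read directly after the ClientHello is written, before any server certificate is received, so the TrustManager is never consulted and what the client offered is the thing to inspect. The class below (hypothetical name `ClientHelloOfferReport`) prints the protocols and cipher suites the JVM's default SSLContext would offer; it assumes it is run on the same JVM and security policy files as the failing client.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

/** Added example (hypothetical class name): reports what this JVM can offer in a ClientHello. */
public class ClientHelloOfferReport {

    /** Returns the suites whose name contains the marker, e.g. "_GCM_" or "AES_256". */
    static List<String> matching(String[] suites, String marker) {
        List<String> hits = new ArrayList<>();
        for (String s : suites) {
            if (s.contains(marker)) {
                hits.add(s);
            }
        }
        return hits;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Default context: what a client offers when nothing narrows the defaults.
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters enabled = ctx.getDefaultSSLParameters();
        SSLParameters supported = ctx.getSupportedSSLParameters();

        System.out.println("java.version        : " + System.getProperty("java.version"));
        System.out.println("enabled protocols   : " + Arrays.toString(enabled.getProtocols()));
        System.out.println("supported protocols : " + Arrays.toString(supported.getProtocols()));
        // Integer.MAX_VALUE = unlimited-strength policy; 128 = AES-256 suites cannot be offered.
        System.out.println("max AES key bits    : " + Cipher.getMaxAllowedKeyLength("AES"));

        String[] suites = enabled.getCipherSuites();
        System.out.println("enabled suites      : " + suites.length);
        System.out.println("  AES-256 suites    : " + matching(suites, "AES_256"));
        System.out.println("  GCM suites        : " + matching(suites, "_GCM_"));
        System.out.println("  RC4 + 3DES suites : "
                + (matching(suites, "_RC4_").size() + matching(suites, "_3DES_").size()));

        // Supported but not enabled: switched off by defaults or by jdk.tls.disabledAlgorithms.
        List<String> off = new ArrayList<>(Arrays.asList(supported.getCipherSuites()));
        off.removeAll(Arrays.asList(suites));
        System.out.println("supported, disabled : " + off);
    }
}
```

Comparing this report with the protocols and suites the server is configured to accept shows whether the two sides have anything in common.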

Locked on Nov 12 2015
Added on Oct 14 2015