SSL handshake_failure using jersey-apache-client-1.18

Question

I am using jersey-apache-client for a ssl connection.I am getting the handshake error at the time of verifying the connection. Below is the handshake error.

WRITE: TLSv1 Change Cipher Spec, length = 1
Finished
verify_data:  { 165, 117, 49, 237, 116, 71, 111, 175, 161, 237, 45, 30 }
WRITE: TLSv1 Handshake, length = 48
READ: TLSv1 Alert, length = 2
RECV TLSv1 ALERT:  fatal, handshake_failure
%% Invalidated:  [Session-1, TLS_DHE_RSA_WITH_AES_128_CBC_SHA]

The code works fine if I use jersey-client-1.13 and I do not get a handshake error.

SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(keyManagerFactory.getKeyManagers(), tmf.getTrustManagers(), null);
final ClientConfig config = new DefaultClientConfig();
config.getProperties().put(HTTPSProperties.PROPERTY_HTTPS_PROPERTIES, new HTTPSProperties(null, ctx));
Client create = Client.create(config);    
create.resource(targetUrl).post();

Since jersey-client.1.13 does not support proxy, I've used jersey-apache-client.1.18 . In the below code I've used DefaultApacheHttpClientConfig , added proxy support,created client using ApacheHttpClient .

SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(keyManagerFactory.getKeyManagers(), tmf.getTrustManagers(), null);
final DefaultApacheHttpClientConfig apacheConfig = new DefaultApacheHttpClientConfig();
final Map<String, Object> properties = apacheConfig.getProperties();
properties.put(DefaultApacheHttpClientConfig.PROPERTY_PROXY_URI, "http://" + proxyHost + ":" + proxyPort);
properties.put(HTTPSProperties.PROPERTY_HTTPS_PROPERTIES, new HTTPSProperties(null,ctx));   
apacheConfig.getState().setProxyCredentials(AuthScope.ANY_REALM, proxyHost,   Integer.parseInt(proxyPort),proxyUser, proxyPassword);
Client create = ApacheHttpClient.create(apacheConfig);
create.resource(targetUrl).post();

I could not find a solution. The certificates are all fine in both the cases.

Note : I have also tried the jersey apache client without proxy, still the error exists.

Do anyone find what went wrong? Thanks in advance.

Answer 1

The cause was the SSL socket factory was being configured for Jersey, however you are using the Jersey Apache connector, so the SSL socket factory should be configured directly on the Apache HttpClient. For later versions of Jersey (2.x) this might get done for you, but for the Apache connector and Jersey 1.x you need to configure this. Something like this:

Protocol apacheProtocol = new Protocol("https", socketFactory, 443);
HostConfiguration hostConfig = new HostConfiguration();
hostConfig.setHost("your.hostname.org", 443, apacheProtocol);
HttpClient httpClient = new HttpClient();
httpClient.setHostConfiguration(hostConfig);
ApacheHttpClientHandler handler = new ApacheHttpClientHandler(httpClient);
Client client = new ApacheHttpClient(handler);

Another catch here is if you use an absolute URI on the Jersey WebResource (set hostname and port) the HostConfiguration with your custom SSLSocketFactory will get overridden - and the HttpClient will default to using the JVM's CA certs (true for Apache Client 3.1 at least).

If this was working for you before, you may have been using a certificate trusted by the JVMs cacerts. Actually an option here is to manually add the certificate you are using to the JVMs cacerts file using the command line keytool (though for some apps this may not be an acceptable solution).

Answer 2

Basicly this problem is due to the mismatch cipher between your local JAVA and the https site. You may need to install JCE extension for you JVM.

Use https://www.ssllabs.com/ to check if your REST API supports java, check this image example

If it shows like this, you can download the files from http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html . Once done, replace the two JARs (local_policy.jar, US_export_policy.jar) under your JRE's lib/security directory with the ones from the downloaded package.

If not, please provide more detail information so we can check in detail.

Check the solution here i just tired How to debug the ssl connection error , it works for me and save my day!