Java 8, TSL v1 and javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

Question

When i try connect a Java 8 app to a webservice i get SSLHandshakeException.

www.ssllabs.com say me TLSv1.1 and TSLv1.2 is not supported by the webservice.

So i execute SSLPoke with:

java -Djavax.net.debug=all -Djdk.tls.client.protocols="TLSv1" -Dhttps.protocol="TLSv1"  SSLPoke ws.seur.com 443

and i get:

*** ClientHello, TLSv1
RandomCookie:  GMT: 1450188882 bytes = { 215, 201, 145, 239, 52, 121, 175, 184, 120, 99, 193, 227, 113, 25, 222, 207, 145, 219, 37, 4, 82, 26, 128, 21, 217, 243, 4, 139 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension server_name, server_name: [type=host_name (0), value=ws.seur.com]
***
[write] MD5 and SHA1 hashes:  len = 171
0000: 01 00 00 A7 03 01 56 70   20 52 D7 C9 91 EF 34 79  ......Vp R....4y
0010: AF B8 78 63 C1 E3 71 19   DE CF 91 DB 25 04 52 1A  ..xc..q.....%.R.
0020: 80 15 D9 F3 04 8B 00 00   2C C0 0A C0 14 00 35 C0  ........,.....5.
0030: 05 C0 0F 00 39 00 38 C0   09 C0 13 00 2F C0 04 C0  ....9.8...../...
0040: 0E 00 33 00 32 C0 08 C0   12 00 0A C0 03 C0 0D 00  ..3.2...........
0050: 16 00 13 00 FF 01 00 00   52 00 0A 00 34 00 32 00  ........R...4.2.
0060: 17 00 01 00 03 00 13 00   15 00 06 00 07 00 09 00  ................
0070: 0A 00 18 00 0B 00 0C 00   19 00 0D 00 0E 00 0F 00  ................
0080: 10 00 11 00 02 00 12 00   04 00 05 00 14 00 08 00  ................
0090: 16 00 0B 00 02 01 00 00   00 00 10 00 0E 00 00 0B  ................
00A0: 77 73 2E 73 65 75 72 2E   63 6F 6D                 ws.seur.com
main, WRITE: TLSv1 Handshake, length = 171
[Raw write]: length = 176
0000: 16 03 01 00 AB 01 00 00   A7 03 01 56 70 20 52 D7  ...........Vp R.
0010: C9 91 EF 34 79 AF B8 78   63 C1 E3 71 19 DE CF 91  ...4y..xc..q....
0020: DB 25 04 52 1A 80 15 D9   F3 04 8B 00 00 2C C0 0A  .%.R.........,..
0030: C0 14 00 35 C0 05 C0 0F   00 39 00 38 C0 09 C0 13  ...5.....9.8....
0040: 00 2F C0 04 C0 0E 00 33   00 32 C0 08 C0 12 00 0A  ./.....3.2......
0050: C0 03 C0 0D 00 16 00 13   00 FF 01 00 00 52 00 0A  .............R..
0060: 00 34 00 32 00 17 00 01   00 03 00 13 00 15 00 06  .4.2............
0070: 00 07 00 09 00 0A 00 18   00 0B 00 0C 00 19 00 0D  ................
0080: 00 0E 00 0F 00 10 00 11   00 02 00 12 00 04 00 05  ................
0090: 00 14 00 08 00 16 00 0B   00 02 01 00 00 00 00 10  ................
00A0: 00 0E 00 00 0B 77 73 2E   73 65 75 72 2E 63 6F 6D  .....ws.seur.com
[Raw read]: length = 5
0000: 15 03 01 00 02                                     .....
[Raw read]: length = 2
0000: 02 28                                              .(
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1.2 ALERT:  fatal, handshake_failure
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:138)
at SSLPoke.main(SSLPoke.java:31)

Why do i get RECV TLSv1.2 ALERT: fatal, handshake_failure if i force TLSv1?

On Java 7 it works fine but Java 8 doesn't work.

Answer 1

As indicated by user1516873's answer , there are no common cipher suites supported by the client (Java 8u51 or later) and the server ( ws.seur.com ). Java 8 Update 51 removed support for RC4 ciphers by default in the client as RC4 is considered weak and compromised.

Area: security-libs/javax.net.ssl Synopsis: Prohibit RC4 cipher suites

RC4 is now considered as a compromised cipher. RC4 cipher suites have been removed from both client and server default enabled cipher suite list in Oracle JSSE implementation. These cipher suites can still be enabled by SSLEngine.setEnabledCipherSuites() and SSLSocket.setEnabledCipherSuites() methods.

See JDK-8077109 (not public).

While the best course of action would be to contact the WebService provider and have them bring their TLS configuration up to date, the workaround of enabling RC4 in the client is described in the release note. Do note however, support for RC4 was removed for a reason and by reenabling it, you are exposing users of your client to a lower security standard.

Answer 2

client Cipher Suites:

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
TLS_EMPTY_RENEGOTIATION_INFO_SCSV

server Cipher Suites:

SSL_CK_RC4_128_EXPORT40_WITH_MD5
TLS_RSA_EXPORT_WITH_RC4_40_MD5
SSL_CK_RC4_128_WITH_MD5
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA

No match. You will get ssl handshake error even if you manually set protocol to TLS 1.0. There is no good solution, server is outdated and uses old unsecured protocols. If you absolutely necessary connect to this server with java 8, you can use BouncyCastle, i think.

Java 8, TSL v1 and javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

Question

2 answers

solution1
4 ACCPTED 2015-12-15 16:13:15

solution2
3 2015-12-15 15:56:42

Java 8, TSL v1 and javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

Question

2 answers

solution1 4 ACCPTED 2015-12-15 16:13:15

solution2 3 2015-12-15 15:56:42

solution1
4 ACCPTED 2015-12-15 16:13:15

solution2
3 2015-12-15 15:56:42