SSL fatal error, handshake failure 40

3
votes

  1. Client sends the "Client Hello" msg with those ciphers included in the cipher suite.

            Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
        Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
        Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
        Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
        Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
        Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
        Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
        Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
        Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
        Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
        Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
        Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)

  2. In the server.xml none of these ciphers appear. Here is the catalina entry:

    Connector port="4443" SSLEnabled="true" acceptCount="20000" maxThreads="5000" allowTrace="false" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="/usr/local/tomcat6/conf/Default-Cert.p12" keystoreType="PKCS12" keystorePass="uuuuuu" ciphers="..."

    and the ciphers are SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA

Server sends “Server Hello” selecting “TLS_RSA_WITH_AES_128_CBC_SHA 0x002f)” and after ~1,5 milliseconds Server sends a fatal alert (Handshake Failure (40)).

Can we explain the handshake failure? Is this due to the fact that TLS_RSA_WITH_AES_128_CBC_SHA is not included in the client cipher list?

1
tomcatsslcertificatetomcat6
It appears the client is not sending TLS_EMPTY_RENEGOTIATION_INFO_SCSV. The client is down level, and it should be upgraded for secure renegotiation. To test the server configuration, try openssl s_client -tls1 -connect <server>:<port> -servername <server>. -tls1 and -servername ensure SNI is used.jww
Just bike shedding: TLS_RSA_WITH_RC4_128_MD5 is probably not a good choice. RC4 is still broken for use in SSL/TLS (unlike the padding oracles in block ciphers, which could be fixed). If you need a couple of SSLv3 cipher suites, try SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA and SSL_RSA_WITH_3DES_EDE_CBC_SHA. 3DES_EDE is 3-key Triple-DES, and it provides 112-bits of security.jww
"...Is this due to the fact that TLS_RSA_WITH_AES_128_CBC_SHA is not included in the client cipher list" - it looks like it is included.jww
Do you have the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files installed?jww
To paraphrase: "... server cipher SSL_RSA_WITH_AES_128_CBC_SHA..." - you can test the server for this suite with $ openssl s_client -ssl3 -connect <server>:<port> -cipher "AES128-SHA" and $ openssl s_client -tls1 -connect <server>:<port> -cipher "AES128-SHA"jww

1 Answers

0
votes

SSL fatal error, handshake failure 40 indicates the secure connection failed to establish because the client and the server couldn't agree on connection settings. Usually because the client or the server is way too old, only supporting removed protocols/ciphers.

In historic order, the protocols are SSLv2, SSLv3, TLS 1.0, TLS 1.2, TLS 1.3.

From the debugging info and cipher names you gave:

  • The server only did SSL, don't know which subversion. SSL was obsolete since before the question was opened (before 2015), replaced by TLS.
  • The client wanted TLS. In 2015 it could have been TLS 1.0 and/or TLS 1.2.

In this specific case the server was running on abandoned SSL and in dire need of an upgrade. Looks like a tomcat 6 on java 6, indeed obsolete at the time (2015).

If you're reading this in 2020 or later. The absolute minimum version of java for https to work is java 8 (full support for TLS 1.2).

Try curl --tlsv1.2 https://example.org to test which version of TLS are supported by a web server, curl --help to find out what is supported by curl. Note that only TLS 1.2 is widely supported as of 2020 while TLS 1.3 is coming up gradually. It may be difficult to procure a version of curl/openssl that can do older SSL/TLS variants for testing, they were all phased-off due to (serious) security vulnerabilities.