1
votes

I am trying to make an HTTPS call to a server whose certificate is signed by an internal CA. I couldn't get it working in spite of adding the root certificates to the truststore, so for now I've set the trustManager to trust all certificates and disabled hostname verification.
A curl --insecure call works.
With -Djavax.net.debug=all, the handshake fails right after the ClientHello:

    *** ClientHello, TLSv1
    ...
    ...
    main, READ: TLSv1 Alert, length = 2
    main, RECV TLSv1 ALERT:  fatal, handshake_failure
    main, called closeSocket()
    main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    main, called close()
    main, called closeInternal(true)

The stack trace is:

    javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
        at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1959)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1077)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)

I am getting the SSLContext using:

    SSLContext sslContext = SSLContext.getInstance("TLS");

Any help would be highly appreciated.

PS: I am using Java 7.

1
A handshake failure would occur before certificate trust is verified. Check TLS is enabled on both ends and that there is a common cipher suite. Look at the logs on the server end, inspect the negotiation with Wireshark. - Alex K.
Please run your client with -Djavax.net.debug=ssl,handshake and post the results in your question. - user207421

1 Answer

0
votes

Adding an answer to my own question after 4 years.

I don't recall what the exact issue was, but there is no single reason for a handshake failure. The most likely reason why a handshake failure occurs right after the ClientHello is that the client and server are not able to agree on a common protocol or cipher suite for continuing the handshake.

The easiest option for debugging SSL issues like this is capturing the network traffic with tcpdump and analyzing it in Wireshark. We can inspect the ClientHello and figure out which protocol is being used, which cipher suites it advertises support for, etc.
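As an added illustration of the check described above (not code from the question or answer), the following Python parses a TLS record carrying a ClientHello, as you would extract it from the TCP payload of a capture, lists the client version and advertised cipher suites, and intersects them with a hypothetical server configuration. The sample record and the small name tables are constructed for this example; an empty intersection is exactly the situation in which a server sends handshake_failure straight after the ClientHello.

```python
import struct

# Constructed sample (not a real capture): one TLS record holding a ClientHello
# that offers TLS 1.0 and two RSA cipher suites, like an old Java 7 client.
SAMPLE_CLIENT_HELLO = bytes.fromhex(
    "16" "0301" "002f"          # record: handshake, TLS 1.0, 47 bytes follow
    "01" "00002b"               # handshake: ClientHello, 43-byte body
    "0301"                      # client_version: TLS 1.0
    + "00" * 32 +               # random (32 zero bytes for the sample)
    "00"                        # session_id length 0
    "0004" "002f" "000a"        # cipher_suites: 4 bytes, two suites
    "01" "00"                   # compression_methods: null only
)

VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
CIPHER_SUITE_NAMES = {  # small subset; unknown ids are shown as hex
    0x000a: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002f: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xc02f: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

def parse_client_hello(record):
    """Return (client version name, [cipher suite names]) from a TLS record."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 22:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != 1:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    client_version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                         # skip client_version and random
    pos += 1 + body[pos]                 # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0]
              for i in range(0, cs_len, 2)]
    return (VERSION_NAMES.get(client_version, hex(client_version)),
            [CIPHER_SUITE_NAMES.get(s, hex(s)) for s in suites])

def common_suites(client_suites, server_suites):
    """Suites both sides support, in the client's preference order."""
    return [s for s in client_suites if s in server_suites]

if __name__ == "__main__":
    version, offered = parse_client_hello(SAMPLE_CLIENT_HELLO)
    # Hypothetical server that only accepts an ECDHE/GCM suite (TLS 1.2 only).
    print(version, offered, common_suites(offered, ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]))
```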