0
votes

Using java -version: 1.8.0_171,I am trying to connect to API gateway but getting an SSL handshake_failure with Java 8.Already runed command:

keytool -import -alias yan3 -file NBCO_YM_Root.cer -keystore /usr/jdk/jre/lib/security/cacerts  

this is my request code.

OkHttpClient client=new OkHttpClient.Builder()
                    .connectTimeout(90,TimeUnit.SECONDS)
                    .readTimeout(90,TimeUnit.SECONDS)
                    .writeTimeout(90,TimeUnit.SECONDS)
                    .build();
            log.info("SupportedCipherSuites is {} and DefaultCipherSuites is {}",
                    client.sslSocketFactory().getSupportedCipherSuites(),
                    client.sslSocketFactory().getDefaultCipherSuites()
            );

            RequestBody requestBody=new RequestBody() {
                @Override
                public MediaType contentType() {
                    return MediaType.parse(contentType);
                }

                @Override
                public void writeTo(BufferedSink sink) throws IOException {
                    sink.writeString(data,Charset.forName("utf-8"));
                }
            };
            Request request=new Request.Builder()
                    .url(url)
                    .post(requestBody).build();
            Response okResponse=client.newCall(request).execute();
            response=okResponse.body().string();
            return response;

log print [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_DH_anon_WITH_AES_256_GCM_SHA384, TLS_DH_anon_WITH_AES_128_GCM_SHA256, TLS_DH_anon_WITH_AES_256_CBC_SHA256, TLS_ECDH_anon_WITH_AES_256_CBC_SHA, TLS_DH_anon_WITH_AES_256_CBC_SHA, TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_DH_anon_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, TLS_RSA_WITH_NULL_SHA256, TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_SHA, TLS_ECDH_ECDSA_WITH_NULL_SHA, TLS_ECDH_RSA_WITH_NULL_SHA, TLS_ECDH_anon_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5] and DefaultCipherSuites is [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]

When I enabled -Djavax.net.debug=all I got the below info:

*** ServerHelloDone
[read] MD5 and SHA1 hashes:  len = 4
0000: 0E 00 00 00                                        ....
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
***
*** ECDHClientKeyExchange
ECDH Public value:  { 4, 102, 174, 65, 31, 164, 120, 177, 145, 20, 194, 229, 169, 146, 135, 72, 51, 133, 74, 46, 248, 110, 104, 154, 217, 12, 21, 84, 186, 80, 122, 237, 224, 3, 46, 164, 118, 211, 60, 131, 74, 182, 7, 186, 14, 42, 161, 155, 115, 99, 130, 76, 45, 122, 220, 150, 246, 56, 145, 226, 217, 216, 75, 124, 120 }
[write] MD5 and SHA1 hashes:  len = 77
0000: 0B 00 00 03 00 00 00 10   00 00 42 41 04 66 AE 41  ..........BA.f.A
0010: 1F A4 78 B1 91 14 C2 E5   A9 92 87 48 33 85 4A 2E  ..x........H3.J.
0020: F8 6E 68 9A D9 0C 15 54   BA 50 7A ED E0 03 2E A4  .nh....T.Pz.....
0030: 76 D3 3C 83 4A B6 07 BA   0E 2A A1 9B 73 63 82 4C  v.<.J....*..sc.L
0040: 2D 7A DC 96 F6 38 91 E2   D9 D8 4B 7C 78           -z...8....K.x
main, WRITE: TLSv1.2 Handshake, length = 77
[Raw write]: length = 82
0000: 16 03 03 00 4D 0B 00 00   03 00 00 00 10 00 00 42  ....M..........B
0010: 41 04 66 AE 41 1F A4 78   B1 91 14 C2 E5 A9 92 87  A.f.A..x........
0020: 48 33 85 4A 2E F8 6E 68   9A D9 0C 15 54 BA 50 7A  H3.J..nh....T.Pz
0030: ED E0 03 2E A4 76 D3 3C   83 4A B6 07 BA 0E 2A A1  .....v.<.J....*.
0040: 9B 73 63 82 4C 2D 7A DC   96 F6 38 91 E2 D9 D8 4B  .sc.L-z...8....K
0050: 7C 78                                              .x
SESSION KEYGEN:
PreMaster Secret:
0000: E7 91 B7 33 39 96 BC A7   64 CA 57 72 F0 F3 3D 55  ...39...d.Wr..=U
0010: 8D 92 46 09 14 EC FE 03   4C D4 5D 78 13 D9 71 F8  ..F.....L.]x..q.
CONNECTION KEYGEN:
Client Nonce:
0000: 5C 24 3A 99 79 97 E9 41   09 92 A2 B7 28 BC CF 49  \$:.y..A....(..I
0010: 51 DE 24 08 91 A0 AE 81   85 1C FC 1C 50 6E A6 D9  Q.$.........Pn..
Server Nonce:
0000: D2 E0 11 21 B8 1A 1A 53   9F 29 F3 FE 5F CD D4 9C  ...!...S.).._...
0010: 2D 81 F7 A7 99 9A BB E4   CA B4 21 1A F8 F1 26 66  -.........!...&f
Master Secret:
0000: 25 58 06 E2 09 FA BD 3F   5B 95 A0 DA 71 43 E2 37  %X.....?[...qC.7
0010: C5 49 02 7B 8D 34 08 72   61 5B 09 21 D2 65 56 88  .I...4.ra[.!.eV.
0020: A1 CD 53 AB 70 E0 FA 04   CD 9C A3 97 75 BC 77 92  ..S.p.......u.w.
... no MAC keys used for this cipher
Client write key:
0000: 04 D4 E6 FB DF F9 B5 E3   FC CA AD 34 7E 2D EB D0  ...........4.-..
Server write key:
0000: 92 8C CB AA EA 53 9D 5C   D7 30 E4 C5 EC 04 0A C5  .....S.\.0......
Client write IV:
0000: ED BC 50 EC                                        ..P.
Server write IV:
0000: 95 3C 80 3C                                        .<.<
main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
[Raw write]: length = 6
0000: 14 03 03 00 01 01                                  ......
*** Finished
verify_data:  { 28, 130, 230, 116, 237, 69, 86, 36, 23, 9, 45, 129 }
***
[write] MD5 and SHA1 hashes:  len = 16
0000: 14 00 00 0C 1C 82 E6 74   ED 45 56 24 17 09 2D 81  .......t.EV$..-.
Padded plaintext before ENCRYPTION:  len = 16
0000: 14 00 00 0C 1C 82 E6 74   ED 45 56 24 17 09 2D 81  .......t.EV$..-.
main, WRITE: TLSv1.2 Handshake, length = 40
[Raw write]: length = 45
0000: 16 03 03 00 28 00 00 00   00 00 00 00 00 01 41 1B  ....(.........A.
0010: 44 6C C3 A5 E1 A8 62 11   C6 85 9F 91 BA 8E 96 1D  Dl....b.........
0020: D9 30 07 0D 3B 3E B7 C2   84 5B AD E2 A5           .0..;>...[...
[Raw read]: length = 5
0000: 15 03 03 00 02                                     .....
[Raw read]: length = 2
0000: 02 28                                              .(
main, READ: TLSv1.2 Alert, length = 2
main, RECV TLSv1.2 ALERT:  fatal, handshake_failure
%% Invalidated:  [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
main, called close()
main, called closeInternal(true)

update

*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withRSA, Unknown (hash:0x6, signature:0x2), SHA512withECDSA, SHA384withRSA, Unknown (hash:0x5, signature:0x2), SHA384withECDSA, SHA256withRSA, SHA256withDSA, SHA256withECDSA, SHA224withRSA, SHA224withDSA, SHA224withECDSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA
Cert Authorities:
<CN=Yandex Money Root CA, O=PS Yandex.Money, C=RU>
<CN=Yandex Money Issuing CA, O=PS Yandex.Money, C=RU>
<CN=NBCO YM Root, O=Yandex.Money, L=Moscow, C=RU>
<CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE>
<CN=GlobalSign Domain Validation CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE>
<CN=thawte DV SSL CA - G2, OU=Domain Validated SSL, O="thawte, Inc.", C=US>
<CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US>
<CN=NBCO YM Int, DC=yamoney, DC=ru>
1
are you sure that the jre being used to run the program is the same as the one where the cacert has been placed?mkjh
I'm running in jetbrains IDEA,run/debug configurations JRE:/usr/jdk/jre.i think thery are the same one.user10837276

1 Answers

0
votes

It can be seen from the debug output that server successfully picks a cipher from the ones the client offers and that the client seems to accept the servers certificate. It can also be seen that the handshake fails because the server sends a TLS alert. This suggests the problem is caused by something the server does not like and is not caused by something the client doesn't like.

It can also be seen (from the updated output) that the server requests a client certificate (CertificateRequest). But nothing in the information provided indicates that you have a client certificate in your key store - you show only that you've imported a new root CA. Since the reaction of the server (sending a fatal alert to the client) is exactly what would be expected when the client does not provide a client certificate although the server wants one, the missing client certificate is most likely the cause of your problem.