javax.net.ssl.SSLException: Received fatal alert: protocol_version

Question

Has anyone encountered this error before? I'm new to SSL, is there anything obviously wrong with my ClientHello that I'm missing? That exception is thrown with no ServerHello response. Any advice is appreciated.

*** ClientHello, TLSv1
RandomCookie:  GMT: 1351745496 bytes = { 154, 151, 225, 128, 127, 137, 198, 245, 160, 35, 124, 13, 135, 120, 33, 240, 82, 223, 56, 25, 207, 231, 231, 124, 103, 205, 66, 218 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
***
[write] MD5 and SHA1 hashes:  len = 75
0000: 01 00 00 47 03 01 51 92   00 D8 9A 97 E1 80 7F 89  ...G..Q.........
0010: C6 F5 A0 23 7C 0D 87 78   21 F0 52 DF 38 19 CF E7  ...#...x!.R.8...
0020: E7 7C 67 CD 42 DA 00 00   20 00 04 00 05 00 2F 00  ..g.B... ...../.
0030: 33 00 32 00 0A 00 16 00   13 00 09 00 15 00 12 00  3.2.............
0040: 03 00 08 00 14 00 11 00   FF 01 00                 ...........
xxx, WRITE: TLSv1 Handshake, length = 75
[write] MD5 and SHA1 hashes:  len = 101
0000: 01 03 01 00 3C 00 00 00   20 00 00 04 01 00 80 00  ....<... .......
0010: 00 05 00 00 2F 00 00 33   00 00 32 00 00 0A 07 00  ..../..3..2.....
0020: C0 00 00 16 00 00 13 00   00 09 06 00 40 00 00 15  ............@...
0030: 00 00 12 00 00 03 02 00   80 00 00 08 00 00 14 00  ................
0040: 00 11 00 00 FF 51 92 00   D8 9A 97 E1 80 7F 89 C6  .....Q..........
0050: F5 A0 23 7C 0D 87 78 21   F0 52 DF 38 19 CF E7 E7  ..#...x!.R.8....
0060: 7C 67 CD 42 DA                                     .g.B.
xxx, WRITE: SSLv2 client hello message, length = 101
[Raw write]: length = 103
0000: 80 65 01 03 01 00 3C 00   00 00 20 00 00 04 01 00  .e....<... .....
0010: 80 00 00 05 00 00 2F 00   00 33 00 00 32 00 00 0A  ....../..3..2...
0020: 07 00 C0 00 00 16 00 00   13 00 00 09 06 00 40 00  ..............@.
0030: 00 15 00 00 12 00 00 03   02 00 80 00 00 08 00 00  ................
0040: 14 00 00 11 00 00 FF 51   92 00 D8 9A 97 E1 80 7F  .......Q........
0050: 89 C6 F5 A0 23 7C 0D 87   78 21 F0 52 DF 38 19 CF  ....#...x!.R.8..
0060: E7 E7 7C 67 CD 42 DA                               ...g.B.
[Raw read]: length = 5
0000: 15 03 01 00 02                                     .....
[Raw read]: length = 2
0000: 02 46                                              .F

{http://xml.apache.org/axis/}stackTrace:

javax.net.ssl.SSLException: Received fatal alert: protocol_version
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190)
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1806)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:986)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1170)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1197)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1181)
at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186)
at

...

What server are you using? – CloudyMarble May 14 '13 at 11:29 — CloudyMarble, May 14 '13 at 11:29

score 59 · Answer 1 · edited Oct 09 '21 at 08:52

59

On Java 1.8 default TLS protocol is v1.2. On Java 1.6 and 1.7 default is obsoleted TLS1.0. I get this error on Java 1.8, because url use old TLS1.0 (like Your - You see ClientHello, TLSv1). To resolve this error You need to use override defaults for Java 1.8.

System.setProperty("https.protocols", "TLSv1");

More info on the Oracle blog:Diagnosing TLS, SSL, and HTTPS.

edited Oct 09 '21 at 08:52

Rudy Vissers

5,267
4
35
37

answered Nov 03 '15 at 08:36

marioosh

27,328
49
143
192

10

You can specify it as command line parameter. I used `-Dhttps.protocols=TLSv1.2` – Oleg Rudenko Aug 30 '18 at 08:22

score 36 · Answer 2 · answered Dec 08 '17 at 15:39

marioosh's answer seems to on the right track. It didn't work for me. So I found:

Problems connecting via HTTPS/SSL through own Java client

which uses:

java.lang.System.setProperty("https.protocols", "TLSv1,TLSv1.1,TLSv1.2");

Which seems to be necessary with Java 7 and a TLSv1.2 site.

I checked the site with:

openssl s_client -connect www.st.nmfs.noaa.gov:443

using

openssl version
OpenSSL 1.0.2l  25 May 2017

and got the result:

...
SSL-Session:
   Protocol  : TLSv1.2
   Cipher    : ECDHE-RSA-AES256-GCM-SHA384
...

Please note that and older openssl version on my mac did not work and I had to use the macports one.

score 27 · Answer 3 · answered Aug 18 '18 at 01:35

27

I ran into this issue while trying to install a PySpark package. I got around the issue by changing the TLS version with an environment variable:

echo 'export JAVA_TOOL_OPTIONS="-Dhttps.protocols=TLSv1.2"' >> ~/.bashrc
source ~/.bashrc

answered Aug 18 '18 at 01:35

devinbost

4,658
2
44
57

This worked for me when running gradlew with java 7. Thanks – le hien Dec 17 '20 at 09:36

Yash · Answer 4 · 2021-03-25T15:31:02.090

@marioosh added some extra information regarding cipher suite encryption .

A cipher suite is a collection of symmetric and asymmetric encryption algorithms used by hosts to establish a secure communication in Transport Layer Security (TLS) / Secure Sockets Layer (SSL) network protocol.
Ciphers are algorithms, more specifically they’re a set of steps for both performing encryption as well as the corresponding decryption.

A cipher suite specifies one algorithm for each of the following tasks:

Key exchange
Bulk encryption
Message authentication

SocketFactory « Default handshaking protocols « To avoid SSLException use https.protocols system property.
This contains a comma-separated list of protocol suite names specifying which protocol suites to enable on this HttpsURLConnection. See the SSLSocket.setEnabledProtocols(String[]) method.

System.setProperty("https.protocols", "SSLv3");
// (OR)
System.setProperty("https.protocols", "TLSv1");

JAVA8 « TLS 1.1 and TLS 1.2 Enabled by Default: The SunJSSE provider enables the protocols TLS 1.1 and TLS 1.2 on the client by default.

System.setProperty("https.protocols", "TLSv1,TLSv1.1,TLSv1.2");

Example for Java8 Network File:

public class SecureSocket {
    static {
        // System.setProperty("javax.net.debug", "all");
        System.setProperty("https.protocols", "TLSv1,TLSv1.1,TLSv1.2");
    }
    public static void main(String[] args) {
        String GhitHubSSLFile = "https://raw.githubusercontent.com/Yash-777/SeleniumWebDrivers/master/pom.xml";
        try {
            String str = readCloudFileAsString(GhitHubSSLFile);
                    // new String(Files.readAllBytes(Paths.get( "D:/Sample.file" )));
                    
            System.out.println("Cloud File Data : "+ str);
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
    public static String readCloudFileAsString( String urlStr ) throws java.io.IOException {
        if( urlStr != null && urlStr != "" ) {
            java.io.InputStream s = null;
            String content = null;
            try {
                URL url = new URL( urlStr );
                s = (java.io.InputStream) url.getContent();
                content = IOUtils.toString(s, "UTF-8");
            } finally {
                if (s != null) s.close(); 
            }
            return content.toString();
        }
        return null;
    }
}

JDK 8 Security You can customize some aspects of JSSE by setting system properties, By Specifying the below property you can check the encryption data from the file.

System.setProperty("javax.net.debug", "all");

Exception

javax.net.ssl.SSLException: Received fatal alert: protocol_version

If handshaking fails for any reason, the SSLSocket is closed, and no further communications can be done.

Observer LOG Sample for the above example:

*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1505482843 bytes = { 12, 11, 111, 99, 8, 177, 101, 27, 84, 176, 147, 215, 116, 208, 31, 178, 141, 170, 29, 118, 29, 192, 61, 191, 53, 201, 127, 100 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Extension server_name, server_name: [host_name: raw.githubusercontent.com]
***
[write] MD5 and SHA1 hashes:  len = 213
0000: 01 00 00 D1 03 03 5A BC   D8 5B 0C 0B 6F 63 08 B1  ......Z..[..oc..
0010: 65 1B 54 B0 93 D7 74 D0   1F B2 8D AA 1D 76 1D C0  e.T...t......v..
0020: 3D BF 35 C9 7F 64 00 00   2A C0 09 C0 13 00 2F C0  =.5..d..*...../.
0030: 04 C0 0E 00 33 00 32 C0   08 C0 12 00 0A C0 03 C0  ....3.2.........
0040: 0D 00 16 00 13 C0 07 C0   11 00 05 C0 02 C0 0C 00  ................
0050: 04 00 FF 01 00 00 7E 00   0A 00 34 00 32 00 17 00  ..........4.2...
0060: 01 00 03 00 13 00 15 00   06 00 07 00 09 00 0A 00  ................
0070: 18 00 0B 00 0C 00 19 00   0D 00 0E 00 0F 00 10 00  ................
0080: 11 00 02 00 12 00 04 00   05 00 14 00 08 00 16 00  ................
0090: 0B 00 02 01 00 00 0D 00   1A 00 18 06 03 06 01 05  ................
00A0: 03 05 01 04 03 04 01 03   03 03 01 02 03 02 01 02  ................
00B0: 02 01 01 00 00 00 1E 00   1C 00 00 19 72 61 77 2E  ............raw.
00C0: 67 69 74 68 75 62 75 73   65 72 63 6F 6E 74 65 6E  githubuserconten
00D0: 74 2E 63 6F 6D                                     t.com
main, WRITE: TLSv1.2 Handshake, length = 213
[Raw write]: length = 218
0000: 16 03 03 00 D5 01 00 00   D1 03 03 5A BC D8 5B 0C  ...........Z..[.
0010: 0B 6F 63 08 B1 65 1B 54   B0 93 D7 74 D0 1F B2 8D  .oc..e.T...t....
0020: AA 1D 76 1D C0 3D BF 35   C9 7F 64 00 00 2A C0 09  ..v..=.5..d..*..
0030: C0 13 00 2F C0 04 C0 0E   00 33 00 32 C0 08 C0 12  .../.....3.2....
0040: 00 0A C0 03 C0 0D 00 16   00 13 C0 07 C0 11 00 05  ................
0050: C0 02 C0 0C 00 04 00 FF   01 00 00 7E 00 0A 00 34  ...............4
0060: 00 32 00 17 00 01 00 03   00 13 00 15 00 06 00 07  .2..............
0070: 00 09 00 0A 00 18 00 0B   00 0C 00 19 00 0D 00 0E  ................
0080: 00 0F 00 10 00 11 00 02   00 12 00 04 00 05 00 14  ................
0090: 00 08 00 16 00 0B 00 02   01 00 00 0D 00 1A 00 18  ................
00A0: 06 03 06 01 05 03 05 01   04 03 04 01 03 03 03 01  ................
00B0: 02 03 02 01 02 02 01 01   00 00 00 1E 00 1C 00 00  ................
00C0: 19 72 61 77 2E 67 69 74   68 75 62 75 73 65 72 63  .raw.githubuserc
00D0: 6F 6E 74 65 6E 74 2E 63   6F 6D                    ontent.com
[Raw read]: length = 5
0000: 16 03 03 00 5D                                     ....]

Cryptography and Secure Communication with whatsapp^{Image from businesstoday.in}

WhatsApp SecurityEncryption

@See

score 7 · Answer 5 · answered May 21 '18 at 09:45

7

I was getting the same error. For Java version 7, following is working for me.

java.lang.System.setProperty("https.protocols", "TLSv1.2");

answered May 21 '18 at 09:45

Urja Ramanandi

199
2
5

CloudyMarble · Answer 6 · 2013-05-14T11:32:38.150

6

This seems like a protocol version mismatch, this exception normally happens when there is a mismatch between SSL protocol version used by the client and the server. your clients should use a proctocol version supported by the server.

edited May 14 '13 at 11:32

answered May 14 '13 at 11:20

CloudyMarble

36,908
70
97
130

Thanks for the explanation. I'll let you know if my problem is fixed :) – Matthias May 14 '13 at 11:38

score 4 · Answer 7 · answered Oct 28 '20 at 01:54

4

For those using the IBM JDK you need to provide this argument to the JVM. -Dcom.ibm.jsse2.overrideDefaultTLS=true

I was using Liberty, so I set this in the jvm.options file.

Reference Documentation

More information on protocols used with IBM Here

answered Oct 28 '20 at 01:54

vandepol

91
5

1

Thanks! The other settings dint come into effect unless i used this setting on IBM JDK – SI_ Apr 12 '21 at 06:20
How to set this, is it in the java code or in some java installation file? – Adindu Stevens May 10 '22 at 10:33
it's a JVM option, you can pass this in when you run the java command, or if you're using Liberty use the jvm.options file which you can place next to your server.xml – vandepol May 11 '22 at 14:12

John Snow · Answer 8 · 2013-05-14T11:31:31.257

3

This is due to the fact that you send a TLSv1 handshake, but then you send a message using SSLv2 protocol;

xxx, WRITE: TLSv1 Handshake, length = 75
xxx, WRITE: SSLv2 client hello message, length = 101

This means that the server expects the TLSv1 protocol to be used and will not accept the connection. Try specifying which protocol to use, or post some relevant code so we can have a look

edited May 14 '13 at 11:31

answered May 14 '13 at 11:21

John Snow

5,214
4
37
44

1

This seems to be normal according to http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/ReadDebug.html though – Matthias May 14 '13 at 11:35
What protocols is your server supporting? – John Snow May 14 '13 at 11:52

score 3 · Answer 9 · edited Oct 16 '19 at 20:47

3

You can try by adding following line to catalina.bat after last entry of JAVA_OPTS

set JAVA_OPTS=%JAVA_OPTS% -Dhttps.protocols=TLSv1.2 -Djdk.tls.client.protocols=TLSv1.2

edited Oct 16 '19 at 20:47

dota2pro

7,220
7
44
79

answered Dec 05 '18 at 06:19

mk-baku

342
3
7

score 2 · Answer 10 · answered Feb 26 '20 at 05:38

2

I have got that error after update to JDK 1.8. But the JAVA_HOME variable was hard coded furthermore to JDK 1.7. Thew modification solved the problem:

set JAVA_HOME=C:\Program Files\Java\jdk1.8.0_241

answered Feb 26 '20 at 05:38

gotwo

663
8
16

score 2 · Answer 11 · answered Apr 15 '21 at 19:17

2

[Using JBoss]

Open Config Path:

JBOSS_HOME/standalone/configuration/standalone.xml OR

JBOSS_HOME/standalone/configuration/standalone-full.xml

Inside "<system-properties>" tag, add following line:

<property name="https.protocols" value="TLSv1,TLSv1.1,TLSv1.2"/>

It solved the problem for me.

answered Apr 15 '21 at 19:17

Matheus Santz

538
6
7

1

`jboss-fuse-6.3.0.redhat-187/etc/system.properties` for JBOSS 6.3 Add in a new line `https.protocols=TLSv1,TLSv1.1,TLSv1.2` This didn't solve my problem though. But getting diff error now – Ashwani Agarwal May 14 '21 at 07:39

score 2 · Answer 12 · answered Nov 08 '21 at 14:11

I was getting the same error when I was trying to use TLS1.2 on Java 7. I solved this problem with SSLContext. This is my code. I have tested this code on Java 7.

 String url = "--add-url-here--"
 URL url = new URL("https://" + url);
 //sslcontext
 SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
 sslContext.init(null, null, new SecureRandom());
 HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
 connection.setRequestMethod("POST");
 connection.setSSLSocketFactory(sslContext.getSocketFactory());
 System.out.println(connection.getResponseCode());

score 1 · Answer 13 · answered May 09 '19 at 22:29

Not sure if you found an answer but I had this problem and needed to upgrade TLS version to 1.2

private HttpsURLConnection getSSlConnection(String url, String username, String password){
    SSLContext sc = SSLContext.getInstance("TLSv1.2")
    // Create a trust manager that accepts all SSL sites
    TrustManager[] trustAllCerts = new TrustManager[1]
    def tm = new X509TrustManager(){
        @Override
        public void checkClientTrusted(X509Certificate[] certs, String authType) {
        }

        @Override
        public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
        }

        @Override
        X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0]
        }
    }
    trustAllCerts[0] = tm

    sc.init(null, trustAllCerts, new SecureRandom())
    HttpsURLConnection connection = (HttpsURLConnection) getConnection(url, username, password)
    connection.setSSLSocketFactory(sc.getSocketFactory())
    return connection
}

Vyrnach · Answer 14 · 2020-10-01T02:54:52.030

I'm using apache-tomcat-7.0.70 with jdk1.7.0_45 and none of the solutions here and elsewhere on stackoverflow worked for me. Just sharing this solution as it hopefully might help someone as this is very high on Google's search

What worked is doing BOTH of these steps:

Starting my tomcat with "export JAVA_OPTS="$JAVA_OPTS -Dhttps.protocols=TLSv1.2" by adding it to tomcat/bin/setenv.sh (Syntax slightly different on Windows)

Manually building/forcing HttpClients or anything else you need with the TLS1.2 protocol:

Context ctx = SSLContexts.custom().useProtocol("TLSv1.2").build();
HttpClient httpClient = HttpClientBuilder.create().setSslcontext(ctx).build();
HttpPost httppost = new HttpPost(scsTokenVerificationUrl);

List<NameValuePair> paramsAccessToken = new ArrayList<NameValuePair>(2);
paramsAccessToken.add(new BasicNameValuePair("token", token));
paramsAccessToken.add(new BasicNameValuePair("client_id", scsClientId));
paramsAccessToken.add(new BasicNameValuePair("secret", scsClientSecret));
httppost.setEntity(new UrlEncodedFormEntity(paramsAccessToken, "utf-8"));

//Execute and get the response.
HttpResponse httpResponseAccessToken = httpClientAccessToken.execute(httppost);

String responseJsonAccessToken = EntityUtils.toString(httpResponseAccessToken.getEntity());

score 0 · Answer 15 · answered Mar 02 '21 at 23:49

In my case only the below solution worked

private static CloseableHttpClient buildHttpClient() {
        System.setProperty("https.protocols", "TLSv1.2");
        SSLContext ctx = null;
        try {
            ctx = SSLContexts.custom().useProtocol("TLSv1.2").build();
        } catch (KeyManagementException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        } catch (NoSuchAlgorithmException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }
        CloseableHttpClient httpClient = 
            HttpClientBuilder.create().setSslcontext(ctx).build();
        return httpClient;
    }

Please read [answer] and always remember that you are not merely solving the problem at hand, but also educating the OP and any future readers of this question and answer. Thus, please [edit] the answer to include an explanation as to why it works. — Adriaan, Apr 12 '22 at 06:40

javax.net.ssl.SSLException: Received fatal alert: protocol_version

15 Answers15

Linked

Related