24

I am posting this question after trying many options for two days. Below are the options I tried.

  1. Disable ssl certificate validation
  2. By downloading crt from browser and converting to .jks and importing keystore.

Still I am getting this issue; any help is very much appreciated in advance.

```
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
    at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1943)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1059)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1294)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1321)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1305)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:523)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1296)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
    at com.honeywell.sensibo.api.NewMain.main(NewMain.java:73)
```
A B
Viks
  • Same question as here : https://stackoverflow.com/q/41971549/1579667 Answer is below (Viks' answer) – Benj Jun 27 '17 at 07:20

2 Answers

73

Issue resolved.!!! Below are the solutions.

For Java 6: Add the below jars into {JAVA_HOME}/jre/lib/ext:

  1. bcprov-ext-jdk15on-154.jar
  2. bcprov-jdk15on-154.jar

Add the property into {JAVA_HOME}/jre/lib/security/java.security:

    security.provider.1=org.bouncycastle.jce.provider.BouncyCastleProvider

Java 7: download the jar from the link below and add it to {JAVA_HOME}/jre/lib/security: http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html

Java 8: download the jar from the link below and add it to {JAVA_HOME}/jre/lib/security: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

The issue is that it failed to decrypt 256-bit encryption.

Viks
  • 1
    Amazing and most helpful solution – Sabyasachi Mar 06 '17 at 15:11
  • 1
    This indeed seems to solve the problem. I don't know whether to roll my eyes at Oracle or at Sourceforge for this. (Not that either one would notice.) My problem was that Eclipse was not able to download Jaspersoft Studio plugin updates and PMD plugin updates, which are both downloaded from the SourceForge download site. I was pointed here from [the jaspersoft site](http://community.jaspersoft.com/wiki/solving-installation-and-update-errors-related-update-site-jaspersoft-studio). – Pixelstix Mar 14 '17 at 16:20
  • 1
    did exact steps and no luck in Windows 10 64 bit – born2net May 15 '17 at 19:37
  • Check if the certificate is imported. You should have a certificate for the SSL connection. – Viks May 22 '17 at 08:52
  • This solution solves Eclipse Plugin Error installation. – Gonzalo Gallotti May 29 '17 at 16:31
  • 1
    On Windows 10, I had to do both Win7 and security.provider steps. Also I had to do the copy jars step by command line with Administrator credentials. – Benj Jun 27 '17 at 07:34
  • @Benj could you please clarify: did you mean "Java 7" instead of "Win7" ? And did you use BouncyCastleProvider jars together with Java 7 JCE jar ? Many thanks, Tim. – frostman Aug 23 '17 at 11:32
  • 1
    @frostmann Well, I had (memory... tell me what I did...) to do the `BouncyCastleProvider` step *and* the Java 8 step on a Windows Seven. Hope it helps, these problems seem to be a big mess to solve. – Benj Aug 23 '17 at 12:09
  • thanks for this solution. I followed the instructions for jdk8 I downloaded the mentioned jars (US_export_policy.jar, local_policy.jar) and copied them to {JAVA_HOME}/jre/lib/security and then magic happens – kvm006 Nov 13 '17 at 06:11
  • I tried the above steps but still the issue is not resolved. I still get the same error – Prasad May 17 '18 at 05:10
  • Exception in thread "main" java.lang.NoClassDefFoundError: Could not initialize class org.bouncycastle.jcajce.provider.drbg.DRBG$Default – Amr Ibrahim Sep 23 '18 at 15:48
  • Setting like this in Weblogic 11g, I get: java.lang.NoClassDefFoundError: com.sun.crypto.provider.SunJCE – Alessandro C Oct 23 '18 at 16:29
  • I followed the instructions for jdk7 I downloaded the mentioned jars (US_export_policy.jar, local_policy.jar) and copied them to {JAVA_HOME}/jre/lib/security and then magic **NOT HAPPENED**. I'm using Windows 10 jdk1.7.0_75 – ferreirabraga Feb 27 '19 at 15:50
  • Did you make the java.security file change suggested above? – Viks Mar 01 '19 at 15:52
  • @ferreirabraga same here, have you found any solution? – Shambhu Mar 16 '19 at 06:09
  • @Viks isn't the security file changes only for jdk6? – Shambhu Mar 16 '19 at 06:10
  • @Shambhu please make security file changes for 7 or 8 versions of java as well, whichever you are using. – Viks Mar 17 '19 at 05:46
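
A quick way to check whether the JCE policy limit described in this answer applies to a given JRE, as an added example that is not part of the original answer or its comments: it prints the maximum AES key length and the AES-256 cipher suites the default `SSLContext` offers. The class name `TlsPolicyCheck` is an assumption of this example.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added diagnostic (hypothetical class, not from the original answer): shows
// whether this JRE can negotiate AES-256 cipher suites, which the JCE policy
// files control.
public class TlsPolicyCheck {

    // Cipher suite names containing AES_256 need a 256-bit AES key.
    static List<String> aes256Suites(String[] suites) {
        List<String> out = new ArrayList<String>();
        for (String s : suites) {
            if (s.contains("AES_256")) {
                out.add(s);
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // 128 means the limited policy is active; Integer.MAX_VALUE means unlimited.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("java.version       : " + System.getProperty("java.version"));
        System.out.println("Max AES key length : " + maxAes);
        // Security property available from 8u151; null when unset, as on older
        // JREs that rely on the policy jars.
        System.out.println("crypto.policy      : " + Security.getProperty("crypto.policy"));

        SSLContext ctx = SSLContext.getDefault();
        SSLParameters enabled = ctx.getDefaultSSLParameters();
        SSLParameters supported = ctx.getSupportedSSLParameters();

        System.out.println("Enabled protocols  : " + Arrays.toString(enabled.getProtocols()));
        System.out.println("AES-256 supported  : " + aes256Suites(supported.getCipherSuites()));
        System.out.println("AES-256 enabled    : " + aes256Suites(enabled.getCipherSuites()));

        if (maxAes < 256) {
            System.out.println("RESULT: limited policy; a server that accepts only AES-256"
                    + " suites will answer with handshake_failure.");
        } else {
            System.out.println("RESULT: unlimited policy; check protocol versions"
                    + " and certificates instead.");
        }
    }
}
```

Run it with the same `java` binary the failing client uses, before and after copying the policy jars, to confirm that the change took effect in that JRE.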
0

I am getting similar errors recently because recent JDKs (and browsers, and the Linux TLS stack, etc.) refuse to communicate with some servers in my customer's corporate network. The reason for this is that some servers in this network still have SHA-1 certificates.

Please see: https://www.entrust.com/understanding-sha-1-vulnerabilities-ssl-longer-secure/ https://blog.qualys.com/ssllabs/2014/09/09/sha1-deprecation-what-you-need-to-know

If this is your current case (recent JDK vs deprecated certificate encryption) then your best move is to update your network to the proper encryption technology.

In case you need to provide a temporary solution for that, please see other answers to get an idea of how to make your JDK trust or distrust certain encryption algorithms:

How to force java server to accept only tls 1.2 and reject tls 1.0 and tls 1.1 connections

Anyway I insist that, in case that I have guessed properly your problem, this is not a good solution to the problem and that your network admin should consider removing these deprecated certificates and get a new one.

Jorge_B
  • Hi Jorge, as I am running standalone program tried second option. Still no luck. using Java 1.7.0_02. – Viks Jul 07 '16 at 05:23
  • Tried with 1.7.0_80 as suggested in above link. No luck.!!! – Viks Jul 07 '16 at 07:08
  • I would have expected it to work with 1.7.0_02 rather than 1.7.0_80. Both failing may mean my guess is totally wrong and your problem is different. Have you tried another test? For example, try to wget the offending URL or access it with a recent version of Chrome in order to see if other SSL stacks can handle it – Jorge_B Jul 07 '16 at 08:29
  • Yeah Jorge, the URL works absolutely fine with Chrome, Posters, J-meter, SoapUI. In fact I have a Python client which works with absolutely no issues. But only the Java client is failing. – Viks Jul 07 '16 at 10:28
  • Ok, in this case I would try to discard things. Are you positive sure about the importation process of the certificate to your keystore? How are you telling Java to use that keystore? You could try to import the certificate straight into your $JAVA_HOME/jre/lib/security/cacerts to make sure the JDK is using the certificate. If that worked, we could undo that test and focus on the way you import the .jks file into your application – Jorge_B Jul 07 '16 at 10:41
  • I am using the below command to import .jks: `keytool -import -alias sensibo_new2 -file C:\Project\POC\home.sensibo.com_1.crt -keystore sensibo_new2.jks` Which creates .jks under C:\\Users\\\\sensibo.jks and same I am using in my java class to refer from local. FYI I am writing Rest client to consume https://home.sensibo.com/api/v2/users/me/pods?apiKey= where is my device key registered. – Viks Jul 07 '16 at 10:50
  • And just for test purposes (I am not suggesting that you leave this like that in a real environment), have you tried to import it into the cacerts like in this answer? http://stackoverflow.com/questions/11617210/how-to-properly-import-a-selfsigned-certificate-into-java-keystore-that-is-avail Does it work that way? – Jorge_B Jul 07 '16 at 10:53
  • Ya, updated cacerts with keystore, still same issue. I appreciate your quick response. Can you please try once to write a Rest client for the above URL? https://home.sensibo.com/api/v2/users/me/pods?apiKey= – Viks Jul 07 '16 at 11:18
  • Now I must think that the certificate may be wrong in some way. Normally I export them through the web browser and then just follow the steps that the last question suggested... any ideas on that? – Jorge_B Jul 07 '16 at 12:30