0

I have an SSL client certificate. It was working with my app up until one of the Java updates happened at some point in the recent past (maybe as far back as a year). It works with web browsers. It works with curl.

For example, I can do this and it is fine:

curl --cert example.pem https://example.net

Now I cannot get this cert to work with Java. I've gone as far as trying a very minimal app, like SSLPoke from https://gist.github.com/4ndrej/4547029

Putting the cert into the client certs from ControlPanel doesn't do it.

Importing the .pem into a keystore and then pointing at that keystore with -Djavax.net.ssl.trustStore or .keystore doesn't do it.

All I get out of Java is:

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

So I can't figure out what is wrong - the way I'm invoking Java? The place I'm putting the certificate? The way I've imported the certificate?

The debug output using -Djava.security.debug=all does not show it using the trustStore/keyStore I specify. It doesn't even show anything about the URL I'm trying to reach.

I'm out of ideas.

robbie.huffman
  • 423
  • 4
  • 12

1 Answers1

0

Your server is likely using an outdated SSL protocol, that Java is no longer allowing, by default, for security reasons.

Try running Java with this option (e.g. needed for older SQL Server instances):

-Djsse.enableCBCProtection=false

If that doesn't work, maybe the server is using SSLv3, so see this SO question for How to enable SSL 3 in Java.

If any of those work, they are workarounds need to downgrade the SSL security, so you are strongly encouraged to upgrade the server instead, and remove these workarounds again.

Community
  • 1
  • 1
Andreas
  • 154,647
  • 11
  • 152
  • 247
  • I don't believe this is the problem - curl's verbose output shows it uses TLS1.2: `* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384` – robbie.huffman Sep 28 '15 at 15:00