0

I am trying to make an API call on a server but getting an SSL handshake failure. The library I am using is httpclient 4.1.2.

Here is how I am creating the httpClient object:

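```java
import javax.net.ssl.SSLContext;
import org.apache.http.client.HttpClient;
import org.apache.http.conn.ClientConnectionManager;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.conn.SingleClientConnManager;

System.setProperty("https.protocols","TLSv1");
SSLContext sslContext = SSLContext.getInstance("TLSv1");
// null arguments select the default key managers, trust managers and SecureRandom
sslContext.init(null, null, null);

// ALLOW_ALL_HOSTNAME_VERIFIER turns off hostname verification for this scheme
SSLSocketFactory sslSocketFactory = new SSLSocketFactory(sslContext, SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
Scheme httpsScheme = new Scheme("https", 443, sslSocketFactory);

SchemeRegistry schemeRegistry = new SchemeRegistry();
schemeRegistry.register(httpsScheme);

ClientConnectionManager cm = new SingleClientConnManager(schemeRegistry);

HttpClient httpClient = new DefaultHttpClient(cm);
```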

Here are the SSL Handshake logs

```
trigger seeding of SecureRandom
done seeding SecureRandom
main, setSoTimeout(0) called
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1440191547 bytes = { 208, 238, 36, 204, 125, 170, 169, 142, 211, 115, 213, 236, 25, 69, 216, 182, 176, 189, 232, 38, 244, 13, 172, 17, 249, 254, 183, 21 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
***
main, WRITE: TLSv1 Handshake, length = 81
main, WRITE: SSLv2 client hello message, length = 110
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1 ALERT:  fatal, handshake_failure
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
main, IOException in getSession():  javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
main, called close()
main, called closeInternal(true)
main, called close()
main, called closeInternal(true)
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
    at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:352)
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:397)
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148)
    at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:149)
    at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:121)
    at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:573)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:425)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:820)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:754)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:732)
    at com.waseem.stuff.HttpClientExample2.sendPost(HttpClientExample2.java:107)
    at com.waseem.stuff.HttpClientExample2.main(HttpClientExample2.java:29)
```
  • Possible duplicate of [SSL "Peer Not Authenticated" error with HttpClient 4.1](http://stackoverflow.com/questions/11750413/ssl-peer-not-authenticated-error-with-httpclient-4-1) – Robert Mar 03 '16 at 20:27
  • I don't think it's a duplicate. I think this is different and has something to do with SSL protocol mismatch – Waseem Akram Malik Mar 03 '16 at 20:38
  • If the server is internet facing, check its SSL capabilities via an online tool such as SSL Labs -- https://www.ssllabs.com/ssltest/index.html -- to determine if it supports TLS1.0 or greater. Depending on your version of Java, older protocols and insecure cipher suites may be blocked by default by your client. – Anand Bhat Mar 03 '16 at 21:04
  • Server is not internet facing :( It is available on VPN. We tried setting a JVM setting `System.setProperty("https.protocols","TLSv1");` and this has worked. But we cannot do this as it is a project-level change. I want some way to set the protocol to TLSv1 in httpclient 4.1.2 – Waseem Akram Malik Mar 03 '16 at 23:53

1 Answer

2

I was having the same issue using Rest Assured, and updating my HTTP Client library to 4.5.3 fixed it.

Hazel T
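Once on HttpClient 4.5.x, as the answer suggests, the protocol list can be set on a single client instead of through the JVM-wide `https.protocols` property. The sketch below is an added example, not code from the original posts or from the HttpClient project: the class and method names are hypothetical, and it assumes httpclient 4.5.x on the classpath. It takes the protocols the JVM enables by default, drops `SSLv3` and the `SSLv2Hello` hello format (the log above shows the client writing an SSLv2 client hello message), and keeps hostname verification on.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

// Added example: class and method names are hypothetical.
public class PerClientTlsProtocols {

    /** JVM-enabled protocols minus the SSLv2-format hello and SSLv3. */
    static String[] protocolsWithoutLegacy(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        List<String> keep = new ArrayList<String>();
        for (String p : engine.getEnabledProtocols()) {
            if (!p.equals("SSLv2Hello") && !p.equals("SSLv3")) {
                keep.add(p);
            }
        }
        if (keep.isEmpty()) {
            throw new IllegalStateException("no TLS protocol left enabled");
        }
        return keep.toArray(new String[0]);
    }

    /** Client whose HTTPS sockets offer only the given protocols. */
    static CloseableHttpClient buildClient(SSLContext ctx, String[] protocols) {
        SSLConnectionSocketFactory sf = new SSLConnectionSocketFactory(
                ctx,
                protocols,
                null, // null keeps the JVM's default cipher suites
                SSLConnectionSocketFactory.getDefaultHostnameVerifier());
        return HttpClients.custom().setSSLSocketFactory(sf).build();
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        String[] protocols = protocolsWithoutLegacy(ctx);
        System.out.println("Offered by this client only: " + Arrays.toString(protocols));
        CloseableHttpClient client = buildClient(ctx, protocols);
        try {
            // Issue requests with client.execute(...) here.
        } finally {
            client.close();
        }
    }
}
```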