TLS 1.2 was supported in Java 8 but not in Java 7

Question

When I tried to connect a URL (one of vendors URL which supports TLS 1.2 and worked fine previously with Java 7) by using Java 7, I found bellow Exception:

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
    at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1943)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1059)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1294)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1321)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1305)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:523)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1087)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)

So that I have enabled -Dhttps.protocols=TLSv1.2, -Djavax.net.ssl.trustStore=<keystoreFilePath> and -Djavax.net.ssl.trustStorePassword=<password>

After that also I got the same issue. Then I have upgrade the Java version to 8 so it could connect to the URL without any SSL issue.

As per this blog, in Java 8, TLS 1.2 is default and TLS 1.2 can be tuned with the property -Dhttps.protocols in Java 7. In Java 7, I could be able to access a URL without a problem if I enable above properties through my past experiences.

But for the URL, I am requested to upgrade the Java version. What can be vendor side changes caused for the Exception mentioned above in Java 7? And without upgrading Java 8, can't I access the URL?

When try with -Djavax.net.debug=all I got below log

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
qtp11284997-17, setSoTimeout(0) called
qtp11284997-18, setSoTimeout(0) called
%% No cached client session
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  *** ClientHello, TLSv1.2
RandomCookie:  GMT: 1465902650 bytes = { GMT: 1465902650 bytes = { 113156, , 91, 215, 64, 8, 63, 32, 255, 223, 156, 170, 50, 244, 156, 18, 241, 241, 229, 169, 35, 160, 22, 15, 111, 204, 231, 28, 25, 203, 70, 164, 77, 14, 181, 126, 159, 152, 111, 221, 254, 59 }
Session ID:  {}
Cipher Suites: [TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Extension server_name, server_name: [host_name: postprod1.ratetiger.com]
***
[write] MD5 and SHA1 hashes:  len = 211
0000: 01 00 00 CF 03 03 57 60   E6 3A 71 D7 40 08 3F FF  ......W`.:q.@.?.
0010: 9C 32 9C F1 E5 23 16 6F   E7 19 46 A4 4D 0E B5 7E  .2...#.o..F.M...
0020: 9F 98 6F DD FE 3B 00 00   2A 00 33 C0 04 00 16 00  ..o..;..*.3.....
0030: 05 C0 03 C0 11 C0 02 C0   07 C0 13 C0 08 C0 0C 00  ................
0040: FF C0 0D C0 0E C0 09 00   2F C0 12 00 04 00 32 00  ......../.....2.
0050: 13 00 0A 01 00 00 7C 00   0A 00 34 00 32 00 17 00  ..........4.2...
0060: 01 00 03 00 13 00 15 00   06 00 07 00 09 00 0A 00  ................
0070: 18 00 0B 00 0C 00 19 00   0D 00 0242, E119,  001,  0F19,  00164,  1081, 3,  0063,  176,  255, .42, .23, .252, .164 }
Session ID:  .{}
..Cipher Suites: [TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods:  { .0 }
........
0080: 11Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
 00Extension ec_point_formats, formats: [uncompressed]
 02Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Extension server_name, server_name: [host_name: postprod1.ratetiger.com]
***
[write] MD5 and SHA1 hashes:  len = 211
0000: 01 00 00 CF 03 03 57 60   E6 3A 9C 5B 20 DF AA F4  ......W`.:.[ ...
0010: 12 F1 A9 A0 0F CC 1C CB   F2 77 01 13 A4 51 03 3F  .........w...Q.?
0020: B0 FF 2A 17 FC A4 00 00   2A 00 33 C0 04 00 16 00  ..*.....*.3.....
0030: 05 C0 03 C0 11 C0 02 C0    0700 C0  131 C02 0 008 0 C04 0C  000 0  .  0.5. .0.0 14 00 08 00 16 00  .......................
.0.0.4.0
0090: : 0BF 00F 0 C02 0 01D 0 C00 0 00E 0 C0D 0 009    1A0 000 1 8  2 06F 0 C03 1 062 0 001 0 05  ................
00A0: 03 05 01 04 03 04 01 03   03 03 01 02 03 02 01 02  ................
00B0: 02 01 01 00 00 00 1C 00   1A 00 00 17 70 6F 73 74  ............post
00C0: 70 72 6F 64 31 2E 72 61   74 65 74 69 67 65 72 2E  prod1.ratetiger.
00D0: 63 6F 6D                                           com
4 00 32 00  ......../.....2.
0050: 13 00 0A 01 00 00 7C 00   0A 00 34 00 32 00 17 00  ..........4.2...
0060: 01 00 03 00 13 00 15 00   06 00 07 00 09 00 0A 00  ................
0070: 18 00 0B 00 0C 00 19 00   0D 00 0E 00 0F 00 10 00  qtp11284997-17, WRITE: TLSv1.2 Handshake, length = 211
.........[Raw write]: length = 216
......0.0
0000: 168 030 0: 113 0 000 D 023 0 010 0 120 00  040 000    05   00C 14F 0 030 0 083 00  165 007   6.0. .E6. .3.A. .7.1. . ..........
.0.0.9.0.: .W`0.:qB
 000 020 011 000 0: D70 4 0D0 00  0  1A8 00  183 06F 03  06F 01F 05  9 C. .3.2. .9.C. .  .F.1. .E.5. .2.3
00A0 : 031 056 0 6F1 E 047 0 193 4 046 01  0 3.@ .  03? 0.3.2 01. 02. 0.#3.o 02. 01. F02
 0 0.2.0.: .A.4. .4.D. .0.E. .B.5. .7E
 9F0 980 6FB 0  D: D02 FE 01  3B01  0000  0000  2A00  001C  3300     1A. M00. 00. 1.7..o .7.;0. .*6.3F
0030 : C07 043 0 740   1.6. .0.0. .0.5. .C.0. .post0
300C0 : 70   C072  6F1 641 3 C0 02 C0 07 C0 13  ................
0040: C0 08 C0 0C 00 FF C0 0D   C0 0E C0 09 00 2F C0 12  ............./..
0050: 00 04 00 32 00 13 00 0A   01 00 00 7C 00 0A 00 34  ...2...........4
0060: 00 32 00 17 00 01 00 03   00 13 00 15 00 06 00 07  .2..............
0070: 00 09 00 0A 00 18 00 0B   00 0C 00 19 00 0D 00 0E  ................
0080: 00 0F 00 10 00 11 00 02   00 12 00 04 00 05 00 14  ...1. .2...........
0090: 00 08 00 16 00 0B 00 02   01 00 00 0D 00 1A 00 18  ................
00A0: 06 03 06 01 05 03 05 01   04 03 04 01 03 03 03 01  ............E 72 61   74 65 74 69 67 65 72 2E  prod1.ratetiger.
00D0: 63 6F 6D                                           com
qtp11284997-18, WRITE: TLSv1.2 Handshake, length = 211
[Raw write]: length = 216
0000: 16 03 03 00 D3 01 00 00   CF 03 03 57 60 E6 3A 9C  ...........W`.:.
0010: 5B 20 DF AA F4 12 F1 A9   A0 0F CC 1C CB F2 77 01  [ ..............
00B0: 02 03 02 01 02 02 01 01   00 00 00 1C 00 1A 00 00  ................
00C0: 17 70 6F 73 74 70 72 6F   64 31 2E 72 61 74 65 74  .postprod1.ratet
00D0: 69 67 65 72 2E 63 6F 6D                            iger.com
..w.
0020: 13 A4 51 03 3F B0 FF 2A   17 FC A4 00 00 2A 00 33  ..Q.?..*.....*.3
0030: C0 04 00 16 00 05 C0 03   C0 11 C0 02 C0 07 C0 13  ................
0040: C0 08 C0 0C 00 FF C0 0D   C0 0E C0 09 00 2F C0 12  ............./..
0050: 00 04 00 32 00 13 00 0A   01 00 00 7C 00 0A 00 34  ...2...........4
0060: 00 32 00 17 00 01 00 03   00 13 00 15 00 06 00 07  .2..............
0070: 00 09 00 0A 00 18 00 0B   00 0C 00 19 00 0D 00 0E  ................
0080: 00 0F 00 10 00 11 00 02   00 12 00 04 00 05 00 14  ................
0090: 00 08 00 16 00 0B 00 02   01 00 00 0D 00 1A 00 18  ................
00A0: 06 03 06 01 05 03 05 01   04 03 04 01 03 03 03 01  ................
00B0: 02 03 02 01 02 02 01 01   00 00 00 1C 00 1A 00 00  ................
00C0: 17 70 6F 73 74 70 72 6F   64 31 2E 72 61 74 65 74  .postprod1.ratet
00D0: 69 67 65 72 2E 63 6F 6D                            iger.com
[Raw read]: length = 5
0000: 15 03 03 00 02                                     .....
[Raw read]: length = 2
[Raw read]: length = 5
0000: 02000 280 : 15       03 03       00    02                                                            .(   
    ..qtp11284997-17, READ: TLSv1.2 Alert, length = 2
..qtp11284997-17, RECV TLSv1 ALERT:  fatal, handshake_failure
.
[Raw read]: length = 2
0000: 02 28qtp11284997-17, called closeSocket()
                           qtp11284997-17, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
                   qtp11284997-17, called close()
.(qtp11284997-17, called closeInternal(true)

qtp11284997-18, READ: TLSv1.2 Alert, length = 2
qtp11284997-18, RECV TLSv1 ALERT:  fatal, handshake_failure
2016-06-15 10:53:06,722 WARN  [ride.intermediate.connect.ratetiger.ConnectRateTiger] -- Exception in InputStream Close--java.lang.NullPointerException
qtp11284997-17, called close()
qtp11284997-17, called closeInternal(true)
qtp11284997-18, called closeSocket()
qtp11284997-18, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
qtp11284997-18, called close()
qtp11284997-18, called closeInternal(true)

Could be a different root certificate or something similar. You could try to check whether at least one of the root and intermediate certificates used by the URL you're trying to access is present in the keystore. Java8 is very likely to contain newer certificates by default. — Thomas, Jun 14 '16 at 08:30
@Thomas, yes root and intermediate certificates used by the URL are also present in the keystore. — Estimate, Jun 14 '16 at 09:16
Are you sure Java 7 was connecting to the server using TLS 1.2? Try your connection with `-Djavax.net.debug=all`. See http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html — Andrew Henle, Jun 14 '16 at 09:35

score 10 · Answer 1 · answered Jan 06 '18 at 05:13

10

Without upgrading to Java 8, you can upgrade your Java 7 version to 1.7.0_131-b31

For JRE 1.7.0_131-b31 in Oracle site :

TLSv1.2 and TLSv1.1 are now enabled by default on the TLS client end-points. This is similar behavior to what already happens in JDK 8 releases.

answered Jan 06 '18 at 05:13

Joby Wilson Mathews

10,528
6
54
53

2

This is probably the only post I found in the internet that says, since 1.7.0_131-b31, TLSv1.2 is enabled by default. Thanks a ton !!! – AbD_Riz Mar 02 '18 at 18:58
2

People have to notice this update is provided by Oracle only with a Business contract, usual users can only download the version jdk/jre 7u80 which does not contains this settings by default. For me as well upgrading to update 171 (the latest one) did the trick without changing our code. Alternatively I was able to upgrade my CentOs JDK version using the OpenJdk version which is free to download. – рüффп Mar 06 '18 at 11:58
This is THE solution, wonder why it has so less votes. @Joby, you have provided the information which couldnt be found anywhere else. Thank you so very much!!! – HarsH Dec 23 '19 at 18:58

score 4 · Accepted Answer · answered Jun 15 '16 at 09:10

4

If you test the URL with SSLLabs, the website allow 4 ciphers :

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

But if you read ciphers list for Java 7, no cipher is not supported (can be seen in the debug message also). Even by enabling TLS 1.2 for Java 7, I think it doesn't find any valid ciphers. The site had to change its configuration.

answered Jun 15 '16 at 09:10

Limetics

141
7

This is helpful. Thank you – Estimate Jun 15 '16 at 09:21
This was wrong. The SSLLabs list is for the default settings, with TLS1.2 disabled; when you enable 1.2, Java 7 does support the AES_128_CBC_SHA256 suite in your list, and also the AES_256_CBC_SHA384 suite if you add the 'unlimited strength policy' (also not default). These suites are implemented, but cannot be negotiated in 1.0, because SHA-2 HMACs are defined only for 1.2. OTOH the two GCM suites also require 1.2 but were not implemented in Java 7 even when 1.2 is enabled, at least in the free releases; the after-EOL paid versions may have added it. ... – dave_thompson_085 Jun 08 '18 at 10:57
... However the server seems to have changed since 2016; it now accepts protocols down to 1.0 and several weaker ciphers -- and not AES-256 at all! -- making it impractical to figure out now what the problem actually was. – dave_thompson_085 Jun 08 '18 at 11:00

score 0 · Answer 3 · answered Jun 14 '16 at 12:07

0

I also faced the similar kind of problem while starting our swing based application. It seems that in some version of java 7, TLS1.2 is not enabled by default. I enabled it and then it worked fine.

You may enable it from Java Control Panel -> Advanced -> Click 'Use TLS 1.2'

Hopefully, it should work in your case also.

answered Jun 14 '16 at 12:07

Vinay

526
3
6

1

Thanks, but I'm looking for an answer which can be applicable in a jboss or jetty servers. Not in any IDE. – Estimate Jun 15 '16 at 06:07

TLS 1.2 was supported in Java 8 but not in Java 7

3 Answers3

Linked