1

I have a Java application that's trying to connect over HTTPS to a web application. When I run it on my Windows box everything works great, but on an AWS Linux box I get a handshake error. Here's the versions of software that I'm using:

Windows Java

  • java version "1.8.0_101"
  • Java(TM) SE Runtime Environment (build 1.8.0_101-b13)
  • Java HotSpot(TM) Client VM (build 25.101-b13, mixed mode, sharing)

AWS Linux Java

  • openjdk version "1.8.0_91"
  • OpenJDK Runtime Environment (build 1.8.0_91-b14)
  • OpenJDK 64-Bit Server VM (build 25.91-b14, mixed mode)

My initial guess was that the problem was due to SNI since that's how the webapp that I'm connecting to is set up. However, when I look at the debug log I see that on Linux it's saying:

Extension server_name, server_name: [type=host_name (0), value=www.abuseipdb.com]

This makes me think that SNI is being handled properly.

I'm beginning to think that the root of the problem is that my client and the server can't agree on a cipher suite which makes the handshake fail. I see that on Windows TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 is being used. I also see that this cipher suite seems to be absent on Linux.

I'm really not sure I fully understand everything that's happening in the debug dump, so hopefully someone can confirm my suspicions and suggest how to fully fix this problem.

Here's what's happening on Linux which fails with a handshake exception

2016/08/26 22:52:35:882 EDT [DEBUG] RequestAddCookies - -CookieSpec selected: best-match
2016/08/26 22:52:35:891 EDT [DEBUG] RequestAuthCache - -Auth cache not set in the context
2016/08/26 22:52:35:893 EDT [DEBUG] PoolingHttpClientConnectionManager - -Connection request: [route: {s}->https://www.abuseipdb.com:443][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
2016/08/26 22:52:35:907 EDT [DEBUG] PoolingHttpClientConnectionManager - -Connection leased: [id: 0][route: {s}->https://www.abus      eipdb.com:443][total kept alive: 0; route allocated: 1 of 2; total allocated: 1 of 20]
2016/08/26 22:52:35:937 EDT [DEBUG] MainClientExec - -Opening connection {s}->https://www.abuseipdb.com:443
2016/08/26 22:52:36:038 EDT [DEBUG] HttpClientConnectionManager - -Connecting to www.abuseipdb.com/104.31.74.222:443
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1455489140 bytes = { 189, 42, 2, 83, 215, 159, 170, 114, 166, 145, 86, 76, 205, 19, 222, 103, 15, 89, 159, 24      , 126, 130, 219, 181, 48, 109, 132, 79 }
Session ID:  {}
Cipher Suites: [TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_RS      A_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_      DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_      SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES      _256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_R      SA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV      ]
Compression Methods:  { 0 }
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withE      CDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension server_name, server_name: [type=host_name (0), value=www.abuseipdb.com]
***
pool-1-thread-1, WRITE: TLSv1.2 Handshake, length = 143
pool-1-thread-1, READ: TLSv1.2 Alert, length = 2
pool-1-thread-1, RECV TLSv1.2 ALERT:  fatal, handshake_failure
pool-1-thread-1, called closeSocket()
pool-1-thread-1, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
2016/08/26 22:52:36:199 EDT [DEBUG] DefaultManagedHttpClientConnection - -http-outgoing-0: Shutdown connection
2016/08/26 22:52:36:200 EDT [DEBUG] MainClientExec - -Connection discarded
2016/08/26 22:52:36:200 EDT [DEBUG] DefaultManagedHttpClientConnection - -http-outgoing-0: Close connection
2016/08/26 22:52:36:200 EDT [DEBUG] PoolingHttpClientConnectionManager - -Connection released: [id: 0][route: {s}->https://www.ab      useipdb.com:443][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
Error: Received fatal alert: handshake_failure
Elapsed Time: 356 ms
2016/08/26 22:52:36:202 EDT [DEBUG] PoolingHttpClientConnectionManager - -Connection manager is shutting down
2016/08/26 22:52:36:202 EDT [DEBUG] PoolingHttpClientConnectionManager - -Connection manager shut down

Here's what happens on Windows that works:

2016/08/26 22:59:27:224 EDT [DEBUG] RequestAddCookies - -CookieSpec selected: best-match
2016/08/26 22:59:27:228 EDT [DEBUG] RequestAuthCache - -Auth cache not set in the context
2016/08/26 22:59:27:228 EDT [DEBUG] PoolingHttpClientConnectionManager - -Connection request: [route: {s}->https://www.abuseipd
b.com:443][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
2016/08/26 22:59:27:258 EDT [DEBUG] PoolingHttpClientConnectionManager - -Connection leased: [id: 0][route: {s}->https://www.ab
useipdb.com:443][total kept alive: 0; route allocated: 1 of 2; total allocated: 1 of 20]
2016/08/26 22:59:27:286 EDT [DEBUG] MainClientExec - -Opening connection {s}->https://www.abuseipdb.com:443
2016/08/26 22:59:27:362 EDT [DEBUG] HttpClientConnectionManager - -Connecting to www.abuseipdb.com/104.31.74.222:443
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1455489551 bytes = { 69, 36, 118, 201, 252, 93, 212, 32, 99, 181, 94, 8, 249, 138, 165, 81, 11, 108, 104, 8
7, 246, 104, 115, 107, 240, 195, 111, 25 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256
, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DS
S_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_S
HA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_
AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA25
6, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_D
SS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_C
BC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DS
S_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1
, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp
192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256wit
hECDSA, SHA256withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension server_name, server_name: [type=host_name (0), value=www.abuseipdb.com]
***
pool-1-thread-1, WRITE: TLSv1.2 Handshake, length = 215
pool-1-thread-1, READ: TLSv1.2 Handshake, length = 93
*** ServerHello, TLSv1.2
RandomCookie:  GMT: -1114532124 bytes = { 84, 54, 245, 62, 187, 242, 188, 165, 192, 49, 29, 203, 96, 228, 212, 99, 190, 50, 149
, 219, 193, 146, 98, 47, 55, 155, 153, 148 }
Session ID:  {215, 1, 126, 144, 1, 117, 237, 244, 231, 139, 61, 205, 198, 118, 31, 104, 79, 113, 148, 163, 72, 102, 159, 154, 7
9, 160, 201, 174, 102, 35, 3, 107}
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Sander Smith
  • 1,371
  • 4
  • 20
  • 30

1 Answers1

3

According to the SSLLabs report the site requires ECDHE ciphers. Your linux client does not support these ciphers while your windows client does.

ECDHE cipher suites not supported on OpenJDK 8 installed on EC2 Linux machine indicates that this might be a problem of OpenJDK vs. Oracle JDK.

Community
  • 1
  • 1
Steffen Ullrich
  • 114,247
  • 10
  • 131
  • 172
  • I can't emphasis how correct this answer is, I've been working on this problem for a long time. As the link suggests, it can be fixed by installing Bouncy Castle and then everything magically works. – Sander Smith Aug 28 '16 at 02:33