I'm using Java 8 for an SSL connection and got `8 RECV TLSv1.2 ALERT: fatal, handshake_failure`. The server owner sent me three cert files; I added them to the key store and trust store, using:

```java
System.setProperty("javax.net.ssl.keyStore", file);
System.setProperty("javax.net.ssl.trustStore", file);
```

The error below is SSL debug output:

```
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA256withRSA, SHA256withDSA, SHA256withECDSA, SHA384withRSA, Unknown (hash:0x5, signature:0x2), SHA384withECDSA
Cert Authorities:
<Empty>
main, READ: TLSv1.2 Handshake, length = 4
*** ServerHelloDone
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
```

I'd appreciate it if anyone can help.

user207421
Mohamed Nabil
  • Seems like the server is requesting client certificate authentication, and your client doesn't have a certificate to send. You'll need to specify a keystore in PKCS12, JKS, JCEKS format containing the client's keypair. – Boris the Spider Feb 06 '18 at 07:36
  • Thanks for the prompt reply. They gave three certificate files; I imported them into the KS file but it doesn't work. Is there another way to generate a key from cert files? – Mohamed Nabil Feb 06 '18 at 07:47
  • It would be worth adding that detail to the question. Also add how you have specified the keystore in your program. – Boris the Spider Feb 06 '18 at 07:53
  • Thanks for the reply. I set my key store file: `System.setProperty("javax.net.ssl.keyStore", "client_from_server2.jks");` – Mohamed Nabil Feb 06 '18 at 09:54

1 Answer

The key to this is right here:

Cert Authorities:
     <Empty>

The server doesn't trust anybody. It has an empty truststore, or no truststore at all. The client can only send a certificate that is trusted by the Cert Authorities in the CertificateRequest message. There were no authorities, so no client certificate, so no TLS session.

Solution: fix the server truststore.

user207421
  • EJP, I'm experiencing a similar problem as stated above in the question. But I do have the Certificate Authorities as: `Certificate Authorities [read] MD5 and SHA1 hashes: len = 171 06 ...Chennai 1.0.. 0070: 6D 70 6F 73 65 72 31 19 30 17 0 *** ServerHelloDone [read] MD5 and SHA1 hashes: len = 4 0000: 0E 0 00 00 .... Warning: no suitable certificate found - continuing without client authentication *** Certificate chain ` – Raguram Jun 04 '18 at 13:04
  • Though I have the Certificate Authorities, I'm facing a similar issue. Can you please advise on this? Your help would be greatly appreciated! – Raguram Jun 04 '18 at 13:08
  • @Raguram If you have non-empty certificate authorities you *aren't* facing a similar issue. – user207421 Jul 10 '18 at 12:08
  • I'm having empty cert authorities as posted above in the question. ----- `Cert Authorities: ` --- – Raguram Jul 10 '18 at 17:45
  • The list of Cert Authorities is not empty for my server. I don't know why I still see the same error for my client. `*** CertificateRequest Cert Types: RSA, DSS, ECDSA Supported Signature Algorithms: SHA512withRSA, Unknown (hash:0x6, signature:0x2), SHA512withECDSA, SHA384withRSA, Unknown (hash:0x5, signature:0x2), SHA384withECDSA, SHA256withRSA, SHA256withDSA, SHA256withECDSA, SHA224withRSA, SHA224withDSA, SHA224withECDSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA Cert Authorities: [read] MD5 and SHA1 hashes: len = 363` – Ayaskant Nov 22 '18 at 06:49
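
A diagnostic for the "no suitable certificate found" warning discussed in this thread, added here as an example and not code from any of the posters: it reports which keystore entries hold a private key of a type named in the `Cert Types` line (JSSE's default key manager only offers such entries, and importing a certificate file typically creates a certificate-only entry) and prints each chain's issuers for comparison with `Cert Authorities`. The class name `ClientCertCheck` and the command-line arguments are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Added example: lists which keystore entries could be offered as a client certificate.
public class ClientCertCheck {
    // Key algorithms matching "Cert Types: RSA, DSS, ECDSA" from the debug output above.
    static final List<String> SERVER_KEY_TYPES = Arrays.asList("RSA", "DSA", "EC");

    // A usable entry holds a private key plus a certificate chain of an accepted key type.
    static boolean usableForClientAuth(KeyStore ks, String alias) throws Exception {
        if (!ks.isKeyEntry(alias)) return false; // trustedCertEntry: certificate only
        Certificate[] chain = ks.getCertificateChain(alias);
        return chain != null && chain.length > 0
                && SERVER_KEY_TYPES.contains(chain[0].getPublicKey().getAlgorithm());
    }

    public static void main(String[] args) throws Exception {
        // Assumption: path and password come from the command line, or from the
        // same system properties the client sets.
        String path = args.length > 0 ? args[0] : System.getProperty("javax.net.ssl.keyStore");
        String pass = args.length > 1 ? args[1] : System.getProperty("javax.net.ssl.keyStorePassword", "");
        String type = System.getProperty("javax.net.ssl.keyStoreType", KeyStore.getDefaultType());
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass.toCharArray());
        }
        int usable = 0;
        for (String alias : Collections.list(ks.aliases())) {
            boolean ok = usableForClientAuth(ks, alias);
            if (ok) usable++;
            System.out.printf("%s: %s%n", alias, ok ? "key entry, can be sent"
                    : ks.isKeyEntry(alias) ? "key entry, unsupported key type or no chain"
                    : "certificate only, no private key");
            Certificate[] chain = ks.getCertificateChain(alias);
            if (chain == null) continue; // certificate-only entries have no chain
            for (Certificate c : chain) {
                if (c instanceof X509Certificate) // compare with the Cert Authorities list
                    System.out.println("    issuer: " + ((X509Certificate) c).getIssuerX500Principal().getName());
            }
        }
        System.out.println(usable + " entry(ies) usable for client authentication");
    }
}
```

Run it as `java ClientCertCheck client_from_server2.jks <password>`; a result of 0 usable entries means the keystore holds only certificates and the client has no key pair to authenticate with.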