Tomcat 7 Web App gets SSL handshake_failure, desktop application doesn't

Question

Hey everyone, my web app is having problems with HTTPS connections, resulting in handshake_failure.

In order to troubleshoot it, I wrote a simple desktop application with the same parameters used inside the web app.

This is the source code of the desktop app:

public class Main {
    private final static String helperMsg = "java -jar SSLTest.jar url";

    public static void main(String[] args) {
        System.setProperty("https.protocols", "TLSv1.2,TLSv1.1");

        if(args.length < 1){
            System.out.println("Insufficient arguments: " + args.length);
            System.out.println(helperMsg);
            return;
        }
        String httpsTarget = args[0];
        URL url;
        try {
            url = new URL(httpsTarget);
            HttpsURLConnection connection = (HttpsURLConnection)url.openConnection();
            if(connection == null)
                throw new IOException("Connection null");

            SSLSocketFactoryEx factory = new SSLSocketFactoryEx(null,null,null);
            connection.setSSLSocketFactory(factory);

            connection.setRequestMethod("GET");
            connection.connect();
            System.out.println(connection.getResponseCode() + ": " + connection.getResponseMessage());
        } catch (Exception e) {
            System.out.println("Exception: " + e.getMessage());
        }
    }
}

Where SSLSocketFactoryEx is from this post.

After packaging this simple app to an executable JAR file and installing the required certificates to my trust store, my launch command is the following:

java -Djavax.net.ssl.trustStore=<trustStoreFile> -Djavax.net.debug=all -jar SSLTest.jar <httpsURL>

Inside the web application, the HTTPS connection commands are exactly the same, but while the desktop app successfully gets an HTTP response, the web app is stuck on the handshake_failure, just like when using the desktop application I didn't specify the usage of TLSv1.2 or TLSv1.1 as default via the System.setProperty("https.protocols", "TLSv1.2,TLSv1.1") instruction and wasn't using the SSLSocketFactoryEx as custom SSLSocketFactory for HttpsURLConnection.

That's why I'm giving the fault to the Tomcat configuration, but I can't understand what.

My Tomcat Java options already include the following VM arguments:

-Djavax.net.ssl.trustStore=<trustStoreFile>
-Dhttps.protocols=TLSv1.2,TLSv1.1
-Djavax.net.debug=all

and my server.xml contains the following fields:

<Connector port="80" protocol="HTTP/1.1"
               connectionTimeout="20000"
        keystoreFile=<keyStoreFile> keystorePass=<keyStorePW>
        truststoreFile=<trustStoreFile> truststorePass=<trustStorePW>
        sslEnabledProtocols="TLSv1.2,TLSv1.1"
        redirectPort="8443" />

I also tried setting the keystoreFile, keystorePass, truststoreFile and truststorePass properties, alongside the protocols one, in the web app via instructions, with no results at all, still getting handshake_failure.

I'm using Tomcat 7.0.59 and jdk1.7.0_80 and I'm unable to update anything.

Thanks for your efforts.

-- EDIT --

trigger seeding of SecureRandom
done seeding SecureRandom
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_RC4_128_SHA
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
http-apr-80-exec-47, called close()
http-apr-80-exec-47, called closeInternal(true)
http-apr-80-exec-47, called closeSocket(selfInitiated)
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_NULL_SHA
Ignoring unavailable cipher suite: TLS_ECDH_anon_WITH_RC4_128_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
Ignoring unavailable cipher suite: TLS_ECDH_anon_WITH_NULL_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_anon_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_NULL_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_RC4_128_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_NULL_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_anon_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_NULL_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
DOPO CHIAMATA 3
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_RC4_128_SHA
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1531997568 bytes = { 145, 51, 114, 234, 178, 6, 227, 30, 223, 175, 233, 64, 136, 117, 68, 227, 252, 207, 144, 188, 113, 85, 202, 197, 214, 163, 225, 65 }
Session ID:  {}
Cipher Suites: [TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Extension server_name, server_name: [host_name: <hotsname>]
***
[write] MD5 and SHA1 hashes:  len = 140
0000: 01 00 00 88 03 03 5B 50   6E 80 91 33 72 EA B2 06  ......[Pn..3r...
0010: E3 1E DF AF E9 40 88 75   44 E3 FC CF 90 BC 71 55  .....@.uD.....qU
0020: CA C5 D6 A3 E1 41 00 00   10 00 6A 00 33 00 32 00  .....A....j.3.2.
0030: 3D 00 35 00 3C 00 2F 00   FF 01 00 00 4F 00 0D 00  =.5.<./.....O...
0040: 1A 00 18 06 03 06 01 05   03 05 01 04 03 04 01 03  ................
0050: 03 03 01 02 03 02 01 02   02 01 01 00 00 00 2D 00  ..............-.
0060: 2B 00 00 28 63 6F 6C 6C   70 72 6F 78 79 6F 75 74  +..(XXXXXXXXXXX
0070: 2E 77 68 6F 6C 65 73 61   6C 65 2E 74 65 6C 65 63  XXXXXXXXXXXXXXX
0080: 6F 6D 69 74 61 6C 69 61   2E 63 6F 6D              XXXXXXXXXXXX
http-apr-80-exec-47, WRITE: TLSv1.2 Handshake, length = 140
[Raw write]: length = 145
0000: 16 03 03 00 8C 01 00 00   88 03 03 5B 50 6E 80 91  ...........[Pn..
0010: 33 72 EA B2 06 E3 1E DF   AF E9 40 88 75 44 E3 FC  3r........@.uD..
0020: CF 90 BC 71 55 CA C5 D6   A3 E1 41 00 00 10 00 6A  ...qU.....A....j
0030: 00 33 00 32 00 3D 00 35   00 3C 00 2F 00 FF 01 00  .3.2.=.5.<./....
0040: 00 4F 00 0D 00 1A 00 18   06 03 06 01 05 03 05 01  .O..............
0050: 04 03 04 01 03 03 03 01   02 03 02 01 02 02 01 01  ................
0060: 00 00 00 2D 00 2B 00 00   28 63 6F 6C 6C 70 72 6F  ...-.+..(XXXXXX
0070: 78 79 6F 75 74 2E 77 68   6F 6C 65 73 61 6C 65 2E  XXXXXXXXXXXXXXX
0080: 74 65 6C 65 63 6F 6D 69   74 61 6C 69 61 2E 63 6F  XXXXXXXXXXXXXXX
0090: 6D                                                 XXXXX
[Raw read]: length = 5
0000: 15 03 03 00 02                                     .....
[Raw read]: length = 2
0000: 02 28                                              .(
http-apr-80-exec-47, READ: TLSv1.2 Alert, length = 2
http-apr-80-exec-47, RECV TLSv1 ALERT:  fatal, handshake_failure
http-apr-80-exec-47, called closeSocket()
http-apr-80-exec-47, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Received fatal alert: handshake_failure

I'm confused here, you mention a web app - that traditionally is the server - and also some client code. You say the web app cannot connect to some server but the client can. You then have some code from a server.xml, which is presumably from a diffetent web app? Finally you have `javax.net.debug=all` but beyond `handshake_failure` you don't give us any output from the debug logging to diagnose the problem. Can you explain how many different applications are involved here and what fails to connect to what? — Boris the Spider, Jul 19 '18 at 10:18
There is a web app running on Tomcat 7.0.59 as a client which needs to connect to another server which gives the handshake_failure error, which is incredibly **everything I got from debug=all**. In order to test if there were any other problems regarding the Java connection, I wrote a standard Java desktop application client which connects to the same other server, which fully works. — Emanuele Giona, Jul 19 '18 at 10:36
That is certainly not the only thing you got - you got a lot of output to stdout, loads. If you didn't, then you've done it wrong... Please read, and post, the last few dozen lines of that log before the handshake failure output. — Boris the Spider, Jul 19 '18 at 10:50
That's client side? Looks to me like the server doesn't support any of the ciphers your client is offering to use. To confirm, look at the server side. — Boris the Spider, Jul 19 '18 at 11:15
Unfortunately, I'm not able to look at the server side. Problem is that the desktop application I pasted the source code here works, with the same parameters. — Emanuele Giona, Jul 19 '18 at 11:17
Different versions of Java at a guess, perhaps one with the [unlimited strength policy files installed](http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html). — Boris the Spider, Jul 19 '18 at 11:20
The only installed Java version is JDK 1.7.0_80 and its relative JRE (1.7.0_80-b15). Funny fact: copying JDK 1.8.0_111 files and running the same Tomcat version on this Java 8 jvm.dll makes it work, but it's not a solution I intend to use — Emanuele Giona, Jul 19 '18 at 12:23
So, the version of Java you are running is too old to connect to the server - it doesn't have the cipher suites required to connect. Your options are somewhat limited - you could try using [bouncycastle](https://www.bouncycastle.org/) as your JCE provider. But really, you need to either update Java or use an SSL terminating proxy. — Boris the Spider, Jul 19 '18 at 12:25

score 0 · Accepted Answer · answered Jul 20 '18 at 09:12

0

The only working option was to run Tomcat on an updated jvm.dll, which fixed the SSL errors since from jre 1.7.0_131-b31 TLSv1.1 and TLSv1.2 are enabled by default.

answered Jul 20 '18 at 09:12

Emanuele Giona

781
1
8
20

Tomcat 7 Web App gets SSL handshake_failure, desktop application doesn't

1 Answers1