Java SSL handshake_failure

Question

I have a problem using a TLS connection to connect to a server that is programmed in LabVIEW. On the client side, Java 1.8.0_201 is used. I assume that my SSLContext is set up correctly and the respective certificates are loaded properly on both sides.

However, when I connect, especially when calling the sslSocket.startHandshake() method, I get the following error message:

Received fatal alert: handshake_failure
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
    at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2038)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1135)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
    at ssl.labview.test.Main.main(Main.java:79)

I have examined my program with the switch -Djavax.net.debug=all but I get no additional Information from that.

I followed these instructions https://techblog.telia.no/blog/troubleshooting-javax-net-ssl-sslhandshakeexception-received-fatal-alert-handshake-failure to solve my problem but it doesn't help. Also, copying the unlimited strength .jar files, as variously described in other posts, does not help me. For solutions or information on how I can narrow down the error, I would be very grateful.

Edit: Output of -Djavax.net.debug=all

H:\NB SSL LabVIEW Test\SSL LabVIEW Test\dist>java -Djavax.net.debug=all -jar "SSL_LabVIEW_Test.jar"
[INFO] Loading KeyStore
[INFO] Setting up KeyManager[] and TrustManager[]
adding as trusted cert:
  Subject: CN=Michael Ilgenfritz, OU=Unknown, O="Ilgenfritz Electronics ", L=Fuchsstadt, ST=Bayern, C=DE
  Issuer:  CN=Michael Ilgenfritz, OU=Unknown, O="Ilgenfritz Electronics ", L=Fuchsstadt, ST=Bayern, C=DE
  Algorithm: RSA; Serial number: 0x196ee5a9
  Valid from Mon Feb 18 13:06:18 CET 2019 until Sun May 19 14:06:18 CEST 2019

[INFO] Initializing SSLContext
System property jdk.tls.client.cipherSuites is set to 'null'
System property jdk.tls.server.cipherSuites is set to 'null'
Ignoring disabled cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA
Ignoring disabled cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA256
Ignoring disabled cipher suite: TLS_ECDHE_RSA_WITH_NULL_SHA
Ignoring disabled cipher suite: SSL_RSA_WITH_DES_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
Ignoring disabled cipher suite: TLS_KRB5_WITH_DES_CBC_MD5
Ignoring disabled cipher suite: TLS_ECDH_RSA_WITH_NULL_SHA
Ignoring disabled cipher suite: SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
Ignoring disabled cipher suite: SSL_DH_anon_WITH_DES_CBC_SHA
Ignoring disabled cipher suite: TLS_DH_anon_WITH_AES_128_CBC_SHA
Ignoring disabled cipher suite: TLS_KRB5_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_KRB5_WITH_DES_CBC_SHA
Ignoring disabled cipher suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
Ignoring disabled cipher suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
Ignoring disabled cipher suite: SSL_DHE_RSA_WITH_DES_CBC_SHA
Ignoring disabled cipher suite: TLS_KRB5_WITH_3DES_EDE_CBC_MD5
Ignoring disabled cipher suite: SSL_DH_anon_WITH_RC4_128_MD5
Ignoring disabled cipher suite: TLS_ECDHE_ECDSA_WITH_NULL_SHA
Ignoring disabled cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_RSA_WITH_NULL_SHA256
Ignoring disabled cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_anon_WITH_NULL_SHA
Ignoring disabled cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_anon_WITH_RC4_128_SHA
Ignoring disabled cipher suite: SSL_DHE_DSS_WITH_DES_CBC_SHA
Ignoring disabled cipher suite: TLS_KRB5_EXPORT_WITH_RC4_40_SHA
Ignoring disabled cipher suite: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
Ignoring disabled cipher suite: TLS_KRB5_WITH_RC4_128_SHA
Ignoring disabled cipher suite: TLS_ECDH_anon_WITH_AES_256_CBC_SHA
Ignoring disabled cipher suite: SSL_RSA_EXPORT_WITH_RC4_40_MD5
Ignoring disabled cipher suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
Ignoring disabled cipher suite: TLS_KRB5_EXPORT_WITH_RC4_40_MD5
Ignoring disabled cipher suite: TLS_ECDH_anon_WITH_AES_128_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
Ignoring disabled cipher suite: TLS_KRB5_WITH_RC4_128_MD5
Ignoring disabled cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_RSA_WITH_RC4_128_SHA
Ignoring disabled cipher suite: TLS_ECDH_ECDSA_WITH_NULL_SHA
Ignoring disabled cipher suite: TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_RSA_WITH_RC4_128_SHA
Ignoring disabled cipher suite: SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_RSA_WITH_NULL_SHA
Ignoring disabled cipher suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA
Ignoring disabled cipher suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
Ignoring disabled cipher suite: SSL_RSA_WITH_RC4_128_MD5
Ignoring disabled cipher suite: TLS_DH_anon_WITH_AES_128_CBC_SHA256
Ignoring disabled cipher suite: SSL_RSA_WITH_NULL_MD5
Ignoring disabled cipher suite: TLS_DH_anon_WITH_AES_128_GCM_SHA256
Ignoring disabled cipher suite: TLS_DH_anon_WITH_AES_256_GCM_SHA384
Ignoring disabled cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring disabled cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring disabled cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Ignoring disabled cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring disabled cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
Ignoring disabled cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
Ignoring disabled cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring disabled cipher suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
trigger seeding of SecureRandom
done seeding SecureRandom
[INFO] Creating secure socket
[INFO] Connecting to 192.168.0.108:1337
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
[INFO] Starting handshake
%% No cached client session
update handshake state: client_hello[1]
upcoming handshake states: server_hello[2]
*** ClientHello, TLSv1
RandomCookie:  GMT: 1550501329 bytes = { 144, 56, 218, 164, 7, 50, 54, 178, 71, 75, 41, 204, 245, 105, 227, 189, 232, 153, 163, 215, 18, 131, 110, 108, 91, 204, 4, 175 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension extended_master_secret
Extension renegotiation_info, renegotiated_connection: <empty>
***
[write] MD5 and SHA1 hashes:  len = 114
0000: 01 00 00 6E 03 01 5C 6B   C6 D1 90 38 DA A4 07 32  ...n..\k...8...2
0010: 36 B2 47 4B 29 CC F5 69   E3 BD E8 99 A3 D7 12 83  6.GK)..i........
0020: 6E 6C 5B CC 04 AF 00 00   1C C0 0A C0 14 00 35 C0  nl[...........5.
0030: 05 C0 0F 00 39 00 38 C0   09 C0 13 00 2F C0 04 C0  ....9.8...../...
0040: 0E 00 33 00 32 01 00 00   29 00 0A 00 16 00 14 00  ..3.2...).......
0050: 17 00 18 00 19 00 09 00   0A 00 0B 00 0C 00 0D 00  ................
0060: 0E 00 16 00 0B 00 02 01   00 00 17 00 00 FF 01 00  ................
0070: 01 00                                              ..
main, WRITE: TLSv1 Handshake, length = 114
[Raw write]: length = 119
0000: 16 03 01 00 72 01 00 00   6E 03 01 5C 6B C6 D1 90  ....r...n..\k...
0010: 38 DA A4 07 32 36 B2 47   4B 29 CC F5 69 E3 BD E8  8...26.GK)..i...
0020: 99 A3 D7 12 83 6E 6C 5B   CC 04 AF 00 00 1C C0 0A  .....nl[........
0030: C0 14 00 35 C0 05 C0 0F   00 39 00 38 C0 09 C0 13  ...5.....9.8....
0040: 00 2F C0 04 C0 0E 00 33   00 32 01 00 00 29 00 0A  ./.....3.2...)..
0050: 00 16 00 14 00 17 00 18   00 19 00 09 00 0A 00 0B  ................
0060: 00 0C 00 0D 00 0E 00 16   00 0B 00 02 01 00 00 17  ................
0070: 00 00 FF 01 00 01 00                               .......
[Raw read]: length = 5
0000: 15 03 01 00 02                                     .....
[Raw read]: length = 2
0000: 02 28                                              .(
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1.2 ALERT:  fatal, handshake_failure
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Received fatal alert: handshake_failure
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
        at sun.security.ssl.Alerts.getSSLException(Unknown Source)
        at sun.security.ssl.Alerts.getSSLException(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.recvAlert(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at ssl.labview.test.Main.main(Main.java:79)

On that contrary, the debugging information you get with `-Djavax.net.debug=all` should pinpoint precisely where in the handshake things go awry. Add the debug output to your question. — President James K. Polk, Feb 18 '19 at 19:30
Does the server speak TLSv1? It looks like it speaks TLSv1.2 only. If so, disable TLSv1 and TLSv1.1 as enabled protocols in the `SSLSocket`. — user207421, Sep 02 '19 at 08:02
Lukas: the unlimited strength jars are obsolete in 8u151 up; you may have been looking at answers more than a year old. @user207421: it is suspicious for j8 to offer max TLS1.0 (wire 03 01) in which case you need to _enable_ higher (not just disable lower), but it is also suspicious to not provide SNI, and there is also the possibility server doesn't have valid key&cert to use. Plus this was 6 months ago. — dave_thompson_085, Sep 02 '19 at 17:23

score -1 · Answer 1 · answered Feb 18 '19 at 16:35

-1

I had a similar problem. I was able to get valid response from particular URL from browser and was getting handshake exception when sent the same request from Java. What solved the problem for me was importing certificate from url using browser and then exporting it into keystore of the JVM that you are using. See question How to import a .cer certificate into a java keystore? As to how to import certificate from URL with Chrome -

Open The URL
Right Click on the small pic of the lock to the left side of the url
Choose Certificate
Go to "Details" tab and click on "Copy to file" button and follow the instructions. Once you r got your certificate (.cer) file export it into your JVM keystore as explained in the link above

answered Feb 18 '19 at 16:35

Michael Gantman

7,315
2
19
36

I use my own KeyStore or TrustStore. Loading the certificate from it works fine. If it was also a certificate problem, I would get a more detailed error message. – Lukas Nothhelfer Feb 19 '19 at 09:11
My problem was that I didn't have a certificate in my keystore and once I added it, it resolved my problem. But if you have needed certificate then you have a different problem – Michael Gantman Feb 19 '19 at 11:05
You had a different problem: unable to find valid certification path to requested target. This handshake has been failed by the server, not by the client. The server isn't going to fail its own certificate. – user207421 Sep 02 '19 at 08:01

score -1 · Answer 2 · edited Sep 02 '19 at 08:15

-1

I had a similar problem.
I fixed it by enabling Java Cryptography Unlimited Strength.
Edit file $JDK_HOME/jre/lib/security/java.security
Uncomment line:

#crypto.policy=unlimited

Save file. Try again.

edited Sep 02 '19 at 08:15

Hasta Dhana

4,699
7
17
26

answered Sep 02 '19 at 07:21

Thomas Lassauniere

29
1

There is no line like that – ibrahimgunes Oct 24 '19 at 13:08
Which version of the JDK are you using? This option is only available in Oracle JDK 8 – Thomas Lassauniere Oct 25 '19 at 14:17
just another random answer that will only work in particular cases – Drumnbass Feb 22 '22 at 16:48

Java SSL handshake_failure

2 Answers2