
I have a Java program that is using RestTemplate to talk to a service. I am using a client certificate for communicating with the server. I am getting the following error:

main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
19:53:13.851 [main] DEBUG org.apache.http.impl.conn.DefaultManagedHttpClientConnection - http-outgoing-0: Shutdown connection
19:53:13.852 [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Connection discarded
19:53:13.852 [main] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection released: [id: 0][route: {s}->https://api.entrust.net:443][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
19:53:13.854 [main] ERROR com.x.y.z.provider.a.Client - exception I/O error on GET request for "https://api.entrust.net/enterprise/v2/application/version": Received fatal alert: handshake_failure; nested exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
19:53:13.858 [main] DEBUG com.x.y.z.provider.a.Client - Map the failure exception {}
org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://api.entrust.net/enterprise/v2/application/version": Received fatal alert: handshake_failure; nested exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
        at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:744)
        at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:670)

When I enable debug logs, I see the initial handshake is done, but it fails later with the following error:

*** CertificateVerify
Signature Algorithm SHA256withRSA
update handshake state: certificate_verify[15]
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
main, WRITE: TLSv1.2 Handshake, length = 264
update handshake state: change_cipher_spec
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
verify_data:  { 101, 230, 249, 79, 106, 34, 167, 222, 44, 208, 111, 11 }
***

update handshake state: finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
main, WRITE: TLSv1.2 Handshake, length = 40
main, READ: TLSv1.2 Alert, length = 2
main, RECV TLSv1.2 ALERT:  fatal, handshake_failure
%% Invalidated:  [Session-1, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
main, called closeSocket()

Interestingly, when I run it on my laptop it works without issues, but as soon as I run it in a container it gives me the handshake error.

I am running Oracle JDK on my laptop but OpenJDK-1.8.0.212 in my container. What could the possible issues be?

In the container I do have the truststore and keystore installed, and I can see that they are being used, since the place where it fails is the one that I showed in the SSL debug logs.

Milind
  • So you added a certificate on your host, for example with "keytool -import -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts..."? And then it fails in your Docker container? Is the cacerts file available in your container? – Carlos Sep 26 '19 at 01:26
  • What version of Oracle JDK are you running on your laptop? What version of Java is the service running? – Stephen C Sep 27 '19 at 00:53
  • So why do you not put Oracle JDK in your container? There might be differences in the ciphers available on each JDK --> https://stackoverflow.com/questions/9333504/how-can-i-list-the-available-cipher-algorithms . – Carlos Sep 30 '19 at 16:47

1 Answer


Option 1. You need to add your truststore/keystore to the cacerts of the container or environment where you are testing it, for the handshake to go through successfully.

Option 2. You can point your program to the location of the keystore file inside your container/sandbox/environment.

Karthik HG
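As an added example (not code from the question or the answer above), this shows option 2 in practice: the keystore and truststore are loaded from explicit paths inside the container instead of the JDK's default cacerts, the keystore is checked for a private-key entry with a certificate chain before any request is made (a server that cannot validate the client's certificate answers the client's Finished with exactly the fatal handshake_failure seen in the question), and the resulting SSLContext is wired into RestTemplate through Apache HttpClient. The file paths, passwords and store types are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;
import javax.net.ssl.SSLContext;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContextBuilder;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;

public class MtlsRestTemplate {

    /** Loads a store from an explicit path (assumed: /etc/app/client.p12 and /etc/app/truststore.jks). */
    static KeyStore load(String path, char[] password, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Chain length of the first private-key entry, or 0 if there is none: without a key entry the
     *  client sends no certificate, and with a truncated chain the server may reject it. */
    static int clientChainLength(KeyStore ks) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {
                Certificate[] chain = ks.getCertificateChain(alias);
                return chain == null ? 0 : chain.length;
            }
        }
        return 0;
    }

    static RestTemplate build(String keyStorePath, char[] keyPass,
                              String trustStorePath, char[] trustPass) throws Exception {
        KeyStore keyStore = load(keyStorePath, keyPass, "PKCS12");   // assumed PKCS12 client store
        KeyStore trustStore = load(trustStorePath, trustPass, "JKS"); // assumed JKS trust store
        if (clientChainLength(keyStore) == 0) {
            throw new IllegalStateException("keystore has no private-key entry with a certificate chain");
        }
        SSLContext ctx = SSLContextBuilder.create()
                .loadKeyMaterial(keyStore, keyPass)   // client certificate and key for mutual TLS
                .loadTrustMaterial(trustStore, null)  // CAs trusted for the server certificate
                .build();
        SSLConnectionSocketFactory sf = new SSLConnectionSocketFactory(ctx, new String[]{"TLSv1.2"},
                null, SSLConnectionSocketFactory.getDefaultHostnameVerifier());
        CloseableHttpClient client = HttpClients.custom().setSSLSocketFactory(sf).build();
        return new RestTemplate(new HttpComponentsClientHttpRequestFactory(client));
    }
}
```

If the chain length is 1 in the container but longer on the laptop, the container's keystore was likely exported without the intermediate CA, which the server then cannot validate; the same class of failure also appears when the two JDKs offer different cipher suites, as the comment above suggests.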