
I am getting the following error while accessing our server:

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

I have a .p12 certificate.

When I give the path of the SSL certificate and the password in SoapUI, it works perfectly. I want to do the same in Java/Eclipse.

https://jackstromberg.com/2013/05/importing-a-ssl-certificate-into-a-java-keystore-via-a-pkcs12-file/

Followed steps 1, 2 and 4 to create the keystore and import it.

Placed mykeystore and mycertificate in C:\Program Files\Java\jdk1.8.0_261\jre\bin. While importing I am getting the following message:

C:\Program Files\Java\jdk1.8.0_261\jre\bin>keytool -v -importkeystore -srckeystore mycertificate.p12 -srcstoretype PKCS12 -destkeystore mykeystore -deststoretype JKS
Importing keystore mycertificate.p12 to mykeystore...
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias fcs certificate successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
[Storing mykeystore]

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore mykeystore -destkeystore mykeystore -deststoretype pkcs12".

Added the following to the Eclipse config file:

-Djavax.net.ssl.trustStore="C:/Program Files/Java/jdk1.8.0_261/jre/lib/security/cacerts"
-Djavax.net.ssl.trustStorePassword=changeit

Restarted Eclipse and tried to run it, but I am still getting the handshake failure.

Is all my procedure correct?

With debug enabled, I get the following:

javax.net.ssl|ALL|01|main|2020-11-09 18:28:51.118 IST|null:-1|No X.509 cert selected for RSA
javax.net.ssl|WARNING|01|main|2020-11-09 18:28:51.118 IST|null:-1|Unavailable authentication scheme: rsa_pkcs1_sha512
javax.net.ssl|ALL|01|main|2020-11-09 18:28:51.118 IST|null:-1|No X.509 cert selected for EC

I tried the other way as well.

Exported the certificate from the browser:

https://www.javasavvy.com/import-ssl-certificate-into-java-keystore/

Still getting the same error.

ChanGan
  • So, you imported the cert into `mykeystore` but does `mykeystore` reside in `C:/Program Files/Java/jdk1.8.0_261/jre/lib/security/cacerts`? – Smutje Nov 12 '20 at 10:13
  • I have imported that, but how do I check that mykeystore is present in cacerts? – ChanGan Nov 12 '20 at 10:22

2 Answers

4

I think your problem is that you are not configuring your trust store correctly.

You need to configure javax.net.ssl.trustStore with the keystore you created, something like:

-Djavax.net.ssl.trustStore=/path/to/mykeystore.jks

If you ran keytool from C:\Program Files\Java\jdk1.8.0_261\jre\bin, the keystore is probably in that directory. Try something similar to:

-Djavax.net.ssl.trustStore="/Program Files/Java/jdk1.8.0_261/jre/bin/mykeystore.jks" -Djavax.net.ssl.trustStoreType=jks -Djavax.net.ssl.trustStorePassword=changeit


Reviewing the article that you followed in your setup, I think your keys are well suited for secure communications and that the actual problem is that Eclipse is not seeing the right keystore. But please also consider the following Stack Overflow question: Java 11 and 12 SSL sockets fail on a handshake_failure error with TLSv1.3 enabled; perhaps it can be of help.

UPDATE

Although ideally suited for SSL client authentication, in this specific use case configuring javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword solved the problem:

-Djavax.net.ssl.keyStore="C:\Users\3020722\OneDrive - FIS\Desktop\certificate\newjks.jks" \
-Djavax.net.ssl.keyStorePassword=changeit

Thank you very much for the feedback @ChanGan!!

jccampanero
  • Is the JKS creation and import procedure given in the post correct? – ChanGan Nov 12 '20 at 13:36
  • Yes, I think so, it looks fine. In fact, it is working properly in SoapUI. Please try to launch Eclipse with the indicated ```javax.net.ssl.trustStore``` configuration; I think it will probably work fine. – jccampanero Nov 12 '20 at 13:39
  • I am getting the following while importing C:\Program Files\Java\jdk1.8.0_261\jre\lib\security>"C:\Program Files\Java\jdk1.8.0_261\jre\bin\keytool" -importkeystore -srckeystore myclientkeystore.jks -destkeystore myclientkeystore.jks -deststoretype pkcs12 Enter source keystore password: Entry for alias mycertificate.p12 successfully imported. Import command completed: 1 entries successfully imported, 0 entries failed or cancelled Warning: Migrated "myclientkeystore.jks" to Non JKS/JCEKS. The JKS keystore is backed up as "myclientkeystore.jks.old". – ChanGan Nov 12 '20 at 14:09
  • Sorry @ChanGan, I am afraid that I did not explain myself very well. You already created your keystore fine, it is not necessary to create it again. I modified my answer: I wanted to say _if your ran ```keytool``` from the directory_, not that you need to run ```keytool``` again. Please, can you try it? – jccampanero Nov 12 '20 at 14:32
  • Not sure what's going wrong. It shows the certificate is already added when adding it again, but still shows the handshake error. – ChanGan Nov 12 '20 at 14:56
  • The other post just says keyalg is needed and the keystore is generated with keyalg only. – ChanGan Nov 12 '20 at 14:57
  • I am sorry to hear that it is not working. How are you passing these VM args to Eclipse? – jccampanero Nov 12 '20 at 15:42
  • Run configuration - VM arguments - the given command. – ChanGan Nov 12 '20 at 16:15
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/224504/discussion-between-changan-and-jccampanero). – ChanGan Nov 13 '20 at 05:16
  • @ChanGan Were you finally able to solve the problem? – jccampanero Nov 19 '20 at 10:52
  • can you join me in the chat? – jccampanero Nov 19 '20 at 11:10
  • sure. i will join – ChanGan Nov 19 '20 at 11:11
  • @ChanGan Were you finally able to solve the problem? – jccampanero Nov 23 '20 at 23:47
  • It is still not working. Getting a cipher suites problem. – ChanGan Nov 27 '20 at 06:20
  • Fixed this: -Djavax.net.ssl.keyStore="C:\Users\3020722\OneDrive - FIS\Desktop\certificate\newjks.jks" -Djavax.net.ssl.keyStorePassword=changeit – ChanGan Mar 03 '21 at 09:24
  • That is nice, I am happy to hear that you were able to solve the problem. Thank you very much for the feedback. ChanGan, the problem then seems to be related to client authentication; it seems the server requires your client to authenticate itself as well. – jccampanero Mar 03 '21 at 09:31
  • Your answer gave the directions, so I am accepting this as the answer. It would be good if you add this option to refer to the keystore as well, so that it would be useful for others. – ChanGan Mar 03 '21 at 10:33
  • Thank you very much @ChanGan. Please see the updated answer. Please do not hesitate to contact me if you need further help. – jccampanero Mar 03 '21 at 13:48
  • Thank you very much @ChanGan!! – jccampanero Mar 03 '21 at 16:33
0

A few main points to consider before proceeding. I'm not sure whether all of them have been addressed in your context, so these are the points to check before going forward.

Let's say there are two applications App1 and App2 and these two are talking to each other.

If both have SSL disabled, there are no issues. But if we want to ensure traffic is encrypted between them, we need SSL.

So for both of them to talk to each other, the following should be checked properly.

One way SSL: Certificate of App2 has to be present in trust Store of App1. Certificate of App1 has to be present in trust store of App2.

Note that a truststore is different from a keystore. A keystore contains files related to the application itself. In this App1/App2 context, let's say C1 is the certificate of App1 and C2 is the certificate of App2.

So the key store and trust stores will be as follows:

KeyStore of App1: C1

TrustStore of App1: C2

KeyStore of App2: C2

Trust Store of App2: C1

To understand better, let's introduce App3 with certificate C3, with all of them talking to each other. Now the new scenario will be:

KeyStore of App1: C1

Trust Store of App1: C2, C3

KeyStore of App2: C2

Trust Store of App2: C1, C3

KeyStore of App3: C3

Trust Store of App3: C1, C2

Make sure you get these concepts right.

So now you're trying to talk to some server from your local application. You need to add the server's certificate to your local Java cacerts (which acts as the local trust store), which you mentioned is done, and there is no need to specify the trust store separately if you're using the Java cacerts.

Just check that you have configured the correct Java environment in Eclipse. For example, I have three versions of Java on my machine: 1.8_201, 1.8_181 and Java 11.

There is a chance that Eclipse uses the latest version. In that case, check the project settings and verify that you are using the correct JDK (the one to which you have added the certs).

To add the certs to cacerts you can use something like this (replace the bracketed placeholders with your alias, certificate file and cacerts password):

$JAVA_HOME/jre/bin/keytool -v -import -alias <alias> -file <server-cert.cer> -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass <cacerts-password> -noprompt

First, make sure that you're able to start the service from the command line:

$JAVA_HOME/bin/java -jar your.jar

Inferno
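The distinction both answers turn on (a keystore holding the client's own private key for javax.net.ssl.keyStore versus a trust store holding other parties' certificates, the C1/C2 layout above) can be checked before launching anything. The program below is an added example, not code from the question or either answer: it lists each entry of a store by role, explains why a store without a private key produces the "No X.509 cert selected for RSA" debug line from the question, answers the comment about verifying that a certificate is already in cacerts, and builds the SSLContext that the -D flags configure. The file names, the password and the cacerts location are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example; paths, password and store types below are assumptions.
public class KeyStoreCheck {

    // Load a JKS or PKCS12 file; type is "JKS" or "PKCS12".
    static KeyStore load(String path, String type, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, pw);
        }
        return ks;
    }

    // Print every entry and return how many carry a private key. Only those
    // make a store usable as javax.net.ssl.keyStore: when the server asks for
    // a client certificate and the store has none, JSSE logs "No X.509 cert
    // selected for RSA/EC" and the server answers with handshake_failure.
    static int privateKeyEntries(KeyStore ks) throws Exception {
        int n = 0;
        for (String alias : Collections.list(ks.aliases())) {
            boolean hasKey = ks.isKeyEntry(alias);
            X509Certificate c = (X509Certificate) ks.getCertificate(alias);
            System.out.printf("%s: %s subject=%s expires=%s%n", alias,
                hasKey ? "PrivateKeyEntry" : "TrustedCertificateEntry",
                c.getSubjectX500Principal(), c.getNotAfter());
            if (hasKey) n++;
        }
        return n;
    }

    // "Is the certificate present in cacerts?": null means not trusted yet.
    static boolean isTrusted(KeyStore trust, X509Certificate cert) throws Exception {
        return trust.getCertificateAlias(cert) != null;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();                        // assumed
        KeyStore identity = load("mycertificate.p12", "PKCS12", pw); // assumed
        KeyStore trust = load(System.getProperty("java.home")
            + "/lib/security/cacerts", "JKS", pw);                   // Java 8 layout
        if (privateKeyEntries(identity) == 0)
            throw new IllegalStateException("no private key: client auth impossible");
        // Programmatic equivalent of -Djavax.net.ssl.keyStore / trustStore.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, pw);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        SSLContext.setDefault(ctx);
    }
}
```

Run it with the same JDK that Eclipse's run configuration uses; if the listing shows only TrustedCertificateEntry rows for the .p12, the export did not include the private key and no trust-store setting will fix a client-authentication handshake.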