Getting fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common on spring boot embedded jetty server

Question

I have spring boot appilcation containing rest APIs running on embedded jetty. I am trying to hit it by another java application which runs on TLSv1 but is getting below error:

fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common on spring boot embedded jetty server

I have checked the server certificate alias and it is correctly configured. On client side I am receiving below network debug logs:

pool-2-thread-1, READ: TLSv1 Alert, length = 2  
pool-2-thread-1, RECV TLSv1.2 ALERT:  fatal, handshake_failure  
pool-2-thread-1, called closeSocket()  
pool-2-thread-1, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure  

It seems client wants to connect on TLSv1 but server (spring boot jetty) wants to connect on TLSv1.2 I have tried to use TLSv1 on jetty using below configurations in application.properties file:

server.ssl.enabled=true
server.ssl.enabled-protocols=TLSv1
server.ssl.disabled-protocols=TLSv1.2
server.ssl.protocol=TLS
server.ssl.disabled-cipher-suites=

server.ssl.key-store-type=JKS  
server.ssl.keystore=keystore_path  
server.ssl.key-store-password=password  
server.ssl.key-alias=alias_name   
trust.store=truststore_path  
trust.store.password=password

But I guess they are not working. Please suggest. Below are network debug logs from server side:

Using SSLEngineImpl.  
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384  
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA  
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384  
Allow unsafe renegotiation: false  
Allow legacy hello messages: true  
Is initial handshake: true  
Is secure renegotiation: false  
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1  
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256  
[Raw read]: length = 5  
0000: 16 03 01 00 63                                     ....c
[Raw read]: length = 99  
0000: 01 00 00 5F 03 01 63 AE   A7 33 45 C3 64 64 C9 BD  ..._..c..3E.dd..  
0010: BD 19 74 DA 21 29 8C 62   6B FB 32 67 86 C6 9A E0  ..t.!).bk.2g....  
0020: 91 04 3C 85 84 83 00 00   1E 00 FF C0 0A C0 14 00  ..<.............  
0030: 35 C0 05 C0 0F 00 39 00   38 C0 09 C0 13 00 2F C0  5.....9.8...../.  
0040: 04 C0 0E 00 33 00 32 01   00 00 18 00 0A 00 0A 00  ....3.2.........  
0050: 08 00 17 00 18 00 19 00   16 00 0B 00 02 01 00 00  ................  
0060: 17 00 00                                           ...  
qtp1209702763-21, READ: TLSv1 Handshake, length = 99  
*** ClientHello, TLSv1  
RandomCookie:  GMT: 1655547699 bytes = { 69, 195, 100, 100, 201, 189, 189, 25, 116, 218, 33,    41, 140, 98, 107, 251, 50, 103, 134, 198, 154, 224, 145, 4, 60, 133, 132, 131 }  
Session ID:  {}  
Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA]  
Compression Methods:  { 0 }  
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, secp256k1}  
Extension ec_point_formats, formats: [uncompressed]  
Unsupported extension type_23, data:  
***  
[read] MD5 and SHA1 hashes:  len = 99  
0000: 01 00 00 5F 03 01 63 AE   A7 33 45 C3 64 64 C9 BD  ..._..c..3E.dd..  
0010: BD 19 74 DA 21 29 8C 62   6B FB 32 67 86 C6 9A E0  ..t.!).bk.2g....
0020: 91 04 3C 85 84 83 00 00   1E 00 FF C0 0A C0 14 00  ..<.............
0030: 35 C0 05 C0 0F 00 39 00   38 C0 09 C0 13 00 2F C0  5.....9.8...../.
0040: 04 C0 0E 00 33 00 32 01   00 00 18 00 0A 00 0A 00  ....3.2.........
0050: 08 00 17 00 18 00 19 00   16 00 0B 00 02 01 00 00  ................  
0060: 17 00 00                                           ...  
%% Initialized:  [Session-3, SSL_NULL_WITH_NULL_NULL]  
qtp1209702763-21, fatal error: 40: no cipher suites in common  
javax.net.ssl.SSLHandshakeException: no cipher suites in common  
%% Invalidated:  [Session-3, SSL_NULL_WITH_NULL_NULL]  
qtp1209702763-21, SEND TLSv1 ALERT:  fatal, description = handshake_failure  
qtp1209702763-21, WRITE: TLSv1 Alert, length = 2  
qtp1209702763-21, fatal: engine already closed.  Rethrowing  
 javax.net.ssl.SSLHandshakeException: no cipher suites in common  
qtp1209702763-21, called closeOutbound()  
qtp1209702763-21, closeOutboundInternal()  
 

Answer 1

TLSv1 is disabled by Java as well.

You'll need to do a lot more with enabling the TLSv1 protocol (and cipher suites that TLSv1 needs) on Java as well.

On the Jetty side, simply not specifying disabled cipher suites is not going to enable the already disabled Cipher Suites on the Java side.

See https://www.java.com/en/jre-jdk-cryptoroadmap.html for the state of Crypto on your specific Java version.

Your choices in your Server certificate (crypto used, bit length, etc) can also impact your ability to use TLS/1.0 or TLS/1.1 as the recommendations for modern browsers is increasingly incompatible with with the Cipher Suites that TLS/1.0 and TLS/1.1 need.