Java 8 - javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

12/22/2019

My application is running on jdk1.8.0_221 & tomcat 8 on Kubernetes.

When I try to connect to the URL using wget with the same certificate, I am able to complete the call. But when I try to connect using the Java application, it fails with the error "Received fatal alert: handshake_failure".

The following are the SSL logs:

Is initial handshake: true
Is secure renegotiation: false
Timer-2,grails-cache-ehcache,hushly-deployment-7bcf9d98cf-lwtlk-20370, setSoTimeout(30000) called
Ignoring disabled protocol: SSLv3
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
update handshake state: client_hello[1]
upcoming handshake states: server_hello[2]
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1560217405 bytes = { 75, 51, 117, 237, 75, 213, 47, 220, 209, 236, 129, 21, 83, 91, 45, 173, 87, 8, 4, 62, 50, 51, 160, 94, 255, 240, 62, 68 }
Session ID:  {}
Cipher Suites: [TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension extended_master_secret
***
Timer-2,grails-cache-ehcache,hushly-deployment-7bcf9d98cf-lwtlk-20370, WRITE: TLSv1.2 Handshake, length = 119
Timer-2,grails-cache-ehcache,hushly-deployment-7bcf9d98cf-lwtlk-20370, READ: TLSv1.2 Alert, length = 2
Timer-2,grails-cache-ehcache,hushly-deployment-7bcf9d98cf-lwtlk-20370, RECV TLSv1.2 ALERT:  fatal, handshake_failure
Timer-2,grails-cache-ehcache,hushly-deployment-7bcf9d98cf-lwtlk-20370, called closeSocket()
Timer-2,grails-cache-ehcache,hushly-deployment-7bcf9d98cf-lwtlk-20370, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
22-Dec-2019 06:03:42.674 WARNING [Timer-2,grails-cache-ehcache,hushly-deployment-7bcf9d98cf-lwtlk-20370] org.jgroups.ping.kube.KubePing.doReadAll Problem getting Pod json from Kubernetes Client[masterUrl=https://10.100.0.1:443/api/v1, headers={}, connectTimeout=5000, readTimeout=30000, operationAttempts=3, operationSleep=1000, streamProvider=org.openshift.ping.common.stream.TokenStreamProvider@880aefb] for cluster [grails-cache-ehcache], namespace [default], labels [app=hushly]; encountered [java.lang.Exception: 3 attempt(s) with a 1000ms sleep to execute [OpenStream] failed. Last failure was [javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure]]

Below is the code which is used to prepare the SSLSocketFactory:

// certFactory, pemInputStream and kmf are created elsewhere (not shown here).
// Parse the PEM-encoded CA certificate.
X509Certificate cert = (X509Certificate)certFactory.generateCertificate(pemInputStream);
// Build an empty in-memory trust store and add that certificate as its only entry.
KeyStore trustStore = KeyStore.getInstance("JKS");
trustStore.load((LoadStoreParameter)null);
String alias = cert.getSubjectX500Principal().getName();
trustStore.setCertificateEntry(alias, cert);
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(trustStore);

// TLS 1.2 context using the key managers from kmf and the trust managers built above.
SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
sslContext.init(kmf.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);

sslsocketfactory = sslContext.getSocketFactory();

What am I missing here?

-- Awesome
grails
java
kubernetes
ssl
sslhandshakeexception

0 Answers
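
Added example, not part of the original question: the ClientHello logged above lists only RSA and DHE key-exchange suites and carries no elliptic-curve extension, so this Java diagnostic reports whether the JVM in the pod can offer ECDHE suites at all. The class name `TlsOfferCheck` is hypothetical, and that the server at `masterUrl` accepts only ECDHE suites is an assumption the page does not confirm.

```java
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

/** Added diagnostic (hypothetical name): run it with the same JRE and java.security file as the failing pod. */
public class TlsOfferCheck {

    /** Returns the suites from the given list whose key exchange is ECDHE. */
    static List<String> ecdheSuites(String[] suites) {
        List<String> out = new ArrayList<>();
        for (String s : suites) {
            if (s.startsWith("TLS_ECDHE_")) out.add(s);
        }
        return out;
    }

    /** True if some installed provider can generate EC keys (SunEC on a stock JDK 8). */
    static boolean ecAvailable() {
        try {
            KeyPairGenerator.getInstance("EC");
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Same protocol string as the question's code; default key and trust managers suffice here.
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null);
        SSLParameters enabled = ctx.getDefaultSSLParameters();
        SSLParameters supported = ctx.getSupportedSSLParameters();

        for (Provider p : Security.getProviders()) System.out.println("provider: " + p.getName());
        System.out.println("EC KeyPairGenerator available: " + ecAvailable());
        System.out.println("jdk.tls.disabledAlgorithms = " + Security.getProperty("jdk.tls.disabledAlgorithms"));
        System.out.println("enabled ECDHE suites:   " + ecdheSuites(enabled.getCipherSuites()));
        System.out.println("supported ECDHE suites: " + ecdheSuites(supported.getCipherSuites()));
        if (ecdheSuites(enabled.getCipherSuites()).isEmpty()) {
            System.out.println("No ECDHE suites will be offered; a server accepting only ECDHE replies with handshake_failure.");
        }
    }
}
```

If the enabled list is empty while `wget` succeeds from the same pod, compare the JRE's installed providers and `java.security` settings in the container image against a stock JDK 8 install.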