Received fatal alert: handshake_failure through SSLHandshakeException

The handshake failure could have occurred due to various reasons:

  • Incompatible cipher suites in use by the client and the server. This would require the client to use (or enable) a cipher suite that is supported by the server.
  • Incompatible versions of SSL in use (the server might accept only TLS v1, while the client is capable of only using SSL v3). Again, the client might have to ensure that it uses a compatible version of the SSL/TLS protocol.
  • Incomplete trust path for the server certificate; the server’s certificate is probably not trusted by the client. This would usually result in a more verbose error, but it is quite possible. Usually the fix is to import the server’s CA certificate into the client’s trust store.
  • The cerificate is issued for a different domain. Again, this would have resulted in a more verbose message, but I’ll state the fix here in case this is the cause. The resolution in this case would be get the server (it does not appear to be yours) to use the correct certificate.

Since, the underlying failure cannot be pinpointed, it is better to switch on the -Djavax.net.debug=all flag to enable debugging of the SSL connection established. With the debug switched on, you can pinpoint what activity in the handshake has failed.

Update

Based on the details now available, it appears that the problem is due to an incomplete certificate trust path between the certificate issued to the server, and a root CA. In most cases, this is because the root CA’s certificate is absent in the trust store, leading to the situation where a certificate trust path cannot exist; the certificate is essentially untrusted by the client. Browsers can present a warning so that users may ignore this, but the same is not the case for SSL clients (like the HttpsURLConnection class, or any HTTP Client library like Apache HttpComponents Client).

Most these client classes/libraries would rely on the trust store used by the JVM for certificate validation. In most cases, this will be the cacerts file in the JRE_HOME/lib/security directory. If the location of the trust store has been specified using the JVM system property javax.net.ssl.trustStore, then the store in that path is usually the one used by the client library. If you are in doubt, take a look at your Merchant class, and figure out the class/library it is using to make the connection.

Adding the server’s certificate issuing CA to this trust store ought to resolve the problem. You can refer to my answer on a related question on getting tools for this purpose, but the Java keytool utility is sufficient for this purpose.

Warning: The trust store is essentially the list of all CAs that you trust. If you put in an certificate that does not belong to a CA that you do not trust, then SSL/TLS connections to sites having certificates issued by that entity can be decrypted if the private key is available.

Update #2: Understanding the output of the JSSE trace

The keystore and the truststores used by the JVM are usually listed at the very beginning, somewhat like the following:

keyStore is : 
keyStore type is : jks
keyStore provider is : 
init keystore
init keymanager of type SunX509
trustStore is: C:\Java\jdk1.6.0_21\jre\lib\security\cacerts
trustStore type is : jks
trustStore provider is :

If the wrong truststore is used, then you’ll need to re-import the server’s certificate to the right one, or reconfigure the server to use the one listed (not recommended if you have multiple JVMs, and all of them are used for different needs).

If you want to verify if the list of trust certs contains the required certs, then there is a section for the same, that starts as:

adding as trusted cert:
  Subject: CN=blah, O=blah, C=blah
  Issuer:  CN=biggerblah, O=biggerblah, C=biggerblah
  Algorithm: RSA; Serial number: yadda
  Valid from SomeDate until SomeDate

You’ll need to look for if the server’s CA is a subject.

The handshake process will have a few salient entries (you’ll need to know SSL to understand them in detail, but for the purpose of debugging the current problem, it will suffice to know that a handshake_failure is usually reported in the ServerHello.

1. ClientHello

A series of entries will be reported when the connection is being initialized. The first message sent by the client in a SSL/TLS connection setup is the ClientHello message, usually reported in the logs as:

*** ClientHello, TLSv1
RandomCookie:  GMT: 1291302508 bytes = { some byte array }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods:  { 0 }
***

Note the cipher suites used. This might have to agree with the entry in your merchant.properties file, for the same convention might be employed by the bank’s library. If the convention used is different, there is no cause of worry, for the ServerHello will state so, if the cipher suite is incompatible.

2. ServerHello

The server responds with a ServerHello, that will indicate if the connection setup can proceed. Entries in the logs are usually of the following type:

*** ServerHello, TLSv1
RandomCookie:  GMT: 1291302499 bytes = { some byte array}
Cipher Suite: SSL_RSA_WITH_RC4_128_SHA
Compression Method: 0
***

Note the cipher suite that it has chosen; this is best suite available to both the server and the client. Usually the cipher suite is not specified if there is an error. The certificate of the server (and optionally the entire chain) is sent by the server, and would be found in the entries as:

*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=server, O=server's org, L=server's location, ST =Server's state, C=Server's country
  Signature Algorithm: SHA1withRSA, OID = some identifer

.... the rest of the certificate
***

If the verification of the certificate has succeeded, you’ll find an entry similar to:

Found trusted certificate:
[
[
  Version: V1
  Subject: OU=Server's CA, O="Server's CA's company name", C=CA's country
  Signature Algorithm: SHA1withRSA, OID = some identifier

One of the above steps would not have succeeded, resulting in the handshake_failure, for the handshake is typically complete at this stage (not really, but the subsequent stages of the handshake typically do not cause a handshake failure). You’ll need to figure out which step has failed, and post the appropriate message as an update to the question (unless you’ve already understood the message, and you know what to do to resolve it).

Related Posts:

  1. Received fatal alert: handshake_failure through SSLHandshakeException
  2. Caused by: java.security.UnrecoverableKeyException: Cannot recover key
  3. Unable to find valid certification path to requested target – error even after cert imported
  4. Unable to find valid certification path to requested target – error even after cert imported
  5. “PKIX path building failed” and “unable to find valid certification path to requested target”
  6. “PKIX path building failed” and “unable to find valid certification path to requested target”
  7. What is .crt and .key files and how to generate them?
  8. How to connect to FTP over TLS/SSL (FTPS) server in Java
  9. SSL peer shut down incorrectly in Java
  10. How to solve javax.net.ssl.SSLHandshakeException Error?
  11. Java: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  12. Error Importing SSL certificate : Not an X.509 Certificate
  13. keytool error bash: keytool: command not found
  14. javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake during web service communicaiton
  15. Java Keytool error after importing certificate , “keytool error: java.io.FileNotFoundException & Access Denied”
  16. javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake during web service communicaiton
  17. Problem with gif with transparent background
  18. Search for words with telephone numbers from 2-3-4 tree
  19. How to install OpenSSL in windows 10?
  20. Java 8 Iterable.forEach() vs foreach loop
  21. How to round a number to n decimal places in Java
  22. Java string to date conversion
  23. Creating a “logical exclusive or” operator in Java
  24. Cannot make a static reference to the non-static method fxn(int) from the type Two [duplicate]
  25. How can I use pointers in Java?
  26. JavaFX – Exception in Application start method?
  27. Is there a stopwatch in Java?
  28. com.mysql.jdbc.exceptions.jdbc4.CommunicationsException: Communications link failure
  29. Java Using Nodes with LinkedList
  30. When is the @JsonProperty property used and what is it used for?
  31. Why is there no SortedList in Java?
  32. How to convert any Object to String?
  33. How do I copy an object in Java?
  34. Unfortunately MyApp has stopped. How can I solve this?
  35. What is the significance of load factor in HashMap?
  36. Which HTML Parser is the best?
  37. What is the /= operator in Java?
  38. Gradle does not find tools.jar
  39. Constructor cannot be applied to given types?
  40. Mocking static methods with Mockito
  41. Finding the max/min value in an array of primitives using Java
  42. How to for each the hashmap?
  43. Why do I get SQLCODE=-204, SQLSTATE=42704 with DB2 LUW and WebSphere App Server?
  44. How to parse JSON in Java
  45. Declaring an unsigned int in Java
  46. Converting Hexadecimal String to Decimal Integer
  47. Required: Variable Found: Value
  48. What does the colon (:) operator do?
  49. Shifting array to the right – homework
  50. How to get rid of Checkstyle message ‘File does not end with a newline.’
  51. Uri not Absolute exception getting while calling Restful Webservice
  52. Very Basic Java
  53. SQLRecoverableException: I/O Exception: Connection reset
  54. What exactly is a Maven Snapshot and why do we need it?
  55. How to check if my string is equal to null?
  56. what is Ljava.lang.String;@
  57. “Could not find Java SE Runtime Environment.” after installing Java
  58. How can I create an utility class?
  59. JAVA_HOME should point to a JDK not a JRE
  60. This Activity already has an action bar supplied by the window decor?
  61. Convert hex string to int
  62. Orphaned Case Error in Java
  63. Proxy Error 502 : The proxy server received an invalid response from an upstream server
  64. Java double.MAX_VALUE?
  65. how to do a system pause in java for debugging?
  66. Immutable class?
  67. Is spring default scope singleton or not?
  68. Java Reflection – Object is not an instance of declaring class
  69. What does “AL lib: alc_cleanup: 1 device not closed” mean?
  70. (Java) Tic-Tac-Toe game using 2 dimensional Array
  71. Incompatible types List of List and ArrayList of ArrayList
  72. Dice Rolling java program
  73. int cannot be converted to int []
  74. Joda DateTime to Timestamp conversion
  75. break statement in “if else” – java
  76. What is the difference between JSF, Servlet and JSP?
  77. Get only part of an Array in Java?
  78. How to Get JSON Array Within JSON Object?
  79. What is a class constant?
  80. How to represent a fix number of repeats in regular expression?
  81. How to import a jar in Eclipse
  82. Java equivalent of unsigned long long?
  83. Getting “unixtime” in Java
  84. How do I break out of nested loops in Java?
  85. How do I convert this for loop into a while loop?
  86. Java switch statement: Constant expression required, but it IS constant
  87. Resolving File paths – ‘File not found’ error in Eclipse
  88. Simple Coin Toss using random class in Java. The do while loop doesn’t seem to generate random results
  89. Why I am getting DefaultHttpClient is deprecated?
  90. When should you use multithreading? And would multi threading be beneficial if the different threads execute mutually independent tasks?
  91. How to Convert Int to Unsigned Byte and Back
  92. Suggestions needed: Effective Java to C source code converter
  93. How do I autoindent in Netbeans?
  94. What is an attribute in Java?
  95. MessageBodyWriter not found for media type=application/json
  96. Conversion from Long to Double in Java
  97. Failed to find Java VM
  98. Java regex email
  99. Java Iterator on Doubly-linked-list
  100. Why “no projects found to import”?

Leave a Comment