Clever Geek Handbook

Thread-6, RECV TLSv1 ALERT: fatal, handshake_failure

what is wrong with this code, it should trust all hosts, but it is not.

It works fine with google.com for example, but not with the API gateway service running locally on my machine, why?

SSL DEBUG OUTPUT

triggered seeding SecureRandom done seeding SecureRandom Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 ... Ignore unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 seto true re-negotiate handwritten messages false TLS_RSA_WITH_AES_128_CBC_SHA256 seto true: false reset called %% No cached client session *** ClientHello, TLSv1 RandomCookie: GMT: 1434280256 bytes = {216} 40 ... session ID: {} Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, .... SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV] compression Methods : {0} Extension elliptic_curves, curve names: {secp256r1 .. secp256k1} Extension ec_point_formats, formats: [uncompressed]

Thread-6, WRITE: TLSv1 Handshake, length = 163 Thread-6, READ: TLSv1 Alert, length = 2 Thread-6, RECV TLSv1 ALERT: fatal, handshake_failure Thread-6, called closeSocket () Thread-6, handling Exception: javax.net.ssl.SSLHandshakeException: **

Fatal warning received: handshake_failure

**

import java.io.InputStreamReader;
import java.io.Reader;
import java.net.URL;
import java.net.URLConnection;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import java.security.cert.X509Certificate;

public class ConnectHttps {
  public static void main(String[] args) throws Exception {
    /*
     *  fix for
     *    Exception in thread "main" javax.net.ssl.SSLHandshakeException:
     *       sun.security.validator.ValidatorException:
     *           PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
     *               unable to find valid certification path to requested target
     */
    TrustManager[] trustAllCerts = [
        [ getAcceptedIssuers: { -> null },
          checkClientTrusted: { X509Certificate[] certs, String authType -> },
          checkServerTrusted: { X509Certificate[] certs, String authType -> } ] as X509TrustManager
    ]

    SSLContext sc = SSLContext.getInstance("SSL");
    sc.init(null, trustAllCerts, new java.security.SecureRandom());
    HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());

    // Create all-trusting host name verifier
    HostnameVerifier allHostsValid = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) {
          return true;
        }
    };
    // Install the all-trusting host verifier
    HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);
    /*
     * end of the fix
     */

    //URL url = new URL("https://google.com"); //WORKS
    URL url = new URL("https://localhost:8090");   // DOES NOT WORK, WHY?
    URLConnection con = url.openConnection();
    Reader reader = new InputStreamReader(con.getInputStream());
    while (true) {
      int ch = reader.read();
      if (ch==-1) {
        break;
      }
      System.out.print((char)ch);
    }
  }
}

Running the code found here shows that TLSv1.2 is not enabled on the client side:

Supported protocols: 5
SSLv2Hello
SSLv3
TLSv1
TLSv1.1
TLSv1.2

Allowed Protocols: 2
SSLv3
TLSv1

+3


source to share


1 answer


.. it should trust all hosts, but it doesn't.

.. RECV TLSv1 ALERT: fatal, handshake_failure Thread-6

The server join confirmation rejection message is not related to server certificate validation on the client and therefore cannot be stopped by disabling certificate validation. Lots of things can cause such a failure, like regular ciphers, unsupported protocol version, lack of SNI extension (only supported since JDK7). Since the error is thrown by the server, you can find more information about the problem in the server log messages.

EDIT: From the server logs, the kind of problem is visible:

failed connection: SSL protocol error: 1408A0C1: SSL procedures: SSL3_GET_CLIENT_HELLO: no general encryption

This means that there is no shared encryption between client and server.

A typical reason for this is incorrect configuration of certificates on the server. If you do not configure any certificates, the server might require anonymous authentication using ADH ciphers, which are not usually supported on the client side. I suggest you check if you can connect to the browser.



Another common misconfiguration disables all SSLv3 ciphers on the server, believing that this is necessary to disable SSL3.0 (it is not). This effectively disables all ciphers except for some new ciphers introduced with TLS 1.2. Modern browsers will still be able to connect, but older clients won't. This misconfiguration can be seen in this case (from a comment):

From the server log, interface ciphers: FIPS :! SSLv3 :! aNULL,

!SSLv3

disables all ciphers available for SSL3.0 and higher . This actually leaves only the TLS1.2 ciphers, because there are no new ciphers with TLS1.0 and TLS1.1. Since the client seems to only support TLS1.0, there will be no generic ciphers:

... WRITE: TLSv1 Handshake

Use !SSLv3

in ciphers is usually caused by a lack of understanding of the difference between protocol version and ciphers. To disable SSLv3, you only have to install the protocol, not the ciphers.

+5


source






More articles:


All Articles