SSLException during handshake while resuming cached session

vanwil picture vanwil · Apr 17, 2012 · Viewed 7.4k times · Source

Possible Duplicate:
SSL handshake alert: unrecognized_name error since upgrade to Java 1.7.0

My J2SE app uses HttpsUrlConnection to access a secure location. It used to work just fine until I updated my JRE to 1.7. Now I get the "Remote host closed connection during handshake" SSLException. After running the app using -Djavax.net.debug=ssl:handshake, both under JRE 1.6 and JRE 1.7, my impression is that under 1.7 the cached client session fails to resume.

UPDATE: I have come to understand that under JRE 1.6 my client app uses SSLv2Hello encapsulation. However it does not do that under JRE 1.7, which is most probably what causes the exception. My question is now this: how do I enable SSLv2Hello encapsulation for clients running on JRE 1.7?

UPDATE #2: SSLv2Hello accomplished on JRE 7 via System.setProperty("https.protocols", "TLSv1,SSLv2Hello"). However this didn't make the handshake exception go away. Turns out that the true reason for the exception is the cipher suite. On JRE 6 the server picks SSL_RSA_WITH_RC4_128_MD5 out of the client's options, while on JRE 7 it always goes with TLS_DHE_RSA_WITH_AES_128_CBC_SHA. For some reason the server can't resume cached sessions using TLS_DHE_RSA_WITH_AES_128_CBC_SHA. Problem patched using System.setProperty("https.cipherSuites", suggestedCipherSuites) where suggestedCipherSuites always starts with SSL_RSA_WITH_RC4_128_MD5. Any downsides with this approach?

UPDATE #3: The SNI extension of the client is what bothers the server. See "Server Name Indication (SNI) for JSSE client" at http://docs.oracle.com/javase/7/docs/technotes/guides/security/enhancements7.html

Answer

vanwil picture vanwil · Apr 20, 2012

In the end it turns out that the problem was related to the SNI extension in the JSSE client 1.7. The solution is to disable sending SNI records, before any access to an https location:

System.setProperty ("jsse.enableSNIExtension", "false");

Many thanks to eckes for his solution (see SSL handshake alert: unrecognized_name error since upgrade to Java 1.7.0).