Why do I get a handshake failure (Java SSL)

Jakub Hlavatý picture Jakub Hlavatý · Feb 12, 2012 · Viewed 79k times · Source

I'm connecting to a web service over HTTPS. I've done all that I think is required to make it work, but in the end I get a handshake failure.

I found out that as a new user I can't post more than 2 links due to "spam protection" - thanx a lot stackoverflow...anyway here's a link to a pastebin post with all the links spelled out...so when I write "link#1" here it's a reference to these links: http://pastebin.com/y4zGNRC7

  • I verified the same behavior using HttpClient (GET on the service URL) and actually calling the web service via a CXF proxy
  • I'm setting both the keystore and truststore - I tried both the "in code" way ( link#1 ) and setting the system properties - i.e. System.setProperty("javax.net.ssl.keyStore", "mykeystore.jks");
  • SSL debug is on ( javax.net.debug=all )
  • SSL debug blurts out the contents of both keystore and truststore (i.e. looks like java "knows about them") - link#2
  • seems like there's some client-server communication going on, but then it crashes for some reason link#3
  • I successfully connected to the server using the client and CA certificates both in a browser (Chrome) and using openssl s_client
  • wireshark shows less client-server talk from java ( link#4 ) then for example from Chrome ( link#5 )

Another strange thing is, that I seem to be getting the same behavior when I set the keystore and when I don't (the only difference is that when I do the keystore contents get printed in the console, but that's it).

I tried googling the problem and I saw numerous similar posts here on stackoverflow, but nothing helped. I tried changing the protocol version ("TLSv1", "SSLv3", even the weird v2 Hello). Any help would be appreciated - maybe there's some fundamental thing I might have overlooked...I'm getting desperate here... Thanx

PS I'm running java 1.6 update 30 on Fedora Core 15 (64bit)

Answer

Jakub Hlavatý picture Jakub Hlavatý · Feb 15, 2012

The problem was that even though the keystore and truststore was set, java decided not to send the client certificate to the server. The reason for this was the fact, that the server requested a certificate signed by the RootCA authority, but the client certificate is signed by a SubCA authority (which is issued by the RootCA).

Originally the keystore only contained the client cert and the truststore the SubCA cert. I then tried to add the SubCA cert to the keystore too, but java just ignored it.

So this solves the hanshake failure mystery, but not my problem.

I created a separate question for that...sigh :-( why doesn't java send the client certificate during SSL handshake?