I am attempting to create an SSL connection to a remote server using Java 7 and I'm receiving the following exception:
javax.net.ssl.SSLHandshakeException:
Did you include the truststore when you execute the client?
java -Djavax.net.ssl.trustStore=${resources}/localhost.truststore \
-Djavax.net.ssl.trustStorePassword=TRUSTSTORE_PASSWORD -jar client.jar com.acme.RunClient
From a glance at your server configuration (https://www.ssllabs.com/ssltest/analyze.html?d=login.solon.com) compared to your list of available cipher suites in Java7, it appears you have only two accepted options for your cipher suite:
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
Now, TLS_DHE_RSA_WITH_AES_128_CBC_SHA is considered weak, but since your server declares no preference for order, it may be picking this and then failing the handshake. For Java6, it's entirely possible it just happens to be picking a stronger suite. The more options you give it, the more chances you have of giving it a chance to pick a weak cipher, so when you specify a single suite to use, it succeeds. (Although in looking at your server configuration, I'm not sure how you were getting SSL_RSA_WITH_RC4_128_MD5 to succeed as it is apparently not supported.) On that train of thought, perhaps you should try limiting your cipher suites to only:
TLS_RSA_WITH_AES_128_CBC_SHA
Or more specifically:
sslsocket.setEnabledCipherSuites(new String[] {"TLS_RSA_WITH_AES_128_CBC_SHA"});
I have seen this sort of problem before when using an Ubuntu 12.04 server running a Java-based server using its OpenJDK package. (This may have been patched since, as I'm unable to reproduce the problem with the latest updates, but my configuration might be slightly different, I can't remember.)
This was essentially the problem described in this Ubuntu issue.
There was essentially an issue with the EC calculation on the server side, which prevented the connection from being established correctly.
There is a difference in the preference order for the cipher suites between Java 6 and Java 7 (see both tables).
Because TLS_RSA_WITH_AES_128_CBC_SHA is higher than any EC cipher suite in the preference order in Java 6 (and supported by both client and server), it will be chosen when you connect with a Java 6 client.
When you connect with a Java 7 client, some EC cipher suites (e.g. TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA or TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA) will be chosen and the server will start to proceed with this (you'd need to see the handshake debug log on the server side to confirm this). The server would then be done with the cipher suite selection process, but fail to go any further because of a subsequent bug when trying to use this cipher suite.
If you have some control over the server (and if it's indeed running a Java-based server), try to upgrade to the latest JRE packages. You can also try the fixes suggested in the Ubuntu issue (especially if it's not using PKCS#11) or disable the ECDHE cipher suites in the server configuration.
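A client-side way to test the EC hypothesis from the answer above, added here as an example and not part of any answer on this page: it lists the suites the JVM offers in preference order, then retries the handshake with every ECDHE/ECDH suite removed. The class name `CipherSuiteProbe` and its host/port arguments are assumptions made for the example.

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Hypothetical diagnostic class; written to compile on Java 7 (no lambdas or streams).
public class CipherSuiteProbe {

    // Keep the JVM's preference order but drop every elliptic-curve key exchange
    // (TLS_ECDHE_*, TLS_ECDH_*). The filter is name-based, so it only covers
    // suites whose names spell out the key exchange, as the ones discussed here do.
    static String[] withoutEc(String[] suites) {
        List<String> kept = new ArrayList<String>();
        for (String s : suites) {
            if (!s.contains("_ECDHE_") && !s.contains("_ECDH_")) {
                kept.add(s);
            }
        }
        return kept.toArray(new String[kept.size()]);
    }

    public static void main(String[] args) throws Exception {
        // Suites this JVM enables by default, in the order it prefers them.
        String[] defaults = SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites();
        for (int i = 0; i < defaults.length; i++) {
            System.out.println(i + "  " + defaults[i]);
        }
        if (args.length < 2) {
            return; // no target given: only list the defaults
        }
        // Assumed usage: java CipherSuiteProbe <host> <port>
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(args[0], Integer.parseInt(args[1]));
        try {
            socket.setEnabledCipherSuites(withoutEc(socket.getEnabledCipherSuites()));
            socket.startHandshake(); // throws SSLHandshakeException if it still fails
            System.out.println("negotiated: " + socket.getSession().getCipherSuite());
        } finally {
            socket.close();
        }
    }
}
```

Running it with `-Djavax.net.debug=ssl,handshake` shows the ClientHello and the suite the server selects. Removing the ECDHE suites also removes forward secrecy for those connections, so treat a successful handshake here as confirmation of the diagnosis and fix the server rather than shipping the restricted list.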
It's Java 7's compatibility issue with keystores. Convert your keystore file into .p12. It should work using that.