Search code examples
javahttpstomcat7handshakesslhandshakeexception

Tomcat 7 Web App gets SSL handshake_failure, desktop application doesn't

Hey everyone, my web app is having problems with HTTPS connections, resulting in handshake_failure.

In order to troubleshoot it, I wrote a simple desktop application with the same parameters used inside the web app.

This is the source code of the desktop app:

public class Main {
    private final static String helperMsg = "java -jar SSLTest.jar url";

    public static void main(String[] args) {
        System.setProperty("https.protocols", "TLSv1.2,TLSv1.1");

        if(args.length < 1){
            System.out.println("Insufficient arguments: " + args.length);
            System.out.println(helperMsg);
            return;
        }
        String httpsTarget = args[0];
        URL url;
        try {
            url = new URL(httpsTarget);
            HttpsURLConnection connection = (HttpsURLConnection)url.openConnection();
            if(connection == null)
                throw new IOException("Connection null");

            SSLSocketFactoryEx factory = new SSLSocketFactoryEx(null,null,null);
            connection.setSSLSocketFactory(factory);

            connection.setRequestMethod("GET");
            connection.connect();
            System.out.println(connection.getResponseCode() + ": " + connection.getResponseMessage());
        } catch (Exception e) {
            System.out.println("Exception: " + e.getMessage());
        }
    }
}

Where SSLSocketFactoryEx is from this post.

After packaging this simple app to an executable JAR file and installing the required certificates to my trust store, my launch command is the following:

java -Djavax.net.ssl.trustStore=<trustStoreFile> -Djavax.net.debug=all -jar SSLTest.jar <httpsURL>

Inside the web application, the HTTPS connection commands are exactly the same, but while the desktop app successfully gets an HTTP response, the web app is stuck on the handshake_failure, just like when using the desktop application I didn't specify the usage of TLSv1.2 or TLSv1.1 as default via the System.setProperty("https.protocols", "TLSv1.2,TLSv1.1") instruction and wasn't using the SSLSocketFactoryEx as custom SSLSocketFactory for HttpsURLConnection.

That's why I'm giving the fault to the Tomcat configuration, but I can't understand what.

My Tomcat Java options already include the following VM arguments:

-Djavax.net.ssl.trustStore=<trustStoreFile>
-Dhttps.protocols=TLSv1.2,TLSv1.1
-Djavax.net.debug=all

and my server.xml contains the following fields:

<Connector port="80" protocol="HTTP/1.1"
               connectionTimeout="20000"
        keystoreFile=<keyStoreFile> keystorePass=<keyStorePW>
        truststoreFile=<trustStoreFile> truststorePass=<trustStorePW>
        sslEnabledProtocols="TLSv1.2,TLSv1.1"
        redirectPort="8443" />

I also tried setting the keystoreFile, keystorePass, truststoreFile and truststorePass properties, alongside the protocols one, in the web app via instructions, with no results at all, still getting handshake_failure.

I'm using Tomcat 7.0.59 and jdk1.7.0_80 and I'm unable to update anything.

Thanks for your efforts.

-- EDIT --

trigger seeding of SecureRandom
done seeding SecureRandom
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_RC4_128_SHA
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
http-apr-80-exec-47, called close()
http-apr-80-exec-47, called closeInternal(true)
http-apr-80-exec-47, called closeSocket(selfInitiated)
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_NULL_SHA
Ignoring unavailable cipher suite: TLS_ECDH_anon_WITH_RC4_128_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
Ignoring unavailable cipher suite: TLS_ECDH_anon_WITH_NULL_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_anon_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_NULL_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_RC4_128_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_NULL_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_anon_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_NULL_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
DOPO CHIAMATA 3
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_RC4_128_SHA
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1531997568 bytes = { 145, 51, 114, 234, 178, 6, 227, 30, 223, 175, 233, 64, 136, 117, 68, 227, 252, 207, 144, 188, 113, 85, 202, 197, 214, 163, 225, 65 }
Session ID:  {}
Cipher Suites: [TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Extension server_name, server_name: [host_name: <hotsname>]
***
[write] MD5 and SHA1 hashes:  len = 140
0000: 01 00 00 88 03 03 5B 50   6E 80 91 33 72 EA B2 06  ......[Pn..3r...
0010: E3 1E DF AF E9 40 88 75   44 E3 FC CF 90 BC 71 55  [email protected]
0020: CA C5 D6 A3 E1 41 00 00   10 00 6A 00 33 00 32 00  .....A....j.3.2.
0030: 3D 00 35 00 3C 00 2F 00   FF 01 00 00 4F 00 0D 00  =.5.<./.....O...
0040: 1A 00 18 06 03 06 01 05   03 05 01 04 03 04 01 03  ................
0050: 03 03 01 02 03 02 01 02   02 01 01 00 00 00 2D 00  ..............-.
0060: 2B 00 00 28 63 6F 6C 6C   70 72 6F 78 79 6F 75 74  +..(XXXXXXXXXXX
0070: 2E 77 68 6F 6C 65 73 61   6C 65 2E 74 65 6C 65 63  XXXXXXXXXXXXXXX
0080: 6F 6D 69 74 61 6C 69 61   2E 63 6F 6D              XXXXXXXXXXXX
http-apr-80-exec-47, WRITE: TLSv1.2 Handshake, length = 140
[Raw write]: length = 145
0000: 16 03 03 00 8C 01 00 00   88 03 03 5B 50 6E 80 91  ...........[Pn..
0010: 33 72 EA B2 06 E3 1E DF   AF E9 40 88 75 44 E3 FC  [email protected]..
0020: CF 90 BC 71 55 CA C5 D6   A3 E1 41 00 00 10 00 6A  ...qU.....A....j
0030: 00 33 00 32 00 3D 00 35   00 3C 00 2F 00 FF 01 00  .3.2.=.5.<./....
0040: 00 4F 00 0D 00 1A 00 18   06 03 06 01 05 03 05 01  .O..............
0050: 04 03 04 01 03 03 03 01   02 03 02 01 02 02 01 01  ................
0060: 00 00 00 2D 00 2B 00 00   28 63 6F 6C 6C 70 72 6F  ...-.+..(XXXXXX
0070: 78 79 6F 75 74 2E 77 68   6F 6C 65 73 61 6C 65 2E  XXXXXXXXXXXXXXX
0080: 74 65 6C 65 63 6F 6D 69   74 61 6C 69 61 2E 63 6F  XXXXXXXXXXXXXXX
0090: 6D                                                 XXXXX
[Raw read]: length = 5
0000: 15 03 03 00 02                                     .....
[Raw read]: length = 2
0000: 02 28                                              .(
http-apr-80-exec-47, READ: TLSv1.2 Alert, length = 2
http-apr-80-exec-47, RECV TLSv1 ALERT:  fatal, handshake_failure
http-apr-80-exec-47, called closeSocket()
http-apr-80-exec-47, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Received fatal alert: handshake_failure
Solution

  • The only working option was to run Tomcat on an updated jvm.dll, which fixed the SSL errors since from jre 1.7.0_131-b31 TLSv1.1 and TLSv1.2 are enabled by default.