Handshake failure

Similar Messages

• SSL handshake failure

  Hi,
  I have to establish the connection from SAP WebAS to an Apache server via HTTPS.  The Apache authentication is based on client certificates. But I'm still unable to establish a connection. Everything runs fine via HTTPS if client certificate authentication is disabled on Apache (anonymous access). But as soon as client authentication is enabled, the icm log displays the following failure:
  [Thr 1800] *** ERROR during SecudeSSL_Read() from SSL_read()==SSL_ERROR_SSL                                                    
  [Thr 1800]    session uses PSE file "/usr/sap/E3T/DVEBMGS00/sec/SAPSSLC.pse";;                                                   
  [Thr 1800] SecudeSSL_Read: SSL_read() failed --                                                                               
  secude_error 536872195 (0x20000503) = "handshake failure"                                                                    
  [Thr 1800] >> ---------- Begin of Secude-SSL Errorstack ---------- >>                                                          
  [Thr 1800] ERROR in ssl3_read_bytes: (536872195/0x20000503) handshake failure                                                  
  WARNING in ssl3_read_bytes: (536875072/0x20001040) received a fatal SSLv3 handshake failure alert message from the peer        
  [Thr 1800] << ---------- End of Secude-SSL Errorstack ----------                                                               
  [Thr 1800] <<- ERROR: SapSSLRead(sssl_hdl=0x115f8a310)==SSSLERR_SSL_READ                                                       
  [Thr 1800] ->> SapSSLErrorName(rc=-58)                                                                               
  [Thr 1800] <<- SapSSLErrorName()==SSSLERR_SSL_READ                                                                             
  [Thr 1800] *** ERROR => IcmReadFromConn(id=3/1967): SapSSLRead returned (-58): SSSLERR_SSL_READ [icxxthrio_mt 2539]            
  [Thr 1800] *** ERROR => IcmReadFromConn(id=3/1967): read failed (rc = -1) [icxxthrio_mt 2611]                                  
  [Thr 1800] *** ERROR => IcmHandleNetRead(id=3/1967): IcmReadFromConn failed (rc = -1) [icxxthrio_mt 1304]  
  In the Apache logs, it seems that SAP is not sending a client certificate. So Apache closes the connection. Do you have an idea how I can make SAP WebAS send the certificate ?
  Thanks in advance
  Christan

  Hi,
  >Because the third line in your log says that no PSE could be found?
  I'm not sure of that.
  Here is an extract of the log of an ICM starting without a client certificate in STRUST
  [Thr 4392] =  secudessl_Create_SSL_CTX():  PSE "D:\usr\sap\PPI\DVEBMGS74\sec\SAPSSLC.pse" not found,
  [Thr 4392] =      using PSE "D:\usr\sap\PPI\DVEBMGS74\sec\SAPSSLS.pse" as fallback
  [Thr 4392] ******** Warning ********
  [Thr 4392] *** No SSL-client PSE "SAPSSLC.pse" available
  [Thr 4392] ***    this will probably limit SSL-client side connectivity
  [Thr 4392] ********
  [Thr 4392] = Success    SapCryptoLib SSL ready!
  Here is an extract of the log of an ICM starting with a client certificate in STRUST.
  [Thr 9208] =================================================
  [Thr 9208] = SSL Initialization  on  PC with Windows NT
  [Thr 9208] =   (700_REL,Mar 19 2007,mt,ascii,SAP_UC/size_t/void* = 16/64/64)
  [Thr 9208]   SapISSLComposeFilename(): profile param "ssl/ssl_lib" = "I:\usr\sap\DXI\DVEBMGS68\exe\sapcrypto.dll"
             resulting Filename = "I:\usr\sap\DXI\DVEBMGS68\exe\sapcrypto.dll"
  [Thr 9208] =   found SAPCRYPTOLIB  5.5.5C pl17  (Aug 18 2005) MT-safe
  [Thr 9208] =   current UserID: BT0D0000\SAPServiceDXI
  [Thr 9208] =   found SECUDIR environment variable
  [Thr 9208] =   using SECUDIR=I:\usr\sap\DXI\DVEBMGS68\sec
  [Thr 9208] = Success    SapCryptoLib SSL ready!
  Christian,
  Could you restart the ICM and check the trace file to find out if you get the message about a missing SAPSSLC.pse ?
  Regards,
  Olivier
  [Thr 9208] =================================================

• AS2 using HTTPS - Handshake failure # null

  Hello,
  I have scenario IDoc - PI - AS2 using HTTPS.
  when i am trying to send data it is giving me "Handshake Failure" error.
  I have check certificate and configuration properly.
  Parnter is saying "your client doesnu2019t sent the requested client certificate"
  following are traces:
     20120102 061927 011 SECS  I SES_INIT  (83903899) Netprof : NP_AS2_CERT_Sender_TEST selected [src_addr="---Hostname/port"] [dest_addr="hostname/port"]
     20120102 061927 013 SECS  I SES_INIT  (83903899) Server TLS Security Profile : TLS_AS2_SRV_CERT_Port selected
     20120102 061927 103 NET   I CONN_RESP (17809) incoming connection response     [resp_add=""]
     20120102 061929 030 SECS  I C_BUILD   (83903899) Server Certificate sent: Receiver_Partner
     20120102 061929 030 SECS  I C_BUILD   (83903899) Server Certificate sent: VeriSign Class 3 International
     20120102 061929 030 SECS  I C_BUILD   (83903899) Server Certificate sent: VeriSign Class 3 Public Primary
     20120102 061929 014 SECS  I CA_BUILD  (83903899) Server Sending Accepted DN: AS2 KRAFT Root Prod CA
     20120102 061929 014 SECS  I CA_BUILD  (83903899) Server Sending Accepted DN: AS2 KRAFT Root Test CA
     20120102 061929 014 SECS  I CA_BUILD  (83903899) Server Sending Accepted DN: AS2 KnorrPrandel (SIGN) New
     20120102 061929 014 SECS  I CA_BUILD  (83903899) Server Sending Accepted DN: AS2 KnorrPrandel (SSL) New
     20120102 061929 014 SECS  I CA_BUILD  (83903899) Server Sending Accepted DN: AS2 MarkantSyntradeRoot
     20120102 061929 014 SECS  I CA_BUILD  (83903899) Server Sending Accepted DN: AS2 ProcterGambleProd
     20120102 061929 014 SECS  I CA_BUILD  (83903899) Server Sending Accepted DN: D-TRUST Root Class 2 CA 2007
     20120102 061929 014 SECS  I CA_BUILD  (83903899) Server Sending Accepted DN: Entrust.net CA
     20120102 061929 014 SECS  I CA_BUILD  (83903899) Server Sending Accepted DN: EquifaxSecure(4Bacardi)
     20120102 061929 014 SECS  I CA_BUILD  (83903899) Server Sending Accepted DN: Sender RootCA (Sender)
    20120102 061929 053 NET   W TLSALSND  (17809) alert 40 sent (handshake failure)
                 20120102 061929 105 NET   I DISC_REQ  (17809) disconnection request            [reason="0"]
  Please suggest.
  //Manisha

  Hello,
  have u downloaded the certificate from the vendor url and uploaded in STRUST.
  have u restarted ICM through SMICM.  did connection test in SM 59 ? what is the response ???
  Regards,
  Phani

• Erro SOAP Receiver: handshake failure

  Pessoal, boa tarde.
  Tenho um Canal de Comunicação SOAP Receiver, com autenticação por usuário e senha.
  Ao enviar a requisição para o Channel, é gerado o seguinte erro:
  <?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
  - <SAP:Error xmlns:SAP="http://sap.com/xi/XI/Message/30" xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" SOAP:mustUnderstand="1">
    <SAP:Category>XIAdapterFramework</SAP:Category>
    <SAP:Code area="MESSAGE">GENERAL</SAP:Code>
    <SAP:P1 />
    <SAP:P2 />
    <SAP:P3 />
    <SAP:P4 />
    <SAP:AdditionalText>com.sap.aii.af.ra.ms.api.RecoverableException: Peer sent alert: Alert Fatal: handshake failure: iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: handshake failure</SAP:AdditionalText>
    <SAP:ApplicationFaultMessage namespace="" />
    <SAP:Stack />
    <SAP:Retry>M</SAP:Retry>
    </SAP:Error>
  mencionando problema de handshake.
  No log Java, encontrei as seguintes mensagens:
  p.aii.af.soapadapter#co
  ssl_debug(6603): Sending v3 client_hello message, requesting version 3.1...
  ssl_debug(6603): Received v3 server_hello handshake message.
  ssl_debug(6603): Server selected SSL version 3.1.
  ssl_debug(6603): Server created new session CA:23:B4:0E:C7:16:0A:8F...
  ssl_debug(6603): CipherSuite selected by server: TLS_RSA_WITH_AES_256_CBC_SHA
  ssl_debug(6603): CompressionMethod selected by server: NULL
  ssl_debug(6603): Received certificate handshake message with server certificate.
  ssl_debug(6603): Server sent a 1024 bit RSA certificate, chain has 1 elements.
  ssl_debug(6603): ChainVerifier: No trusted certificate found, OK anyway.
  ssl_debug(6603): Received server_hello_done handshake message.
  ssl_debug(6603): Sending client_key_exchange handshake message (1024 bit)...
  ssl_debug(6603): Sending change_cipher_spec message...
  ssl_debug(6603): Sending finished message...
  ssl_debug(6603): Received alert message: Alert Fatal: handshake failure
  ssl_debug(6603): SSLException while handshaking: Peer sent alert: Alert Fatal: handshake failure
  ssl_debug(6603): Shutting down SSL layer...
  Alguém já viu este erro e teria alguma informação a respeito?
  Desde já agradeço.
  Pedro Baroni

  Carlos,
  Em nosso cenário não utilizamos Certificado, porém em contato com o Fornecedor dos WebServices, identificamos o problema na aplicação dele, pois haviam configurado para somente aceitar conexões com Certificado. Porém o problema já foi corrigido na aplicação dele e a Interface voltou a funcionar.
  Obrigado.

• IMAPS handshake failure

  I am trying to configure e-mail on NSD 7.0.3 appliance. Our mail server is Lotus Domino 9.0.1 and it supports imaps protocol. A mailbox has been created for NSD and I can successfully connect to it using Thunderbird. I can also connect by using "openssl s_client" from the command line of NSD appliance. But when I configure relevant fields in NSD:
  Incoming server: ourserver.ourdomain.com
  Protocol: IMAPS
  Port: <blank>
  Username: ServiceDesk
  Password: <correct_password>
  ...and press Test, I receive an error message:
  Error connecting to host: Server chose SSLv3, but that protocol version is not enabled or not supported by the client.
  (I ran tcpdump on the appliance while pressing Test, and the dump output shows NSD server connecting to IMAP server on port 993, IMAP server sending back the certificate and then NSD server responding with "Handshake failure".
  IMAP server admin has enabled the use of SSLv2 on server side, but that doesn't seem to change the situation.
  Is there anything that we can do on NSD side to get this working? Obviously we could try using plain IMAP (port 143) with all the security impliactions, but we prefer the traffic to be encrypted.

  vatson,
  It appears that in the past few days you have not received a response to your
  posting. That concerns us, and has triggered this automated reply.
  Has your problem been resolved? If not, you might try one of the following options:
  - Visit http://support.novell.com and search the knowledgebase and/or check all
  the other self support options and support programs available.
  - You could also try posting your message again. Make sure it is posted in the
  correct newsgroup. (http://forums.novell.com)
  Be sure to read the forum FAQ about what to expect in the way of responses:
  http://forums.novell.com/faq.php
  If this is a reply to a duplicate posting, please ignore and accept our apologies
  and rest assured we will issue a stern reprimand to our posting bot.
  Good luck!
  Your Novell Product Support Forums Team
  http://forums.novell.com/

• URGENT: handshake failure

  I'm trying to connect to a site (https://secure.web.telia.com) using URLConnection in J2SDK1.4rc1. No problem loading the page in IE6, but with JSSE, I get:
  ��javax.net.ssl.SSLException: error while writing to socket
  End of handshake:
  ��init context
  ��trigger seeding of SecureRandom
  ��done seeding SecureRandom
  ��%% No cached client session
  ��*** ClientHello, v3.1
  ��RandomCookie: GMT: 1012760556 bytes = { 102, 53, 25, 80, 221, 29, 6, 175, 85, 97, 24, 116, 33, 6, 88, 150, 96, 57, 222, 232, 51, 91, 136, 253, 219, 227, 46, 105 }
  ��Session ID: {}
  ��Cipher Suites: { 0, 5, 0, 4, 0, 9, 0, 10, 0, 18, 0, 19, 0, 3, 0, 17 }
  ��Compression Methods: { 0 }
  ��***
  ��[write] MD5 and SHA1 hashes: len = 59
  ��0000: 01 00 00 37 03 01 3C 5E 80 EC 66 35 19 50 DD 1D ...7..<^..f5.P..
  ��0010: 06 AF 55 61 18 74 21 06 58 96 60 39 DE E8 33 5B ..Ua.t!.X.`9..3[
  ��0020: 88 FD DB E3 2E 69 00 00 10 00 05 00 04 00 09 00 .....i..........
  ��0030: 0A 00 12 00 13 00 03 00 11 01 00 ...........
  ��main, WRITE: SSL v3.1 Handshake, length = 59
  ��[write] MD5 and SHA1 hashes: len = 77
  ��0000: 01 03 01 00 24 00 00 00 20 00 00 05 00 00 04 01 ....$... .......
  ��0010: 00 80 00 00 09 06 00 40 00 00 0A 07 00 C0 00 00 .......@........
  ��0020: 12 00 00 13 00 00 03 02 00 80 00 00 11 3C 5E 80 .............<^.
  ��0030: EC 66 35 19 50 DD 1D 06 AF 55 61 18 74 21 06 58 .f5.P....Ua.t!.X
  ��0040: 96 60 39 DE E8 33 5B 88 FD DB E3 2E 69 .`9..3[.....i
  ��main, WRITE: SSL v2, contentType = 22, translated length = 16310
  ��main, SEND SSL v3.1 ALERT: fatal, description = close_notify
  ��main, WRITE: SSL v3.1 Alert, length = 2
  Please help me if you can! I can't find any workaround for this!
  Bye,
  ��Dag

  Certainly,
  Here's the code:
    URL url = new URL("https://secure.web.telia.com");
    URLConnection uCon = url.openConnection();
    BufferedReader br = new BufferedReader(new InputStreamReader(uCon.getInputStream()));
    StringBuffer page = new StringBuffer(4096);
    String line;
    while ((line = br.readLine()) != null) {
      page.append( line ).append("\n");
    System.out.println(page);
    br.close();
  and here's the trace:
    javax.net.ssl.SSLException: error while writing to socket
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(DashoA6275)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
      at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA6275)
      at java.io.OutputStream.write(OutputStream.java:58)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA6275)
      at sun.net.www.protocol.https.HttpsClient.afterConnect(DashoA6275)
      at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(DashoA6275)
      at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:556)
      at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(DashoA6275)
      at TestGET.main(TestGET.java:67) (the third bodeline above)

• Handshake failure with client authentication

  Hi,
  I am using the JDK1.4 beta 3 to accomplish the following: I want to request an HTML page on an Apache webserver configured with SSL and client-authentication. It works with Netscape and Internet Explorer (and also with the openssl s_client test program)...
  But now I want to try it using Java... So, I wrote a very simple program based on some examples found on this forum... But i keep getting the following error (excerpt from the javax.net.debug=all command)
  As you can see the server request a client certificate that's issued by the certificate authority mentioned...
  *** CertificateRequest
  Cert Types: RSA, DSS,
  Cert Authorities:
  <[email protected], CN=Andy Zaidman, OU=stage, O=Kava's Certif
  icate Authority, L=Antwerp, ST=Antwerp, C=BE>
  [read] MD5 and SHA1 hashes: len = 180
  0000: 0D 00 00 B0 02 01 02 00 AB 00 A9 30 81 A6 31 0B ...........0..1.
  0010: 30 09 06 03 55 04 06 13 02 42 45 31 10 30 0E 06 0...U....BE1.0..
  0020: 03 55 04 08 13 07 41 6E 74 77 65 72 70 31 10 30 .U....Antwerp1.0
  0030: 0E 06 03 55 04 07 13 07 41 6E 74 77 65 72 70 31 ...U....Antwerp1
  0040: 25 30 23 06 03 55 04 0A 13 1C 4B 61 76 61 27 73 %0#..U....Kava's
  0050: 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 Certificate Aut
  0060: 68 6F 72 69 74 79 31 0E 30 0C 06 03 55 04 0B 13 hority1.0...U...
  0070: 05 73 74 61 67 65 31 15 30 13 06 03 55 04 03 13 .stage1.0...U...
  0080: 0C 41 6E 64 79 20 5A 61 69 64 6D 61 6E 31 25 30 .Andy Zaidman1%0
  0090: 23 06 09 2A 86 48 86 F7 0D 01 09 01 16 16 41 6E #..*.H........An
  00A0: 64 79 2E 5A 61 69 64 6D 61 6E 40 75 69 61 2E 61 [email protected]
  00B0: 63 2E 62 65 c.be
  *** ServerHelloDone
  [read] MD5 and SHA1 hashes: len = 4
  0000: 0E 00 00 00 ....
  *** Certificate chain
  JsseJCE: Using JSSE internal implementation for cipher RSA/ECB/PKCS1Padding
  *** ClientKeyExchange, RSA PreMasterSecret, v3.1
  Random Secret: { 3, 1, 38, 54, 219, 158, 32, 158, 155, 15, 55, 137, 216, 164, 4
  5, 65, 153, 142, 200, 98, 57, 251, 55, 6, 46, 124, 181, 161, 164, 234, 218, 75,
  195, 72, 218, 187, 182, 197, 4, 11, 249, 45, 3, 136, 207, 114, 236, 172 }
  [write] MD5 and SHA1 hashes: len = 141
  0000: 0B 00 00 03 00 00 00 10 00 00 82 00 80 64 92 2E .............d..
  0010: 42 2C A5 79 1D 2B A9 A5 D0 46 2A 1F 67 F3 49 28 B,.y.+...F*.g.I(
  0020: E0 ED 1D 85 E3 06 22 49 8A 79 02 48 E2 DD E6 75 ......"I.y.H...u
  0030: F3 C0 D3 A8 31 C0 18 94 7C 81 24 75 6A A1 0C 4F ....1.....$uj..O
  0040: 99 03 66 B8 37 4F 05 0D 5D CD F2 A0 10 F5 D5 F5 ..f.7O..].......
  0050: 50 66 49 91 CA C0 18 F1 07 E9 70 D0 CB EA 70 D3 PfI.......p...p.
  0060: 8E 13 55 E7 43 BD 94 1C D3 96 1F E9 67 93 57 62 ..U.C.......g.Wb
  0070: 91 5C E6 ED B1 75 9C A8 55 B7 50 DE CE 9B 1C EE .\...u..U.P.....
  0080: 57 62 20 9C F3 11 36 68 7A 38 62 79 D1 Wb ...6hz8by.
  main, WRITE: SSL v3.1 Handshake, length = 141
  SESSION KEYGEN:
  PreMaster Secret:
  0000: 03 01 26 36 DB 9E 20 9E 9B 0F 37 89 D8 A4 2D 41 ..&6.. ...7...-A
  0010: 99 8E C8 62 39 FB 37 06 2E 7C B5 A1 A4 EA DA 4B ...b9.7........K
  0020: C3 48 DA BB B6 C5 04 0B F9 2D 03 88 CF 72 EC AC .H.......-...r..
  CONNECTION KEYGEN:
  Client Nonce:
  0000: 3B E9 51 EF F3 13 65 11 4E D6 B7 B1 9F E8 F6 CB ;.Q...e.N.......
  0010: B5 2B 34 8F 87 53 66 61 33 BF 5A AD 7D 22 57 7D .+4..Sfa3.Z.."W.
  Server Nonce:
  0000: 3B E9 53 4E 03 37 E9 CD E8 DB 7C 54 9A 9E 53 B9 ;.SN.7.....T..S.
  0010: 78 E0 36 DF 06 17 07 90 2C D1 83 5E 20 05 DC E9 x.6.....,..^ ...
  Master Secret:
  0000: B5 A0 37 0A 2C 29 AD AC 99 B6 2F E0 4D 80 38 68 ..7.,)..../.M.8h
  0010: F7 4F 24 C4 AA 8C ED 25 A9 D6 90 33 4B 5A 0B 1D .O$....%...3KZ..
  0020: 11 A5 C9 E8 DB DE EF 9B 8D EB 7C 84 D6 AC 94 4F ...............O
  Client MAC write Secret:
  0000: F5 AF 61 5B B4 C2 A8 12 DA 7A FE A6 82 79 7F FC ..a[.....z...y..
  0010: B9 86 B2 C0 ....
  Server MAC write Secret:
  0000: 62 22 C6 39 91 E4 45 50 2A 49 E0 26 CF 16 3E 6A b".9..EP*I.&..>j
  0010: 46 19 00 D9 F...
  Client write key:
  0000: D9 D2 99 89 5C CA 2E 7D F3 B8 52 24 9E 01 9B 3B ....\.....R$...;
  Server write key:
  0000: 37 C3 37 78 8B 85 B0 FE 01 83 E2 6C F7 C6 73 33 7.7x.......l..s3
  ... no IV for cipher
  main, WRITE: SSL v3.1 Change Cipher Spec, length = 1
  JsseJCE: Using JSSE internal implementation for cipher RC4
  *** Finished, v3.1
  verify_data: { 51, 236, 194, 3, 230, 37, 147, 76, 251, 233, 132, 207 }
  [write] MD5 and SHA1 hashes: len = 16
  0000: 14 00 00 0C 33 EC C2 03 E6 25 93 4C FB E9 84 CF ....3....%.L....
  Plaintext before ENCRYPTION: len = 36
  0000: 14 00 00 0C 33 EC C2 03 E6 25 93 4C FB E9 84 CF ....3....%.L....
  0010: 64 30 E3 0B 31 CF 7D C7 D6 17 D8 FB 31 23 F9 34 d0..1.......1#.4
  0020: 5D B9 47 F9 ].G.
  main, WRITE: SSL v3.1 Handshake, length = 36
  main, READ: SSL v3.1 Alert, length = 2
  main, RECV SSLv3 ALERT: fatal, handshake_failure
  javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA6275)
  at java.io.OutputStream.write(OutputStream.java:61)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA6275)
  at HttpClient.main(HttpClient.java:105)
  Now, I am sure the certificate is in the keystore, because one of the first things I do in the program is print the certificates available in the keystore...
  Does anyone know what I'm doing wrong? If you need the code to make a proper judgement, I will post it...
  Tnx in advance!
  Greetz,
  Andy Zaidman
  [email protected]

  import java.net.*;
  import java.io.*;
  import java.security.*;
  import java.security.cert.*;
  import javax.net.ssl.*;
  import java.util.*;
  public class HttpClient
       public HttpClient(){}
       public static void main (String args[])
       try
            //This is my server certificate - public key
            String serverCertificateFile = "MyCA.cer";
            //This is my client personal certificate
            String clientCertificateFile = "MyPersonal.pfx";
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            KeyStore ks = KeyStore.getInstance("JKS");
            TrustManagerFactory tmf = TrustManagerFactory.getInstance("SUNX509");
            ks.load(null, null);
            java.security.cert.X509Certificate the_cert = (java.security.cert.X509Certificate) cf.generateCertificate(new FileInputStream(serverCertificateFile));
            ks.setCertificateEntry("server", the_cert);
            tmf.init(ks);
            for (Enumeration e = ks.aliases() ; e.hasMoreElements() ;)
       System.out.println(ks.getCertificate(e.nextElement().toString()).toString());
            KeyStore ks2 = KeyStore.getInstance("PKCS12", "SunJSSE");
            KeyManagerFactory kmf = KeyManagerFactory.getInstance("SUNX509");
            ks2.load(null, null);
            FileInputStream fin = new FileInputStream(clientCertificateFile);
            ks2.load(fin, "xxx".toCharArray());
            kmf.init(ks2, "xxx".toCharArray());
            fin.close();
            for (Enumeration e = ks2.aliases() ; e.hasMoreElements() ;)
       System.out.println(ks2.getCertificate(e.nextElement().toString()).toString());
            SSLContext ctx = SSLContext.getInstance("SSLv3");
            KeyManager[] km = kmf.getKeyManagers();
            for(int i = 0; i < km.length; ++i)
                 System.out.println(km);
            TrustManager[] tm = tmf.getTrustManagers();
            ctx.init(km, tm, null);
            // connection part
            SSLSocketFactory factory = ctx.getSocketFactory();
            SSLSocket socket = (SSLSocket)factory.createSocket("localhost", 443);
            for(int i = 0; i < socket.getEnabledCipherSuites().length; ++i)
                 System.out.println(socket.getEnabledCipherSuites()[i]);
            socket.startHandshake();
            PrintWriter out = new PrintWriter(
                      new BufferedWriter(
                      new OutputStreamWriter(
                      socket.getOutputStream())));
            out.println("GET " + "/" + " HTTP/1.1");
            out.println();
            out.flush();
       catch(Exception e)
            e.printStackTrace();

• Handshake Failure: EOFException

  I've moved this question from a reply to an earlier question to here because it covers a different problem to the initial one...
  I'm trying to establish a TCP connetion between a Java cclient application and a C++ server. At the client end (where I'm working), SSLSockets are used to careted the connection.
  Having loaded all my certs & keys into JS Keystores and then into KeyStore objects, my attempted connection is failing with what could be no response from the server.
  There is a chance that I set up my JKS files incorrectly but I would have thought that I would see different errors if this were the case. as it is, the client seems to get no repsonse from the server (despite the fact that C++ clients on the same machine are able to connect successfully)
  Q: What can I tell from the following debug info? Is it that the server is simply not responding? Or could there be a chance that the JKS files I generated are wrong:
  NB:  the server details are as follows:
  Encryption method used - TLSv1
  Using self-signed certificates
  Using both server and clients certificates
  Private keys of server and clients certificates are encrypted with a pass phrase for extra security
  Output
  ========================
  *** ClientHello, TLSv1
  RandomCookie: GMT: 1186518602 bytes = { 142, 68, 187, 5, 96, 173, 37, 16, 173, 228, 209, 83, 43, 124, 226, 61, 146, 147, 228, 218, 4, 96, 75, 161, 75, 79, 32, 254 }
  Session ID: {}
  Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
  Compression Methods: { 0 }
  [write] MD5 and SHA1 hashes: len = 73
  main, WRITE: TLSv1 Handshake, length = 73
  [write] MD5 and SHA1 hashes: len = 98
  main, WRITE: SSLv2 client hello message, length = 98
  [Raw write]: length = 100
  main, received EOFException: error
  main, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
  main, SEND TLSv1 ALERT: fatal, description = handshake_failure
  main, WRITE: TLSv1 Alert, length = 2
  main, Exception sending alert: java.net.SocketException: Software caused connection abort: socket write error
  main, called closeSocket()
  IO exception, ioe=javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake

  Thanks - that worked a treat!
  I specified "TLSv1" as the only enabled protocol (made it configurable)and there were no handshake errors after that.

• RMI handshake failure. Different case.

  Hi to all. In my case, the client starts a thread to get the remote object server. this will continue until it suceed. First i started the server, finally the client.
  But when i started first the client, it fails to get the remote object server even rmi finishes to register the object server in the registry. the client thread always get a null value when trying to get the object server. Anyone experiences the same scenario?

  All are working fine and tested. This situation only occurs when a client thread is started first by getting the remote object server before registering the object server to the remote registry.
  Client thread fails to retrieve the object server even if it is registered..
  But when i started first the server, there are no problems.

• 2-way handshake fails / "hanskake failure"

  I'am trying to set up a 2-way hanshake with a server (Nortel Alteon SSL Accelerator).
  I have the client certificate on my keystore as well as the CA Root certificate in the signers.
  My java client works just fine if no client authentication is required by the server.
  Also, if I test the 2-way handshake with my browser (IE), I have no problem to establish the connection after it prompted me for the appropriate (client) certificate (which I've imported into IE).
  So I wonder if there is particular thing to define at the application level to explicitely return the client certificate at runtime (just like I do by clicking on the button in the IE popup) ?
  Here is the main properties from JSSE, I'm using :
  try {
  // Use Sun's reference implementation of a URL handler
  // for the HTTPS URL protocol
  System.setProperty("java.protocol.handler.pkgs",
  "com.sun.net.ssl.internal.www.protocol");
  // Registers dynamically Sun's ssl provider.           
  Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
  // Specify the location of the truststore file
  // truststore file contains key material for the TrustManager
  // This file takes precedence over jssecacerts and cacerts
  System.setProperty("javax.net.ssl.trustStore", _trustStorePath);
  System.setProperty("javax.net.ssl.trustStorePassword",
  _trustStorePassword);
  endpoint = new java.net.URL(rpcrouter_address);
  Here is the exception I get :
  stackTrace: javax.net.ssl.SSLHandshakeException: handshake failure
       at com.ibm.jsse.bd.a(Unknown Source)
       at com.ibm.jsse.bd.startHandshake(Unknown Source)
  Tks for the help.
  --MAS

  Tanks for the attention ...
  At first, I used the same file :
  Ref : System.setProperty("javax.net.ssl.trustStore", _trustStorePath);
  Then, I realized that it might be better to use a different one for the keys, so I've imported the client certificate into a new file and add in my code :
  System.setProperty("javax.net.ssl.keyStore",_keyStorePath);
  But I always get the same exception :
  javax.net.ssl.SSLHandshakeException "handshake failure"
  On the server's side, I have that client certificate defined. I still wonder if every thing is fine with the Alteon config (these Nortel's things are tricky ...) but again when I simulate the client authentication within IE, it works just fine.
  --MAS                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    

• SSLException while handshaking: Peer sent alert: Alert Fatal: decrypt error

  Hello everybody,
  I am tryining to establish a connection from SAP PI 7.0 to an external web service that requires SSL with client authentication. I am using the SOAP adapter for that. The private key of us and the public key of the web service were installed in the VA in the TrustedCAs view. In the corresponding receiver channel configuration I have ticked "Configure Certificate Authetication" and selected appropriate entries in "Keystore Entry" and "Keystore View".
  Whenever I send a message through the channel I am getting though an error during the SSL handshake: Decrypt error.
  Below is the SSL debug log
  ssl_debug(15): Sending v3 client_hello message to services.bloomberg.com:443, requesting version 3.1...
  ssl_debug(15): Received v3 server_hello handshake message.
  ssl_debug(15): Server selected SSL version 3.1.
  ssl_debug(15): Server created new session 81:ED:F8:61:3B:51:8E:70...
  ssl_debug(15): CipherSuite selected by server: TLS_RSA_WITH_AES_256_CBC_SHA
  ssl_debug(15): CompressionMethod selected by server: NULL
  ssl_debug(15): Server does not supports secure renegotiation.
  ssl_debug(15): Received certificate handshake message with server certificate.
  ssl_debug(15): Server sent a 2048 bit RSA certificate, chain has 3 elements.
  ssl_debug(15): ChainVerifier: No trusted certificate found, OK anyway.
  ssl_debug(15): Received certificate_request handshake message.
  ssl_debug(15): Accepted certificate types: RSA, DSA
  ssl_debug(15): Accepted certificate authorities:
  ssl_debug(15):   CN=XXXXXXXXXXXXXXXXXXXXXXXX
  ssl_debug(15):   CN=VeriSign Class 3 International Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
  ssl_debug(15):   CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
  ssl_debug(15): Received server_hello_done handshake message.
  ssl_debug(15): Sending certificate handshake message with RSA client certificate...
  ssl_debug(15): Sending client_key_exchange handshake...
  ssl_debug(15): Sending certificate_verify handshake message...
  ssl_debug(15): Sending change_cipher_spec message...
  ssl_debug(15): Sending finished message...
  ssl_debug(15): Received alert message: Alert Fatal: decrypt error
  ssl_debug(15): SSLException while handshaking: Peer sent alert: Alert Fatal: decrypt error
  ssl_debug(15): Shutting down SSL layer...
  My first assumption was that it might be caused by missing public key of other side's server in the TrustedCAs view. Now I have assured that we have this key installed (although I am currious why there is still the "ChainVerifier: No trusted certificate found" message in the log).
  Does somebody have an idea what could cause this SSL handshake failure?
  Best regards,
  Maxim

  The XPI inspector gave more understanding of the situation. It shows which certificates the remote server is sending, which client certificate is used for authentication and many other topics. Interesting enough the XPI inspector shows that PI trusts the server key whereas the NWA log at the very same time tells that it doesn't. I have posted an OSS message asking to explain why there is this discrepancy.

• SSL Handshake Error in Android (ADF Mobile)

  Hi Guys,
  Now I am tried to using "https" Web service with my application, but seems show SSL handshake error specially in Android only, iOS is totally working.
  Log from Android is
  09-27 18:09:03.252: I/System.out(30444): [SEVERE - oracle.adfmf.framework - adf.mf.internal - logError] Request:  {classname: oracle.adfmf.framework.api.Model; method: processBatchRequests; params: [0: false][1: [0: {classname: oracle.adfmf.framework.api.Model; method: evaluateMethodExpression; params: [0: #{bindings.AgentAuthenCDKey.execute}][1: [0: {.type: oracle.adfmf.amx.event.ActionEvent; }]][2: void][3: [0: oracle.adfmf.amx.event.ActionEvent]]; }]]; } exception:  {message: SSL handshake failure; errorCode: 409; .type: oracle.adfmf.framework.exception.AdfInvocationRuntimeException; .exception: true; severity: ERROR; errorCategory: WEBSERVICE; }
  How to solved this one ?
  ** If my android didn't connect to internet, it still show "SSL handshake error" too, that so weird !

  Hi,
  Sorry to bump this, but I have the exact same problem. "SSL Handshake Error" when calling SSL enabled web services - works fine on iOS, but not on Android, which implies to me a problem with the framework rather than my certificate?
  : D/CVM(985): [SEVERE - oracle.adfmf.framework - Utility - invoke] InvocationTargetException Error: ERROR [oracle.adfmf.framework.exception.AdfInvocationRuntimeException] - SSL handshake failure
  I'm on JDeveloper 11.1.2.4, ADF Mobile Framework 11.1.2.4.39.64.51.
  Are there any known issues with ADF Mobile/SSL on Android?
  Any help is much appreciated.
  Rich.

• Handshake Exception with Firefox and Jetty Servlet Container

  We do have a strange problem with Firefox 2 and Jetty 6.1 (a Servlet Container) using HTTPS to communicate: At some stage Firefox (FF) sends a ClientHelloV2, to which Jetty responds with a ServerHelloV3. This leads to a handshake failure for this handshake and for any subsequent attempt.
  To avoid the handshake failures there are 2 options:
  1.) restart FF
  2.) change the servername or port, by using ssltap [2] as a proxy.
  [FF] --> [ssltap] --> [Jetty]
  That way it is possible to change the port without restarting
  FF and Jetty, and to debug the SSL traffic.
  Both options make FF to start a SSL session, by sending a ClientHelloV3. Then everything works until we get to the same stage described above.
  h2. Logs:
  From what I can see in the logs of ssltap, Firefox is sending some data, which might be something like a partial handshake (?).
  --> [
  alloclen = 63 bytes
  (63 bytes of 63)
  [Wed Jan 09 12:18:41 2008] [ssl2] ClientHelloV2 {
  version = {0x03, 0x00}
  cipher-specs-length = 36 (0x24)
  sid-length = 0 (0x00)
  challenge-length = 16 (0x10)
  cipher-suites = {
  (0x000039) TLS/DHE-RSA/AES256-CBC/SHA
  (0x000038) TLS/DHE-DSS/AES256-CBC/SHA
  (0x000035) TLS/RSA/AES256-CBC/SHA
  (0x000033) TLS/DHE-RSA/AES128-CBC/SHA
  (0x000032) TLS/DHE-DSS/AES128-CBC/SHA
  (0x000004) SSL3/RSA/RC4-128/MD5
  (0x000005) SSL3/RSA/RC4-128/SHA
  (0x00002f) TLS/RSA/AES128-CBC/SHA
  (0x000016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA
  (0x000013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
  (0x00feff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA
  (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
  session-id = { }
  challenge = { 0xa954 0x2122 0x3e82 0xb993 0xd72f 0xea54 0x779f 0x958c }
  The server responds with:
  <-- [
  (1161 bytes of 1156)
  SSLRecord { [Wed Jan 09 12:18:41 2008]
  0: 16 03 00 04 84 |....�
  type = 22 (handshake)
  version = { 3,0 }
  length = 1156 (0x484)
  handshake {
  0: 02 00 00 46 |...F
  type = 2 (server_hello)
  length = 70 (0x000046)
  ServerHello {
  server_version = {3, 0}
  random = {...}
  0: 47 84 ad 91 a1 f6 cb e5 f8 e2 f0 46 60 4b dd 48 | G����.&#9574;.�.�F`K.H
  10: 13 a8 93 96 d2 4f 2b d8 2d fe 49 2f 22 e5 29 5e | .����O+�-.I/".)^
  session ID = {
  length = 32
  contents = {..}
  0: 47 84 ad 91 84 b7 ef 62 92 fb 03 d7 8a 41 ae 82 | G������b��.�.A�.
  10: d5 57 a3 e0 24 cc b5 2e b2 c7 29 3d 3a 37 a6 11 | &#305;W��$&#9568;�.&#9619;�)=:7�.
  cipher_suite = (0x0032) TLS/DHE-DSS/AES128-CBC/SHA
  0: 0b 00 02 f6 |....
  type = 11 (certificate)
  length = 758 (0x0002f6)
  CertificateChain {
  chainlength = 755 (0x02f3)
  Certificate {
  size = 752 (0x02f0)
  data = { saved in file 'cert.001' }
  0: 0c 00 01 38 |...8
  type = 12 (server_key_exchange)
  length = 312 (0x000138)
  0: 0e 00 00 00 |....
  type = 14 (server_hello_done)
  length = 0 (0x000000)
  +Then FF responds with a handshake failure:+
  --> [
  (7 bytes of 2)
  SSLRecord { [Wed Jan 09 12:18:41 2008]
  0: 15 03 00 00 02 |.....
  type = 21 (alert)
  version = { 3,0 }
  length = 2 (0x2)
  fatal: handshake failure
  0: 02 28 |.(
  I am pretty stuck. Do you have any idea? Or can you give me any advice, how to further investigate this problem?
  Thanks,
  -Stefan
  [2] http://www.mozilla.org/projects/security/pki/nss/tools/ssltap.html

  I did some more analysis:
  When I replace the keystore by another keystore provided by the Jetty
  distribution, Firefox will not complain about the handshake
  exception. Nevertheless there are handshake exceptions, and the SSL
  level switches from TLS to SSLv3.
  Now I guess the question is: What is the difference between the two
  keystores?
  Answer: As far as I can see, the Keystore provided in the Jetty distro
  has expired in 2001, while my keystore is still valid (although also
  self-generated).
  Could it be, that Firefox some is less strict regarding handshake
  failures, after you have told it to accept an expired certificate?
  I am not sure whether this is problem of JSSE, or not? What do you think?

• Ssl handshake error when activating changes in admin console

  An error occurred during activation of changes, please see the log for details.
  [Deployer:149150]An IOException occurred while reading input.; nested exception is: javax.net.ssl.SSLKeyException: [Security:090477]Certificate chain received from 10.26.176.83 - 10.26.176.83 was not trusted causing SSL handshake failure.; nested exception is: javax.net.ssl.SSLKeyException: [Security:090477]Certificate chain received from 10.26.176.83 - 10.26.176.83 was not trusted causing SSL handshake failure.
  [Security:090477]Certificate chain received from 10.26.176.83 - 10.26.176.83 was not trusted causing SSL handshake failure.
  WLS 10.3 on Windows 2008: I configured one of my managed servers for SSL and I'm able to reach deployments via browser and the keystore/certificate chain I have setup. However, I'm getting the above error in Admin Console all over the place. I am unable to commit configuration changes without deleting the SSL managed server. The admin server is still HTTP via 7001. I'm not sure where to look to resolve this issue. Any ideas appreciated.

  It seems like you did not update the trust store of your AdminServer. It acts as a ssl client of your managed server and cannot verify its identity certificate.

• IPlanet 6.0 - Enabling HTTP logging to debug SSL Handshake

  Hello all,
  We have a IPlanet 6.0 web server instance which receives secure HTTP requests from client systems. We are experiencing a SSL handshake failure. We have ensured that the correct certificates are installed at both ends.
  A wireshark trace at the web server shows that the Client Hello was received successfully and a Server Hello was never sent. Our conjecture is that this could be because the cipher suites do not match. It could be extremely useful to us if we could enable appropriate levels of logging and/or add JVM options to log the HTTP/SSL handshake transactions.
  Can someone help us with the additional logging? If there are questions that I can answer, please let me know.
  Thanks,
  Sourabh

  6.0 is EOL (dead). Please upgrade to 7.0.
  I can answer SSL protocol questions as far as they apply to 7.0, but don't have any information about 6.0 specifically.
  The JVM is not involved in SSL protocol handling. In general for diagnostics, always set the Web Server error log to verbose. That said in this case it probably won't help much, but can't hurt.
  If the client hello is being silently ignored there is some higher level problem going on. Either the server has crashed or is hung or maybe it never received the client request or maybe its response was lost (a misbehaving firewall dropping packets, for example). This is not a case of merely having no common ciphersuite, the server would still have sent a failure response if it was able to do so.
  It might not reveal much more than wireshark did, but first thing I'd try (after upgrading to 7.0 ;-), is run the connection attempt through ssltap and see what it reports.