Error: "javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure".


Article ID: KB0093019


Products: TIBCO BusinessConnect
Versions: Not Applicable

Description

The connection fails with a handshake_failure error and a stack trace similar to the one below. No additional information is logged, even with the correct certificates installed in BC.

========
*** ClientHello, TLSv1
RandomCookie:  GMT: 1450097363 bytes = { 4, 175, 236, 99, 222, 117, 147, 56, 66, 158, 81, 64, 76, 219, 75, 149, 122, 221, 47, 58, 161, 39, 145, 90, 254, 145, 94, 89 }
Session ID:  {}
Cipher Suites: [TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA]
Compression Methods:  { 0 }
Extension server_name, server_name: [host_name: x.y.z]
Extension renegotiation_info, renegotiated_connection: <empty>
***
OutboundTransportTPOOL0, WRITE: TLSv1 Handshake, length = 86
OutboundTransportTPOOL0, READ: TLSv1 Alert, length = 2
OutboundTransportTPOOL0, RECV TLSv1 ALERT:  fatal, handshake_failure
OutboundTransportTPOOL0, called closeSocket()
OutboundTransportTPOOL0, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
2015 Dec 15 08:05:55:667 GMT +0100 BW.BusinessConnect-Interior_Server Debug [bw.logger] BW-EXT-LOG-300002 Job-6951020.6951020 HTTP sync reply: statusCode = [699] statusMsg = [Error connecting to host data-test.nijmegen.nl at port 443 . Received fatal alert: handshake_failure] confirmationID = [dmzmsh-reply-conf-rw_2fI3M5d5Kg2-ODgh--4OzUWqY]  
2015 Dec 15 08:05:55:668 GMT +0100 BW.BusinessConnect-Interior_Server Error [bw.logger] BW-EXT-LOG-100000 Job-6951020.6951020 java.lang.Exception: Error connecting to host x.y.z at port 443 . Received fatal alert: handshake_failure
at com.tibco.ax.fw.runtime.outbound.transport.http.HTTPTransport.sendRequest(HTTPTransport.java:730)
at com.tibco.ax.fw.runtime.outbound.transport.http.HTTPTransport.send(HTTPTransport.java:149)
at com.tibco.ax.fw.runtime.outbound.transport.TransportBase.run(TransportBase.java:47)
at com.tibco.pe.util.ThreadPool$ThreadPoolThread.run(Unknown Source)
=========

The server in this case is using elliptic curve cryptography over SSL.

Symptoms:
The elliptic curve libraries were not loaded during the SSL handshake.

Cause:
The elliptic curve libraries were not installed during the installation of the underlying TRA.


Resolution

To resolve the error, follow the procedure below.

1). Verify the encryption used by the server by connecting to it with portecle or openssl to see which protocol is used (TLS or SSL) and which encryption algorithm and key exchange mechanism are used. In the above example, when you connect to the "x.y.z:443" URL from a browser, you will see a message indicating that ECDHE_RSA is used as the key exchange mechanism. It appears as the prefix in the cipher suite name.

2). Verify which versions of BC and TRA are in use. In the above case, the server prefers Elliptic Curve Diffie-Hellman Ephemeral key exchange. The user needs to install the Elliptic Curve library into the JRE. The TRA installer does not install the Elliptic Curve libraries by default. During the JRE installation there is a checkbox to install it. The TRA 5.9.0 and above installer has an option to select the elliptic curve library.

3). On Windows platforms, the library is installed under $TIBCO_HOME\tibcojre64\1.7\bin\sunec.dll and on 64-bit Linux under $TIBCO_HOME/tibcojre64/1.8.0/lib/amd64/libsunec.so .

4). After installing the elliptic curve library, confirm the JRE version in use by running the "java -version" command under the tibcojre/bin folder. The version of the JRE should be greater than "1.7.0_85".

5). Check that the version of TIBCrypt.jar in the BC_HOME/lib/common folder matches the TIBCrypt.jar file under the TRA_HOME\lib folder. The version can be verified by executing the following command:

$TIBCO_HOME/tibcojre64/1.7.0/bin/java -jar <absolute path>/TIBCrypt.jar

The TIBCrypt version should be at or above 2.18.300.001.

6). If the TIBCrypt.jar versions installed in the BC and TRA directories differ, remove the TIBCrypt.jar from the BC_HOME/lib/common folder.
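
To confirm this diagnosis from the trace itself, the script below (an added example, not part of the original article or of TIBCO's tooling) summarises each ClientHello in a trace of the format shown above: protocol version, number of cipher suites offered, how many of them use an elliptic curve key exchange, and which fatal alert followed. The first sample handshake is taken from the trace above, the second is constructed for contrast, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: per-ClientHello summary of an SSL debug trace.
# Prints: <version> suites=<offered> ec=<EC key-exchange suites> alert=<name|none>
summarize_clienthellos() {
    awk '
    function emit() {
        if (seen) printf "%s suites=%d ec=%d alert=%s\n", ver, total, ec, alert
    }
    /^\*\*\* ClientHello,/ {
        emit()                       # close the previous handshake, if any
        seen = 1; ver = $NF; total = 0; ec = 0; alert = "none"
        next
    }
    seen && /^Cipher Suites:/ {
        list = $0
        sub(/^Cipher Suites:[ \t]*\[/, "", list)
        sub(/\].*$/, "", list)
        total = split(list, suite, /,[ \t]*/)
        for (i = 1; i <= total; i++)
            if (suite[i] ~ /^TLS_ECDHE?_/) ec++   # ECDH and ECDHE key exchange
        next
    }
    seen && /RECV .* ALERT:[ \t]*fatal,/ { alert = $NF }
    END { emit() }
    '
}

# Succeeds when a handshake that offered no EC suite ended in handshake_failure,
# which is the situation this article describes.
ec_missing_on_failure() {
    summarize_clienthellos | grep -q ' ec=0 alert=handshake_failure$'
}

# Sample input: first handshake copied from the trace above,
# second handshake constructed for this example.
sample_log() {
    cat <<'EOF'
*** ClientHello, TLSv1
Cipher Suites: [TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA]
***
OutboundTransportTPOOL0, WRITE: TLSv1 Handshake, length = 86
OutboundTransportTPOOL0, RECV TLSv1 ALERT:  fatal, handshake_failure
*** ClientHello, TLSv1.2
Cipher Suites: [TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA]
***
EOF
}

sample_log | summarize_clienthellos
```

To check a real trace, redirect the log file into `summarize_clienthellos`; an `ec=0` count next to `alert=handshake_failure` means the client offered no elliptic curve suites to a server that requires them.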



