How to debug SSL errors such as "Received fatal alert: handshake_failure"


Article ID: KB0094082


Products Versions
TIBCO ActiveMatrix BusinessWorks -
Not Applicable -

Description

Thread-11, WRITE: TLSv1 Handshake, length = 114
Thread-11, READ: TLSv1 Alert, length = 2
Thread-11, RECV TLSv1 ALERT:  fatal, handshake_failure
Thread-11, called closeSocket()
Thread-11, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Thread-11, called close()
Thread-11, called closeInternal(true)
Thread-11, called close()
Thread-11, called closeInternal(true)
Thread-11, called close()
Thread-11, called closeInternal(true)
11:00:32,688 ERROR [WsdlSubmit] Exception in request: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
11:00:32,688 ERROR [SoapUI] An error occured [Received fatal alert: handshake_failure], see error log for details
11:00:32,718 INFO  [AbstractHttpRequestDesktopPanel] Error getting response for [https://localhost:9696]; javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

Issue/Introduction

How to debug SSL errors such as "Received fatal alert: handshake_failure".

Resolution

There are many possible reasons for such errors, such as the SSL version being disabled by the server or no cipher suites in common. The cause can be found only after reading the SSL debug traces from both the server and the client side. These traces can be captured by enabling a few properties; refer to KB 29434 for more details. The client trace always resembles the one shown in the "Description" part of this KB. The server log, however, could resemble any of the following (right after ClientHello):

1) No cipher suites in common.

%% Initialized:  [Session-4, SSL_NULL_WITH_NULL_NULL]
%% Invalidated:  [Session-4, SSL_NULL_WITH_NULL_NULL]
http-bio-9696-exec-4, SEND TLSv1 ALERT:  fatal, description = handshake_failure
http-bio-9696-exec-4, WRITE: TLSv1 Alert, length = 2
http-bio-9696-exec-4, called closeSocket()
http-bio-9696-exec-4, handling exception: javax.net.ssl.SSLHandshakeException: no cipher suites in common

2) SSLv3 disabled by server.

http-bio-9696-exec-1, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
http-bio-9696-exec-1, WRITE: TLSv1.2 Alert, length = 2
http-bio-9696-exec-1, called closeSocket()
http-bio-9696-exec-1, handling exception: javax.net.ssl.SSLHandshakeException: Client requested protocol SSLv3 not enabled or not supported

The client log resembles the following.

Thread-50, WRITE: SSLv3 Handshake, length = 149
Thread-50, READ: SSLv3 Alert, length = 2
Thread-50, RECV TLSv1 ALERT:  fatal, handshake_failure
Thread-50, called closeSocket()
Thread-50, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

3) The client sends an SSLv2 hello even though it uses TLS, but the server has SSLv2 hello disabled.

http-bio-9696-exec-2, handling exception: javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
http-bio-9696-exec-2, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
http-bio-9696-exec-2, WRITE: TLSv1.2 Alert, length = 2
http-bio-9696-exec-2, called closeSocket()

The client log may then resemble:

Extension ec_point_formats, formats: [uncompressed]
***
Thread-10, WRITE: TLSv1 Handshake, length = 163
Thread-10, WRITE: SSLv2 client hello message, length = 149
Thread-10, READ: Unknown-3.3 Alert, length = 2
Thread-10, RECV TLSv1 ALERT:  fatal, handshake_failure
Thread-10, called closeSocket()
Thread-10, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

Check which side is writing "SEND TLSv1 ALERT:  fatal, description = handshake_failure", then find the detailed error message on that side. Refer to KB 45679 for SSLv3-related issues; it has a solution for supporting SSLv3. We do not recommend using any protocol lower than TLSv1 because of the POODLE vulnerability.
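The check described above (find which side sent the fatal alert, then read that side's exception) can be scripted over a captured trace. The following Python script is an added example, not part of the original KB or of any TIBCO tooling; the function name triage and the cause labels are assumptions, and the sample traces are copied from case 3 above.

```python
import re

# Line shapes follow the JSSE debug traces quoted in this article.
ALERT = re.compile(r"^(?P<thread>.+?), (?P<dir>SEND|RECV) \S+ ALERT:\s+"
                   r"(?P<level>\w+), (?:description = )?(?P<desc>\w+)")
EXC = re.compile(r"^(?P<thread>.+?), handling exception: [\w.$]+: (?P<msg>.*)$")

# Exception text on the sending side -> cause (only the three cases in this article).
CAUSES = [
    ("no cipher suites in common", "no cipher suites in common"),
    ("SSLv3 not enabled", "SSLv3 disabled by server"),
    ("SSLv2Hello is disabled", "SSLv2 hello disabled by server"),
]

def triage(trace):
    """Return one finding per thread that sent or received a fatal alert."""
    alerts, excs = {}, {}
    for line in trace.splitlines():
        line = line.strip()
        a, e = ALERT.match(line), EXC.match(line)
        if a and a["level"] == "fatal":
            alerts.setdefault(a["thread"], a)
        elif e:
            # The exception may be logged before or after the alert line.
            excs.setdefault(e["thread"], e["msg"])
    findings = []
    for thread, a in alerts.items():
        msg = excs.get(thread, "")
        if a["dir"] == "SEND":   # this side rejected the handshake: the reason is here
            cause = next((c for key, c in CAUSES if key in msg), "unclassified")
        else:                    # RECV: the reason is only in the peer's trace
            cause = "unknown on this side; read the sender's trace"
        findings.append({"thread": thread, "sent_alert": a["dir"] == "SEND",
                         "alert": a["desc"], "cause": cause, "detail": msg})
    return findings

# Sample traces copied from case 3 in this article.
SERVER_TRACE = """\
http-bio-9696-exec-2, handling exception: javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
http-bio-9696-exec-2, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
"""
CLIENT_TRACE = """\
Thread-10, WRITE: SSLv2 client hello message, length = 149
Thread-10, RECV TLSv1 ALERT:  fatal, handshake_failure
Thread-10, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
"""

if __name__ == "__main__":
    print(triage(SERVER_TRACE), triage(CLIENT_TRACE), sep="\n")
```

A finding with sent_alert set to False means the trace belongs to the side that only received the alert, so the other side's trace is the one to read.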