SSLHandshakeException while connecting to a https site

by

SSLlabs is apparently testing “out of the box” support. Java crypto has a crock dating back to the 1990s when the US government severely restricted export of crypto software,
and as a result the JRE (or JDK) as distributed by then-Sun now-Oracle does not permit use of 256-bit symmetric encryption, which your server is demanding. You must download and install
the “JCE Unlimited Strength Jurisdiction Policy Files” for your Java (major) version; 8 is at http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html .
The README in the file gives longwinded details, but basically you replace two tiny jar files in JRE/lib/security.

TLSv1.2 is not a real issue now. TLS protocol automatically negotiates the highest version supported (and enabled) by both ends.
Java 8 implements SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2, but recent updates (8u31 or 7u75 and up) disable SSLv3 by default because of POODLE;
you can re-enable it if you choose, but you should be reluctant to. (Java 7 implements the same protocol versions, but client by default disables 1.1 and 1.2 because of compatibility concerns at its release several years ago.)

However, because of POODLE and BEAST some security authorities no longer accept SSLv3 and TLSv1.0
as adequately secure; an important example is credit and debit cards, as detailed in https://security.stackexchange.com/a/87077/39571 .
TLSv1.2 includes some technical improvements over 1.1, making it preferred today, and there might be future discoveries that make those
improvements crucial; if your server can’t support 1.2 (and maybe higher) at that point you would be in trouble. Similarly the fact that the server’s only
supported suite uses plain-RSA key-exchange, i.e. NOT forward secrecy, is considered suboptimal now, and over time may become unacceptable.

keytool (at least with the normally used keystore and truststore files) has nothing to do with symmetric cryptography.
It could likely be relevant if the server uses a CA root (or more exactly and slightly more general, trust anchor)
that your JRE and/or application does not trust, and/or if the server wants client authentication at SSL/TLS level,
which is fairly rare. (Most websites authenticate at the web-application level, or at least HTTP level, if at all.)
SSLLabs checking of the server cert chain (and several other things also) is generally stricter than Java’s, and they
didn’t complain in that area, so it’s unlikely you have a problem there.

More Related Contents:

  1. Received fatal alert: handshake_failure through SSLHandshakeException
  2. Java client certificates over HTTPS/SSL
  3. Java SSLHandshakeException “no cipher suites in common”
  4. Problems connecting via HTTPS/SSL through own Java client
  5. How to make Java 6, which fails SSL connection with “SSL peer shut down incorrectly”, succeed like Java 7?
  6. Java HTTPS client certificate authentication
  7. How to solve javax.net.ssl.SSLHandshakeException Error?
  8. why doesn’t java send the client certificate during SSL handshake?
  9. How to ignore SSL certificate errors in Apache HttpClient 4.0
  10. Trust Store vs Key Store – creating with keytool
  11. Import PEM into Java Key Store
  12. Does Java support Let’s Encrypt certificates?
  13. limiting java ssl debug logging
  14. Read RSA private key of format PKCS1 in JAVA
  15. Extended server_name (SNI Extension) not sent with jdk1.8.0 but send with jdk1.7.0
  16. Running Selenium scripts with JMeter
  17. How to set TLS version on apache HttpClient
  18. How to force java server to accept only tls 1.2 and reject tls 1.0 and tls 1.1 connections
  19. Java and HTTPS url connection without downloading certificate
  20. SSLHandShakeException No Appropriate Protocol
  21. How do I do TLS with BouncyCastle?
  22. Java SSL connect, add server cert to keystore programmatically
  23. Java SSLException: hostname in certificate didn’t match
  24. Using SSLContext with just a CA certificate and no keystore
  25. How to configure trustStore for javax.net.ssl.trustStore on windows?
  26. Android SSL HttpGet (No peer certificate) error OR (Connection closed by peer) error
  27. SSL “Peer Not Authenticated” error with HttpClient 4.1
  28. How to use .key and .crt file in java that generated by openssl?
  29. How to build a SSLSocketFactory from PEM certificate and key without converting to keystore?
  30. Creating .p12 truststore with openssl

Leave a Comment