
TLSv1 Alert handshake_failure

 
Bonnie Kenison
I have just started encountering this error in JBoss 5.2 EAP. I am running with Java 1.7.0_79 on a Windows Server 2012R2. As far as I know, nothing has changed with regards to the code or the network. This problem started at some point between 10am and 3pm EDT on 6/9/2015.

Here is a copy of my JBoss log:

INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,209 INFO [STDOUT] Allow unsafe renegotiation: false
INFO | srvmain | 2015/06/10 12:57:33.271 | Allow legacy hello messages: true
INFO | srvmain | 2015/06/10 12:57:33.271 | Is initial handshake: true
INFO | srvmain | 2015/06/10 12:57:33.271 | Is secure renegotiation: false
INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,209 INFO [STDOUT] http-0.0.0.0-443-7, setSoTimeout(60000) called
INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,224 INFO [STDOUT] Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello
INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,224 INFO [STDOUT] Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello
INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,224 INFO [STDOUT] Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello
INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,224 INFO [STDOUT] Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello
INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,224 INFO [STDOUT] Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello
INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,224 INFO [STDOUT] Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello
INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,224 INFO [STDOUT] Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for SSLv2Hello
INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,224 INFO [STDOUT] Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,224 INFO [STDOUT] Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,224 INFO [STDOUT] Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,224 INFO [STDOUT] Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,224 INFO [STDOUT] Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,224 INFO [STDOUT] Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,224 INFO [STDOUT] Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,224 INFO [STDOUT] Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,224 INFO [STDOUT] Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1
INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,224 INFO [STDOUT] Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,224 INFO [STDOUT] Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,224 INFO [STDOUT] Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,224 INFO [STDOUT] Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,224 INFO [STDOUT] Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,224 INFO [STDOUT] Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,224 INFO [STDOUT] Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,224 INFO [STDOUT] Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,224 INFO [STDOUT] Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1
INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,224 INFO [STDOUT] Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,224 INFO [STDOUT] Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,224 INFO [STDOUT] Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,224 INFO [STDOUT] Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,224 INFO [STDOUT] Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,224 INFO [STDOUT] Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,224 INFO [STDOUT] Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,224 INFO [STDOUT] Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,224 INFO [STDOUT] Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,224 INFO [STDOUT] Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,224 INFO [STDOUT] http-0.0.0.0-443-7, received EOFException: error
INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,224 INFO [STDOUT] http-0.0.0.0-443-7, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,271 INFO [STDOUT] http-0.0.0.0-443-7
INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,271 INFO [STDOUT] , SEND TLSv1 ALERT:
INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,271 INFO [STDOUT] fatal,
INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,271 INFO [STDOUT] description = handshake_failure
INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,271 INFO [STDOUT] http-0.0.0.0-443-7, WRITE: TLSv1 Alert, length = 2
INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,271 INFO [STDOUT] http-0.0.0.0-443-7, called closeSocket()
INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,271 INFO [STDOUT] http-0.0.0.0-443-7, IOException in getSession(): javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,271 INFO [STDOUT] http-0.0.0.0-443-7, called close()
INFO | srvmain | 2015/06/10 12:57:33.271 | 12:57:33,271 INFO [STDOUT] http-0.0.0.0-443-7, called closeInternal(true)

This is posted to the logs about every 5 seconds - immediately upon startup. I have no idea what JBoss is trying to communicate to. But I also receive this same message when I try to hit an outside secure webservice - which is my real concern. Without the java option -Djavax.net.debug=ssl:handshake:verbose, I had no idea there were these failures every 5 seconds. I only knew about the failure to hit the outside secure webservice - as that exception was thrown to my code. Apparently, nothing is catching this "every 5 seconds" error - as that was only revealed with the verbose debug.

JBoss is configured to listen to port 443 with sslProtocols = "TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello".

1) Does anyone know what JBoss is trying to communicate with?
2) Can anyone give me any idea how to solve this handshake_failure?

 
Bonnie Kenison
I figured out the issue with the 3rd party webservice was that they restricted communication to TLSv1.1 and TLSv1.2. Since I was using Java 1.7, the default is TLSv1. I added the JAVA_OPT -Dhttps.protocols=TLSv1.2,TLSv1.1,TLSv1 and that fixed the issue.
 
Paul Clapham
Thanks for posting back with the answer you found, Bonnie. We always appreciate it when people do that.
 