7 Replies Latest reply: Mar 9, 2011 4:17 PM by EJP

javax.net.ssl.SSLHandshakeException:

837869 Newbie
Hi,

I am stuck on a specific problem, where at first I need to connect to an LDAP server through SSL.
For this, I have added a certificate into cacerts and LDAP connects fine and fetches data.

In the second step I need to pass these data to a cloud system through an axis webservice using SSL.
For that I have added the cloud-specific cert into a separate keystore file.

Now the 2nd step always shows a handshake exception when in the 1st step I successfully connect to LDAP with SSL.
If I connect to LDAP without SSL, the 2nd step also goes well.
For LDAP, it doesn't need keystore properties and will show an error if I add them before the LDAP connection. So I have to add the following properties after my LDAP connection succeeds:

System.setProperty("javax.net.ssl.keyStoreType", "JKS");
System.setProperty("javax.net.ssl.keyStore", certFilePath);
System.setProperty("javax.net.ssl.keyStorePassword", password);

So I think here the JVM cannot read from two different stores added at two different times into the system properties. When at 1st it connects to LDAP with SSL, it may create a store.
After that, even though I am adding keystore properties, it's not adding them into the same store. It's my guess; I am not sure of the exact internal procedure.

Thanks

Can anyone please help me out with how to solve this problem? Below is the stack trace for this:


- I/O exception (org.apache.axis2.AxisFault) caught when processing request: Received fatal alert: handshake_failure
- Retrying request
- I/O exception (org.apache.axis2.AxisFault) caught when processing request: Received fatal alert: handshake_failure
- Retrying request
- I/O exception (org.apache.axis2.AxisFault) caught when processing request: Received fatal alert: handshake_failure
- Retrying request
Exception in thread "main" org.apache.axis2.AxisFault: Received fatal alert: handshake_failure
at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430)
at org.apache.axis2.transport.http.SOAPMessageFormatter.writeTo(SOAPMessageFormatter.java:83)
at org.apache.axis2.transport.http.AxisRequestEntity.writeRequest(AxisRequestEntity.java:84)
at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:499)
at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2114)
at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:346)
at org.apache.axis2.transport.http.AbstractHTTPSender.executeMethod(AbstractHTTPSender.java:542)
at org.apache.axis2.transport.http.HTTPSender.sendViaPost(HTTPSender.java:189)
at org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:75)
at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:371)
at org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:209)
at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:448)
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:401)
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:228)
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:163)
at com.verisign.www._2006._08.vipservice.VipSoapInterfaceServiceStub.getTokenInformation(VipSoapInterfaceServiceStub.java:5252)
at com.verisign.enterprise.usermigration.MigrateUser.getTokenStatus(MigrateUser.java:514)
at com.verisign.enterprise.usermigration.MigrateUser.main(MigrateUser.java:326)
Caused by: com.ctc.wstx.exc.WstxIOException: Received fatal alert: handshake_failure
at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:313)
at org.apache.axiom.om.impl.MTOMXMLStreamWriter.flush(MTOMXMLStreamWriter.java:146)
at org.apache.axis2.databinding.utils.writer.MTOMAwareXMLSerializer.flush(MTOMAwareXMLSerializer.java:79)
at org.apache.axis2.databinding.ADBDataSource.serialize(ADBDataSource.java:94)
at org.apache.axiom.om.impl.llom.OMSourcedElementImpl.internalSerializeAndConsume(OMSourcedElementImpl.java:664)
at org.apache.axiom.om.impl.llom.OMElementImpl.internalSerialize(OMElementImpl.java:918)
at org.apache.axiom.om.impl.llom.OMElementImpl.internalSerializeAndConsume(OMElementImpl.java:947)
at org.apache.axiom.soap.impl.llom.SOAPEnvelopeImpl.serializeInternally(SOAPEnvelopeImpl.java:240)
at org.apache.axiom.soap.impl.llom.SOAPEnvelopeImpl.internalSerialize(SOAPEnvelopeImpl.java:228)
at org.apache.axiom.om.impl.llom.OMElementImpl.internalSerializeAndConsume(OMElementImpl.java:947)
at org.apache.axiom.om.impl.llom.OMNodeImpl.serializeAndConsume(OMNodeImpl.java:471)
at org.apache.axis2.transport.http.SOAPMessageFormatter.writeTo(SOAPMessageFormatter.java:79)
... 20 more
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1657)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:932)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:623)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
at org.apache.commons.httpclient.ChunkedOutputStream.flush(ChunkedOutputStream.java:191)
at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:99)
at com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.java:214)
at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:311)
... 31 more
- Unable to sendViaPost to url[https://vipha-auth.bbtest.net/mgmt/soap]
org.apache.axis2.AxisFault: Received fatal alert: handshake_failure
at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430)
at org.apache.axis2.transport.http.SOAPMessageFormatter.writeTo(SOAPMessageFormatter.java:83)
at org.apache.axis2.transport.http.AxisRequestEntity.writeRequest(AxisRequestEntity.java:84)
at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:499)
at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2114)
at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:346)
at org.apache.axis2.transport.http.AbstractHTTPSender.executeMethod(AbstractHTTPSender.java:542)
at org.apache.axis2.transport.http.HTTPSender.sendViaPost(HTTPSender.java:189)
at org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:75)
at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:371)
at org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:209)
at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:448)
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:401)
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:228)
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:163)
at com.verisign.www._2006._08.vipservice.VipSoapInterfaceServiceStub.getTokenInformation(VipSoapInterfaceServiceStub.java:5252)
at com.verisign.enterprise.usermigration.MigrateUser.getTokenStatus(MigrateUser.java:514)
at com.verisign.enterprise.usermigration.MigrateUser.main(MigrateUser.java:326)
Caused by: com.ctc.wstx.exc.WstxIOException: Received fatal alert: handshake_failure
at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:313)
at org.apache.axiom.om.impl.MTOMXMLStreamWriter.flush(MTOMXMLStreamWriter.java:146)
at org.apache.axis2.databinding.utils.writer.MTOMAwareXMLSerializer.flush(MTOMAwareXMLSerializer.java:79)
at org.apache.axis2.databinding.ADBDataSource.serialize(ADBDataSource.java:94)
at org.apache.axiom.om.impl.llom.OMSourcedElementImpl.internalSerializeAndConsume(OMSourcedElementImpl.java:664)
at org.apache.axiom.om.impl.llom.OMElementImpl.internalSerialize(OMElementImpl.java:918)
at org.apache.axiom.om.impl.llom.OMElementImpl.internalSerializeAndConsume(OMElementImpl.java:947)
at org.apache.axiom.soap.impl.llom.SOAPEnvelopeImpl.serializeInternally(SOAPEnvelopeImpl.java:240)
at org.apache.axiom.soap.impl.llom.SOAPEnvelopeImpl.internalSerialize(SOAPEnvelopeImpl.java:228)
at org.apache.axiom.om.impl.llom.OMElementImpl.internalSerializeAndConsume(OMElementImpl.java:947)
at org.apache.axiom.om.impl.llom.OMNodeImpl.serializeAndConsume(OMNodeImpl.java:471)
at org.apache.axis2.transport.http.SOAPMessageFormatter.writeTo(SOAPMessageFormatter.java:79)
... 20 more
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1657)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:932)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:623)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
at org.apache.commons.httpclient.ChunkedOutputStream.flush(ChunkedOutputStream.java:191)
at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:99)
at com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.java:214)
at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:311)
... 31 more
  • 1. Re: javax.net.ssl.SSLHandshakeException:
    EJP Guru
    The system properties concerned are only read once. Changing them afterwards has no effect.

    Does your LDAP system really require a client certificate? And does it really have to be different from the other client cert?
  • 2. Re: javax.net.ssl.SSLHandshakeException:
    837869 Newbie
    Hi EJP,

    We need a client cert for LDAP, which we add into cacerts, and it is not bound to any password. But for the cloud connection we need another cert, which is protected by a password.
    So the LDAP connection doesn't need any keystore setup, but the cloud connection does, and both operations should pass in one go.

    I don't know any way to solve it.
  • 3. Re: javax.net.ssl.SSLHandshakeException:
    EJP Guru
    Maybe LDAP is asking for but not requiring a client cert, and when one is available as in case 2 it is unknown to LDAP and therefore being rejected. Solution: export it to whatever LDAP uses for a truststore and use case 2.
  • 4. Re: javax.net.ssl.SSLHandshakeException:
    handat Expert
    Your LDAP server is probably using an untrusted, self-signed SSL certificate, thus requiring you to add its certificate into cacerts. I don't believe it is a client cert, otherwise you would have added it into a separate keystore rather than adding it to the cacerts trust store, similar to what you did for your cloud key store. So you can just create your cloud keystore with key pair and just add the LDAP server's certificate as a trusted cert to it.
  • 5. Re: javax.net.ssl.SSLHandshakeException:
    EJP Guru
    This doesn't make much sense.
    Your LDAP server is probably using an untrusted, self-signed SSL certificate, thus requiring you to add its certificate into cacerts.
    LDAP is working via SSL in case 1. Ergo either he has already done that or it isn't self-signed. No other possibility.
    I don't believe it is a client cert, otherwise you would have added it into a separate keystore
    That is exactly what he has done. That's why he is setting javax.net.ssl.keyStore, which is what is causing this problem. Read his post.
    So you can just create your cloud keystore with key pair and just add the LDAP server's certificate as a trusted cert to it.
    And this is real nonsense. You don't add trusted certificates to keystores. You add them to truststores.
  • 6. Re: javax.net.ssl.SSLHandshakeException:
    837869 Newbie
    Hi Ejp,

    I guess what's happening is this: when LDAP is connecting with SSL, an SSLContext would get created and stay in the JVM. So in the 2nd phase, when we add keystore elements in system properties for the cloud operation, they don't get added to the same SSLContext.
    Is there any way we can fetch the existing SSLContext and add a keystore object to it?
    And how to attach this context manually to the webservice axis2 API call?

    Thanks
  • 7. Re: javax.net.ssl.SSLHandshakeException:
    EJP Guru
    I guess
    Why? My reply of 9/03/2011 09:17 still seems the most likely to me. Ignore the confusion created above.
    When LDAP is connecting with SSL, an SSLContext would get created and stay in the JVM
    Correct.
    So in the 2nd phase, when we add keystore elements in system properties for the cloud operation, they don't get added to the same SSLContext.
    They don't get added to any SSLContext. The system properties are only read once, and that already happened when you made the LDAP connection. So 'changing them afterwards has no effect', as I already said in my first reply above, 9/03/2011 00:05.
    Is there any way we can fetch the existing SSLContext and add a keystore object to it?
    No there isn't, but as that isn't the problem it's irrelevant.

    As I see it you have two choices:

    1. Export the client certificate into whatever LDAP uses as a truststore, as I mentioned above.

    2. Create a specific SSLContext and KeyManager, load the KeyManager from the keystore explicitly, and use that SSLContext when creating the 2nd connection. This seems like a lot of extra work that JSSE would do for you automatically if you implemented (1).
    And how to attach this context manually to the webservice axis2 API call?
    And you would still have to solve that problem, and I don't know how to do it.
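
The following is an added example, not code from the thread or from any of its participants, illustrating EJP's choice (2) above: build a dedicated SSLContext from an explicitly loaded keystore and truststore instead of mutating the javax.net.ssl.* system properties, which JSSE reads only once when the default context is first initialised. The file paths, passwords and the hostname are placeholders; the class and method names are assumptions made for this example. Only the plain JSSE/HttpsURLConnection side is shown, since the thread does not establish how to hand a custom context to the Axis2 client.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Builds an SSLContext from an explicit keystore (client certificate plus
 * private key) and an explicit truststore, without touching the
 * javax.net.ssl.* system properties. The JVM's default SSLContext, which the
 * earlier LDAP-over-SSL connection relies on, is therefore never reconfigured,
 * and the order in which the two connections are made no longer matters.
 * (Hypothetical class written for this example.)
 */
public final class ExplicitSslContext {

    private ExplicitSslContext() {}

    // Loads a JKS/PKCS12 store from disk; the password may be null for a
    // store that is not password-protected.
    static KeyStore loadKeyStore(String type, String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * keyStorePath / keyStorePassword: the password-protected keystore holding
     * the cloud client certificate and its private key.
     * trustStorePath / trustStorePassword: the truststore holding the CA of the
     * cloud endpoint. Passing null for trustStorePath falls back to the JVM's
     * default trust anchors (cacerts), so the LDAP server's trusted cert stays
     * where it already is and is not copied into the keystore.
     */
    public static SSLContext build(String keyStorePath, char[] keyStorePassword,
                                   String trustStorePath, char[] trustStorePassword) throws Exception {
        KeyStore keyStore = loadKeyStore("JKS", keyStorePath, keyStorePassword);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyStorePassword);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        if (trustStorePath != null) {
            tmf.init(loadKeyStore("JKS", trustStorePath, trustStorePassword));
        } else {
            tmf.init((KeyStore) null); // null selects the JVM default truststore
        }

        // A context scoped to this caller only; SSLContext.getDefault() is untouched.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder keystore path and password; substitute your own.
        SSLContext cloudCtx = build("/path/to/cloud-client.jks", "changeit".toCharArray(),
                                    null, null);

        // Attach the context to this one connection; any earlier LDAP connection
        // that used the JVM defaults is unaffected.
        URL endpoint = new URL("https://cloud.example.invalid/mgmt/soap"); // placeholder host
        HttpsURLConnection conn = (HttpsURLConnection) endpoint.openConnection();
        conn.setSSLSocketFactory(cloudCtx.getSocketFactory());
        System.out.println("HTTP status: " + conn.getResponseCode());
    }
}
```

The design point is the same one EJP makes: the keystore and truststore are separate objects with separate roles (KeyManager presents the client identity, TrustManager decides which server certificates to accept), and a context built this way is explicit and local rather than a process-wide default that a later System.setProperty call cannot change.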
