5 Replies Latest reply: Dec 12, 2012 11:45 AM by 979355

JDK 7 TLSv1.2 handshake_failure

979355 Newbie
During initial handshake with TLSv1.2 protocol, we are observing what appears
to be handshake failure right after Server sends ServerHelloDone. (Probably
Client sending Client Certificate Message to the server and somehow resulting
in EOF although Server has not explicitly asked for the Client certificate.)
This is only observed with TLSv1.2 protocol enabled browsers (IE8).

http-0.0.0.0-9999-1, READ: TLSv1.2 Handshake, length = 185
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1338433763 bytes = { 82, 238, 41, 104, 38, 171, 90, 234,
66, 207, 28, 23, 138, 239, 167, 155, 67, 20, 247, 189, 236, 198, 110, 7, 92,
90, 99, 34 }
Session ID: {}
Cipher Suites: [TLS_RSA_WITH_AES_128_CBC_SHA256,


*** ServerHello, TLSv1.2
RandomCookie: GMT: 1338433763 bytes = { 80, 62, 121, 77, 213, 150, 106, 112,
199, 167, 124, 40, 184, 83, 25, 108, 250, 215, 32, 147, 6, 102, 116, 87, 229,
157, 76, 18 }
Session ID: {80, 199, 225, 227, 142, 254, 98, 13, 88, 45, 24, 128, 141, 233,
146, 172, 138, 35, 133, 91, 25, 122, 254, 53, 138, 30, 204, 194, 42, 73, 194,
85}
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
Cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256

*** ServerHelloDone
http-0.0.0.0-9999-1, WRITE: TLSv1.2 Handshake, length = 1194
[Raw write]: length = 1199
0000: 16 03 03 04 AA 02 00 00 4D 03 03 50 C7 E1 E3 50 ........M..P...P
04A0: 2A 8F C8 2D 19 CD 06 FE 7D 0C 91 0E 00 00 00 *..-...........

http-0.0.0.0-9999-1, received EOFException: error
http-0.0.0.0-9999-1, handling exception: javax.net.ssl.SSLHandshakeException:
Remote host closed connection during handshake
%% Invalidated: [Session-2, TLS_RSA_WITH_AES_128_CBC_SHA256]
http-0.0.0.0-9999-1, SEND TLSv1.2 ALERT: fatal, description =
handshake_failure
http-0.0.0.0-9999-1, WRITE: TLSv1.2 Alert, length = 2
[Raw write]: length = 7
0000: 15 03 03 00 02 02 28 ......(
http-0.0.0.0-9999-1, called closeSocket()
http-0.0.0.0-9999-1, called close()
http-0.0.0.0-9999-1, called closeInternal(true)
  • 1. Re: JDK 7 TLSv1.2 handshake_failure
    EJP Guru
    I can't see any client certificate message there. RFC 2246 says it shouldn't be sent unless requested. There's no way a client certificate can look like an EOF. What you are seeing is the client unexpectedly closing the TCP connection.
  • 2. Re: JDK 7 TLSv1.2 handshake_failure
    979355 Newbie
    I've omitted the bytes on my original post. Here is the full message. Right after ServerHelloDone, what appears to be the "client cert" is sent to the server. As I understand it, it is the next action that Client does after ServerHelloDone.
    If it's the Client cert, why would the client send this (Server did not ask for it)? If not, what is this data that are being sent and causing EOF?

    *** ServerHelloDone
    http-0.0.0.0-9999-1, WRITE: TLSv1.2 Handshake, length = 1194
    [Raw write]: length = 1199
    0000: 16 03 03 04 AA 02 00 00 4D 03 03 50 C7 D3 DE 35 ........M..P...5
    0010: D6 7E 38 64 B4 F8 DF C5 B1 02 60 86 B0 30 9B 01 ..8d......`..0..
    0020: 70 92 5A 30 DC 91 71 D8 00 65 F7 20 50 C7 D3 DE p.Z0..q..e. P...
    0030: 4E 69 BD 76 21 ED A2 9E 1F 35 04 0D 09 6B 01 C7 Ni.v!....5...k..
    0040: 53 E9 6A 14 BB DC B4 B1 20 89 A4 7D 00 3C 00 00 S.j..... ....<..
    0050: 05 FF 01 00 01 00 0B 00 04 51 00 04 4E 00 04 4B .........Q..N..K
    0060: 30 82 04 47 30 82 03 2F A0 03 02 01 02 02 02 12 0..G0../........
    0070: 34 30 0D 06 09 2A 86 48 86 F7 0D 01 01 04 05 00 40...*.H........
    0080: 30 7A 31 0B 30 09 06 03 55 04 06 13 02 55 53 31 0z1.0...U....US1
    0090: 13 30 11 06 03 55 04 08 13 0A 43 61 6C 69 66 6F .0...U....Califo
    00A0: 72 6E 69 61 31 14 30 12 06 03 55 04 07 13 0B 53 rnia1.0...U....S
    00B0: 61 6E 74 61 20 43 6C 61 72 61 31 0E 30 0C 06 03 anta Clara1.0...
    00C0: 55 04 0A 13 05 59 61 68 6F 6F 31 0E 30 0C 06 03 U....Yahoo1.0...
    00D0: 55 04 0B 13 05 59 61 68 6F 6F 31 20 30 1E 06 03 U....Yahoo1 0...
    00E0: 55 04 03 13 17 72 65 74 69 65 72 71 61 2E 63 6F U....retierqa.co
    00F0: 72 70 2E 79 61 68 6F 6F 2E 63 6F 6D 30 1E 17 0D rp.yahoo.com0...
    0100: 31 31 31 31 32 31 30 38 34 31 32 38 5A 17 0D 31 111121084128Z..1
    0110: 36 31 30 32 35 30 38 34 31 32 38 5A 30 64 31 0B 61025084128Z0d1.
    0120: 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 0...U....US1.0..
    0130: 03 55 04 08 13 0A 43 61 6C 69 66 6F 72 6E 69 61 .U....California
    0140: 31 0E 30 0C 06 03 55 04 0A 13 05 59 61 68 6F 6F 1.0...U....Yahoo
    0150: 31 0E 30 0C 06 03 55 04 0B 13 05 59 61 68 6F 6F 1.0...U....Yahoo
    0160: 31 20 30 1E 06 03 55 04 03 13 17 72 65 74 69 65 1 0...U....retie
    0170: 72 71 61 2E 63 6F 72 70 2E 79 61 68 6F 6F 2E 63 rqa.corp.yahoo.c
    0180: 6F 6D 30 82 01 22 30 0D 06 09 2A 86 48 86 F7 0D om0.."0...*.H...
    0190: 01 01 01 05 00 03 82 01 0F 00 30 82 01 0A 02 82 ..........0.....
    01A0: 01 01 00 B1 6D E3 CA B7 25 CA 98 DC AD 1A B9 04 ....m...%.......
    01B0: 68 7B 9C 30 72 07 6F D5 0B 92 77 53 70 0B B2 76 h..0r.o...wSp..v
    01C0: EB 4E 60 74 28 0F CB DE 82 98 D3 B1 84 93 84 36 .N`t(..........6
    01D0: F3 53 DC 8D C9 34 D6 1F CD C7 A0 80 F9 54 0D F1 .S...4.......T..
    01E0: F4 C9 6F BD 39 0D 5D B0 2A C1 35 92 E4 F2 B6 7E ..o.9.].*.5.....
    01F0: 0F 5C CC 18 F8 CB C1 99 B1 6F DE C8 7D 6E AC A3 .\.......o...n..
    0200: 7E 46 6B 28 D8 0F 2B 14 E2 D9 4A 61 19 2A BF 5B .Fk(..+...Ja.*.[
    0210: 7B B4 BC BE 16 AF 82 B8 B2 45 D2 6D D1 EC F0 0C .........E.m....
    0220: 68 B7 58 CA 64 67 EC 26 44 0A BA 23 32 24 A2 E4 h.X.dg.&D..#2$..
    0230: 30 F9 74 42 66 58 92 DA EB 03 A7 ED 0E FE EF DB 0.tBfX..........
    0240: 6C EF 40 8C 51 C8 FF 8F 07 E2 58 14 A9 96 E8 DA l.@.Q.....X.....
    0250: 16 86 E6 AE BA 0E 9E 24 5E 89 E3 CF CA 98 4E CC .......$^.....N.
    0260: 65 57 A5 00 BC 6E 06 F4 1F CF E9 7A 72 9A 24 85 eW...n.....zr.$.
    0270: 38 D1 DB BB 4C 95 3E 0B FD 2F 06 A4 9A D8 EF 0E 8...L.>../......
    0280: 6D 37 7D 24 E5 37 2C EC 19 46 B6 56 8C 50 E2 08 m7.$.7,..F.V.P..
    0290: 03 37 54 0C AF 69 4E 31 B9 C5 4A 8B 98 0D 7E 61 .7T..iN1..J....a
    02A0: B2 9A 2B 02 03 01 00 01 A3 81 EC 30 81 E9 30 09 ..+........0..0.
    02B0: 06 03 55 1D 13 04 02 30 00 30 2C 06 09 60 86 48 ..U....0.0,..`.H
    02C0: 01 86 F8 42 01 0D 04 1F 16 1D 4F 70 65 6E 53 53 ...B......OpenSS
    02D0: 4C 20 47 65 6E 65 72 61 74 65 64 20 43 65 72 74 L Generated Cert
    02E0: 69 66 69 63 61 74 65 30 1D 06 03 55 1D 0E 04 16 ificate0...U....
    02F0: 04 14 80 01 28 A3 43 27 49 7A 1E 75 BF 75 B0 59 ....(.C'Iz.u.u.Y
    0300: 3F 5A 3E 84 5D D8 30 81 8E 06 03 55 1D 23 04 81 ?Z>.].0....U.#..
    0310: 86 30 81 83 A1 7E A4 7C 30 7A 31 0B 30 09 06 03 .0......0z1.0...
    0320: 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 U....US1.0...U..
    0330: 13 0A 43 61 6C 69 66 6F 72 6E 69 61 31 14 30 12 ..California1.0.
    0340: 06 03 55 04 07 13 0B 53 61 6E 74 61 20 43 6C 61 ..U....Santa Cla
    0350: 72 61 31 0E 30 0C 06 03 55 04 0A 13 05 59 61 68 ra1.0...U....Yah
    0360: 6F 6F 31 0E 30 0C 06 03 55 04 0B 13 05 59 61 68 oo1.0...U....Yah


    0480: 9D C1 C3 DC DA 16 18 FC CD 67 48 30 18 3F FD E7 .........gH0.?..
    0490: 7E 52 1F 52 3E DE BA 53 06 E5 F9 4A 67 9E D3 3C .R.R>..S...Jg..<
    04A0: 2A 8F C8 2D 19 CD 06 FE 7D 0C 91 0E 00 00 00 *..-...........
    http-0.0.0.0-9999-1, received EOFException: error
    http-0.0.0.0-9999-1, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
    %% Invalidated: [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA256]
    http-0.0.0.0-9999-1, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
    http-0.0.0.0-9999-1, WRITE: TLSv1.2 Alert, length = 2
    [Raw write]: length = 7
    0000: 15 03 03 00 02 02 28 ......(
    http-0.0.0.0-9999-1, called closeSocket()
    http-0.0.0.0-9999-1, called close()
    http-0.0.0.0-9999-1, called closeInternal(true)
  • 3. Re: JDK 7 TLSv1.2 handshake_failure
    979355 Newbie
    And this is the log with TLSv1 handshake.

    http-0.0.0.0-9999-1, READ: TLSv1 Handshake, length = 226
    *** ClientHello, TLSv1
    RandomCookie: GMT: 1338438148 bytes = { 222, 245, 235, 71, 230, 158, 4, 115, 127, 182, 160, 119, 51, 55, 242, 247, 239, 37, 51, 169, 33, 52, 29, 144, 20, 78, 109, 147 }
    Session ID: {80, 199, 235, 62, 36, 168, 107, 105, 134, 15, 89, 92, 44, 24, 60, 115, 8, 84, 205, 24, 218, 153, 111, 93, 47, 198, 73, 28, 143, 201, 208, 201}
    Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,

    *** ServerHello, TLSv1
    RandomCookie:  GMT: 1338438148 bytes = { 73, 194, 86, 54, 76, 225, 104, 134, 77, 72, 217, 116, 184, 120, 141, 64, 237, 234, 199, 128, 252, 229, 251, 86, 81, 45, 166, 148 }
    Session ID: {80, 199, 242, 4, 152, 234, 86, 73, 205, 249, 183, 201, 25, 18, 217, 39, 102, 175, 252, 122, 33, 177, 186, 91, 167, 223, 140, 161, 105, 93, 3, 127}
    Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA
    Compression Method: 0
    Extension renegotiation_info, renegotiated_connection: <empty>

    *** Certificate chain
    chain [0] = [
    [

    ***
    *** ECDH ServerKeyExchange
    Server key: Sun EC public key, 256 bits


    *** ServerHelloDone
    http-0.0.0.0-9999-1, WRITE: TLSv1 Handshake, length = 1525
    [Raw write]: length = 1530

    0000: 16 03 01 05 F5 02 00 00 4D 03 01 50 C7 F2 04 49 ........M..P...I
    0010: C2 56 36 4C E1 68 86 4D 48 D9 74 B8 78 8D 40 ED .V6L.h.MH.t.x.@.
    0020: EA C7 80 FC E5 FB 56 51 2D A6 94 20 50 C7 F2 04 ......VQ-.. P...
    0030: 98 EA 56 49 CD F9 B7 C9 19 12 D9 27 66 AF FC 7A ..VI.......'f..z
    0040: 21 B1 BA 5B A7 DF 8C A1 69 5D 03 7F C0 11 00 00 !..[....i]......
    0050: 05 FF 01 00 01 00 0B 00 04 51 00 04 4E 00 04 4B .........Q..N..K
    0060: 30 82 04 47 30 82 03 2F A0 03 02 01 02 02 02 12 0..G0../........
    0070: 34 30 0D 06 09 2A 86 48 86 F7 0D 01 01 04 05 00 40...*.H........
    0080: 30 7A 31 0B 30 09 06 03 55 04 06 13 02 55 53 31 0z1.0...U....US1
    0090: 13 30 11 06 03 55 04 08 13 0A 43 61 6C 69 66 6F .0...U....Califo
    00A0: 72 6E 69 61 31 14 30 12 06 03 55 04 07 13 0B 53 rnia1.0...U....S

    05F0: EE 7D ED A6 07 AF 0E 00 00 00 ..........
    [Raw read]: length = 5
    0000: 16 03 01 00 46 ....F
    [Raw read]: length = 70
    0000: 10 00 00 42 41 04 0B 6E 49 16 83 39 FF 49 C5 6D ...BA..nI..9.I.m
    0010: 53 B1 BD 93 13 E8 29 F7 88 3D 7C 64 FD 50 F5 CC S.....)..=.d.P..
    0020: 59 81 A2 55 E6 92 C5 36 02 C4 3E 91 62 E6 40 43 Y..U...6..>.b.@C
    0030: 95 F1 C5 0D F1 92 17 32 B4 D8 5B FE 1B 09 79 87 .......2..[...y.
    0040: 9D 54 6F 32 FA AA .To2..
    http-0.0.0.0-9999-1, READ: TLSv1 Handshake, length = 70
    *** ECDHClientKeyExchange

    ...Rest is omitted

    TLSv1.2 fails on reading the last 5 data unlike this one which succeeds and moves on.
  • 4. Re: JDK 7 TLSv1.2 handshake_failure
    EJP Guru
    > I've omitted the bytes on my original post. Here is the full message. Right after ServerHelloDone, what appears to be the "client cert" is sent to the server.
    Something is sent, and it looks like a certificate, but it wasn't requested, and it is not legal for the client to send it.
    > As I understand it, it is the next action that Client does after ServerHelloDone.
    It is the next action the client does after CertificateRequest, otherwise it shouldn't do it.
    > If it's the Client cert, why would the client send this (Server did not ask for it)?
    No idea, ask Microsoft.
    > If not, what is this data that are being sent and causing EOF?
    There is no 'data that are being sent and causing EOF'. EOF causes EOF. The client is closing the connection. That causes TCP to send a TCP FIN segment, which means EOF at the receiver.
  • 5. Re: JDK 7 TLSv1.2 handshake_failure
    979355 Newbie
    Tried with Opera 10.x, which has TLSv1.2 support; it does work with JDK 7, which seems to indicate that IE8(9) does not implement this correctly.
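
An added example, not code from any participant in this thread: a small Python decoder for the record and handshake headers that appear in the `[Raw write]` and `[Raw read]` dumps above, so each dump can be labelled by direction and message type. The record and message headers are copied from those dumps; the message bodies are zero-filled placeholders, and all function and constant names are hypothetical.

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   12: "ServerKeyExchange", 13: "CertificateRequest",
                   14: "ServerHelloDone", 15: "CertificateVerify",
                   16: "ClientKeyExchange", 20: "Finished"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                      40: "handshake_failure", 42: "bad_certificate"}

def decode_record(data):
    """Decode one plaintext TLS record into (content type, version, items).

    Simplification: handshake messages are assumed not to span records."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("record body shorter than its header claims")
    name = CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype)
    if ctype == 21:                      # alert: level byte, description byte
        if length != 2:
            raise ValueError("plaintext alert must be 2 bytes")
        level, desc = body
        return name, (major, minor), [(ALERT_LEVELS.get(level, level),
                                       ALERT_DESCRIPTIONS.get(desc, desc))]
    items, off = [], 0
    while ctype == 22 and off < length:  # handshake: type(1) + length(3) + body
        if off + 4 > length:
            raise ValueError("truncated handshake header")
        mlen = int.from_bytes(body[off + 1:off + 4], "big")
        if off + 4 + mlen > length:
            raise ValueError("handshake message overruns record")
        items.append((HANDSHAKE_TYPES.get(body[off], body[off]), mlen))
        off += 4 + mlen
    return name, (major, minor), items

def requests_client_cert(record):
    """True if a server flight contains CertificateRequest (type 13)."""
    return any(kind == "CertificateRequest" for kind, _ in decode_record(record)[2])

# Constructed samples: headers from the thread's dumps, bodies zero-filled.
SERVER_FLIGHT = (bytes.fromhex("16030304AA") + bytes.fromhex("0200004D") + bytes(0x4D)
                 + bytes.fromhex("0B000451") + bytes(0x451) + bytes.fromhex("0E000000"))
ALERT = bytes.fromhex("15030300020228")          # the 7-byte [Raw write]
CLIENT_READ = bytes.fromhex("160301004610000042") + bytes(0x42)  # TLSv1 [Raw read]

if __name__ == "__main__":
    for sample in (SERVER_FLIGHT, ALERT, CLIENT_READ):
        print(decode_record(sample))
```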
