Jetty/PDFreactor can't connect to my https-secured server (javax.net.ssl.SSLHandshakeException)

@Kaufman445

Posted in: #Https

I have an apache-hosted site using https (working quite well in everyday use, with an "A" rating in www.ssllabs.com/). This site my.site offers generated PDFs; for this purpose it connects to our PDFreactor server (a Jetty application) which in turn requests a special view from my.site/my/page/html_view?var=val.
This process used to work fine (as long as we were using plain http, at least).

Now the PDF generation fails because the PDFreactor/Jetty server can't connect to my.site:
trustStore is: /opt/jdk1.7.0_65/jre/lib/security/cacerts
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
Subject: CN=... (87 trusted certs)

qtp227333474-29, READ: TLSv1 Alert, length = 2
qtp227333474-29, RECV TLSv1 ALERT: fatal, handshake_failure
qtp227333474-29, called closeSocket()
qtp227333474-29, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure


Further information, retrieved by adding -Djavax.net.debug=all to my commandline:

[029][14:22:17.085][FINER] - Input source has a system id.
[029][14:22:17.085][INFO] - Connecting to: "https://my.site:/my/page/html_view?var=val"
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
qtp227333474-29, setSoTimeout(0) called
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1477657081 bytes = { 117, 207, <a list of 28 numbers below 128>, 109 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA,
SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5,
TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2,
secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1,
secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1,
secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1,
sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension server_name, server_name: [host_name: my.site]


(line breaks for Cipher Suites and Extension elliptic_curves added by me; the url indeed contains that additional colon in my.site:/my/page/html_view?var=val, but this shouldn't be the problem, right?)

So, what can I do to make the handshake happen?

What does Java mean by unsupported vs. unavailable cipher suites - should I add some on the my.site apache side? (currently the recommended SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH from cipherli.st/).
I tried to add the certificate of my.site (a .crt file) to the keystore, or, as I found no information about a "keyStore", the "trustStore" /opt/jdk1.7.0_65/jre/lib/security/cacerts:

keytool -importcert -file /path/to/my-site.crt -keystore ./cacerts


However, there is apparently a passphrase needed, which I don't know. As far as I'm concerned, this keystore file was contained in the tar file I extracted the JRE from and was never changed.

Versions: jdk1.7.0_65, Jetty 8.0.15, PDFreactor 7.0.7174, Debian 7.5.

Is there any other possible problem?

Any suggestions how to fix this? Thank you!

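An added example, not part of the question or of the PDFreactor/Jetty code: a short Python check of whether the ClientHello above can ever agree on a suite with the Apache `SSLCipherSuite` string quoted in the question. The `OFFERED` list and `SERVER_CIPHERS` are copied from the post; `suite_attributes` translates JSSE suite names into the OpenSSL keywords the Apache string uses (`EECDH`, `EDH`, `AESGCM`, `AES256`, ...), and `parse_cipher_string` is a deliberately simplified model of OpenSSL's `+` (all keywords must match), `:` (any clause may match) and `!` (exclude) operators, so it covers strings in the cipherli.st style but not every OpenSSL feature. Two observations from the debug output drive the result: every suite JSSE logs as "unavailable" is an AES-256 suite (Java 7's default limited JCE policy caps AES at 128 bits), and every suite logged as "unsupported" is a SHA-256/SHA-384 suite that needs TLS 1.2, while this client sends a TLSv1 ClientHello (the Java 7 client default). The server string accepts only AES-GCM or AES-256, so the intersection is empty, which is exactly what a `handshake_failure` alert right after the ClientHello means. The defender's fix is on the client side (a JRE that enables TLS 1.2 and GCM, plus the unlimited-strength policy for AES-256), not loosening the Apache list to CBC-only suites.

```python
"""Cipher-suite overlap check for a JSSE ClientHello vs. an Apache SSLCipherSuite
string.  Added example; the suite list and server string come from the question,
the cipher-string evaluator is a simplified model of OpenSSL's syntax."""
import re

# Suites from the TLSv1 ClientHello in the question (JSSE names); the SCSV
# pseudo-suite is omitted because it carries no cipher.
OFFERED = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA", "SSL_RSA_WITH_RC4_128_SHA",
    "TLS_ECDH_ECDSA_WITH_RC4_128_SHA", "TLS_ECDH_RSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_WITH_RC4_128_MD5",
]

# The Apache SSLCipherSuite value quoted in the question.
SERVER_CIPHERS = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"


def suite_attributes(name):
    """Map a JSSE suite name to the OpenSSL keywords that describe it."""
    m = re.fullmatch(r"(?:TLS|SSL)_(.+?)_WITH_(.+)", name)
    if not m:
        raise ValueError("not a JSSE cipher suite name: " + name)
    kx, bulk = m.group(1), m.group(2)
    attrs = set()
    # Key exchange, spelled as OpenSSL does: EECDH = ephemeral ECDH, EDH = ephemeral DH.
    if kx.startswith("ECDHE"):
        attrs.add("EECDH")
    elif kx.startswith("DHE"):
        attrs.add("EDH")
    elif kx.startswith("ECDH"):
        attrs.add("ECDH")
    elif kx == "RSA":
        attrs.add("kRSA")
    # Bulk cipher: AES128/AES256 by key size, AESGCM for the GCM mode.
    if bulk.startswith("AES_"):
        bits = bulk.split("_")[1]
        attrs.update({"AES", "AES" + bits})
        if "_GCM_" in bulk:
            attrs.add("AESGCM")
    elif bulk.startswith("RC4"):
        attrs.add("RC4")
    elif bulk.startswith("3DES"):
        attrs.add("3DES")
    return frozenset(attrs)


def parse_cipher_string(cipher_string):
    """Simplified OpenSSL cipher string: ':' separates clauses, '+' ANDs keywords,
    a leading '!' or '-' turns a clause into an exclusion; '@' directives are ignored."""
    include, exclude = [], []
    for clause in cipher_string.split(":"):
        if not clause or clause.startswith("@"):
            continue
        if clause.startswith(("!", "-")):
            exclude.append(frozenset(clause[1:].split("+")))
        else:
            include.append(frozenset(clause.split("+")))
    return include, exclude


def server_accepts(suite, cipher_string):
    """True if the suite matches some include clause and no exclude clause."""
    attrs = suite_attributes(suite)
    include, exclude = parse_cipher_string(cipher_string)
    if any(kw <= attrs for kw in exclude):
        return False
    return any(kw <= attrs for kw in include)


def common_suites(offered, cipher_string):
    """Suites both sides accept, in the client's preference order."""
    return [s for s in offered if server_accepts(s, cipher_string)]


def unmet_keywords(offered, cipher_string):
    """Server keywords that no offered suite satisfies: the client's missing capabilities."""
    include, _ = parse_cipher_string(cipher_string)
    wanted = set().union(*include)
    have = set().union(*(suite_attributes(s) for s in offered))
    return wanted - have


if __name__ == "__main__":
    shared = common_suites(OFFERED, SERVER_CIPHERS)
    print("suites both sides accept:", shared or "none -> handshake_failure")
    print("server keywords the client cannot satisfy:",
          sorted(unmet_keywords(OFFERED, SERVER_CIPHERS)))
```

Run it as-is and it reports no shared suite and `['AES256', 'AESGCM']` as the capabilities the client lacks. The same two functions answer the "should I add suites on the Apache side" question the other way round: pass a candidate client list (for example one containing `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`, which a TLS 1.2-capable JRE offers) and `common_suites` shows the handshake would succeed without touching the server configuration.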