
I am trying to connect to WebService client using HttpApiClient. I am specifying

```
truststore = <path to Java cacerts>
truststore password = <default pass>
keystore = <custom JKS properties with all certs>
keystore password = <default pass>
```

When I debug the SSL using Java, I don't even see the "Server Hello" message, just the fatal handshake error directly, like below:

```
http-bio-8080-exec-9, WRITE: TLSv1 Handshake, length = 122
http-bio-8080-exec-9, READ: TLSv1 Alert, length = 2
http-bio-8080-exec-9, RECV TLSv1 ALERT:  fatal, handshake_failure
http-bio-8080-exec-9, called closeSocket()
http-bio-8080-exec-9, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
http-bio-8080-exec-9, called close()
http-bio-8080-exec-9, called closeInternal(true)
```

I can't debug further because there are no clues as to what is wrong. The error message does not describe anything. I have double-checked that all the certs are present. Any ideas on how I can debug this / what is missing?

greengrassbluesky
  • You would need to look at the server logs. What does 'keystore = ' mean? I suggest you don't specify the truststore at all: it defaults to the JRE `cacerts` file anyway, and you might get the path wrong if you specify it explicitly. – user207421 May 20 '15 at 04:56
  • @EJP: I agree that more information should be in the server logs. But changing anything on the truststore at this step should not be necessary, since the truststore is only relevant once it got the server side certificate, which does not happen yet. – Steffen Ullrich May 20 '15 at 05:01
  • Please check that the server is accessible by a normal browser or some other TLS client. If this is the case, it might be caused by a missing SNI extension on the client side. Or it might be a server with a very restrictive cipher set or old protocol version. If you can publish the URL, one might check from outside. – Steffen Ullrich May 20 '15 at 05:04

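The comments turn on where in the handshake the alert arrives: before any ServerHello, the truststore has not been consulted yet, and the candidates are SNI, cipher suites and protocol version. The following is an added example (not code from the question or its commenters) that triages `javax.net.debug` output on that basis. The `*** ServerHello` and `*** Certificate chain` markers are an assumption about the older JSSE debug format, and the second log is constructed.

```python
import re

# Message markers as printed by older JSSE debug output (assumed format).
SERVER_HELLO = re.compile(r"\*\*\* ServerHello\b")
SERVER_CERT = re.compile(r"\*\*\* Certificate chain\b")
ALERT = re.compile(r"(RECV|SEND) \S+ ALERT:\s*(\w+),\s*(?:description = )?(\w+)")

def triage(log_text):
    """Locate the first TLS alert and report what the client had seen by then."""
    flat = " ".join(log_text.split())  # the debug output wraps mid-line
    alert = ALERT.search(flat)
    if alert is None:
        return {"alert": None, "server_hello_seen": None,
                "truststore_relevant": None, "record_version": None, "check": []}
    before = flat[:alert.start()]
    hello = SERVER_HELLO.search(before) is not None
    cert = SERVER_CERT.search(before) is not None
    version = re.search(r"WRITE: (\S+) Handshake", before)
    if not hello:
        check = ["SNI", "cipher suites", "protocol version"]  # from the comments
    elif cert:
        check = ["truststore"]  # server certificate was received and evaluated
    else:
        check = []
    return {"alert": alert.groups(), "server_hello_seen": hello,
            "truststore_relevant": cert,
            "record_version": version.group(1) if version else None,
            "check": check}

# Log lines from the question, wrapped as they were posted.
PAGE_LOG = """http-bio-8080-exec-9, WRITE: TLSv1 Handshake, length = 122
http-bio-8080-exec-9, READ: TLSv1 Alert, length = 2
http-bio-8080-exec-9
, RECV TLSv1 ALERT:
fatal,
handshake_failure
http-bio-8080-exec-9, called closeSocket()"""

# Constructed sample: the client itself rejects the server certificate.
CONSTRUCTED_LOG = """*** ClientHello, TLSv1
main, WRITE: TLSv1 Handshake, length = 122
*** ServerHello, TLSv1
*** Certificate chain
main, SEND TLSv1 ALERT:  fatal, description = certificate_unknown"""

if __name__ == "__main__":
    print(triage(PAGE_LOG))
    print(triage(CONSTRUCTED_LOG))
```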