
I have a Java client written using the asynchttpclient library. During an integration test I am setting up a WireMock server with which to test. The connection needs to be over SSL.

I am hence generating self-signed certificates for my domain, localhost.my-domain.com, which points to 127.0.0.1.

Certificate Generation

Certificates are generated as follows:

#Generate the self signed keystore (first and last name use:  localhost.my-domain.com)
keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass changeit -validity 360 -keysize 2048

#Extract the public certificate 
keytool -export -keystore keystore.jks -alias selfsigned -file public.cer

#Create the truststore
keytool -import -file public.cer -alias selfsigned -keystore public.truststore

#extract pkcs12 private key
keytool -importkeystore -srckeystore keystore.jks -destkeystore private.pkcs12 -deststoretype PKCS12

#Convert public.cer into public.pem 
openssl x509 -inform der -in public.cer -out public.pem

#Convert pkcs12 key to pem format
openssl pkcs12 -in private.pkcs12 -out privatekey.pem -nocerts -nodes

For the sake of the test the same keystore and truststore are used on both sides (my client and wiremock)

Wiremock

My Wiremock configuration is as follows:

@ClassRule
public static WireMockClassRule wireMockRule = new WireMockClassRule(wireMockConfig()
        .port(9998)
        .httpsPort(7777)
        .needClientAuth(true)
        .trustStorePath("/path/to/public.truststore")
        .trustStorePassword("changeit")
        .keystorePath("/path/to/keystore.jks")
        .keystorePassword("changeit")
);

Asynchttpclient

To initialise the connection in asynchttpclient I am doing the following:

import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManagerFactory;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import org.asynchttpclient.DefaultAsyncHttpClient;
import org.asynchttpclient.DefaultAsyncHttpClientConfig;

private DefaultAsyncHttpClient getSslConnection() {
    final SslContextBuilder sslContextBuilder = SslContextBuilder.forClient();

    // Key material the client presents when the server requests client authentication
    final KeyManagerFactory keyManagerFactory;
    try (FileInputStream in = new FileInputStream("/path/to/keystore.jks")) {
        keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        final KeyStore keyStore = KeyStore.getInstance("JKS");
        keyStore.load(in, "changeit".toCharArray());               // keystore password
        keyManagerFactory.init(keyStore, "changeit".toCharArray()); // key entry password
    } catch (final Exception e) {
        throw new IllegalStateException("failed", e);
    }
    sslContextBuilder.keyManager(keyManagerFactory);

    // Certificates the client accepts from the server
    final TrustManagerFactory trustManagerFactory;
    try (FileInputStream in = new FileInputStream("/path/to/public.truststore")) {
        trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        final KeyStore trustStore = KeyStore.getInstance("JKS");
        trustStore.load(in, "changeit".toCharArray());
        trustManagerFactory.init(trustStore);
    } catch (final Exception e) {
        throw new IllegalStateException("failed", e);
    }
    sslContextBuilder.trustManager(trustManagerFactory);

    final SslContext sslContext;
    try {
        sslContext = sslContextBuilder.build();
    } catch (final SSLException e) {
        throw new IllegalStateException("Unable to create SslContext", e);
    }

    return new DefaultAsyncHttpClient(generateGenericHttpClientConfiguration()
            .setSslContext(sslContext)
            .build());
}

private static DefaultAsyncHttpClientConfig.Builder generateGenericHttpClientConfiguration() {
    // The timeout and pool-size values are fields of the enclosing test class (not shown here)
    return new DefaultAsyncHttpClientConfig.Builder()
            .setConnectTimeout(connectionTimeout)
            .setReadTimeout(readTimeout)
            .setHandshakeTimeout(handshakeTimeout)
            .setRequestTimeout(requestTimeout)
            .setShutdownTimeout(shutdownTimeout)
            .setSslSessionTimeout(sslSessionTimeout)
            .setPooledConnectionIdleTimeout(pooledConnectionIdleTimeout)
            .setMaxConnections(maxTotal)
            .setMaxConnectionsPerHost(maxRoute);
}

Error

My Exception is then as follows:

WireMock side:

javax.net.ssl.SSLHandshakeException: no cipher suites in common
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:292)
    at sun.security.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:1036)
    at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:739)
    at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:221)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
    at org.mortbay.jetty.security.SslSocketConnector$SslConnection.run(SslSocketConnector.java:708)
    at com.github.tomakehurst.wiremock.jetty6.DelayableSslSocketConnector$1.run(DelayableSslSocketConnector.java:52)
    at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)

My Client Side:

java.util.concurrent.ExecutionException: java.net.ConnectException: Received fatal alert: handshake_failure

    at org.asynchttpclient.netty.NettyResponseFuture.abort(NettyResponseFuture.java:239)
    at org.asynchttpclient.netty.channel.NettyConnectListener.onFailure(NettyConnectListener.java:141)
    at org.asynchttpclient.netty.channel.NettyConnectListener$1.onFailure(NettyConnectListener.java:109)
    at org.asynchttpclient.netty.SimpleFutureListener.operationComplete(SimpleFutureListener.java:26)
    at io.netty.util.concurrent.DefaultPromise.notifyListener0(DefaultPromise.java:683)
    at io.netty.util.concurrent.DefaultPromise.notifyListeners0(DefaultPromise.java:604)
    at io.netty.util.concurrent.DefaultPromise.notifyListeners(DefaultPromise.java:564)
    at io.netty.util.concurrent.DefaultPromise.tryFailure(DefaultPromise.java:425)
    at io.netty.handler.ssl.SslHandler.notifyHandshakeFailure(SslHandler.java:1239)
    at io.netty.handler.ssl.SslHandler.setHandshakeFailure(SslHandler.java:1234)
    at io.netty.handler.ssl.SslHandler.setHandshakeFailure(SslHandler.java:1209)
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1064)
    at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:904)
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:387)
    at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:245)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:292)
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:278)
    at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:962)
    at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:131)
    at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:528)
    at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:485)
    at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:399)
    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:371)
    at io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:112)
    at io.netty.util.concurrent.DefaultThreadFactory$DefaultRunnableDecorator.run(DefaultThreadFactory.java:137)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.net.ConnectException: Received fatal alert: handshake_failure
    at org.asynchttpclient.netty.channel.NettyConnectListener.onFailure(NettyConnectListener.java:138)
    ... 24 more
Caused by: javax.net.ssl.SSLException: Received fatal alert: handshake_failure
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
    at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800)
    at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083)
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907)
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1098)
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:970)
    ... 14 more

Debug Info

If I run with the ssl,handshake Java debug info enabled, the following is given:

trustStore is: C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\cacerts
trustStore type is : jks
trustStore provider is : 
init truststore
adding as trusted cert:
  Subject: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
  Issuer:  CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
  Algorithm: RSA; Serial number: 0xc3517
  Valid from Mon Jun 21 06:00:00 CEST 1999 until Mon Jun 22 06:00:00 CEST 2020
... and several others....

***
found key for : selfsigned
chain [0] = [
[
  Version: V3
  Subject: CN=localhost.my-domain.com, OU=my-domain Sofware Ltd, O=my-domain Software Ltd, L=Sliema, ST=Malta, C=MT
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 22322185126194550795772462085219600605765741974258242212144535570744433693090067697037964532896095888501895176212954181087848506804238875167464582276363224932343212155653874664548116380333979698329196870411155489258120063788253980453150948066639518586839190752172742369244848200670971411040704766236660687310131008467164466602724947105963538159324675914388308835198923964161860881537353803508615054561772507456948494859333876540386345557203373685823145636638162034516089507658075673049538151350225012579285735891440944786147926900982654525113394239397843171301247569748674320790243789470675827095807550007258334440131
  public exponent: 65537
  Validity: [From: Wed Jun 08 17:24:26 CEST 2016,
               To: Sat Jun 03 17:24:26 CEST 2017]
  Issuer: CN=localhost.my-domain.com, OU=my-domain Sofware Ltd, O=my-domain Software Ltd, L=Sliema, ST=Malta, C=MT
  SerialNumber: [    3dad149a]

Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 80 EF E8 17 92 61 B0 D6   62 29 1A 4C 45 84 5E A0  .....a..b).LE.^.
0010: ED E7 16 00                                        ....
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 14 14 E7 30 68 39 F7 61   82 6C 29 52 EB F5 3A E6  ...0h9.a.l)R..:.
0010: 25 E8 49 3B 86 3F 63 D0   07 E7 82 D3 51 52 3E BD  %.I;.?c.....QR>.
0020: 7F 18 A8 B8 53 4D C4 AC   BC 66 7D 1D 16 99 56 5D  ....SM...f....V]
0030: AA 77 70 D1 DF B6 4F 4D   BC 45 3B F6 1E 18 10 7B  .wp...OM.E;.....
0040: FD 8B 19 BC 9E 28 A5 2F   B4 32 4D D6 1B 5A F4 EF  .....(./.2M..Z..
0050: 0A C6 7E F4 6E 17 DE 44   39 6F 4C 36 FB 24 52 3A  ....n..D9oL6.$R:
0060: EF 98 09 9D 33 E8 80 73   0C CC 8A 80 4B B6 A8 34  ....3..s....K..4
0070: D6 00 DF C3 DC CB 45 16   A0 60 67 8A 25 52 33 3D  ......E..`g.%R3=
0080: 4B F9 A6 A7 AD 4A 91 7C   05 23 F8 DC 5B 76 09 05  K....J...#..[v..
0090: D6 E7 33 8C CD 0C EC 9F   EB 20 62 E1 57 51 F7 A9  ..3...... b.WQ..
00A0: B9 9A ED 25 7D B9 D9 BA   D4 2C 72 C5 62 F8 DB CB  ...%.....,r.b...
00B0: C2 48 83 2F 8D A3 15 27   99 29 4E 34 3B 18 13 A7  .H./...'.)N4;...
00C0: 30 DF BE 49 30 1B 7A DF   CE E0 C2 DA 97 1F 5D BA  0..I0.z.......].
00D0: 84 B9 92 64 34 8B 19 D2   C4 C7 96 A8 32 34 19 36  ...d4.......24.6
00E0: 7E 75 5D B7 85 F6 19 0E   1D 67 DE 50 29 02 FF CD  .u]......g.P)...
00F0: 3B 64 40 AE 7B 13 30 FA   69 52 3C 13 8A 94 46 3B  ;d@...0.iR<...F;

]
***
trigger seeding of SecureRandom
done seeding SecureRandom
adding as trusted cert:
  Subject: CN=localhost.my-domain.com, OU=my-domain Sofware Ltd, O=my-domain Software Ltd, L=Sliema, ST=Malta, C=MT
  Issuer:  CN=localhost.my-domain.com, OU=my-domain Sofware Ltd, O=my-domain Software Ltd, L=Sliema, ST=Malta, C=MT
  Algorithm: RSA; Serial number: 0x3dad149a
  Valid from Wed Jun 08 17:24:26 CEST 2016 until Sat Jun 03 17:24:26 CEST 2017

trigger seeding of SecureRandom
done seeding SecureRandom
trustStore is: C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\cacerts
trustStore type is : jks
trustStore provider is : 
init truststore
adding as trusted cert:
  Subject: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
  Issuer:  CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
  Algorithm: RSA; Serial number: 0xc3517
  Valid from Mon Jun 21 06:00:00 CEST 1999 until Mon Jun 22 06:00:00 CEST 2020

.... and several others ....

trigger seeding of SecureRandom
done seeding SecureRandom
***
found key for : selfsigned
chain [0] = [
[
  Version: V3
  Subject: CN=localhost.my-domain.com, OU=my-domain Sofware Ltd, O=my-domain Software Ltd, L=Sliema, ST=Malta, C=MT
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 22322185126194550795772462085219600605765741974258242212144535570744433693090067697037964532896095888501895176212954181087848506804238875167464582276363224932343212155653874664548116380333979698329196870411155489258120063788253980453150948066639518586839190752172742369244848200670971411040704766236660687310131008467164466602724947105963538159324675914388308835198923964161860881537353803508615054561772507456948494859333876540386345557203373685823145636638162034516089507658075673049538151350225012579285735891440944786147926900982654525113394239397843171301247569748674320790243789470675827095807550007258334440131
  public exponent: 65537
  Validity: [From: Wed Jun 08 17:24:26 CEST 2016,
               To: Sat Jun 03 17:24:26 CEST 2017]
  Issuer: CN=localhost.my-domain.com, OU=my-domain Sofware Ltd, O=my-domain Software Ltd, L=Sliema, ST=Malta, C=MT
  SerialNumber: [    3dad149a]

Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 80 EF E8 17 92 61 B0 D6   62 29 1A 4C 45 84 5E A0  .....a..b).LE.^.
0010: ED E7 16 00                                        ....
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 14 14 E7 30 68 39 F7 61   82 6C 29 52 EB F5 3A E6  ...0h9.a.l)R..:.
0010: 25 E8 49 3B 86 3F 63 D0   07 E7 82 D3 51 52 3E BD  %.I;.?c.....QR>.
0020: 7F 18 A8 B8 53 4D C4 AC   BC 66 7D 1D 16 99 56 5D  ....SM...f....V]
0030: AA 77 70 D1 DF B6 4F 4D   BC 45 3B F6 1E 18 10 7B  .wp...OM.E;.....
0040: FD 8B 19 BC 9E 28 A5 2F   B4 32 4D D6 1B 5A F4 EF  .....(./.2M..Z..
0050: 0A C6 7E F4 6E 17 DE 44   39 6F 4C 36 FB 24 52 3A  ....n..D9oL6.$R:
0060: EF 98 09 9D 33 E8 80 73   0C CC 8A 80 4B B6 A8 34  ....3..s....K..4
0070: D6 00 DF C3 DC CB 45 16   A0 60 67 8A 25 52 33 3D  ......E..`g.%R3=
0080: 4B F9 A6 A7 AD 4A 91 7C   05 23 F8 DC 5B 76 09 05  K....J...#..[v..
0090: D6 E7 33 8C CD 0C EC 9F   EB 20 62 E1 57 51 F7 A9  ..3...... b.WQ..
00A0: B9 9A ED 25 7D B9 D9 BA   D4 2C 72 C5 62 F8 DB CB  ...%.....,r.b...
00B0: C2 48 83 2F 8D A3 15 27   99 29 4E 34 3B 18 13 A7  .H./...'.)N4;...
00C0: 30 DF BE 49 30 1B 7A DF   CE E0 C2 DA 97 1F 5D BA  0..I0.z.......].
00D0: 84 B9 92 64 34 8B 19 D2   C4 C7 96 A8 32 34 19 36  ...d4.......24.6
00E0: 7E 75 5D B7 85 F6 19 0E   1D 67 DE 50 29 02 FF CD  .u]......g.P)...
00F0: 3B 64 40 AE 7B 13 30 FA   69 52 3C 13 8A 94 46 3B  ;d@...0.iR<...F;

]
***
adding as trusted cert:
  Subject: CN=localhost.my-domain.com, OU=my-domain Sofware Ltd, O=my-domain Software Ltd, L=Sliema, ST=Malta, C=MT
  Issuer:  CN=localhost.my-domain.com, OU=my-domain Sofware Ltd, O=my-domain Software Ltd, L=Sliema, ST=Malta, C=MT
  Algorithm: RSA; Serial number: 0x3dad149a
  Valid from Wed Jun 08 17:24:26 CEST 2016 until Sat Jun 03 17:24:26 CEST 2017

trigger seeding of SecureRandom
done seeding SecureRandom
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
214187874@qtp-1409545055-0 - Acceptor0 DelayableSslSocketConnector@0.0.0.0:7777, setSoTimeout(200000) called
Using SSLEngineImpl.
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1465403695 bytes = { 30, 118, 6, 181, 187, 105, 144, 0, 40, 135, 10, 57, 140, 23, 96, 35, 255, 117, 199, 166, 250, 139, 47, 126, 51, 172, 237, 45 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Extension server_name, server_name: [type=host_name (0), value=localhost.my-domain.com]
Extension renegotiation_info, renegotiated_connection: <empty>
***
AsyncHttpClient-3-1, WRITE: TLSv1.2 Handshake, length = 196
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
2009745500@qtp-1409545055-2, READ: TLSv1.2 Handshake, length = 196
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1465403695 bytes = { 30, 118, 6, 181, 187, 105, 144, 0, 40, 135, 10, 57, 140, 23, 96, 35, 255, 117, 199, 166, 250, 139, 47, 126, 51, 172, 237, 45 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Extension server_name, server_name: [type=host_name (0), value=localhost.my-domain.com]
Extension renegotiation_info, renegotiated_connection: <empty>
***
%% Initialized:  [Session-1, SSL_NULL_WITH_NULL_NULL]
%% Invalidated:  [Session-1, SSL_NULL_WITH_NULL_NULL]
2009745500@qtp-1409545055-2, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
2009745500@qtp-1409545055-2, WRITE: TLSv1.2 Alert, length = 2
2009745500@qtp-1409545055-2, called closeSocket()
2009745500@qtp-1409545055-2, handling exception: javax.net.ssl.SSLHandshakeException: no cipher suites in common

I have tried using the Spark framework instead of WireMock; however, I still get the same situation.

mangusbrother
  • Are server and client executed using the same JVM (version)? Cipher suite problems usually arise when using old client with new server or the other way round. – Robert Jun 08 '16 at 17:39
  • This is running inside a JUnit integration test so literally inside the same jvm instance. – mangusbrother Jun 08 '16 at 18:35
  • It does look like it should work. If I were you I'd write a trivial (Java) test server that uses that keystore and truststore, and just accepts a connection, reads a request, and gives a canned reply (probably 400). If that succeeds you can blame WireMock, and if it exhibits the error you have a simpler case to debug. And if you run it in a separate JVM, it's easier to separate the `javax.net.debug` output. – dave_thompson_085 Jun 19 '16 at 18:51
  • It does in fact seem to be an issue with the mock server side, as I launched an application which I intend to use SSL with and it worked using both keys; however, if I use WireMock or Spark Framework in the test it will fail on the handshake. There must be something missing from their configuration though. I'm not sure what. – mangusbrother Jun 21 '16 at 10:36

4 Answers


Disclaimer: I'm the author of AsyncHttpClient

My2cents: you generated a certificate with a large key ("keysize 2048") but you forgot to patch your JDK with the JCE unlimited strength extension.

user207421
Stephane Landelle
  • I do have the unlimited strength extension installed unfortunately – mangusbrother Jun 08 '16 at 21:19
  • And at least in Suncle, **Unlimited Strength only affects symmetric**; RSA is always unlimited. (So are DSA and DH, although that only matters since 8 implemented 186-3 sizes; and EC, although NIST primes only go to 521 and in practice nobody uses others except djb which is 255-giving-128 and Suncle doesn't do Edwards anyway.) *IBM* Java may have once had a limit on RSA, but I can no longer check, and since the public net has required RSA minimum 2048 for well over 2 years now I can't imagine such a limit is in place. – dave_thompson_085 Jun 19 '16 at 18:46
  • FWIW, a colleague of mine tried to reproduce the issue, but things worked fine. He didn't have enough points on SOF to comment, so he tried to answer instead and ask for more details but his answer was deleted by the modo... – Stephane Landelle Jun 19 '16 at 21:16

Turns out that there seems to be some issue in both WireMock and Spark Framework, as once I set up my own server using the same exact keys it worked without any trouble.

mangusbrother

Just in case it will help anyone, in my case I got this error because I've loaded a p12 format file to the keystore of the server, instead of a jks file.

i.e. something like:

@ClassRule
public static WireMockClassRule wireMockRule = new WireMockClassRule(wireMockConfig()
        .httpsPort(7777)
        .keystorePath("/path/to/keystore.p12")
        .keystorePassword("changeit")
);
yishaiz

Another potential issue is that .keystorePassword() doesn't provide the keystore password as traditionally understood. It provides the password for the individual key within the keystore.

I got around this by importing keys out of my own keystore into the wiremock one (which has a password of password) - this kept my password on the key entries but with the keystore password as password it then worked. I don't think wiremock will work if the actual keystore password is something other than password.

rich
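Added diagnostic, separate from the question and from all four answers, and not code from WireMock or AsyncHttpClient: a small Java program that uses the JDK's own JSSE classes to check whether a server keystore can actually hand an RSA key and certificate chain to a KeyManager. A server that finds no usable key entry discards every RSA-authenticated suite before it even compares the client's list, which is how a correctly generated certificate still ends in "no cipher suites in common" while the client sees handshake_failure. The program covers yishaiz's case (a PKCS12 file loaded as JKS) by trying both formats, rich's case (keystorePassword() being applied to the key entry rather than the store) by opening each key entry with a key password that is separate from the store password, and the question's own setup (same keystore and truststore on both sides, needClientAuth) by confirming the chosen leaf certificate is present in the truststore. The file names and the password changeit are the question's; the class name, the Result holder and the argument order are my own.

```java
import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.net.ssl.*;

// Added diagnostic; not code from the question, any answer, WireMock or AsyncHttpClient.
// A server-side "no cipher suites in common" against a client offering only RSA-authenticated
// suites usually means the server's KeyManager holds no usable RSA key and certificate, so every
// suite is dropped. This exercises the three ways that happens on this page.
public final class ServerKeystoreCheck {

    /** Plain result holder so the outcome can be printed or asserted on. */
    public static final class Result {
        public String storeType;                                     // format that parsed the file
        public final List<String> usableAliases = new ArrayList<>(); // private keys keyPass opens
        public final List<String> lockedAliases = new ArrayList<>(); // private keys keyPass does not open
        public String keyManagerError;                               // KeyManagerFactory.init failure
        public String chosenAlias;                                   // alias JSSE picks for RSA, or null
        public String subject;                                       // subject DN of that leaf
        public boolean certValidNow;                                 // false if expired / not yet valid
        public Boolean leafInTruststore;                             // null when no truststore given
    }

    /** Try JKS, then PKCS12, so a .p12 handed in as .jks is named rather than "Invalid keystore format". */
    public static KeyStore loadAutoDetect(Path path, char[] storePass)
            throws IOException, GeneralSecurityException {
        IOException last = null;
        for (String type : new String[] {"JKS", "PKCS12"}) {
            KeyStore ks = KeyStore.getInstance(type);
            try (InputStream in = Files.newInputStream(path)) {
                ks.load(in, storePass);
                return ks; // newer JDKs let the JKS loader read PKCS12 too, so getType() may still say JKS
            } catch (IOException e) {
                if (e.getCause() instanceof UnrecoverableKeyException) {
                    throw new IOException("store password rejected for " + path, e);
                }
                last = e; // not this format; try the next
            }
        }
        throw new IOException("neither JKS nor PKCS12 could parse " + path, last);
    }

    public static Result check(Path keyStore, char[] storePass, char[] keyPass,
                               Path trustStore, char[] trustPass)
            throws IOException, GeneralSecurityException {
        Result r = new Result();
        KeyStore ks = loadAutoDetect(keyStore, storePass);
        r.storeType = ks.getType();

        // Which private-key entries does keyPass open? WireMock hands its keystorePassword() through
        // as this key password (rich's answer), so a mismatch here leaves the server without a credential.
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;
            try {
                if (ks.getKey(alias, keyPass) instanceof PrivateKey) r.usableAliases.add(alias);
            } catch (UnrecoverableKeyException e) {
                r.lockedAliases.add(alias);
            }
        }

        // The same initialisation JSSE performs; SunX509 rejects the whole store if one entry is locked.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        try {
            kmf.init(ks, keyPass);
        } catch (UnrecoverableKeyException e) {
            r.keyManagerError = e.getMessage();
            return r;
        }
        for (KeyManager km : kmf.getKeyManagers()) {
            if (!(km instanceof X509KeyManager)) continue;
            X509KeyManager x509 = (X509KeyManager) km;
            r.chosenAlias = x509.chooseServerAlias("RSA", null, null); // what the server handshaker asks for
            if (r.chosenAlias == null) break;
            X509Certificate leaf = x509.getCertificateChain(r.chosenAlias)[0];
            r.subject = leaf.getSubjectX500Principal().getName();
            try { leaf.checkValidity(); r.certValidNow = true; }
            catch (CertificateException e) { r.certValidNow = false; }
            if (trustStore != null) {
                // The peer can only validate this leaf if its truststore holds that exact certificate.
                KeyStore ts = loadAutoDetect(trustStore, trustPass);
                r.leafInTruststore = false;
                for (String alias : Collections.list(ts.aliases())) {
                    if (leaf.equals(ts.getCertificate(alias))) r.leafInTruststore = true;
                }
            }
            break;
        }
        return r;
    }

    // Usage: java ServerKeystoreCheck keystore.jks changeit changeit public.truststore changeit
    // (file names and passwords are the question's own; the truststore pair is optional)
    public static void main(String[] args) throws Exception {
        Path ts = args.length > 3 ? Paths.get(args[3]) : null;
        char[] tp = (args.length > 4 ? args[4] : args[1]).toCharArray();
        Result r = check(Paths.get(args[0]), args[1].toCharArray(), args[2].toCharArray(), ts, tp);
        System.out.println("store type / usable / locked  : " + r.storeType + " " + r.usableAliases + " " + r.lockedAliases);
        System.out.println("KeyManager init error         : " + r.keyManagerError);
        System.out.println("RSA server alias / subject    : " + r.chosenAlias + " / " + r.subject);
        System.out.println("cert valid now / in truststore: " + r.certValidNow + " / " + r.leafInTruststore);
    }
}
```

Run it first against the keystore that the server's keystorePath points at, with the store password and then the value you pass as keystorePassword(). An empty usable list, a non-empty locked list, a KeyManager init error, or a null RSA alias is a server-side cause of the handshake failure, independent of anything the client sends; leafInTruststore=false means the peer would reject the certificate even once suite selection succeeds. The same check run against the client's keystore and the server's truststore covers the client-auth direction that needClientAuth(true) adds.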