java - How to debug the ssl connection error

Question

Description: I tried to post some xml format data to a API gateway. When i post my data to one site under Https protocol with JAVA HttpsURLConnection, i got the Received fatal alert: handshake_failure error.

Attempts 1: enable the SSL debug with vm option by adding -Djavax.net.debug=all then i got those:

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1511946801 bytes = { 126, 217, 71, 253, 228, 128, 168, 241, 225, 17, 188, 15, 91, 241, 195, 104, 187, 74, 19, 124, 157, 248, 96, 131, 84, 231, 109, 219 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Extension server_name, server_name: [type=host_name (0), value=alipay-test.connectedpos.de]
***
[write] MD5 and SHA1 hashes:  len = 243
0000: 01 00 00 EF 03 03 5A 1E   7A 31 7E D9 47 FD E4 80  ......Z.z1..G...
0010: A8 F1 E1 11 BC 0F 5B F1   C3 68 BB 4A 13 7C 9D F8  ......[..h.J....
0020: 60 83 54 E7 6D DB 00 00   46 C0 23 C0 27 00 3C C0  `.T.m...F.#.'.<.
0030: 25 C0 29 00 67 00 40 C0   09 C0 13 00 2F C0 04 C0  %.).g.@...../...
0040: 0E 00 33 00 32 C0 2B C0   2F 00 9C C0 2D C0 31 00  ..3.2.+./...-.1.
0050: 9E 00 A2 C0 08 C0 12 00   0A C0 03 C0 0D 00 16 00  ................
0060: 13 C0 07 C0 11 00 05 C0   02 C0 0C 00 04 00 FF 01  ................
0070: 00 00 80 00 0A 00 34 00   32 00 17 00 01 00 03 00  ......4.2.......
0080: 13 00 15 00 06 00 07 00   09 00 0A 00 18 00 0B 00  ................
0090: 0C 00 19 00 0D 00 0E 00   0F 00 10 00 11 00 02 00  ................
00A0: 12 00 04 00 05 00 14 00   08 00 16 00 0B 00 02 01  ................
00B0: 00 00 0D 00 1A 00 18 06   03 06 01 05 03 05 01 04  ................
00C0: 03 04 01 03 03 03 01 02   03 02 01 02 02 01 01 00  ................
00D0: 00 00 20 00 1E 00 00 1B   61 6C 69 70 61 79 2D 74  .. .....alipay-t
00E0: 65 73 74 2E 63 6F 6E 6E   65 63 74 65 64 70 6F 73  est.connectedpos
00F0: 2E 64 65                                           .de
main, WRITE: TLSv1.2 Handshake, length = 243
[Raw write]: length = 248
0000: 16 03 03 00 F3 01 00 00   EF 03 03 5A 1E 7A 31 7E  ...........Z.z1.
0010: D9 47 FD E4 80 A8 F1 E1   11 BC 0F 5B F1 C3 68 BB  .G.........[..h.
0020: 4A 13 7C 9D F8 60 83 54   E7 6D DB 00 00 46 C0 23  J....`.T.m...F.#
0030: C0 27 00 3C C0 25 C0 29   00 67 00 40 C0 09 C0 13  .'.<.%.).g.@....
0040: 00 2F C0 04 C0 0E 00 33   00 32 C0 2B C0 2F 00 9C  ./.....3.2.+./..
0050: C0 2D C0 31 00 9E 00 A2   C0 08 C0 12 00 0A C0 03  .-.1............
0060: C0 0D 00 16 00 13 C0 07   C0 11 00 05 C0 02 C0 0C  ................
0070: 00 04 00 FF 01 00 00 80   00 0A 00 34 00 32 00 17  ...........4.2..
0080: 00 01 00 03 00 13 00 15   00 06 00 07 00 09 00 0A  ................
0090: 00 18 00 0B 00 0C 00 19   00 0D 00 0E 00 0F 00 10  ................
00A0: 00 11 00 02 00 12 00 04   00 05 00 14 00 08 00 16  ................
00B0: 00 0B 00 02 01 00 00 0D   00 1A 00 18 06 03 06 01  ................
00C0: 05 03 05 01 04 03 04 01   03 03 03 01 02 03 02 01  ................
00D0: 02 02 01 01 00 00 00 20   00 1E 00 00 1B 61 6C 69  ....... .....ali
00E0: 70 61 79 2D 74 65 73 74   2E 63 6F 6E 6E 65 63 74  pay-test.connect
00F0: 65 64 70 6F 73 2E 64 65                            edpos.de
[Raw read]: length = 5
0000: 15 03 03 00 02                                     .....
[Raw read]: length = 2
0000: 02 28                                              .(
main, READ: TLSv1.2 Alert, length = 2
main, RECV TLSv1.2 ALERT:  fatal, handshake_failure
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

Attempts 2: tried with this solution, but no differences. SSLHandshakeException: Received fatal alert: handshake_failure after Java 6 -> 8 upgrade

For @AxelH comment:

I do have "normal" certificate, the https should be public accessible for anyone in Internet(That's how SSL certificate works).

?  security ls -l
total 280
-rw-rw-r--  1 root  wheel      0 Sep 18  2014 trusted.libraries
-rw-rw-r--  1 root  wheel  20969 Sep 18  2014 java.security
-rw-rw-r--  1 root  wheel   2466 Sep 18  2014 java.policy
-rw-rw-r--  1 root  wheel  95881 Sep 18  2014 cacerts
-rw-rw-r--  1 root  wheel   1188 Sep 18  2014 blacklisted.certs
-rw-rw-r--  1 root  wheel   3890 Sep 18  2014 blacklist

links:

https://blogs.oracle.com/java-platform-group/diagnosing-tls,-ssl,-and-https https://tonyyan.wordpress.com/2015/07/17/enabled-tls-1-2-and-tls-1-1-on-java-7/

Answer 1

The site you're attempting to connect (alipay-test.connectedpos.de) does not have any cipher suites in common with Java.

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84)

You will need to enable the JCE Unlimited Strength Jurisdiction Policy for Java for this to work.

For Java 7, you can download the JCE Unlimited Strength Jurisdiction Policy files from http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html. For all versions of Java 8 except Update 151, you can download the files from http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html. Once done, replace the two JARs (local_policy.jar, US_export_policy.jar) under your JRE's lib/security directory with the ones from the downloaded package.

For Java 8 Update 151 and later, the files are installed by default. To enable these file, edit the file java.security under your JRE's lib/security directory and specify crypto.policy=unlimited.

This will add additional (stronger) ciphersuites and you should be able to connect without having to make any changes to your code or enable TLSv1.2