SSL handshake fails for servers with strong ciphers #11

Closed
hrj opened this issue Dec 21, 2014 · 6 comments

@hrj
Member

hrj commented Dec 21, 2014

For example, navigating to https://clbin.com causes:

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
    at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1991)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1104)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1343)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1371)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1355)
    at com.squareup.okhttp.Connection.upgradeToTls(Connection.java:238)
    at com.squareup.okhttp.Connection.connect(Connection.java:153)
    at com.squareup.okhttp.Connection.connectAndSetOwner(Connection.java:169)
    at com.squareup.okhttp.OkHttpClient$1.connectAndSetOwner(OkHttpClient.java:104)
    at com.squareup.okhttp.internal.http.RouteSelector.next(RouteSelector.java:131)
    at com.squareup.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:292)
    at com.squareup.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:235)
    at com.squareup.okhttp.internal.huc.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:420)
    at com.squareup.okhttp.internal.huc.HttpURLConnectionImpl.getResponse(HttpURLConnectionImpl.java:371)
    at com.squareup.okhttp.internal.huc.HttpURLConnectionImpl.getResponseCode(HttpURLConnectionImpl.java:466)
    at com.squareup.okhttp.internal.huc.DelegatingHttpsURLConnection.getResponseCode(DelegatingHttpsURLConnection.java:105)
    at com.squareup.okhttp.internal.huc.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:25)
    at org.lobobrowser.request.RequestEngine.processHandler(RequestEngine.java:769)
    at org.lobobrowser.request.RequestEngine.access$1(RequestEngine.java:730)
    at org.lobobrowser.request.RequestEngine$RequestHandlerTask.lambda$0(RequestEngine.java:1052)
    at org.lobobrowser.request.RequestEngine$RequestHandlerTask$$Lambda$28/1859836341.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.lobobrowser.request.RequestEngine$RequestHandlerTask.run(RequestEngine.java:1058)
    at org.lobobrowser.util.SimpleThreadPool$ThreadRunnable.run(SimpleThreadPool.java:129)
    at java.lang.Thread.run(Thread.java:745)
@hrj hrj added this to the 0.1 milestone Dec 21, 2014
@hrj hrj self-assigned this Dec 21, 2014
@hrj
Member Author

hrj commented Dec 21, 2014

Fails even without okhttp:

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
    at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1991)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1104)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1343)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1371)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1355)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1511)
    at sun.net.www.protocol.http.HttpURLConnection.access$200(HttpURLConnection.java:90)
    at sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1431)
    at sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1429)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.security.AccessController.doPrivileged(AccessController.java:713)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1428)
    at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338)
    at org.lobobrowser.request.RequestEngine.processHandler(RequestEngine.java:769)
    at org.lobobrowser.request.RequestEngine.access$1(RequestEngine.java:730)
    at org.lobobrowser.request.RequestEngine$RequestHandlerTask.lambda$0(RequestEngine.java:1052)
    at org.lobobrowser.request.RequestEngine$RequestHandlerTask$$Lambda$28/1965438258.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.lobobrowser.request.RequestEngine$RequestHandlerTask.run(RequestEngine.java:1058)
    at org.lobobrowser.util.SimpleThreadPool$ThreadRunnable.run(SimpleThreadPool.java:129)
    at java.lang.Thread.run(Thread.java:745)

@hrj
Member Author

hrj commented Dec 21, 2014

Fails with okhttp-2.1.1 as well.

@hrj
Member Author

hrj commented Dec 21, 2014

This is due to restrictions in the Oracle JDK (import limits), documented here.

Simple way to reproduce this:

(new java.net.URL("https://clbin.com")).openConnection().getContent()

Running the above on OpenJDK 7 works fine.

@hrj hrj mentioned this issue Dec 21, 2014
@hrj hrj changed the title SSL handshake fails for https://clbin.com SSL handshake fails for servers with strong ciphers Dec 21, 2014
@hrj hrj modified the milestones: 0.1, 0.2 Dec 25, 2014
@hrj hrj added upstream-block and removed bug labels Dec 25, 2014
@hrj
Member Author

hrj commented Dec 27, 2014

We now show an explanation to the user when the SSL handshake exception happens and a link to this wiki page.

@hrj hrj modified the milestones: 0.3, 0.2 Dec 29, 2014
@hrj
Member Author

hrj commented Jan 3, 2015

There are a couple of things we can do on our side:

  • Inform users to install the JCE unlimited policy. Done, through the wiki.
  • Request JRE vendors to bundle JCE unlimited policy along with the JRE. Done, offline over email.
  • Try converting our code base to Java 7. This will help slightly since OpenJDK builds for version 7 are more easily available (and they don't face this problem). Being addressed in Support Java 7 #12

@hrj hrj closed this as completed Jan 3, 2015
@hrj
Member Author

hrj commented Jun 28, 2015

Updates

  1. Looks like Java 8u31 now supports at least one cipher from clbin.com and hence doesn't fail anymore. (Either that, or the clbin.com server has started supporting more ciphers).
  2. An unlimited strength policy is available for Zulu as well.
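
A local check for the condition discussed in this thread (the JCE policy restriction and the advice to install the unlimited policy), as an added example that is not part of the original issue or of the project's code: it reports whether the running JRE is capped by the limited JCE policy and which AES-256 cipher suites its default TLS client configuration enables. The class name `JcePolicyCheck` and the `AES_256` substring filter are assumptions made for illustration.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.List;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;

// Added example (hypothetical class name), not code from the project.
public class JcePolicyCheck {

    // The limited policy files cap AES at 128 bits; the unlimited
    // policy makes getMaxAllowedKeyLength return Integer.MAX_VALUE.
    static boolean isLimitedPolicy() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES") < 256;
    }

    // Suites the default SSLContext enables for a client handshake,
    // filtered to AES-256 (assumption: "AES_256" in the suite name).
    static List<String> enabledAes256Suites() throws NoSuchAlgorithmException {
        List<String> strong = new ArrayList<>();
        String[] enabled = SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites();
        for (String suite : enabled) {
            if (suite.contains("AES_256")) {
                strong.add(suite);
            }
        }
        return strong;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        System.out.println("JRE: " + System.getProperty("java.vendor")
            + " " + System.getProperty("java.version"));
        System.out.println("Max AES key length: " + Cipher.getMaxAllowedKeyLength("AES"));
        List<String> strong = enabledAes256Suites();
        System.out.println("Enabled AES-256 suites: " + strong.size());
        for (String suite : strong) {
            System.out.println("  " + suite);
        }
        if (isLimitedPolicy()) {
            System.out.println("Limited JCE policy in effect: a server that accepts only "
                + "256-bit suites will answer the ClientHello with handshake_failure.");
        } else {
            System.out.println("Unlimited JCE policy in effect.");
        }
    }
}
```

Running it before and after installing the unlimited policy files shows whether the change actually took effect for the JRE that launches the browser.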
