Business Software Applications

Java Development and HTTPS SSLHandshakeException

These days security is a hot topic: the future of your web application and its user base depends on it. User privacy is directly tied to website security and to how sensitive user information travels across the Internet. When you update servers to the latest security protocol (i.e. TLS 1.2) for HTTPS, you have to ensure that your client-development team tests and verifies those servers properly.

Today it is not sufficient just to test any HTTPS connection. You have to understand which secure protocols are enabled, disabled, vulnerable, etc.

On the server side, ensure for example that protocols like SSLv3 and TLSv1 are disabled due to their known vulnerabilities (POODLE). This is usually done on the networking equipment that supports your web applications (load balancers and their incoming ports).

When you are using Java-enabled web applications, test the server properly (under TLS 1.2) by updating to the latest Java Platform, Standard Edition Development Kit (JDK). If you are not using the most up-to-date JDK, your development team can encounter this issue when trying to connect to the server over HTTPS:

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

This exception indicates that the client and server could not negotiate the desired level of security. The connection is no longer usable.

Class SSLHandshakeException
java.lang.Object
  java.lang.Throwable
    java.lang.Exception
      java.io.IOException
        javax.net.ssl.SSLException
          javax.net.ssl.SSLHandshakeException

This exception happens when: (1) you updated the server-side infrastructure to support the latest TLS 1.2 protocol and disabled older protocols that have known vulnerabilities, and (2) you have not updated the Java client-side environment (that connects to the server).

The Java client-side environment usually relies on the JDK, which needs updating as well. These are the various JDKs and their supported secure protocols:

JDK 6 (2006 to 2013):
- TLSv1.1 (JDK 6 update 111 and above), TLSv1 (default), SSLv3

JDK 7 (July 2011 to present):
- TLSv1.2, TLSv1.1, TLSv1 (default), SSLv3

JDK 8 (March 2014 to present):
- TLSv1.2 (default), TLSv1.1, TLSv1, SSLv3

JDK 7, for instance, will only connect with TLSv1.2 when you specifically configure the Java environment to do so; otherwise the SSLHandshakeException will occur. Updating to JDK 8 should resolve the issue, as TLSv1.2 is its default protocol.
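
One way to see which protocols a client JVM offers and to pin a connection to TLSv1.2, as the JDK 7 case above requires. This is an added example, not code from the original post; the class name TlsClientCheck and the host passed on the command line are assumptions.

```java
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Hypothetical diagnostic class (not from the original post).
public class TlsClientCheck {

    // Protocols this JVM enables by default for client connections.
    static String[] defaultProtocols() throws Exception {
        return SSLContext.getDefault().getDefaultSSLParameters().getProtocols();
    }

    // Protocols this JVM can speak at all, whether enabled by default or not.
    static String[] supportedProtocols() throws Exception {
        return SSLContext.getDefault().getSupportedSSLParameters().getProtocols();
    }

    // Handshake offering only TLSv1.2; returns the protocol actually negotiated.
    static String handshakeTls12(String host, int port) throws Exception {
        // Throws NoSuchAlgorithmException on a JDK without TLSv1.2 support.
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null); // default key managers, trust store and RNG
        SSLSocketFactory factory = ctx.getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        try {
            socket.setEnabledProtocols(new String[] {"TLSv1.2"});
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS"); // verify the hostname
            socket.setSSLParameters(params);
            socket.startHandshake(); // SSLHandshakeException if negotiation fails
            return socket.getSession().getProtocol();
        } finally {
            socket.close();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Java version:        " + System.getProperty("java.version"));
        System.out.println("Supported protocols: " + Arrays.toString(supportedProtocols()));
        System.out.println("Enabled by default:  " + Arrays.toString(defaultProtocols()));
        if (args.length > 0) { // host supplied by the caller, port 443 assumed
            System.out.println("Negotiated with " + args[0] + ": "
                    + handshakeTls12(args[0], 443));
        }
    }
}
```

Run it without arguments to print the JVM's protocol lists, or with a host name to attempt the TLSv1.2 handshake. For clients that use HttpsURLConnection on JDK 7, the `https.protocols` system property (for example `-Dhttps.protocols=TLSv1.2`) selects the protocol without code changes.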

If you are unsure about what you have today, Qualys SSL Labs (www.ssllabs.com) maintains a collection of tools that are helpful in understanding SSL/TLS connections.

Some helpful definitions:

- HTTPS (also called HTTP over TLS, HTTP over SSL and HTTP Secure) is a protocol for secure communication over a computer network which is widely used on the Internet. HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security or its predecessor, Secure Sockets Layer.

- Java Platform, Standard Edition (Java SE) lets you develop and deploy Java applications on desktops and servers, as well as in today's demanding embedded environments. Java offers the rich user interface, performance, versatility, portability, and security that today's applications require.

- Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both of which are frequently referred to as 'SSL', are cryptographic protocols designed to provide communications security over a computer network. Several versions of the protocols are in widespread use in applications such as web browsing, email, Internet faxing, instant messaging, and voice-over-IP (VoIP). Major web sites (including Google, YouTube, Facebook and many others) use TLS to secure all communications between their servers and web browsers. The latest protocol (to the date of this post) is TLS 1.2. It was defined in RFC 5246 in August of 2008 and is based on TLS 1.1 with improved flexibility.

- A POODLE attack is an exploit that takes advantage of the way some browsers deal with encryption. POODLE (Padding Oracle On Downgraded Legacy Encryption) is the name of the vulnerability that enables the exploit. POODLE can be used to target browser-based communication that relies on the Secure Sockets Layer (SSL) 3.0 protocol for encryption and authentication. The Transport Layer Security (TLS) protocol has largely replaced SSL for secure communication on the Internet, but many browsers will revert to SSL 3.0 when a TLS connection is unavailable. An attacker who wants to exploit POODLE takes advantage of this by inserting himself into the communication session and forcing the browser to use SSL 3.0.

Posted on February 01, 2016