JDK 7 RECV TLSv1 ALERT: fatal, handshake_failure


I hit this issue while making an HTTPS (TLS) connection on JDK 7. I tried replacing the security policy jars (UnlimitedJCEPolicyJDK7), but that did not help.

I tried several SSLContext protocol names: `SSLContext ctx = SSLContext.getInstance("TLS"); // I also tried TLSv1, TLSv1.2, TLSv1.0 and SSL; none of them work.`

I also tried setting the corresponding system properties for TLSv1 and TLSv1.2; that still does not work.

My JDK version is 1.7.085, and for certain reasons we cannot upgrade to a newer version. As a side note: the same code works under JDK 8, and it also works on Windows Server with JDK 1.7-085, but on Linux (CentOS 7) it fails. Here is the code:

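  /**
   * Sends an HTTP POST to {@code url} through the TLS-relaxed client produced by
   * {@link WebClientDevWrapper#wrapClient(HttpClient)} and returns the response body
   * for an HTTP 200 response.
   *
   * <p>The {@code json} argument is currently not transmitted: the StringEntity setup
   * is commented out below, so the request is sent with an empty body.
   *
   * @param url  absolute URL to post to
   * @param json intended request body; presently unused (see above)
   * @return the decoded response body on HTTP 200, {@code null} for any other status
   * @throws RuntimeException wrapping any I/O or TLS failure raised by the request
   */
  public static String post(String url, String json) {
    HttpClient client = WebClientDevWrapper.wrapClient(new DefaultHttpClient());
    HttpPost post = new HttpPost(url);
    try {
      // StringEntity s = new StringEntity(json);
      // s.setContentEncoding("UTF-8");
      // s.setContentType("application/json");
      // post.setEntity(s);

      // Primitive long: the elapsed-time print below does not need a boxed value.
      long startTime = System.currentTimeMillis();
      HttpResponse res = client.execute(post);
      System.out.println(System.currentTimeMillis() - startTime);
      HttpEntity entity = res.getEntity();
      try {
        if (res.getStatusLine().getStatusCode() == HttpStatus.SC_OK) {
          String charset = EntityUtils.getContentCharSet(entity);
          if (charset == null) {
            charset = "utf-8";
          }
          // Fix: entity.toString() returned the entity object's description, not the
          // body, and the detected charset was never used. Decode the body with it.
          return EntityUtils.toString(entity, charset);
        }
        return null;
      } finally {
        // Drain the entity so the connection is released back to the manager even
        // for non-200 responses; consume() is null-safe.
        EntityUtils.consume(entity);
      }
    } catch (Exception e) {
      throw new RuntimeException(e);
    }
  }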
  
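/**
 * Builds an {@link HttpClient} whose HTTPS scheme uses an {@link SSLContext} that
 * trusts every server certificate and skips hostname verification.
 *
 * <p>This is a development-only shortcut: with the trust manager below the client
 * performs no server authentication at all, so any peer, including one interposed on
 * the path, can stand in for the intended host. Keep it out of production builds.
 *
 * <p>NOTE(review): disabling trust checks cannot fix a {@code handshake_failure}
 * alert. In the attached log the server answers the ClientHello itself with the
 * alert — a TLSv1 hello offering only RSA/DHE/3DES/RC4 suites and no ECDHE suites —
 * before any certificate is exchanged, so the protocol versions and cipher suites
 * actually enabled on the socket are what to check against the server's
 * requirements. The later "peer not authenticated" appears to be the hostname
 * verifier reacting to the already-failed handshake rather than a separate cause.
 */
public static class WebClientDevWrapper {

    /**
     * Re-registers the HTTPS scheme of {@code base}'s connection manager with a
     * trust-everything socket factory and returns a new client over that manager.
     *
     * @param base client whose connection manager and parameters are reused
     * @return a new {@link DefaultHttpClient} sharing {@code base}'s connection manager
     * @throws IllegalStateException if the JSSE provider cannot create or initialise
     *     the TLS context (previously this returned {@code null}, which surfaced as a
     *     NullPointerException at the first call on the client)
     */
    public static HttpClient wrapClient(HttpClient base) {
        X509TrustManager acceptAll = new X509TrustManager() {
            @Override
            public X509Certificate[] getAcceptedIssuers() {
                // The X509TrustManager contract requires a non-null array; returning
                // null can trip provider code that iterates the accepted issuers.
                return new X509Certificate[0];
            }

            @Override
            public void checkClientTrusted(
                    java.security.cert.X509Certificate[] chain,
                    String authType)
                    throws java.security.cert.CertificateException {
                // Intentionally empty: dev-only, accepts any client chain.
            }

            @Override
            public void checkServerTrusted(
                    java.security.cert.X509Certificate[] chain,
                    String authType)
                    throws java.security.cert.CertificateException {
                // Intentionally empty: dev-only, accepts any server chain.
            }
        };

        SSLContext ctx;
        try {
            ctx = SSLContext.getInstance("TLS");
            ctx.init(null, new TrustManager[] { acceptAll }, null);
        } catch (java.security.GeneralSecurityException ex) {
            // Fail loudly instead of printing and returning null: a null client is
            // unusable and only fails later, far from the real cause.
            throw new IllegalStateException("Unable to initialise TLS context", ex);
        }

        SSLSocketFactory ssf =
                new SSLSocketFactory(ctx, SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
        ClientConnectionManager ccm = base.getConnectionManager();
        SchemeRegistry sr = ccm.getSchemeRegistry();
        sr.register(new Scheme("https", 443, ssf));
        return new DefaultHttpClient(ccm, base.getParams());
    }
}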

Here is the log:

      Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G4, OU="(c) 2007 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
    Issuer:  CN=VeriSign Class 3 Public Primary Certification Authority - G4, OU="(c) 2007 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
    Algorithm: EC; Serial number: 0x2f80fe238c0e220f486712289187acb3
    Valid from Sun Nov 04 16:00:00 PST 2007 until Mon Jan 18 15:59:59 PST 2038
  
  adding as trusted cert:
    Subject: CN=USERTrust ECC Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
    Issuer:  CN=USERTrust ECC Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
    Algorithm: EC; Serial number: 0x5c8b99c55a94c5d27156decd8980cc26
    Valid from Sun Jan 31 16:00:00 PST 2010 until Mon Jan 18 15:59:59 PST 2038
  
  adding as trusted cert:
    Subject: CN=Amazon Root CA 4, O=Amazon, C=US
    Issuer:  CN=Amazon Root CA 4, O=Amazon, C=US
    Algorithm: EC; Serial number: 0x66c9fd7c1bb104c2943e5717b7b2cc81ac10e
    Valid from Mon May 25 17:00:00 PDT 2015 until Fri May 25 17:00:00 PDT 2040
  
  adding as trusted cert:
    Subject: CN=Sonera Class2 CA, O=Sonera, C=FI
    Issuer:  CN=Sonera Class2 CA, O=Sonera, C=FI
    Algorithm: RSA; Serial number: 0x1d
    Valid from Fri Apr 06 00:29:40 PDT 2001 until Tue Apr 06 00:29:40 PDT 2021
  
  adding as trusted cert:
    Subject: CN=TC TrustCenter Class 2 CA II, OU=TC TrustCenter Class 2 CA, O=TC TrustCenter GmbH, C=DE
    Issuer:  CN=TC TrustCenter Class 2 CA II, OU=TC TrustCenter Class 2 CA, O=TC TrustCenter GmbH, C=DE
    Algorithm: RSA; Serial number: 0x2e6a000100021fd752212c115c3b
    Valid from Thu Jan 12 06:38:43 PST 2006 until Wed Dec 31 14:59:59 PST 2025
  
  adding as trusted cert:
    Subject: CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
    Issuer:  CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
    Algorithm: EC; Serial number: 0x1f47afaa62007050544c019e9b63992a
    Valid from Wed Mar 05 16:00:00 PST 2008 until Mon Jan 18 15:59:59 PST 2038
  
  trigger seeding of SecureRandom
  done seeding SecureRandom
  Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
  Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
  Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
  Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
  Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
  EJB default - 3, setSoTimeout(0) called
  Allow unsafe renegotiation: false
  Allow legacy hello messages: true
  Is initial handshake: true
  Is secure renegotiation: false
  %% No cached client session
  *** ClientHello, TLSv1
  RandomCookie:  GMT: 1589873969 bytes = { 222, 24, 98, 24, 65, 188, 120, 218, 192, 185, 167, 79, 96, 88, 137, 120, 155, 15, 245, 65, 248, 172, 68, 134, 134, 219, 224, 102 }
  Session ID:  {}
  Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
  Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
  EJB default - 3, setSoTimeout(0) called
  Allow unsafe renegotiation: false
  Allow legacy hello messages: true
  Is initial handshake: true
  Is secure renegotiation: false
  %% No cached client session
  *** ClientHello, TLSv1
  RandomCookie:  GMT: 1589873969 bytes = { 222, 24, 98, 24, 65, 188, 120, 218, 192, 185, 167, 79, 96, 88, 137, 120, 155, 15, 245, 65, 248, 172, 68, 134, 134, 219, 224, 102 }
  Session ID:  {}
  Cipher Suites: [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
  Compression Methods:  { 0 }
  ***
  [write] MD5 and SHA1 hashes:  len = 61
  0000: 01 00 00 39 03 01 5F C4   8D 31 DE 18 62 18 41 BC  ...9.._..1..b.A.
  0010: 78 DA C0 B9 A7 4F 60 58   89 78 9B 0F F5 41 F8 AC  x....O`X.x...A..
  0020: 44 86 86 DB E0 66 00 00   12 00 2F 00 33 00 32 00  D....f..../.3.2.
  Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
  Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
  EJB default - 3, setSoTimeout(0) called
  Allow unsafe renegotiation: false
  Allow legacy hello messages: true
  Is initial handshake: true
  Is secure renegotiation: false
  %% No cached client session
  ***** ClientHello, TLSv1**
  RandomCookie:  GMT: 1589873969 bytes = { 222, 24, 98, 24, 65, 188, 120, 218, 192, 185, 167, 79, 96, 88, 137, 120, 155, 15, 245, 65, 248, 172, 68, 134, 134, 219, 224, 102 }
  Session ID:  {}
  Cipher Suites: [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
  Compression Methods:  { 0 }
  ***
  [write] MD5 and SHA1 hashes:  len = 61
  0000: 01 00 00 39 03 01 5F C4   8D 31 DE 18 62 18 41 BC  ...9.._..1..b.A.
  0010: 78 DA C0 B9 A7 4F 60 58   89 78 9B 0F F5 41 F8 AC  x....O`X.x...A..
  0020: 44 86 86 DB E0 66 00 00   12 00 2F 00 33 00 32 00  D....f..../.3.2.
  0030: 0A 00 16 00 13 00 05 00   04 00 FF 01 00           .............
  EJB default - 3, WRITE: TLSv1 Handshake, length = 61
  [Raw write]: length = 66
  0000: 16 03 01 00 3D 01 00 00   39 03 01 5F C4 8D 31 DE  ....=...9.._..1.
  0010: 18 62 18 41 BC 78 DA C0   B9 A7 4F 60 58 89 78 9B  .b.A.x....O`X.x.
  0020: 0F F5 41 F8 AC 44 86 86   DB E0 66 00 00 12 00 2F  ..A..D....f..../
  0030: 00 33 00 32 00 0A 00 16   00 13 00 05 00 04 00 FF  .3.2............
  0040: 01 00                                              ..
  [Raw read]: length = 5
  0000: 15 03 01 00 02                                     .....
  [Raw read]: length = 2
  0000: 02 28                                              .(
  **EJB default - 3, READ: TLSv1 Alert, length = 2
  EJB default - 3, RECV TLSv1 ALERT:  fatal, handshake_failure**
  EJB default - 3, called closeSocket()
  EJB default - 3, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
  EJB default - 3, IOException in getSession():  javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
  EJB default - 3, called close()
  EJB default - 3, called closeInternal(true)
  EJB default - 3, called close()
  EJB default - 3, called closeInternal(true)
  java.lang.RuntimeException: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
      at com.synnex.snif.util.HttpRequest.post(HttpRequest.java:201)
      at com.synnex.snif.xxxx.ClientCustomSSL.httpGet(ClientCustomSSL.java:372)
      at com.synnex.snif.xxxx.ClientCustomSSL.processExecute(ClientCustomSSL.java:232)
      at com.synnex.snif.xxxx.ClientCustomSSL.process(ClientCustomSSL.java:190)
      at com.synnex.snif.xxxx.SNIFJboss6Timer.perform(SNIFJboss6Timer.java:31)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:606)
      at org.jboss.as.ee.component.ManagedReferenceMethodInterceptorFactory$ManagedReferenceMethodInterceptor.processInvocation(ManagedReferenceMethodInterceptorFactory.java:72)
      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
      at org.jboss.invocation.WeavedInterceptor.processInvocation(WeavedInterceptor.java:53)
      at org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:56)
      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
      at org.jboss.invocation.WeavedInterceptor.processInvocation(WeavedInterceptor.java:53)
      at org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:56)
      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
      at org.jboss.as.ejb3.component.invocationmetrics.ExecutionTimeInterceptor.processInvocation(ExecutionTimeInterceptor.java:43)
      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
      at org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:374)
      at org.jboss.as.ejb3.concurrency.ContainerManagedConcurrencyInterceptor.processInvocation(ContainerManagedConcurrencyInterceptor.java:104)
      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
      at org.jboss.invocation.InitialInterceptor.processInvocation(InitialInterceptor.java:21)
      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
      at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
      at org.jboss.as.ee.component.interceptors.ComponentDispatcherInterceptor.processInvocation(ComponentDispatcherInterceptor.java:53)
      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
      at org.jboss.as.ejb3.component.singleton.SingletonComponentInstanceAssociationInterceptor.processInvocation(SingletonComponentInstanceAssociationInterceptor.java:52)
      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
      at org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:272)
      at org.jboss.as.ejb3.tx.CMTTxInterceptor.required(CMTTxInterceptor.java:339)
      at org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:238)
      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
      at org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41)
      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
      at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64)
      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
      at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
      at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:55)
      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
      at org.jboss.as.ee.component.TCCLInterceptor.processInvocation(TCCLInterceptor.java:45)
      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
      at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
      at org.jboss.as.ejb3.timerservice.TimedObjectInvokerImpl.callTimeout(TimedObjectInvokerImpl.java:101)
      at org.jboss.as.ejb3.timerservice.task.CalendarTimerTask.callTimeout(CalendarTimerTask.java:60)
      at org.jboss.as.ejb3.timerservice.task.TimerTask.run(TimerTask.java:132)
      at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
      at java.util.concurrent.FutureTask.run(FutureTask.java:262)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      at java.lang.Thread.run(Thread.java:745)
      at org.jboss.threads.JBossThread.run(JBossThread.java:122)
  Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
      at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:421)
      at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
      at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572)
      at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
      at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:294)
      at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:641)
      at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:480)
      at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
      at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
      at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784)
      at com.synnex.snif.util.HttpRequest.post(HttpRequest.java:190)
      ... 52 more
