javax.net.ssl.SSLException: Received fatal alert: unexpected_message in Java7


We have an HTTPS client that connects to a webservice over SSL. This always works fine with Java 1.6.

Last week we switched the client to use Java 1.7. Unfortunately the client is no longer able to connect to the webservice. I want to know what is causing this and how to fix it.

And the client throws the following exception:

    javax.net.ssl.SSLException: Received fatal alert: unexpected_message
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
    at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1959)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1077)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
    at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:702)
    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
    at org.apache.commons.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:827)
    at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:1975)
    at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:993)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:397)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)

Here is the detailed log info.

    Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
    Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
    Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
    Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
    Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
    Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
    Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
    Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
    Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
    Allow unsafe renegotiation: true
    Allow legacy hello messages: true
    Is initial handshake: true
    Is secure renegotiation: false
    main, setSoTimeout(30000) called
    main, setSoTimeout(30000) called
    %% No cached client session
    *** ClientHello, TLSv1
    RandomCookie:  GMT: 1392263294 bytes = { 158, 254, 253, 221, 176, 200, 181, 30, 189, 167, 209, 227, 105, 106, 207, 196, 50, 6, 21, 179, 125, 69, 112, 158, 49, 234, 113, 10 }
    Session ID:  {}
    Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
    Compression Methods:  { 0 }
    Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
    Extension ec_point_formats, formats: [uncompressed]
    Extension server_name, server_name: [host_name: messaging.xxxxx.com]
    ***
    [write] MD5 and SHA1 hashes:  len = 180

    main, WRITE: TLSv1 Handshake, length = 180
    [Raw write]: length = 185

    [Raw read]: length = 5
    0000: 15 03 01 00 02                                     .....
    [Raw read]: length = 2
    0000: 02 0A                                              ..
    main, READ: TLSv1 Alert, length = 2
    main, RECV TLSv1 ALERT:  fatal, unexpected_message
    main, called closeSocket()
    main, handling exception: javax.net.ssl.SSLException: Received fatal alert: unexpected_message
    main, called close()
    main, called closeInternal(true)
    main, called close()
    main, called closeInternal(true)
    main, called close()
    main, called closeInternal(true)

Solution

  • The solution to this problem is:

    1. Disable elliptic curves with the JVM option: -Dcom.sun.net.ssl.enableECC=false
    2. Disable the server name extension with the JVM option: -Djsse.enableSNIExtension=false
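
As an added example (not part of the original post), this Python script reads a `javax.net.debug` trace like the one above, decodes the raw alert record the server sent back, and lists which of the two JVM options match the extensions the rejected ClientHello carried. The sample trace is a constructed excerpt, and the function names and the extension-to-option mapping are assumptions of this example.

```python
import re

# Constructed sample: a condensed excerpt of the javax.net.debug trace above.
SAMPLE_TRACE = """\
*** ClientHello, TLSv1
Extension elliptic_curves, curve names: {secp256r1, sect163k1}
Extension ec_point_formats, formats: [uncompressed]
Extension server_name, server_name: [host_name: messaging.xxxxx.com]
***
[Raw read]: length = 5
0000: 15 03 01 00 02                                     .....
[Raw read]: length = 2
0000: 02 0A                                              ..
main, RECV TLSv1 ALERT:  fatal, unexpected_message
"""
# Assumed mapping: the ClientHello extensions each option from the Solution removes.
ECC_OFF, SNI_OFF = "-Dcom.sun.net.ssl.enableECC=false", "-Djsse.enableSNIExtension=false"
WORKAROUNDS = {"elliptic_curves": ECC_OFF, "ec_point_formats": ECC_OFF, "server_name": SNI_OFF}
DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 40: "handshake_failure"}  # subset

def raw_read_bytes(trace):
    """Reassemble the bytes of all '[Raw read]' hex dumps, in order."""
    data, reading = bytearray(), False
    for line in trace.splitlines():
        if line.startswith("[Raw "):
            reading = line.startswith("[Raw read]")
        elif reading and (m := re.match(r"[0-9A-F]{4}: ((?:[0-9A-F]{2}(?: {1,3}|$)){1,16})", line)):
            data += bytes.fromhex(m.group(1))   # hex column only, not the ASCII column
    return bytes(data)

def plaintext_alerts(data):
    """Decode unencrypted TLS alert records (content type 0x15, 2-byte body)."""
    pos, found = 0, []
    while pos + 5 <= len(data):
        length = int.from_bytes(data[pos + 3:pos + 5], "big")
        body = data[pos + 5:pos + 5 + length]
        if data[pos] == 0x15 and len(body) == 2:
            found.append(("fatal" if body[0] == 2 else "warning", DESCRIPTIONS.get(body[1], body[1])))
        pos += 5 + length
    return found

def triage(trace):
    """Map a ClientHello answered by a fatal alert to the matching JVM options."""
    after = trace.partition("*** ClientHello")[2]
    offered = re.findall(r"^Extension (\w+)", after.partition("\n***")[0], re.M)
    alerts = plaintext_alerts(raw_read_bytes(trace))
    rejected = "*** ServerHello" not in after and any(lv == "fatal" for lv, _ in alerts)
    flags = sorted({WORKAROUNDS[e] for e in offered if e in WORKAROUNDS}) if rejected else []
    return {"alerts": alerts, "offered": offered, "candidate_flags": flags}
```

Both options are system properties, so they change the ClientHello for every TLS connection the JVM makes; try them one at a time and keep only the one that clears the alert.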