I am trying to connect with TLSv1.3 to dnug.collab.cloud using Apache HTTP Client 5.4.1 with Java 17.0.8.1, but I keep encountering a handshake failure that I don't understand.
When I set jdk.tls.client.protocols=TLSv1.2, the handshake succeeds.
Could someone explain what might be going wrong?
Code
System.out.println(System.getProperty("java.version"));
try (CloseableHttpClient client = HttpClients.createDefault()) {
final HttpGet request1 = new HttpGet(
"https://dnug.collab.cloud/profiles/atom/profileService.do?email=dummy@umbrellacorp.org");
client.execute(request1, response -> {
return null;
});
} catch (Exception e) {
e.printStackTrace();
}
Log generated with javax.net.debug=ssl:handshake
17.0.8.1
javax.net.ssl|DEBUG|2024-12-12 17:00:53.028 CET|SSLCipher.java:466|jdk.tls.keyLimits: entry = AES/GCM/NoPadding KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472
javax.net.ssl|DEBUG|2024-12-12 17:00:53.075 CET|SSLCipher.java:466|jdk.tls.keyLimits: entry = ChaCha20-Poly1305 KeyUpdate 2^37. CHACHA20-POLY1305:KEYUPDATE = 137438953472
javax.net.ssl|WARNING|2024-12-12 17:00:57.306 CET|NamedGroup.java:297|No AlgorithmParameters for x25519 (
"throwable" : {
java.security.NoSuchAlgorithmException: Algorithm x25519 not available
at java.base/javax.crypto.KeyAgreement.getInstance(KeyAgreement.java:194)
...
)
javax.net.ssl|WARNING|2024-12-12 17:00:57.316 CET|NamedGroup.java:297|No AlgorithmParameters for x448 (
"throwable" : {
java.security.NoSuchAlgorithmException: Algorithm x448 not available
at java.base/javax.crypto.KeyAgreement.getInstance(KeyAgreement.java:194)
...
)
javax.net.ssl|WARNING|2024-12-12 17:00:57.322 CET|SignatureScheme.java:296|Signature algorithm, Ed25519, is not supported by the underlying providers
javax.net.ssl|WARNING|2024-12-12 17:00:57.323 CET|SignatureScheme.java:296|Signature algorithm, Ed448, is not supported by the underlying providers
javax.net.ssl|INFO|2024-12-12 17:00:57.445 CET|AlpnExtension.java:182|No available application protocols
javax.net.ssl|DEBUG|2024-12-12 17:00:57.446 CET|SSLExtensions.java:272|Ignore, context unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|2024-12-12 17:00:57.447 CET|SessionTicketExtension.java:408|Stateless resumption supported
javax.net.ssl|DEBUG|2024-12-12 17:00:57.450 CET|SSLExtensions.java:272|Ignore, context unavailable extension: cookie
javax.net.ssl|DEBUG|2024-12-12 17:00:57.755 CET|SSLExtensions.java:272|Ignore, context unavailable extension: renegotiation_info
javax.net.ssl|DEBUG|2024-12-12 17:00:57.756 CET|PreSharedKeyExtension.java:661|No session to resume.
javax.net.ssl|DEBUG|2024-12-12 17:00:57.756 CET|SSLExtensions.java:272|Ignore, context unavailable extension: pre_shared_key
javax.net.ssl|DEBUG|2024-12-12 17:00:57.789 CET|ClientHello.java:641|Produced ClientHello handshake message (
"ClientHello": {
"client version" : "TLSv1.2",
"random" : "AD7E649F326AE997D6BCF2B2BAE7D019A665797892B091C0CF90F8F60A64399C",
"session id" : "F475C1E0041E5A8BDC270BE3252E06EFC7CD830A18A6C61A1319BD84C34603D4",
"cipher suites" : "[TLS_AES_256_GCM_SHA384(0x1302), TLS_AES_128_GCM_SHA256(0x1301), TLS_CHACHA20_POLY1305_SHA256(0x1303), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCAA), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
"compression methods" : "00",
"extensions" : [
"server_name (0)": {
type=host_name (0), value=dnug.collab.cloud
},
"status_request (5)": {
"certificate status type": ocsp
"OCSP status request": {
"responder_id": <empty>
"request extensions": {
<empty>
}
}
},
"supported_groups (10)": {
"versions": [ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
},
"ec_point_formats (11)": {
"formats": [uncompressed]
},
"status_request_v2 (17)": {
"cert status request": {
"certificate status type": ocsp_multi
"OCSP status request": {
"responder_id": <empty>
"request extensions": {
<empty>
}
}
}
},
"extended_master_secret (23)": {
<empty>
},
"session_ticket (35)": {
<empty>
},
"signature_algorithms (13)": {
"signature schemes": [rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, rsa_sha224, dsa_sha224, rsa_pkcs1_sha1, dsa_sha1]
},
"supported_versions (43)": {
"versions": [TLSv1.3, TLSv1.2]
},
"psk_key_exchange_modes (45)": {
"ke_modes": [psk_dhe_ke]
},
"signature_algorithms_cert (50)": {
"signature schemes": [rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, rsa_sha224, dsa_sha224, rsa_pkcs1_sha1, dsa_sha1]
},
"key_share (51)": {
"client_shares": [
{
"named group": ffdhe2048
"key_exchange": {
0000: CA 1D A2 35 A2 7A 8A A6 DD 8F 8B 96 C3 76 D6 4D ...5.z.......v.M
0010: D7 3E 20 B8 E8 B3 72 2B B0 DF A8 E2 47 FB 8B 96 .> ...r+....G...
0020: 66 4E 7F 9A A8 82 84 BF 45 45 3A 28 1D 77 BC F0 fN......EE:(.w..
0030: 92 B3 1C 64 52 94 B5 EE 43 FC C9 0B 52 26 AE 59 ...dR...C...R&.Y
0040: AE 1E 89 E7 C2 DB 35 C7 9B 83 0F C7 89 37 33 0C ......5......73.
0050: CE CB A3 E4 01 EB 7C 1B D9 3A F1 FE 2F D1 CA 71 .........:../..q
0060: D1 2C 1A 8A CF 11 82 E3 81 73 E4 D3 B9 5B EA 7E .,.......s...[..
0070: 23 A5 E3 B0 25 8D 31 21 4C 63 68 DD F9 01 E2 75 #...%.1!Lch....u
0080: DC 34 01 AA D4 3B 89 88 E3 05 86 9F 52 DB 76 07 .4...;......R.v.
0090: 33 CF 43 34 01 3C E9 30 4B 71 5D AC 65 6E F4 07 3.C4.<.0Kq].en..
00A0: 1E D6 32 49 74 3F 29 DC 39 0F 4E 07 A1 7B EC C8 ..2It?).9.N.....
00B0: BC F6 5B 46 97 5C 9E B9 AD 6D D7 D8 16 12 DB 36 ..[F.\...m.....6
00C0: BA 1A CD 91 7B 34 DD 75 B7 A9 2A 0A 24 53 F6 E7 .....4.u..*.$S..
00D0: 19 E3 65 E3 1F BD FB 83 EF DD CC 2D FA E4 EA 21 ..e........-...!
00E0: 8A 74 0C A3 B6 71 34 0A D6 C6 8A DF F5 31 B0 B3 .t...q4......1..
00F0: 51 6A 7F 97 A4 A7 7C 50 AE 8E 7E 80 20 13 B9 B8 Qj.....P.... ...
}
},
]
}
]
}
)
javax.net.ssl|DEBUG|2024-12-12 17:00:57.811 CET|Alert.java:238|Received alert message (
"Alert": {
"level" : "fatal",
"description": "handshake_failure"
}
)
javax.net.ssl|ERROR|2024-12-12 17:00:57.814 CET|TransportContext.java:370|Fatal (HANDSHAKE_FAILURE): Received fatal alert: handshake_failure (
"throwable" : {
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
...
)
javax.net.ssl|DEBUG|2024-12-12 17:00:57.815 CET|SSLSocketImpl.java:1759|close the underlying socket
javax.net.ssl|DEBUG|2024-12-12 17:00:57.815 CET|SSLSocketImpl.java:1785|close the SSL connection (passive)
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
...
EDIT: The issue occurs in HCL Notes 14.0.0 (without a Fix Pack) and its JVM 17.0.8.1 executed in a Notes Agent. If the code is executed outside HCL Notes with same JVM, it works as expected. (see comments)
Applying Fix Pack 3 to HCL Notes 14 resolved the issue. The connection can be established with TLSv1.3 as expected. The JVM was also updated with the Fix Pack to IBM Semeru Runtime Open Edition 17.0.12.1 (build 17.0.12+7). I don't know if the updated JVM or something other within HCL Notes 14 was the root cause of the issue.