Getting handshake failure when making API calls using ReadyAPI

We are getting a handshake failure when we make API calls using ReadyAPI.

Wed Jun 28 10:10:20 CDT 2017:ERROR:Exception in request: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Wed Jun 28 10:10:20 CDT 2017:ERROR:An error occurred [Received fatal alert: handshake_failure], see error log for details
Wed Jun 28 10:10:20 CDT 2017:INFO:Error getting response for [https://test-us-api.experian.com.Vinspecifications:Request 1]; javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

The Error log had the following stacktrace:

Wed Jun 28 10:10:20 CDT 2017:ERROR:javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
   javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
   	at sun.security.ssl.Alerts.getSSLException(Unknown Source)
   	at sun.security.ssl.Alerts.getSSLException(Unknown Source)
   	at sun.security.ssl.SSLSocketImpl.recvAlert(Unknown Source)
   	at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
   	...<snipped>

We are using Java 8, but we still get the same error. However, if we make the API calls using the Postman client, we get a successful response (200) from the API.

Can you please help us understand why we are getting the handshake failure only when we run using ReadyAPI?

1 ACCEPTED SOLUTION

  1. Since we were getting the SSL handshake failure, collected the tcpdumps on the Edge Routers when the calls were made via ReadyAPI
    tcpdump -i any -s 0 host <IP address of the host having ReadyAPI > -w <filename-to-capture-networkpackets>
    	
  2. Analysed the tcpdump and found the following information:
    • ReadyAPI sent a ClientHello message to the Edge's Router
    • Protocol used by ReadyAPI was TLSv1.2, and it was accepted by the Router
    • However, there were no ciphers sent by the ReadyAPI that matched to the ciphers that were available with the router
    • So Router sends an Alert - handshake failure
      Content Type: Alert (21)
      Version: TLSv1.2 (0x303)
      Length: 2
      Alert Message
      Level: Fatal (2)
      Description: Handshake Failure (40)
      		
  3. Next, we made a call with Postman Client. As said earlier, the call succeeded. Analysed the TCPDump and found the below information:
    • Protocol TLSv1.2 matched
    • Router and Client agreed to use the matching cipher
      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  4. Checked the list of ciphers sent by the ReadyAPI in the tcpdump and found that the above cipher was not there.
  5. Checked the Nginx conf file (0-default.conf) and noted that the ciphers supported are HIGH:
    • "High" encryption cipher suites. This currently means those with key lengths larger than 128 bits, and some cipher suites with 128-bit keys.
    • Checked the list of ciphers supported by the Edge Router/Nginx here
  6. After this, we ran a simple Java program that lists the ciphers supported by the Java 8 used within ReadyAPI. We found that it was not supporting the High encryption cipher suites.
  7. This indicated that Java 8 by default will not have all the cipher suites.
  8. We had to download and include the Java Cryptography Extension (JCE) to Java installation to support High encryption cipher suites.
  9. After this, we restarted ReadyAPI (using readyapi.bat). The High encryption cipher suites were picked up from JCE and the calls started working successfully.
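
The check described in step 6, as an added example (not the poster's original program): it reports the AES key-length limit and the TLS cipher suites of whichever Java runtime executes it, then looks for the suite the router negotiated with Postman. The class name `CipherCheck` is an assumption; run it with the `java` binary of the runtime ReadyAPI uses, otherwise it inspects a different installation.

```java
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import java.util.Arrays;
import java.util.List;

public class CipherCheck {
    // Suite the router negotiated with Postman (step 3 of the answer).
    // Pass other suite names as arguments to check those instead.
    static final String DEFAULT_WANTED = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384";

    public static void main(String[] args) throws Exception {
        // Confirm which runtime is actually being inspected.
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.home    = " + System.getProperty("java.home"));

        // Integer.MAX_VALUE means the unlimited-strength policy is active;
        // 128 means the limited policy still caps AES key length.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("Max AES key length = "
                + (maxAes == Integer.MAX_VALUE ? "unlimited" : maxAes + " bits"));

        // Default JSSE context, with no custom key or trust managers.
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null);
        List<String> enabled = Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites());
        List<String> supported = Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites());

        System.out.println("Enabled by default (" + enabled.size() + "):");
        for (String suite : enabled) {
            System.out.println("  " + suite);
        }

        List<String> wanted = args.length > 0 ? Arrays.asList(args)
                : Arrays.asList(DEFAULT_WANTED);
        boolean allEnabled = true;
        for (String suite : wanted) {
            String state = enabled.contains(suite) ? "enabled"
                    : supported.contains(suite) ? "supported but not enabled"
                    : "NOT AVAILABLE";
            System.out.println(suite + " -> " + state);
            allEnabled &= enabled.contains(suite);
        }
        // Non-zero exit lets a script flag a runtime that cannot offer the suite.
        System.exit(allEnabled ? 0 : 1);
    }
}
```

Running it before and after installing the JCE policy files shows whether the change took effect in that runtime; the list printed is the JSSE default, so the ClientHello in a fresh capture remains the final confirmation of what ReadyAPI actually offers.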
