Getting handshake_failure error with JavaScript Policy

When we execute the JavaScript TestCallout.js, we get a 500 error with the error message: "Received fatal alert: handshake_failure (TestCallOut_js#7)" as shown below:

{"fault":{"faultstring":"Execution of TestCallOut failed with error: Exception thrown from JavaScript : Error executing callout!Received fatal alert: handshake_failure (TestCallOut_js#7)","detail":{"errorcode":"steps.javascript.ScriptExecutionFailed"}}}

We receive this error only for certain URLs but not for others. For example, it works for 'https://httpbin.org/json' but not for 'https://<hostname1>/api/people/' or 'https://<hostname2>/api/users'.

ACCEPTED SOLUTION

  1. Followed the instructions provided in the TLS/SSL Handshake Failure playbook.
  2. Collected a tcpdump and analyzed the packets.
  3. The protocols matched.
  4. Next, followed the steps given here in the same playbook and used the openssl command on hostname1 and hostname2 as follows:
     openssl s_client -connect <hostname1>:443

     CONNECTED(00000006)
     4604343916:error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/ssl/ssl_pkt.c:1205:SSL alert number 40
     4604343916:error:140040E5:SSL routines:CONNECT_CR_SRVR_HELLO:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/ssl/ssl_pkt.c:585:
  5. Since I got the error, I retried the openssl command with the -servername option as follows:
     openssl s_client -connect <hostname1>:443 -servername <hostname1>

  6. This worked fine without any errors.
  7. Repeated steps 4 and 5 with hostname2 and observed the same behaviour.
  8. This indicated that hostname1 and hostname2 were SNI-enabled target servers, but the Message Processors were not enabled to talk to SNI servers.
  9. Followed the steps given in the Resolution section here under the same playbook and enabled the MPs to talk to SNI servers.
  10. With this, we were able to resolve the issue.
