REST method giving a SSL handshake error - fatal alert: handshake_failure

Document ID : KB000074760
Last Modified Date : 15/05/2018
Show Technical Document Details
Issue:
When using the REST step I am receiving a SSL handshake failure.
The same process works in the REST client Postman and in Fiddler after configuring https.protocols=TLSv1.2.
The following exception is received with DevTest Workstation, REST step.
============================================================================
| HTTP
============================================================================
| Message: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
----------------------------------------------------------------------------
| Trapped Exception: Received fatal alert: handshake_failure
| Trapped Message: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
----------------------------------------------------------------------------
STACK TRACE javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:535)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:403)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection
Environment:
Devtest 10.1, 10.2 and 10.3
Cause:
From the HTTP/SSL debug log, looks like Server immediately throws handshake failure when Client Hello is done. It seems to be SNI issue. 
There is a known issue with Java 8 supporting SNI correctly in all versions before 8u152.
Versions after this should function correctly, but versions prior to this may not send SNI information when expected. 
 
Resolution:
Here are the steps you can follow to update the jre with DevTest installation. 
1. Download Java SE Development Kit 8u152. You can use the link below: 
http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html 
2. After the download, open the jdk exe file and install it on your environment. 
3. Stop DevTest Workstation. 
4. Go to $LISA_HOME and rename the folder jre to jre_old.
4. When the installation is completed, go to where the new JDK was installed and copy the jre folder. Usually the new JDK will be installed under C:\Program Files\Java\jdk1.8.0_152. 
5. Place the new jre folder under $LISA_HOME. 
6. You will need to copy the following files from the jre_old to the new jre folder: 
From $LISA_HOME/jre_old/lib/ext/, copy tools.jar to $LISA_HOME/jre/lib/ext/. 
From $LISA_HOME/jre_old/lib/security/, copy local_policy.jar and US_export_policy.jar to $LISA_HOME/jre/lib/security/. 
7. Start DevTest Workstation. 
8. Try to send the request to your target URL. You should get a successful response this time.
Additional Information:
If the issue is happening in the Simulators, VSE then all the DevTest components need to follow the above steps.
For more information regarding SNI, please refer to the link below:
https://communities.ca.com/docs/DOC-231172116-of-ssl-java-and-devtest