javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

There are multiple possible reasons for an SSL handshake failure. When this error appears in the logs, first verify on the server side whether the SSL configuration is 2-way SSL (mutual authentication) or 1-way SSL.

SSL Handshake Issue troubleshooting:

Make sure the public keys [trusted certificates (root and intermediate)] are imported into the client truststore.

For 2-way SSL, the signer certificates must be imported on both sides.

If the server side enforces the certificate, the server certificate also needs to be imported into the client truststore.

Both sides must have at least one allowed protocol in common (e.g. TLS 1.2) and at least one cipher suite in common.

If any of the above is not satisfied, make the changes accordingly, e.g. import the signers into the truststore:

keytool -import -file /tmp/root.cer -alias root -keystore /pathToSSL/***.jks then press Enter and provide the keystore password.

In some cases we cannot figure out what the issue is. Then enable SSL debugging using the parameter below in the startup script or in the server JVM arguments, and restart the JVM:

-Djavax.net.debug=ssl:handshake:verbose

Once restarted, test the connectivity. The logs will now contain the full debug statements, including which trusted certificates were loaded. Every step of the SSL handshake is printed. Refer to the handshake table below to get a better idea.

Exception:

*** ClientHello, TLSv1.2
..

Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension extended_master_secret
Extension renegotiation_info, renegotiated_connection: b7:c5:d2:43:3b:dd:24:c8:33:41:15:8b

***
[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)', WRITE: TLSv1.2 Handshake, length = 288
[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)', WRITE: TLSv1.2 Application Data, length = 384
[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)', WRITE: TLSv1.2 Application Data, length = 1808

[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)', RECV TLSv1.2 ALERT: fatal, handshake_failure
%% Invalidated: [Session-3, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)', called closeSocket()
[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)', handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

In the output above the handshake failed because rejectClientNegotiation is set to true on the server side, while the client attempted renegotiation (note the renegotiation_info extension carrying data from the existing connection) across multiple calls; that is the point at which it failed.

Now you can match every step in the SSL handshake debug log against the attached screenshot to see at which step the failure happened.
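As an added example (not part of the original post), the following Python script parses a javax.net.debug=ssl:handshake:verbose trace like the one above and reports the step at which the handshake stopped. The sample trace is constructed, and the diagnose() rules are an assumption that maps the failure point onto the checklist at the top of this post.

```python
import re
# Constructed sample, modelled on the page's ssl:handshake:verbose output (not a real capture).
SAMPLE_LOG = """\
*** ClientHello, TLSv1.2
Extension renegotiation_info, renegotiated_connection: b7:c5:d2:43:3b:dd:24:c8
***
[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)', WRITE: TLSv1.2 Handshake, length = 288
[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)', WRITE: TLSv1.2 Application Data, length = 384
[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)', RECV TLSv1.2 ALERT: fatal, handshake_failure
"""

MSG_RE = re.compile(r"^\*\*\* (\w+)(?:, (TLSv[\d.]+))?")       # "*** ClientHello, TLSv1.2"
RENEG_RE = re.compile(r"^Extension renegotiation_info, renegotiated_connection: (\S+)")
EXT_RE = re.compile(r"^Extension (\w+)")
RECORD_RE = re.compile(r"(WRITE|READ|RECV):? (TLSv[\d.]+) (Handshake|Application Data|ALERT)(?:: (\w+), (\w+))?")

def analyze_handshake_log(text):
    """Summarise the trace: messages seen, extensions offered, last record before the alert, and the alert."""
    s = {"protocol": None, "messages": [], "extensions": [], "renegotiation": False,
         "last_record": None, "alert": None}
    for line in text.splitlines():
        if m := MSG_RE.match(line):
            s["messages"].append(m.group(1))
            s["protocol"] = s["protocol"] or m.group(2)
        elif m := RENEG_RE.match(line):
            s["extensions"].append("renegotiation_info")
            s["renegotiation"] = m.group(1) != "<empty>"   # data present => this is a renegotiation
        elif m := EXT_RE.match(line):
            s["extensions"].append(m.group(1))
        elif m := RECORD_RE.search(line):
            direction, _ver, kind, level, desc = m.groups()
            if kind == "ALERT":
                s["alert"] = {"level": level, "description": desc, "after": s["last_record"]}
            else:
                s["last_record"] = f"{direction} {kind}"
    return s

def diagnose(s):
    """Map the failure point onto the checklist above (heuristic rules, an assumption)."""
    if s["alert"] is None:
        return "no fatal alert in trace"
    if "ServerHello" not in s["messages"]:
        if s["renegotiation"]:
            return "client-initiated renegotiation rejected by the server"
        return "ClientHello rejected: no common protocol or cipher suite"
    if "Certificate" in s["messages"]:
        return "failure after certificates were exchanged: check truststore signers on both sides"
    return f"failure after {s['alert']['after']}"
```

Run diagnose(analyze_handshake_log(open("server.log").read())) against a real trace; with the sample above it reports the renegotiation rejection described in this post.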
