SSLException Received Fatal Alert
dmattrm Dec 9, 2014 11:04 PM

I am attempting to integrate as an HTTPS Web Service client running on JBOSS EAP 6.1, Apache CXF 3, JDK 1.7 and I keep getting this error. I've created my keystore and truststore. It doesn't appear I have things configured correctly on the client side because it's not actually getting any Hello message from the server. Can anyone point me in the right direction?
13:48:12,612 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
13:48:12,613 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
13:48:12,614 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
13:48:12,615 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
13:48:12,616 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
13:48:12,617 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
13:48:12,617 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_ECDH_anon_WITH_AES_256_CBC_SHA
13:48:12,618 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA
13:48:12,619 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
13:48:12,620 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA256
13:48:12,621 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
13:48:12,622 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
13:48:12,623 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
13:48:12,623 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
13:48:12,624 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
13:48:12,625 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
13:48:12,626 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
13:48:12,726 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
13:48:12,727 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
13:48:12,728 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
13:48:12,729 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
13:48:12,730 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
13:48:12,731 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
13:48:12,731 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
13:48:12,732 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
13:48:12,733 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
13:48:12,734 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
13:48:12,734 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
13:48:12,735 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
13:48:12,735 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
13:48:12,736 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
13:48:12,737 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
13:48:12,737 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
13:48:12,738 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
13:48:12,739 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
13:48:12,740 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
13:48:12,741 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
13:48:12,742 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
13:48:12,759 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Allow unsafe renegotiation: false
13:48:12,761 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Allow legacy hello messages: true
13:48:12,762 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Is initial handshake: true
13:48:12,762 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Is secure renegotiation: false
13:48:12,764 INFO [stdout] (http-example.com/10.61.198.114:8080-2) http-example.com/10.61.198.114:8080-2, setSoTimeout(60000) called
13:48:12,766 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv3
13:48:12,767 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv3
13:48:12,768 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for SSLv3
13:48:12,769 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv3
13:48:12,770 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for SSLv3
13:48:12,772 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv3
13:48:12,773 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for SSLv3
13:48:12,774 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
13:48:12,775 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
13:48:12,777 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
13:48:12,778 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
13:48:12,809 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
13:48:12,810 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
13:48:12,810 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1
13:48:12,812 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
13:48:12,812 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
13:48:12,813 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
13:48:12,814 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
13:48:12,814 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
13:48:12,815 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
13:48:12,816 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
13:48:12,820 INFO [stdout] (http-example.com/10.61.198.114:8080-2) %% No cached client session
13:48:12,827 INFO [stdout] (http-example.com/10.61.198.114:8080-2) *** ClientHello, TLSv1
13:48:12,829 INFO [stdout] (http-example.com/10.61.198.114:8080-2) RandomCookie: GMT: 1401384476 bytes = { 19, 2, 165, 94, 47, 172, 204, 147, 160, 102, 93, 255, 3, 249, 103, 124, 199, 138, 248, 125, 188, 15, 27, 179, 109, 121, 148, 78 }
13:48:12,830 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Session ID: {}
13:48:12,830 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_KRB5_WITH_RC4_128_SHA, TLS_KRB5_WITH_RC4_128_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA, TLS_KRB5_EXPORT_WITH_RC4_40_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5]
13:48:12,844 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Compression Methods: { 0 }
13:48:12,845 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
13:48:12,848 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Extension ec_point_formats, formats: [uncompressed]
13:48:12,848 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Extension server_name, server_name: [host_name: example.com]
13:48:12,849 INFO [stdout] (http-example.com/10.61.198.114:8080-2) ***
13:48:12,850 INFO [stdout] (http-example.com/10.61.198.114:8080-2) http-example.com/10.61.198.114:8080-2, WRITE: TLSv1 Handshake, length = 221
13:48:12,853 INFO [stdout] (http-example.com/10.61.198.114:8080-2) http-example.com/10.61.198.114:8080-2, READ: TLSv1 Alert, length = 2
13:48:12,855 INFO [stdout] (http-example.com/10.61.198.114:8080-2) http-example.com/10.61.198.114:8080-2, RECV TLSv1 ALERT: fatal, unexpected_message
13:48:12,856 INFO [stdout] (http-example.com/10.61.198.114:8080-2) http-example.com/10.61.198.114:8080-2, called closeSocket()
13:48:12,856 INFO [stdout] (http-example.com/10.61.198.114:8080-2) http-example.com/10.61.198.114:8080-2, handling exception: javax.net.ssl.SSLException: Received fatal alert: unexpected_message
13:48:12,858 INFO [stdout] (http-example.com/10.61.198.114:8080-2) http-example.com/10.61.198.114:8080-2, called close()
13:48:12,858 INFO [stdout] (http-example.com/10.61.198.114:8080-2) http-example.com/10.61.198.114:8080-2, called closeInternal(true)
Here is my cxf config:
<http:conduit name="*.http-conduit">
    <http:tlsClientParameters>
        <sec:keyManagers keyPassword="changeit">
            <sec:keyStore type="JKS" password="changeit"
                          file="d:/keystore/test.jks"/>
        </sec:keyManagers>
        <sec:trustManagers>
            <sec:keyStore type="JKS" password="changeit"
                          file="d:/Java/lib/security/cacerts"/>
        </sec:trustManagers>
        <sec:cipherSuitesFilter>
            <!-- these filters ensure that a ciphersuite with
                 export-suitable or null encryption is used,
                 but exclude anonymous Diffie-Hellman key exchange as
                 this is vulnerable to man-in-the-middle attacks -->
            <sec:include>.*_EXPORT_.*</sec:include>
            <sec:include>.*_EXPORT1024_.*</sec:include>
            <sec:include>.*_WITH_DES_.*</sec:include>
            <sec:include>.*_WITH_AES_.*</sec:include>
            <sec:include>.*_WITH_NULL_.*</sec:include>
            <sec:exclude>.*_DH_anon_.*</sec:exclude>
        </sec:cipherSuitesFilter>
    </http:tlsClientParameters>
    <http:authorization>
        <sec:UserName>username</sec:UserName>
        <sec:Password>password</sec:Password>
    </http:authorization>
    <http:client AutoRedirect="true" Connection="Keep-Alive"/>
</http:conduit>
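
An added example (not part of the original post, and not CXF's own code): a small Python triage script for a javax.net.debug trace like the one above. It pulls out the ClientHello version, the offered suites and the received alert, then checks each offered suite against the include/exclude patterns from the posted cipherSuitesFilter. It assumes a suite is kept when it fully matches any include and no exclude; the trace is a constructed, shortened copy of the one in the post, and the WEAK pattern is this example's own choice.

```python
import re

# Patterns copied from the <sec:cipherSuitesFilter> in the post.
INCLUDES = [r".*_EXPORT_.*", r".*_EXPORT1024_.*", r".*_WITH_DES_.*",
            r".*_WITH_AES_.*", r".*_WITH_NULL_.*"]
EXCLUDES = [r".*_DH_anon_.*"]
# This example's own notion of "weak": export, null, anonymous, DES, RC4, MD5.
WEAK = re.compile(r"EXPORT|NULL|anon|_DES_|DES40|RC4|MD5")

# Constructed sample: shortened copy of the trace in the post (5 of its suites).
SAMPLE_TRACE = """\
13:48:12,827 INFO [stdout] (http-example.com/10.61.198.114:8080-2) *** ClientHello, TLSv1
13:48:12,830 INFO [stdout] (http-example.com/10.61.198.114:8080-2) Cipher Suites: [TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5]
13:48:12,855 INFO [stdout] (http-example.com/10.61.198.114:8080-2) http-example.com/10.61.198.114:8080-2, RECV TLSv1 ALERT: fatal, unexpected_message
"""


def filter_allows(suite):
    """Assumed semantics: full match on any include and on no exclude."""
    included = any(re.fullmatch(p, suite) for p in INCLUDES)
    excluded = any(re.fullmatch(p, suite) for p in EXCLUDES)
    return included and not excluded


def audit(trace):
    """Summarise the first ClientHello and the first alert in a debug trace."""
    hello = re.search(r"\*\*\* ClientHello, (\S+)", trace)
    suites = re.search(r"Cipher Suites: \[([^\]]*)\]", trace)
    alert = re.search(r"RECV (\S+) ALERT:\s*(\w+),\s*(\w+)", trace)
    names = suites.group(1).split(",") if suites else []
    offered = [s.strip() for s in names if s.strip()]
    return {
        "hello_version": hello.group(1) if hello else None,
        "alert": alert.groups() if alert else None,
        "offered": offered,
        # Offered on the wire but not permitted by the configured filter.
        "outside_filter": [s for s in offered if not filter_allows(s)],
        # Offered on the wire and weak by this example's WEAK pattern.
        "weak": [s for s in offered if WEAK.search(s)],
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

Under the stated assumption, any suite listed in outside_filter means the ClientHello in the trace was not restricted by these include/exclude patterns, which is worth checking before looking at the server side.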