{"id":6213,"date":"2014-04-13T23:07:35","date_gmt":"2014-04-13T23:07:35","guid":{"rendered":"https:\/\/unknownerror.org\/index.php\/2014\/04\/13\/how-can-i-fix-javax-net-ssl-sslhandshakeexception-no-cipher-suites-in-common-collection-of-common-programming-errors\/"},"modified":"2014-04-13T23:07:35","modified_gmt":"2014-04-13T23:07:35","slug":"how-can-i-fix-javax-net-ssl-sslhandshakeexception-no-cipher-suites-in-common-collection-of-common-programming-errors","status":"publish","type":"post","link":"https:\/\/unknownerror.org\/index.php\/2014\/04\/13\/how-can-i-fix-javax-net-ssl-sslhandshakeexception-no-cipher-suites-in-common-collection-of-common-programming-errors\/","title":{"rendered":"How can I fix javax.net.ssl.SSLHandshakeException: no cipher suites in common?-Collection of common programming errors"},"content":{"rendered":"<ul>\n<li><img decoding=\"async\" src=\"http:\/\/www.gravatar.com\/avatar\/c07e739efbe319c2b71006019ecdd714?s=32&amp;d=identicon&amp;r=PG\" \/><br \/>\nuser1938742<\/p>\n<p>I know that there are many similar threads out there, but none of the solutions presented in these threads helped me, so here comes another one.<\/p>\n<p>I&#8217;ve an Android client communicating with a Java server. I want the communication to be secure so I use SSL. 
However, the handshake fails with the following error:<\/p>\n<p>From logcat:<\/p>\n<pre><code>03-28 03:31:30.171: W\/System.err(1214): javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0xb81201c8: Failure in SSL library, usually a protocol error\n03-28 03:31:30.171: W\/System.err(1214): error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (external\/openssl\/ssl\/s23_clnt.c:741 0xad3cdd5c:0x00000000)\n03-28 03:31:30.181: W\/System.err(1214):     at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:448)\n03-28 03:31:30.181: W\/System.err(1214):     at com.myapp.ServerCon.getSecureSocket(ServerCon.java:362)\n03-28 03:31:30.181: W\/System.err(1214):     at com.myapp.ServerCon.access$0(ServerCon.java:310)\n03-28 03:31:30.181: W\/System.err(1214):     at com.myapp.ServerCon$1.doInBackground(ServerCon.java:283)\n03-28 03:31:30.181: W\/System.err(1214):     at com.myapp.ServerCon$1.doInBackground(ServerCon.java:1)\n03-28 03:31:30.191: W\/System.err(1214):     at android.os.AsyncTask$2.call(AsyncTask.java:288)\n03-28 03:31:30.191: W\/System.err(1214):     at java.util.concurrent.FutureTask.run(FutureTask.java:237)\n03-28 03:31:30.191: W\/System.err(1214):     at android.os.AsyncTask$SerialExecutor$1.run(AsyncTask.java:231)\n03-28 03:31:30.191: W\/System.err(1214):     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)\n03-28 03:31:30.191: W\/System.err(1214):     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)\n03-28 03:31:30.191: W\/System.err(1214):     at java.lang.Thread.run(Thread.java:841)\n03-28 03:31:30.191: W\/System.err(1214): Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0xb81201c8: Failure in SSL library, usually a protocol error\n03-28 03:31:30.191: W\/System.err(1214): error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure 
(external\/openssl\/ssl\/s23_clnt.c:741 0xad3cdd5c:0x00000000)\n03-28 03:31:30.191: W\/System.err(1214):     at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)\n03-28 03:31:30.191: W\/System.err(1214):     at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:405)\n03-28 03:31:30.191: W\/System.err(1214):     ... 10 more\n<\/code><\/pre>\n<p>On the server with java -Djavax.net.debug=ssl,handshake -jar myserver.jar:<\/p>\n<pre><code>adding as trusted cert:\n  Subject: EMAILADDRESS=mymail@ex.com, CN=myname, L=Stockholm, C=SV\n  Issuer:  EMAILADDRESS=mymail@ex.com, CN=myname, L=Stockholm, C=SV\n  Algorithm: RSA; Serial number: 0xe63fe3941be0b4a5\n  Valid from Tue Mar 25 11:40:58 CET 2014 until Wed Mar 25 11:40:58 CET 2015\n\ntrigger seeding of SecureRandom\ndone seeding SecureRandom\n\nAllow unsafe renegotiation: false\nAllow legacy hello messages: true\nIs initial handshake: true\nIs secure renegotiation: false\n    Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for SSLv2Hello\n    Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for SSLv2Hello\n    Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for SSLv2Hello\n    Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for SSLv2Hello\n    Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for SSLv2Hello\n\nIgnoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for SSLv2Hello\nIgnoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for SSLv2Hello\nIgnoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for SSLv3\nIgnoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for SSLv3\nIgnoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for SSLv3\nIgnoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for SSLv3\nIgnoring unsupported cipher suite: 
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for SSLv3\nIgnoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for SSLv3\nIgnoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for SSLv3\nIgnoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1\nIgnoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1\nIgnoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1\nIgnoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1\nIgnoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1\nIgnoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1\nIgnoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1\nIgnoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1\nIgnoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1\nIgnoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1\nIgnoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1\nIgnoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1\nIgnoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1\nIgnoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1\nThread-1, READ: TLSv1 Handshake, length = 179\n*** ClientHello, TLSv1\nRandomCookie:  GMT: 1395989998 bytes = { 111, 250, 184, 147, 57, 151, 111, 1, 186, 199, 20, 220, 158, 177, 180, 53, 61, 151, 68, 38, 40, 140, 252, 173, 103, 147, 144, 88 }\nSession ID:  {}\nCipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, 
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]\nCompression Methods:  { 0 }\nExtension ec_point_formats, formats: [uncompressed, ansiX962_compressed_prime, ansiX962_compressed_char2]\nExtension elliptic_curves, curve names: {sect571r1, sect571k1, secp521r1, sect409k1, sect409r1, secp384r1, sect283k1, sect283r1, secp256k1, secp256r1, sect239k1, sect233k1, sect233r1, secp224k1, secp224r1, sect193r1, sect193r2, secp192k1, secp192r1, sect163k1, sect163r1, sect163r2, secp160k1, secp160r1, secp160r2}\n***\n%% Initialized:  [Session-1, SSL_NULL_WITH_NULL_NULL]\n%% Invalidated:  [Session-1, SSL_NULL_WITH_NULL_NULL]\nThread-1, SEND TLSv1 ALERT:  fatal, description = handshake_failure\nThread-1, WRITE: TLSv1 Alert, length = 2\nThread-1, called closeSocket()\nThread-1, handling exception: javax.net.ssl.SSLHandshakeException: no cipher suites in common\njavax.net.ssl.SSLHandshakeException: no cipher suites in common\n        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)\n        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)\n        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)\n        at 
sun.security.ssl.Handshaker.fatalSE(Handshaker.java:266)\n        at sun.security.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:894)\n        at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:622)\n        at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:167)\n        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)\n        at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)\n        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)\n        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)\n        at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:882)\n        at sun.security.ssl.AppInputStream.read(AppInputStream.java:102)\n        at java.io.InputStream.read(InputStream.java:101)\n        at org.apache.commons.io.IOUtils.copyLarge(IOUtils.java:1792)\n        at org.apache.commons.io.IOUtils.copyLarge(IOUtils.java:1769)\n        at org.apache.commons.io.IOUtils.copy(IOUtils.java:1744)\n        at org.apache.commons.io.IOUtils.toByteArray(IOUtils.java:462)\n        at com.myserver.Listener$ListenerThread.run(Listener.java:88)\n<\/code><\/pre>\n<p>The client code:<\/p>\n<pre><code>private static SSLSocket getSecureSocket() throws IOException {\n    if (sslSocketFactory == null) {\n        try {\n\n            KeyStore truststore = KeyStore.getInstance(\"BKS\");\n            truststore.load(mTruststoreInputStream, STORES_PASSWORD.toCharArray());\n\n            TrustManagerFactory trustManagerFactory = TrustManagerFactory.\n                    getInstance(TrustManagerFactory.getDefaultAlgorithm());\n            trustManagerFactory.init(truststore);\n\n            KeyStore keystore = KeyStore.getInstance(\"BKS\");\n            keystore.load(mKeystoreInputStream, STORES_PASSWORD.toCharArray());\n\n            KeyManagerFactory keyManagerFactory = KeyManagerFactory.\n                    
getInstance(KeyManagerFactory.getDefaultAlgorithm());\n            keyManagerFactory.init(keystore, STORES_PASSWORD.toCharArray());\n\n            sslSocketFactory = new SSLSocketFactory(SSLSocketFactory.TLS,\n                    keystore, STORES_PASSWORD, truststore, null, null);\n        } catch (KeyStoreException e) {\n            e.printStackTrace();\n            return null;\n        } catch (CertificateException e) {\n            e.printStackTrace();\n            return null;\n        } catch (NoSuchAlgorithmException e) {\n            e.printStackTrace();\n            return null;\n        } catch (IOException e) {\n            e.printStackTrace();\n            return null;\n        } catch (UnrecoverableKeyException e) {\n            e.printStackTrace();\n            return null;\n        } catch (KeyManagementException e) {\n            e.printStackTrace();\n            return null;\n        }\n    }\n\n    SSLSocket socket = (SSLSocket) sslSocketFactory.createSocket();\n    Log.d(TAG, \"Trying to connect socket to \" + IP + \" on port \" + PORT + \".\");\n    socket.connect(new InetSocketAddress(IP, PORT));\n    return socket;\n}\n\npublic static void test() {\n        new AsyncTask&lt;Void, Void, Void&gt;() {\n\n            @Override\n            protected Void doInBackground(Void... 
arg0) {\n                try {\n                    SSLSocket socket = getSecureSocket();\n                    OutputStream os = socket.getOutputStream();\n                    String data = \"A big step for man, a small step for mankind\";\n                    byte[] bytes = data.getBytes();\n                    os.write(bytes);\n                } catch (IOException e) {\n                    e.printStackTrace();\n                }\n                return null;\n            }\n\n        }.execute();\n    }\n<\/code><\/pre>\n<p>The server code:<\/p>\n<pre><code>public SSLServerSocket createServerSocket() {\n        try {\n            KeyStore keystore = KeyStore.getInstance(\"JKS\");\n            FileInputStream keystoreInputStream = new FileInputStream(KEYSTORE_NAME);\n            keystore.load(keystoreInputStream, STORES_PASSWORD.toCharArray());\n            KeyStore truststore = KeyStore.getInstance(\"JKS\");\n            FileInputStream truststoreInputStream = new FileInputStream(TRUSTSTORE_NAME);\n            truststore.load(truststoreInputStream, STORES_PASSWORD.toCharArray());\n            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(\"PKIX\", \"SunJSSE\");\n            trustManagerFactory.init(truststore);\n            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(\"SunX509\", \"SunJSSE\");\n            keyManagerFactory.init(keystore, STORES_PASSWORD.toCharArray());\n            X509ExtendedKeyManager x509KeyManager = null;\n            for (KeyManager keyManager : keyManagerFactory.getKeyManagers()) {\n                if (keyManager instanceof X509KeyManager) {\n                    x509KeyManager = (X509ExtendedKeyManager) keyManager;\n                    break;\n                }\n            }\n            if (x509KeyManager == null) {\n                debug(\"Searched for x509 key managers but found none.\");\n                throw new NullPointerException();\n            }\n            
X509ExtendedTrustManager x509TrustManager = null;\n            for (TrustManager trustManager : trustManagerFactory.getTrustManagers()) {\n                if (trustManager instanceof X509TrustManager) {\n                    x509TrustManager = (X509ExtendedTrustManager) trustManager;\n                }\n            }\n            if (x509TrustManager == null) {\n                debug(\"Searched for x509 trust managers but found none.\");\n                throw new NullPointerException();\n            }\n            SSLContext sslContext = SSLContext.getInstance(\"TLS\");\n            KeyManager[] keyManagers = { x509KeyManager };\n            TrustManager[] trustManagers = { x509TrustManager };\n            sslContext.init(keyManagers, trustManagers, null);\n            SSLServerSocketFactory sslServerSocketFactory = sslContext.getServerSocketFactory();\n            SSLServerSocket serverSocket = (SSLServerSocket) sslServerSocketFactory.createServerSocket(PORT);\n            serverSocket.setNeedClientAuth(true);\n            \/* Force TLS 1.0, this will disable i.e SSL2 which is insecure. 
*\/\n            \/\/serverSocket.setEnabledProtocols(new String[] { \"TLSv1\" });\n            return serverSocket;\n        } catch (NullPointerException e) {\n            e.printStackTrace();\n        } catch (FileNotFoundException e) {\n            e.printStackTrace();\n        } catch (NoSuchAlgorithmException e) {\n            e.printStackTrace();\n        } catch (NoSuchProviderException e) {\n            e.printStackTrace();\n        } catch (UnrecoverableKeyException e) {\n            e.printStackTrace();\n        } catch (KeyStoreException e) {\n            e.printStackTrace();\n        } catch (CertificateException e) {\n            e.printStackTrace();\n        } catch (IOException e) {\n            e.printStackTrace();\n        } catch (KeyManagementException e) {\n            e.printStackTrace();\n        }\n        return null;\n    }\n\nwhile (true) {\n    try {\n        debug(\"Listening for incoming connections...\");\n        SSLSocket clientSocket = (SSLSocket) serverSocket.accept();\n        \/\/ Handle connection in a separate thread.\n        ListenerThread thread = new ListenerThread(clientSocket);\n        thread.start();\n    } catch (IOException e) {\n        e.printStackTrace();\n    }\n}\n<\/code><\/pre>\n<p>I generated my certificates as follows:<\/p>\n<p>Generated my keys with openssl:<\/p>\n<pre><code>openssl genrsa -des3 -out client_key.pem 4096\nopenssl genrsa -des3 -out server_key.pem 4096\n<\/code><\/pre>\n<p>CSR:<\/p>\n<pre><code>openssl req -new -x509 -key client_key.pem -out client_cert.pem -days 365\nopenssl req -new -x509 -key server_key.pem -out server_cert.pem -days 365\n<\/code><\/pre>\n<p>Used portecle to convert to bks. First, opened portecle and created a new bks-file. Imported server_cert.pem and saved as truststore.bks. 
Next, combined the client cert and keyfile<\/p>\n<pre><code>cat client_cert.pem client_key.pem &gt; client.pem\n<\/code><\/pre>\n<p>Used openssl to generate a pkcs12-file<\/p>\n<pre><code>openssl pkcs12 -export -in client.pem -out client.pkcs12 -name \"client\"\n<\/code><\/pre>\n<p>Created a new bks-file in portecle. Imported client.pkcs12 and saved as client.bks (this is my server keystore).<\/p>\n<p>These two files were imported into the Android project and loaded from \/res\/raw<\/p>\n<p>Server certs were created in the same way, but I used portecle to export as jks instead. The server keystore contains the server.pkcs12 and the server truststore contains the client certificate (client_cert.pem).<\/p>\n<p>Any help would be greatly appreciated!<\/p>\n<\/li>\n<li><img decoding=\"async\" src=\"http:\/\/www.gravatar.com\/avatar\/5cfe5f7d64f44be04f147295f5c7b88e?s=32&amp;d=identicon&amp;r=PG\" \/><br \/>\nEJP<\/p>\n<p>This can only happen if one end or the other changes the enabled cipher suites. The simple solution is not to do that.<\/p>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>user1938742 I know that there are many similar threads out there, but none of the solutions presented in these threads helped me, so here comes another one. I&#8217;ve an Android client communicating with a Java server. I want the communication to be secure so I use SSL. 
However, the handshake fails with the following error: [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-6213","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts\/6213","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/comments?post=6213"}],"version-history":[{"count":0,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts\/6213\/revisions"}],"wp:attachment":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/media?parent=6213"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/categories?post=6213"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/tags?post=6213"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}