Ramandeep Singh Nanda

Tue 31 March 2015


Handling and Identifying SSL Handshake errors

SSL handshake errors can occur due to various reasons such as Self Signed certificate, unavailability of protocol or cipher suite requested by client or server, etc.  Recently I faced this issue where I was connecting to third party server using HttpClient library.  Here’s what I did to identify the cause:-

Firstly, I enabled the debug flag for SSL,handshake and failure on javax.net packages.


On examining the logs, I could see that the third party site was expecting a cipher key of 256 bits and the only supported keys in my glassfish server were of 128 bits length.  As it happens,  this occurs because OOTB java 6, 7 or 8 support only 128 bit encryption keys. To enable 256 or higher bit key length , you need to download the *Java Cryptography Extension* (*JCE*) *Unlimited* Strength Jurisdiction Policy Files which essentially contains two jars i.e US_export_policy.jar and local_policy.jar and place them in <JRE_HOME>/lib/security/ directory and restart the server to enable higher bit encryption keys.

The above step will enable  256 bit or higher bit encryption keys and will ensure that you do not face SSL Handshake errors due to key strength.

You can download the Policy files from the following links.

JCE Unlimited for java 6

JCE Unlimited for java 7

JCE Unlimited for java 8

Go Top
comments powered by Disqus