
Wednesday, May 27, 2015

javax.net.ssl.SSLException: Received fatal alert: unexpected_message

This looks like a protocol version mismatch: the exception normally occurs when the SSL/TLS protocol version used by the client differs from the versions the server accepts. Your clients should use a protocol version supported by the server.

You could probably enable the SSLv2 protocol in the JVM, but that is a serious security risk. The clients are using an outdated and insecure protocol and should be updated to TLSv1.1 or TLSv1.2.

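Below are ways to resolve the error javax.net.ssl.SSLException: Received fatal alert: unexpected_message. Note that the last snippet makes the client accept any server certificate and any host name, so the server is no longer authenticated.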


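// Limit HttpsURLConnection to a TLS version that is still considered safe.
// SSLv3 and SSLv2Hello are deliberately not listed: SSLv3 is a broken protocol
// that current JDKs disable by default, and offering it again invites downgrade.
// TLSv1 and TLSv1.1 are deprecated as well. If the JVM in use supports TLSv1.3,
// it can be appended to the list ("TLSv1.2,TLSv1.3").
// If the server only speaks an older protocol, the durable fix is to upgrade the
// server rather than to weaken every HTTPS client in this JVM.
System.setProperty("https.protocols", "TLSv1.2");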

OR

// Both properties are JVM-wide switches, so they affect every TLS client in the
// process, not just the one connection that fails.

// Stops the client from sending the Server Name Indication extension in its
// ClientHello. Servers that host several names on one address may then present
// a default certificate that does not match the requested host.
System.setProperty("jsse.enableSNIExtension", "false");

// Turns off elliptic-curve cipher suites in the JSSE provider. This also removes
// the ECDHE suites, so the handshake may fall back to key exchanges without
// forward secrecy. Treat it as a diagnostic step, not a permanent setting.
System.setProperty("com.sun.net.ssl.enableECC", "false");

AND

import javax.net.ssl.*
import java.security.SecureRandom
import java.security.cert.CertificateException
import java.security.cert.X509Certificate;

// Build the connection object for the target URL.
URL endpoint = new URL(requestURL);
HttpsURLConnection connection = (HttpsURLConnection) endpoint.openConnection();

// Installs the accept-all socket factory and host name verifier on this one
// connection. After this call the channel is still encrypted, but the peer's
// certificate chain and host name are not checked, so an on-path attacker can
// impersonate the server. Use only against endpoints you control (for example
// a test system with a self-signed certificate).
setAcceptAllVerifier(connection);

// Cached accept-all socket factory. It starts out unset (null), is created on
// the first call to setAcceptAllVerifier and is reused by later calls.
private static SSLSocketFactory sslSocketFactory;

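/**
 * Configures {@code connection} to skip TLS peer authentication.
 *
 * <p>The connection receives a socket factory whose trust manager accepts every
 * certificate chain, and a host name verifier that accepts every host name. The
 * traffic is still encrypted, but nothing proves who is on the other end, so
 * anyone able to intercept the connection can impersonate the server. Keep this
 * to test endpoints you control. For production, add the server's CA (or the
 * certificate itself) to a trust store and leave the default verification in place.
 *
 * <p>The socket factory is created on the first call and cached in the static
 * {@code sslSocketFactory} field. The lazy initialisation is not synchronised.
 *
 * @param connection the HTTPS connection to reconfigure; must not yet be connected
 * @throws Exception if the SSL context cannot be obtained or initialised
 */
private static void setAcceptAllVerifier(HttpsURLConnection connection) throws Exception {
    if (sslSocketFactory == null) {
        // Trust manager whose check methods never throw: every chain is accepted.
        TrustManager trustManager = new X509TrustManager() {
            @Override
            public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                // Intentionally empty: client certificates are not validated.
            }

            @Override
            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                // Intentionally empty: server certificates are not validated.
            }

            @Override
            public X509Certificate[] getAcceptedIssuers() {
                // The X509TrustManager contract asks for a non-null, possibly
                // empty array. Returning null can cause a NullPointerException
                // in code that iterates over the accepted issuers.
                return new X509Certificate[0];
            }
        };

        // Request a TLS context instead of the obsolete "SSLv3" one. SSLv3 is a
        // broken protocol and is disabled by default on current JDKs.
        SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
        // init() expects an array of trust managers, so wrap the single instance.
        sslContext.init(null, [trustManager] as TrustManager[], new SecureRandom());
        sslSocketFactory = sslContext.getSocketFactory();
    }
    connection.setSSLSocketFactory(sslSocketFactory);
    // Disables the check that the certificate was issued for the requested host.
    connection.setHostnameVerifier(ALL_TRUSTING_HOSTNAME_VERIFIER);
}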

/**
 * Host name verifier that approves every host name without looking at the
 * session. With this installed, a certificate issued for any other host is
 * accepted as if it matched, so it must not be used for connections that carry
 * credentials or other sensitive data.
 */
private static final HostnameVerifier ALL_TRUSTING_HOSTNAME_VERIFIER = new HostnameVerifier() {
    @Override
    public boolean verify(String requestedHost, SSLSession tlsSession) {
        // Neither argument is inspected; the answer is always "accept".
        return true;
    }
};
