
SSL Handshake Exception while retrieving information via REST API from Rapid Recovery 6.x on Windows 2016 & Windows 10 machines

We are getting javax.net.ssl.SSLHandshakeException while using the REST API from Rapid Recovery 6.x.

The detailed story is: we use the AA & RR REST API for getting core information. For that we use Java as a REST client, and from there we fire those API calls.

It worked fine with Rapid Recovery 6.x on a Windows 2012 R2 machine. But when we installed RR 6.x on Windows 2016 or Windows 10, the RR API gives us the SSL handshake exception as follows.

handling exception: java.lang.RuntimeException: Could not generate DH keypair

But it works fine when we execute the APIs from the browser. After searching, we found that the issue is related to the ciphers & protocols supported by the JRE.

Upgrading the ciphers also does not work for us; now it gives:

handling exception: javax.net.ssl.SSLHandshakeException: Unsupported curveId: 29

I have a question: do you know what changes were made in RR or in the OS that demand higher cipher suites on Windows 2016 & Windows 10 setups?

 

Setup Details:

- Installed Rapid Recovery 6.1 on Windows 2016 & Windows 10

- Using JRE 1.6.20 as a rest client (httpcomponents-client-4.3.1)  

- Upgraded JCE library for JRE 6 & also added Bouncy Castle third party JCE provider.

The detailed debug logs are as follows.

Starting AppAssure recovery plugin ..
Created config object ..
trigger seeding of SecureRandom
done seeding SecureRandom
main, setSoTimeout(120000) called
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1483973223 bytes = { 236, 54, 18, 237, 36, 103, 106, 234, 1, 19, 4, 82, 70, 67, 187, 123, 109, 196, 237, 161, 184, 164, 190, 216, 22, 85, 92, 112 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
***
main, WRITE: TLSv1 Handshake, length = 175
main, WRITE: SSLv2 client hello message, length = 170
main, READ: TLSv1 Handshake, length = 2024
*** ServerHello, TLSv1
RandomCookie: GMT: 1483973223 bytes = { 32, 136, 220, 33, 216, 28, 67, 38, 73, 16, 239, 5, 32, 207, 134, 27, 52, 4, 41, 29, 176, 161, 88, 211, 195, 165, 52, 121 }
Session ID: {201, 15, 0, 0, 140, 72, 143, 139, 114, 125, 248, 148, 141, 57, 216, 130, 122, 91, 15, 126, 173, 135, 34, 60, 214, 86, 188, 2, 50, 85, 17, 174}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Compression Method: 0
***
%% Created: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
** TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: O=Root, CN=WIN2016-DCX64LK, CN=localhost, T=AppRecoveryCoreServerCertificate
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

Key: Sun RSA public key, 4096 bits
modulus: 1027255060875638055889093524481687418767917992647967051884839569205364644453896917227420942039939723026801681291888258008716705361654337824956168366726839706915838613894461235058605072791354043735894892332594337093584597044063200036036542537567610306597914022092995540844121028309907175138104890613990265595789936967126128256359000739369619532549874556549153153446462582919046260009735882315514361219812946583812663685221374758820758865892127771026995828004133025158734915339778510989691909021964878221999245026682298493732519806975332772513941916547591719515323024677810588980159216721668148612525068749254080280758393132540409602955929254519713532850724160171539779259529754039445141596179499359679667944749424422768730360056280907048310006821384431577623397713426285302709091893435911095146543694781723490890545314823933830726842240139329796526519491689472123438852892441517016293321422477245497540167796226282753153526296250382458571625195496150528604390474481690066151845556798894356012852929454997219425451546148973242987007262208138990819825641088757152727568368193980474060978111070037263582229367729783598202253306324783003881434667211557477497136889989624086897856093054905293607044578822868861412758375529191123785509350603
public exponent: 65537
Validity: [From: Wed Jan 04 00:55:44 PST 2017,
To: Mon Jan 04 00:55:44 PST 2027]
Issuer: O=Root, CN=WIN2016-DCX64LK, CN=localhost, T=AppRecoveryCoreServerCertificate
SerialNumber: [ 6566e88b 9a2236a3 4afcc33a 1e646a6b]

]
Algorithm: [SHA256withRSA]
Signature:

]
***
main, handling exception: javax.net.ssl.SSLHandshakeException: Unsupported curveId: 29
main, SEND TLSv1 ALERT: fatal, description = handshake_failure
main, WRITE: TLSv1 Alert, length = 2
main, called closeSocket()
main, called close()
main, called closeInternal(true)
main, setSoTimeout(120000) called
%% No cached client session
Your help is appreciated.
 
Thanks !! 
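Added example, not part of the original post or of Rapid Recovery: a small Python parser for a javax.net.debug trace like the one above that names the rejected curve ID and checks whether the client ever offered that curve. The sample trace is constructed from lines in the post (curve list shortened), and the group names are taken from the IANA TLS Supported Groups registry.

```python
import re

# IANA TLS "Supported Groups" IDs (subset). 29 is x25519.
NAMED_GROUPS = {23: "secp256r1", 24: "secp384r1", 25: "secp521r1",
                29: "x25519", 30: "x448"}

# Constructed sample: the relevant lines of the trace above, curve list shortened.
SAMPLE_TRACE = """\
*** ClientHello, TLSv1
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
main, WRITE: TLSv1 Handshake, length = 175
main, WRITE: SSLv2 client hello message, length = 170
*** ServerHello, TLSv1
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
main, handling exception: javax.net.ssl.SSLHandshakeException: Unsupported curveId: 29
"""

def diagnose(trace):
    """Summarise a javax.net.debug handshake trace into a dict of findings."""
    out = {"offered_curves": [], "suite": None, "client_version": None,
           "sslv2_hello": False, "failed_curve": None, "curve_was_offered": None}
    for line in trace.splitlines():
        line = line.strip()
        m = re.match(r"\*\*\* ClientHello, (\S+)", line)
        if m:
            out["client_version"] = m.group(1)
        m = re.match(r"Extension elliptic_curves, curve names: \{(.*)\}", line)
        if m:
            out["offered_curves"] = [c.strip() for c in m.group(1).split(",")]
        # An SSLv2-format hello has no extensions field, so flag it.
        if "WRITE: SSLv2 client hello message" in line:
            out["sslv2_hello"] = True
        m = re.match(r"Cipher Suite: (\S+)", line)  # ServerHello's single choice
        if m:
            out["suite"] = m.group(1)
        m = re.search(r"Unsupported curveId: (\d+)", line)
        if m:
            cid = int(m.group(1))
            out["failed_curve"] = NAMED_GROUPS.get(cid, "unknown(%d)" % cid)
    if out["failed_curve"]:
        out["curve_was_offered"] = out["failed_curve"] in out["offered_curves"]
    return out

if __name__ == "__main__":
    for key, value in sorted(diagnose(SAMPLE_TRACE).items()):
        print("%-18s %s" % (key, value))
```
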
  • Hi Sandeep:
    I would try TLS v1.2 -- looks to me that TLSv1 is used in your application.
    JDK 6 update 111 supports SSLv3, TLSv1 and TLSv1.1 with TLSv1 being the default. JDK 6 has been deprecated since 2013.
    JDK 8 uses TLSv1.2 by default -- it may be the best bet.

    Hope that this helps.
  • Thanks for your help Tudor.
    Upgrading to Java 8 is not feasible right now; it will take time.
    Can you suggest any workaround that will fix this issue temporarily so that we can proceed ahead?
  • Hi Sandeep:
    I use PowerShell for all REST API Calls. No need to worry about anything :)
    Please use Invoke-RestMethod for all methods except GET. Unless the issue was fixed in Win2016/PowerShell 5.0, only the first GET call works for sure; the subsequent ones may (or may not) fail.
    To get around it, use a System.Net.WebClient object and enable/disable [System.Net.ServicePointManager]::ServerCertificateValidationCallback before/after making the call.
    Although there are better ways of interacting between Java and PowerShell, a way of dealing with it would be running the PowerShell script from Java, saving the result in an XML file (as the responses are XML) and proceeding with the rest of your application. Something like below may work (just got it from the web as I do not have any Java IDE available):
    // Launch the PowerShell script as a child process
    String cmd = "powershell C:\\path\\to\\your\\script\\script.ps1";
    Runtime runtime = Runtime.getRuntime();
    Process process = runtime.exec(cmd);
    // Close the child's stdin so PowerShell does not wait for input
    process.getOutputStream().close();
    It is not the best of the two worlds but it should work :)
  • Yes, this alternative may work.
    Thanks for your valuable help.