SSL Handshake Exception while retrieving information via REST API from Rapid Recovery 6.x on Windows 2016 & Windows 10 machines

Question

We are getting javax.net.ssl.SSLHandshakeException while using REST API from Rapid Recovery 6.x. 
 The detail story is, we use the AA & RR REST API for getting core information. For that we use java as a rest client, from there actually we used to fire those API. 
 It worked fine with the Rapid Recovery 6.x on Windows 2012 R2 machine. But when we installed RR 6.x on Windows 2016 or Windows 10, the RR API going to give us the SSL handshake exception as follows. 
 handling exception: java.lang.RuntimeException: Could not generate DH keypair 
 But it works fine when we are executing API's from the browser. After searching we found that the issue is related with supported ciphers & protocols by the JRE. 
 By upgrading the ciphers also not works for us now its giving, 
 handling exception: javax.net.ssl.SSLHandshakeException: Unsupported curveId: 29 
 I have a question did you know that, what are the changes made in RR or in OS which demanding higher cipher suites on Windows 2016 & Windows 10 setups. 
 
 Setup Details: 
 - Installed Rapid Recovery 6.1 on Windows 2016 & Windows 10 
 - Using JRE 1.6.20 as a rest client (httpcomponents-client-4.3.1) 
 - Upgraded JCE library for JRE 6 & also added Bouncy Castle third party JCE provider. 
 The detailed debug logs are as follows. 
 Starting AppAssure recovery plugin .. Created config object .. trigger seeding of SecureRandom done seeding SecureRandom main, setSoTimeout(120000) called %% No cached client session *** ClientHello, TLSv1 RandomCookie: GMT: 1483973223 bytes = { 236, 54, 18, 237, 36, 103, 106, 234, 1, 19, 4, 82, 70, 67, 187, 123, 109, 196, 237, 161, 184, 164, 190, 216, 22, 85, 92, 112 } Session ID: {} Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA] Compression Methods: { 0 } Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1} Extension ec_point_formats, formats: [uncompressed] *** main, WRITE: TLSv1 Handshake, length = 175 main, WRITE: SSLv2 client hello message, length = 170 main, READ: TLSv1 Handshake, length = 2024 *** ServerHello, TLSv1 RandomCookie: GMT: 1483973223 bytes = { 32, 136, 220, 33, 216, 28, 67, 38, 73, 16, 239, 5, 32, 207, 134, 27, 52, 4, 41, 29, 176, 161, 88, 211, 195, 165, 52, 121 } Session ID: {201, 15, 0, 0, 140, 72, 143, 139, 114, 125, 248, 148, 141, 57, 216, 130, 122, 91, 15, 126, 173, 135, 34, 60, 214, 86, 188, 2, 50, 85, 17, 174} Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Compression Method: 0 *** %% Created: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] ** TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA *** Certificate chain chain [0] = [ [ Version: V3 Subject: O=Root, CN=WIN2016-DCX64LK, CN=localhost, T=AppRecoveryCoreServerCertificate Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11 Key: Sun RSA public key, 4096 bits modulus: 1027255060875638055889093524481687418767917992647967051884839569205364644453896917227420942039939723026801681291888258008716705361654337824956168366726839706915838613894461235058605072791354043735894892332594337093584597044063200036036542537567610306597914022092995540844121028309907175138104890613990265595789936967126128256359000739369619532549874556549153153446462582919046260009735882315514361219812946583812663685221374758820758865892127771026995828004133025158734915339778510989691909021964878221999245026682298493732519806975332772513941916547591719515323024677810588980159216721668148612525068749254080280758393132540409602955929254519713532850724160171539779259529754039445141596179499359679667944749424422768730360056280907048310006821384431577623397713426285302709091893435911095146543694781723490890545314823933830726842240139329796526519491689472123438852892441517016293321422477245497540167796226282753153526296250382458571625195496150528604390474481690066151845556798894356012852929454997219425451546148973242987007262208138990819825641088757152727568368193980474060978111070037263582229367729783598202253306324783003881434667211557477497136889989624086897856093054905293607044578822868861412758375529191123785509350603 public exponent: 65537 Validity: [From: Wed Jan 04 00:55:44 PST 2017, To: Mon Jan 04 00:55:44 PST 2027] Issuer: O=Root, CN=WIN2016-DCX64LK, CN=localhost, T=AppRecoveryCoreServerCertificate SerialNumber: [ 6566e88b 9a2236a3 4afcc33a 1e646a6b] ] Algorithm: [SHA256withRSA] Signature: 0000: 57 F6 A7 AB 8A 5C 63 F1 CC 23 D3 EE 7C E8 84 D8 W....\c..#...... 0010: D9 E1 D4 CD B6 4A FC 20 6B 02 0D 59 EE B7 B3 3C .....J. k..Y...< 0020: D5 A4 4A 96 3B 5A C3 ED 83 93 FA 07 F9 DA 33 F4 ..J.;Z........3. 0030: 42 72 89 F5 6B C9 EE 35 25 B1 A9 FA 79 E7 A4 7B Br..k..5%...y... 0040: CB 26 5A C1 F7 F2 50 09 08 1E 95 A3 71 3A FE 6E .&Z...P.....q:.n 0050: 18 E0 7B 47 CE D2 E2 34 A8 A5 D5 1D F7 83 D1 E6 ...G...4........ 0060: 8F DB 2D 14 95 C3 DB AE AC F8 F5 CB AB 45 74 BB ..-..........Et. 0070: A0 E7 16 04 D6 79 78 9E 4A C2 54 7E D9 BD 26 15 .....yx.J.T...&. 0080: 78 90 84 DD FD 94 8E 3C DE 0C F5 11 B9 27 DE C5 x......<.....'.. 0090: 6F A0 07 F6 D0 FB DE A3 41 47 63 81 D5 52 09 67 o.......AGc..R.g 00A0: 84 FC 6A B1 DD C0 CF 3A 8D 74 CB 08 6C 62 E6 EF ..j....:.t..lb.. 00B0: 64 69 4F A5 E8 EC DA A7 D0 27 FC 5D 2D C8 C7 79 diO......'.]-..y 00C0: 9B 3F F6 C9 41 DB 8A 6C 94 36 F2 C9 9D C1 FE D1 .?..A..l.6...... 00D0: 86 4B E1 87 81 62 91 45 76 3D 7C 46 71 6E FF 39 .K...b.Ev=.Fqn.9 00E0: 7E 4C B1 51 C1 AD 87 37 F6 88 58 EA C2 35 F0 C0 .L.Q...7..X..5.. 00F0: 6C 31 B3 3D 78 B3 4A E6 C3 25 E4 53 67 DC 64 DE l1.=x.J..%.Sg.d. 0100: C0 25 0D A3 D5 82 7D 87 30 C7 84 68 43 5B AD 05 .%......0..hC[.. 0110: 90 05 A8 C2 38 13 30 9B E4 5D 00 D0 D9 DE 70 14 ....8.0..]....p. 0120: 42 1F 8E E4 54 6E 66 5D D7 9C 8F 04 23 88 57 2A B...Tnf]....#.W* 0130: 6F A1 82 46 62 CD 06 76 00 5C 2B 95 E5 BA 09 22 o..Fb..v.\+...." 0140: 7B 56 ED BE F6 E6 89 0A E2 45 11 19 05 AB CD 14 .V.......E...... 0150: 80 F6 C4 06 CA 6C 5E 27 8E D1 94 93 1A 06 BE 38 .....l^'.......8 0160: 5C 2A 5E 72 D2 82 F8 AF 09 2D 59 3C 0A 6B BB 6E \*^r.....-Y<.k.n 0170: 9D CE C9 04 D9 99 3F D1 82 95 B2 80 5E D1 F3 39 ......?.....^..9 0180: 4C DB BB 65 92 2F 5C 73 01 A3 12 D0 5E 6F B6 E8 L..e./\s....^o.. 0190: 3D 0D 96 A7 40 1A F1 5D 83 A2 90 0B 76 51 64 8C =...@..]....vQd. 01A0: 70 C7 4B 15 D2 8E E4 7A 93 31 C0 5E 22 F2 FE 39 p.K....z.1.^"..9 01B0: 52 B1 B1 69 27 64 E2 B8 FC 44 66 7F 58 4C A3 56 R..i'd...Df.XL.V 01C0: 20 B0 32 75 A3 06 A8 A8 CE 15 55 03 44 1B 36 51 .2u......U.D.6Q 01D0: 6B F3 16 50 46 28 D6 D3 DF 68 3F AE 26 88 CD 3E k..PF(...h?.&..> 01E0: 1D 68 B6 F0 62 8B F8 B1 C6 32 32 43 C0 CF 9F 3C .h..b....22C...< 01F0: 5F 76 12 79 EB AB 2A E0 9D E9 67 11 0A FE A7 90 _v.y..*...g..... ] *** main, handling exception: javax.net.ssl.SSLHandshakeException: Unsupported curveId: 29 main, SEND TLSv1 ALERT: fatal, description = handshake_failure main, WRITE: TLSv1 Alert, length = 2 main, called closeSocket() main, called close() main, called closeInternal(true) main, setSoTimeout(120000) called %% No cached client session 
 Your help is appreciated. 
 
 Thanks !!

Tudor.Popescu · Answer

Hi Sandeep: 
I use PowerShell for all REST API Calls. No need to worry about anything :) 
Please use Invoke-Restmethod for all Methods except GET. Unless the issue was fixed in Win2016/Powershell 5.0 only the first GET call works for sure, the subsequent ones may (or may not) fail. 
To go around it, use a System.Net.Webclient object and enable/disable [System.Net.ServicePointManager]::ServerCertificateValidationCallback before/after making the call. 
Although there are better ways of interacting Java and Powershell, a way of dealing with it would be running the PowerShell script from Java, save the result in an XML file (as the responses are XML) and proceed with the rest of your application. Something like below may work (just got if from the web as I do not have any Java IDE available) 
String cmd = "powershell C:\path\to\your\script\script.ps1" 
Runtime runtime = Runtime.getRuntime(); 
Process process = runtime.exec(command); 
process.getOutputStream().close(); 
It is not the best of the two worlds but it should work :)