Recently, our organisation migrated one of our Java application codes from Java 8 to Java 11. Now, we are facing one unique issue with our application. Our tomcat server is running into a strange issue, where it is not able to present its self-signed ECDSA certificate to the 3rd party server(requested as part of mTLS SSL negotiation) is failing with the following error.
Error while invoking external url error: Client exception while GET:javax.net.ssl.SSLException: org.bouncycastle.tls.TlsFatalAlertReceived: handshake_failure(40)","error-type":"java.lang.Exception","error-message":"Client exception while GET:javax.net.ssl.SSLException: org.bouncycastle.tls.TlsFatalAlertReceived: handshake_failure(40)","error-stack-trace":"java.lang.Exception: Client exception while GET:javax.net.ssl.SSLException: org.bouncycastle.tls.TlsFatalAlertReceived: handshake_failure(40)
My org uses BC-FIPS provider which doesn’t support -Djavax.net.debug debug param.
I did capture tcpdump, which indicates my application doesn’t present the valid certificate for the SSL negotiation. (Certificate length is 0 in the below snapshot)
Both the client and server ECDSA certificates are exchanged correctly and are valid. The server, in this case, is able to negotiate inbound ECDSA-based SSL requests (ECDSA cypher) without any issues. Also, the same code works absolutely fine if the cert type is RSA.
We are using the same trustStore that is used in the case of of Java8; there are no changes in the trustStore and the store is generated using the Java8 keytool command like before.
We use bc-fips-1.0.2.3.jar and all dependent libs such as bcpkix-fips.jar,bctls-fips.jar are already added. We have done no changes here, from Java8 to Java11.
The only major change is runtime changes from jre8 to jre 11.
Any pointers to debug or how to take it forward is appreciated.
The trustStore format is BCFKS.
Thanks, Brinal
