Spring RestTemplate: SSL handshake failure

From javax.net.debug log I can see that you are using Java 7 and the client resolves to TLSv1. From openssl output that your server does not support TLSv1.

TLS ver. 1.1 and 1.2 are disabled in Java 7 by default.

Although SunJSSE in the Java SE 7 release supports TLS 1.1 and TLS 1.2, neither version is enabled by default for client connections. Some servers do not implement forward compatibility correctly and refuse to talk to TLS 1.1 or TLS 1.2 clients. For interoperability, SunJSSE does not enable TLS 1.1 or TLS 1.2 by default for client connections.

Enable TLSv1.1 and TLSv1.2 either by:

  1. JVM argument:

    -Dhttps.protocols=TLSv1.2,TLSv1.1,TLSv1
    
  2. Or set the same property from Java code:

    System.setProperty("https.protocols", "TLSv1.2,TLSv1.1,TLSv1");
    
  3. Or install JCE Unlimited Strength policy files for Java 7. I am not 100% sure if this single step would solve the problem although it is always worth to install JCE while it allows JVM to use stronger versions of existing algorithms.

UPDATE 29/Sep/2016:

Order of protocols changed from better to worse (TLS ver. 1.2 to 1) in options 1 and 2.


If you happen to be using Java 7 you need to explicitly tell Java to use TLSv1.2 protocol. Here is an example using Spring XML configuration.

***In any Spring bean (i.e. a controller)***

import org.apache.http.client.HttpClient;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.HttpClients;
import javax.net.ssl.SSLContext;

@Bean(name="client")
public HttpClient make() throws NoSuchAlgorithmException, KeyManagementException {
    SSLContext sslContext = SSLContexts.custom().build();
    SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(sslContext,
            new String[]{"TLSv1.2", "TLSv1.1"}, null, SSLConnectionSocketFactory.getDefaultHostnameVerifier());
    return HttpClients.custom()
            .setSSLSocketFactory(sslConnectionSocketFactory)
            .build();
}

***In XML configuration files***

<bean id="factory"
      class="org.springframework.http.client.HttpComponentsClientHttpRequestFactory">
    <property name="httpClient" ref="client"/>
</bean>
<bean id="restTemplate" class="org.springframework.web.client.RestTemplate">
    <property name="requestFactory" ref="factory"/>
</bean>

You could do the same without XML with something like this:

RestTemplate restTemplate;

public HttpClient getHttpClient() throws NoSuchAlgorithmException, KeyManagementException {
    SSLContext sslContext = SSLContexts.custom().build();
    SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(sslContext,
            new String[]{"TLSv1.2", "TLSv1.1"}, null, SSLConnectionSocketFactory.getDefaultHostnameVerifier());
    return HttpClients.custom()
            .setSSLSocketFactory(sslConnectionSocketFactory)
            .build();
}

public void setUp() throws Exception {
    restTemplate = new RestTemplate(
            new HttpComponentsClientHttpRequestFactory(
                    getHttpClient()));
    ...
}