javax.net.ssl.SSLException: Received fatal alert: protocol_version

Has anyone encountered this error before? I'm new to SSL, is there anything obviously wrong with my ClientHello that I'm missing? That exception is thrown with no ServerHello response. Any advice is appreciated.

*** ClientHello, TLSv1
RandomCookie:  GMT: 1351745496 bytes = { 154, 151, 225, 128, 127, 137, 198, 245, 160, 35, 124, 13, 135, 120, 33, 240, 82, 223, 56, 25, 207, 231, 231, 124, 103, 205, 66, 218 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
***
[write] MD5 and SHA1 hashes:  len = 75
0000: 01 00 00 47 03 01 51 92   00 D8 9A 97 E1 80 7F 89  ...G..Q.........
0010: C6 F5 A0 23 7C 0D 87 78   21 F0 52 DF 38 19 CF E7  ...#...x!.R.8...
0020: E7 7C 67 CD 42 DA 00 00   20 00 04 00 05 00 2F 00  ..g.B... ...../.
0030: 33 00 32 00 0A 00 16 00   13 00 09 00 15 00 12 00  3.2.............
0040: 03 00 08 00 14 00 11 00   FF 01 00                 ...........
xxx, WRITE: TLSv1 Handshake, length = 75
[write] MD5 and SHA1 hashes:  len = 101
0000: 01 03 01 00 3C 00 00 00   20 00 00 04 01 00 80 00  ....<... .......
0010: 00 05 00 00 2F 00 00 33   00 00 32 00 00 0A 07 00  ..../..3..2.....
0020: C0 00 00 16 00 00 13 00   00 09 06 00 40 00 00 15  ............@...
0030: 00 00 12 00 00 03 02 00   80 00 00 08 00 00 14 00  ................
0040: 00 11 00 00 FF 51 92 00   D8 9A 97 E1 80 7F 89 C6  .....Q..........
0050: F5 A0 23 7C 0D 87 78 21   F0 52 DF 38 19 CF E7 E7  ..#...x!.R.8....
0060: 7C 67 CD 42 DA                                     .g.B.
xxx, WRITE: SSLv2 client hello message, length = 101
[Raw write]: length = 103
0000: 80 65 01 03 01 00 3C 00   00 00 20 00 00 04 01 00  .e....<... .....
0010: 80 00 00 05 00 00 2F 00   00 33 00 00 32 00 00 0A  ....../..3..2...
0020: 07 00 C0 00 00 16 00 00   13 00 00 09 06 00 40 00  ..............@.
0030: 00 15 00 00 12 00 00 03   02 00 80 00 00 08 00 00  ................
0040: 14 00 00 11 00 00 FF 51   92 00 D8 9A 97 E1 80 7F  .......Q........
0050: 89 C6 F5 A0 23 7C 0D 87   78 21 F0 52 DF 38 19 CF  ....#...x!.R.8..
0060: E7 E7 7C 67 CD 42 DA                               ...g.B.
[Raw read]: length = 5
0000: 15 03 01 00 02                                     .....
[Raw read]: length = 2
0000: 02 46                                              .F

{http://xml.apache.org/axis/}stackTrace:

javax.net.ssl.SSLException: Received fatal alert: protocol_version
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190)
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1806)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:986)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1170)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1197)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1181)
at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186)
at 

...

On Java 1.8 default TLS protocol is v1.2. On Java 1.6 and 1.7 default is obsoleted TLS1.0. I get this error on Java 1.8, because url use old TLS1.0 (like Your - You see ClientHello, TLSv1). To resolve this error You need to use override defaults for Java 1.8.

System.setProperty("https.protocols", "TLSv1");

More info on the Oracle blog:Diagnosing TLS, SSL, and HTTPS.

marioosh's answer seems to on the right track. It didn't work for me. So I found:

https://stackoverflow.com/questions/30758303/problems-connecting-via-https-ssl-through-own-java-client

which uses:

java.lang.System.setProperty("https.protocols", "TLSv1,TLSv1.1,TLSv1.2");

Which seems to be necessary with Java 7 and a TLSv1.2 site.

I checked the site with:

openssl s_client -connect www.st.nmfs.noaa.gov:443

using

openssl version
OpenSSL 1.0.2l  25 May 2017

and got the result:

...
SSL-Session:
   Protocol  : TLSv1.2
   Cipher    : ECDHE-RSA-AES256-GCM-SHA384
...

Please note that and older openssl version on my mac did not work and I had to use the macports one.

I ran into this issue while trying to install a PySpark package. I got around the issue by changing the TLS version with an environment variable:

echo 'export JAVA_TOOL_OPTIONS="-Dhttps.protocols=TLSv1.2"' >> ~/.bashrc
source ~/.bashrc

@marioosh added some extra information regarding cipher suite encryption .

---

A cipher suite is a collection of symmetric and asymmetric encryption algorithms used by hosts to establish a secure communication in Transport Layer Security (TLS) / Secure Sockets Layer (SSL) network protocol.
Ciphers are algorithms, more specifically they’re a set of steps for both performing encryption as well as the corresponding decryption.

A cipher suite specifies one algorithm for each of the following tasks:

• Key exchange
• Bulk encryption
• Message authentication

SocketFactory « Default handshaking protocols « To avoid SSLException use https.protocols system property.
This contains a comma-separated list of protocol suite names specifying which protocol suites to enable on this HttpsURLConnection. See the SSLSocket.setEnabledProtocols(String[]) method.

System.setProperty("https.protocols", "SSLv3");
// (OR)
System.setProperty("https.protocols", "TLSv1");

JAVA8 « TLS 1.1 and TLS 1.2 Enabled by Default: The SunJSSE provider enables the protocols TLS 1.1 and TLS 1.2 on the client by default.

System.setProperty("https.protocols", "TLSv1,TLSv1.1,TLSv1.2");

Example for Java8 Network File:

public class SecureSocket {
	static {
		// System.setProperty("javax.net.debug", "all");
		System.setProperty("https.protocols", "TLSv1,TLSv1.1,TLSv1.2");
	}
	public static void main(String[] args) {
		String GhitHubSSLFile = "https://raw.githubusercontent.com/Yash-777/SeleniumWebDrivers/master/pom.xml";
		try {
			String str = readCloudFileAsString(GhitHubSSLFile);
					// new String(Files.readAllBytes(Paths.get( "D:/Sample.file" )));
					
			System.out.println("Cloud File Data : "+ str);
		} catch (IOException e) {
			e.printStackTrace();
		}
	}
	public static String readCloudFileAsString( String urlStr ) throws java.io.IOException {
		if( urlStr != null && urlStr != "" ) {
			java.io.InputStream s = null;
			String content = null;
			try {
				URL url = new URL( urlStr );
				s = (java.io.InputStream) url.getContent();
				content = IOUtils.toString(s, "UTF-8");
			} finally {
				if (s != null) s.close(); 
			}
			return content.toString();
		}
		return null;
	}
}

JDK 8 Security You can customize some aspects of JSSE by setting system properties, By Specifying the below property you can check the encryption data from the file.

System.setProperty("javax.net.debug", "all");

Exception

javax.net.ssl.SSLException: Received fatal alert: protocol_version

If handshaking fails for any reason, the SSLSocket is closed, and no further communications can be done.

Observer LOG Sample for the above example:

*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1505482843 bytes = { 12, 11, 111, 99, 8, 177, 101, 27, 84, 176, 147, 215, 116, 208, 31, 178, 141, 170, 29, 118, 29, 192, 61, 191, 53, 201, 127, 100 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Extension server_name, server_name: [host_name: raw.githubusercontent.com]
***
[write] MD5 and SHA1 hashes:  len = 213
0000: 01 00 00 D1 03 03 5A BC   D8 5B 0C 0B 6F 63 08 B1  ......Z..[..oc..
0010: 65 1B 54 B0 93 D7 74 D0   1F B2 8D AA 1D 76 1D C0  e.T...t......v..
0020: 3D BF 35 C9 7F 64 00 00   2A C0 09 C0 13 00 2F C0  =.5..d..*...../.
0030: 04 C0 0E 00 33 00 32 C0   08 C0 12 00 0A C0 03 C0  ....3.2.........
0040: 0D 00 16 00 13 C0 07 C0   11 00 05 C0 02 C0 0C 00  ................
0050: 04 00 FF 01 00 00 7E 00   0A 00 34 00 32 00 17 00  ..........4.2...
0060: 01 00 03 00 13 00 15 00   06 00 07 00 09 00 0A 00  ................
0070: 18 00 0B 00 0C 00 19 00   0D 00 0E 00 0F 00 10 00  ................
0080: 11 00 02 00 12 00 04 00   05 00 14 00 08 00 16 00  ................
0090: 0B 00 02 01 00 00 0D 00   1A 00 18 06 03 06 01 05  ................
00A0: 03 05 01 04 03 04 01 03   03 03 01 02 03 02 01 02  ................
00B0: 02 01 01 00 00 00 1E 00   1C 00 00 19 72 61 77 2E  ............raw.
00C0: 67 69 74 68 75 62 75 73   65 72 63 6F 6E 74 65 6E  githubuserconten
00D0: 74 2E 63 6F 6D                                     t.com
main, WRITE: TLSv1.2 Handshake, length = 213
[Raw write]: length = 218
0000: 16 03 03 00 D5 01 00 00   D1 03 03 5A BC D8 5B 0C  ...........Z..[.
0010: 0B 6F 63 08 B1 65 1B 54   B0 93 D7 74 D0 1F B2 8D  .oc..e.T...t....
0020: AA 1D 76 1D C0 3D BF 35   C9 7F 64 00 00 2A C0 09  ..v..=.5..d..*..
0030: C0 13 00 2F C0 04 C0 0E   00 33 00 32 C0 08 C0 12  .../.....3.2....
0040: 00 0A C0 03 C0 0D 00 16   00 13 C0 07 C0 11 00 05  ................
0050: C0 02 C0 0C 00 04 00 FF   01 00 00 7E 00 0A 00 34  ...............4
0060: 00 32 00 17 00 01 00 03   00 13 00 15 00 06 00 07  .2..............
0070: 00 09 00 0A 00 18 00 0B   00 0C 00 19 00 0D 00 0E  ................
0080: 00 0F 00 10 00 11 00 02   00 12 00 04 00 05 00 14  ................
0090: 00 08 00 16 00 0B 00 02   01 00 00 0D 00 1A 00 18  ................
00A0: 06 03 06 01 05 03 05 01   04 03 04 01 03 03 03 01  ................
00B0: 02 03 02 01 02 02 01 01   00 00 00 1E 00 1C 00 00  ................
00C0: 19 72 61 77 2E 67 69 74   68 75 62 75 73 65 72 63  .raw.githubuserc
00D0: 6F 6E 74 65 6E 74 2E 63   6F 6D                    ontent.com
[Raw read]: length = 5
0000: 16 03 03 00 5D                                     ....]

Cryptography and Secure Communication with whatsapp^{Image from businesstoday.in}

@See

• AZURE TLS/SSL cipher suites
• javax.net.ssl.SSLHandshakeException: No appropriate protocol
• Whatsapp End To End Encryption

I was getting the same error. For Java version 7, following is working for me.

> java.lang.System.setProperty("https.protocols", "TLSv1.2");

This seems like a protocol version mismatch, this exception normally happens when there is a mismatch between SSL protocol version used by the client and the server. your clients should use a proctocol version supported by the server.

You can try by adding following line to catalina.bat after last entry of JAVA_OPTS

set JAVA_OPTS=%JAVA_OPTS% -Dhttps.protocols=TLSv1.2 -Djdk.tls.client.protocols=TLSv1.2

For those using the IBM JDK you need to provide this argument to the JVM. -Dcom.ibm.jsse2.overrideDefaultTLS=true

I was using Liberty, so I set this in the jvm.options file.

Reference Documentation

More information on protocols used with IBM Here

This is due to the fact that you send a TLSv1 handshake, but then you send a message using SSLv2 protocol;

xxx, WRITE: TLSv1 Handshake, length = 75
xxx, WRITE: SSLv2 client hello message, length = 101

This means that the server expects the TLSv1 protocol to be used and will not accept the connection. Try specifying which protocol to use, or post some relevant code so we can have a look

[Using JBoss]

• Open Config Path:

JBOSS_HOME/standalone/configuration/standalone.xml OR

JBOSS_HOME/standalone/configuration/standalone-full.xml

Inside "<system-properties>" tag, add following line:

<property name="https.protocols" value="TLSv1,TLSv1.1,TLSv1.2"/>

It solved the problem for me.

Not sure if you found an answer but I had this problem and needed to upgrade TLS version to 1.2

private HttpsURLConnection getSSlConnection(String url, String username, String password){
    SSLContext sc = SSLContext.getInstance("TLSv1.2")
    // Create a trust manager that accepts all SSL sites
    TrustManager[] trustAllCerts = new TrustManager[1]
    def tm = new X509TrustManager(){
        @Override
        public void checkClientTrusted(X509Certificate[] certs, String authType) {
        }

        @Override
        public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
        }

        @Override
        X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0]
        }
    }
    trustAllCerts[0] = tm

    sc.init(null, trustAllCerts, new SecureRandom())
    HttpsURLConnection connection = (HttpsURLConnection) getConnection(url, username, password)
    connection.setSSLSocketFactory(sc.getSocketFactory())
    return connection
}

I have got that error after update to JDK 1.8. But the JAVA_HOME variable was hard coded furthermore to JDK 1.7. Thew modification solved the problem:

set JAVA_HOME=C:\Program Files\Java\jdk1.8.0_241

I'm using apache-tomcat-7.0.70 with jdk1.7.0_45 and none of the solutions here and elsewhere on stackoverflow worked for me. Just sharing this solution as it hopefully might help someone as this is very high on Google's search

What worked is doing BOTH of these steps:

1. Starting my tomcat with "export JAVA_OPTS="$JAVA_OPTS -Dhttps.protocols=TLSv1.2" by adding it to tomcat/bin/setenv.sh (Syntax slightly different on Windows)

2. Manually building/forcing HttpClients or anything else you need with the TLS1.2 protocol:

   Context ctx = SSLContexts.custom().useProtocol("TLSv1.2").build();
   HttpClient httpClient = HttpClientBuilder.create().setSslcontext(ctx).build();
   HttpPost httppost = new HttpPost(scsTokenVerificationUrl);
   
   List<NameValuePair> paramsAccessToken = new ArrayList<NameValuePair>(2);
   paramsAccessToken.add(new BasicNameValuePair("token", token));
   paramsAccessToken.add(new BasicNameValuePair("client_id", scsClientId));
   paramsAccessToken.add(new BasicNameValuePair("secret", scsClientSecret));
   httppost.setEntity(new UrlEncodedFormEntity(paramsAccessToken, "utf-8"));
   
   //Execute and get the response.
   HttpResponse httpResponseAccessToken = httpClientAccessToken.execute(httppost);
   
   String responseJsonAccessToken = EntityUtils.toString(httpResponseAccessToken.getEntity());
   

In my case only the below solution worked

---

private static CloseableHttpClient buildHttpClient() {
    	System.setProperty("https.protocols", "TLSv1.2");
    	SSLContext ctx = null;
		try {
			ctx = SSLContexts.custom().useProtocol("TLSv1.2").build();
		} catch (KeyManagementException e) {
			// TODO Auto-generated catch block
			e.printStackTrace();
		} catch (NoSuchAlgorithmException e) {
			// TODO Auto-generated catch block
			e.printStackTrace();
		}
		CloseableHttpClient httpClient = 
            HttpClientBuilder.create().setSslcontext(ctx).build();
		return httpClient;
	}

---

I was getting the same error when I was trying to use TLS1.2 on Java 7. I solved this problem with SSLContext. This is my code. I have tested this code on Java 7.

 String url = "--add-url-here--"
 URL url = new URL("https://" + url);
 //sslcontext
 SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
 sslContext.init(null, null, new SecureRandom());
 HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
 connection.setRequestMethod("POST");
 connection.setSSLSocketFactory(sslContext.getSocketFactory());
 System.out.println(connection.getResponseCode());