Java HTTP client crashes on HTTPS connections

OS: CentOS 6.5
JAVA: 1.7.0_91

One use case in the project: due to the remote client server system upgrade, HTTPClient runs into such exception like javax.net.ssl.SSLException: java.security.ProviderException: java.security.KeyException:


javax.net.ssl.SSLException: java.security.ProviderException: java.security.KeyException
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1916)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1874)
        at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1857)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1378)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1355)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
        at Bla.main(Bla.java:10)
Caused by: java.security.ProviderException: java.security.KeyException
        at sun.security.ec.ECKeyPairGenerator.generateKeyPair(ECKeyPairGenerator.java:146)
        at java.security.KeyPairGenerator$Delegate.generateKeyPair(KeyPairGenerator.java:704)
        at sun.security.ssl.ECDHCrypt.<init>(ECDHCrypt.java:78)
        at sun.security.ssl.ClientHandshaker.serverKeyExchange(ClientHandshaker.java:714)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:278)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1035)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1344)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1371)
        ... 5 more

javax.net.ssl.SSLException: java.security.ProviderException: java.security.KeyException

at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)

at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1916)

at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1874)

at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1857)

at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1378)

at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1355)

at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)

at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)

at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)

at Bla.main(Bla.java:10)

Caused by: java.security.ProviderException: java.security.KeyException

at sun.security.ec.ECKeyPairGenerator.generateKeyPair(ECKeyPairGenerator.java:146)

at java.security.KeyPairGenerator$Delegate.generateKeyPair(KeyPairGenerator.java:704)

at sun.security.ssl.ECDHCrypt.<init>(ECDHCrypt.java:78)

at sun.security.ssl.ClientHandshaker.serverKeyExchange(ClientHandshaker.java:714)

at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:278)

at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)

at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)

at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1035)

at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1344)

at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1371)

... 5 more

After Java runtime was upgrade to Java 8, the exception is gone. If we switch JDK/JRE to 1.7, the problem is still there. The reason can be traced back to /usr/lib64/libssl3.so and nss version is not up to date. Using yum to update nss to the latest, the error is gone.


Name        : nss
Arch        : x86_64
Version     : 3.19.1
Release     : 5.el6_7
Size        : 2.6 M
Repo        : installed
From repo   : updates
Summary     : Network Security Services
URL         : http://www.mozilla.org/projects/security/pki/nss/
License     : MPLv2.0
Description : Network Security Services (NSS) is a set of libraries designed to
            : support cross-platform development of security-enabled client and
            : server applications. Applications built with NSS can support SSL v2
            : and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509
            : v3 certificates, and other security standards.

Name : nss

Arch : x86_64

Version : 3.19.1

Release : 5.el6_7

Size : 2.6 M

Repo : installed

From repo : updates

Summary : Network Security Services

URL : http://www.mozilla.org/projects/security/pki/nss/

License : MPLv2.0

Description : Network Security Services (NSS) is a set of libraries designed to

: support cross-platform development of security-enabled client and

: server applications. Applications built with NSS can support SSL v2

: and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509

: v3 certificates, and other security standards.

Why Java 8 works before nss update? The reason is JVM (8) wasn’t loading nss but rather using some internal SSL implementation to avoid such exception.