java.io.IOException: Received fatal alert: handshake_failure from remote proxy https://repo.spring.io/milestone

Hello Team,

We are proxying the remote repo https://repo.spring.io/milestone to a Nexus proxy repo.

But it's not retrieving the artifact from the remote. When we tried to add the certificate, it gives the exception below.

2021-03-15 08:45:30,892+0100 INFO [qtp2114521723-100319] myADuser com.sonatype.nexus.ssl.plugin.internal.CertificateRetriever - Retrieving certificate from https://repo.spring.io:443
2021-03-15 08:45:30,893+0100 DEBUG [qtp2114521723-100319] myADuser org.apache.http.client.protocol.RequestAddCookies - CookieSpec selected: ignoreCookies
2021-03-15 08:45:30,893+0100 DEBUG [qtp2114521723-100319] myADuser org.apache.http.client.protocol.RequestAuthCache - Auth cache not set in the context
2021-03-15 08:45:30,894+0100 DEBUG [qtp2114521723-100319] myADuser org.apache.http.impl.conn.BasicHttpClientConnectionManager - Get connection for route {tls}->http://orgproxy->https://repo.spring.io:443
2021-03-15 08:45:30,894+0100 DEBUG [qtp2114521723-100319] myADuser org.apache.http.impl.conn.DefaultManagedHttpClientConnection - http-outgoing-83642: set socket timeout to 0
2021-03-15 08:45:30,894+0100 DEBUG [qtp2114521723-100319] myADuser org.apache.http.impl.execchain.MainClientExec - Opening connection {tls}->http://orgproxy->https://repo.spring.io:443
2021-03-15 08:45:30,895+0100 DEBUG [qtp2114521723-100319] myADuser org.apache.http.impl.conn.DefaultHttpClientConnectionOperator - Connecting to /orgproxy
2021-03-15 08:45:30,896+0100 DEBUG [qtp2114521723-100319] myADuser org.apache.http.impl.conn.DefaultHttpClientConnectionOperator - Connection established 172.16.6.141:57000<->orgproxy
2021-03-15 08:45:30,896+0100 DEBUG [qtp2114521723-100319] myADuser org.apache.http.headers - http-outgoing-83642 >> CONNECT repo.spring.io:443 HTTP/1.1
2021-03-15 08:45:30,897+0100 DEBUG [qtp2114521723-100319] myADuser org.apache.http.headers - http-outgoing-83642 >> Host: repo.spring.io:443
2021-03-15 08:45:30,897+0100 DEBUG [qtp2114521723-100319] myADuser org.apache.http.headers - http-outgoing-83642 >> User-Agent: Nexus/3.29.2-02 (OSS; Linux; 3.10.0-327.13.1.el7.x86_64; amd64; 1.8.0_65)
2021-03-15 08:45:30,991+0100 DEBUG [qtp2114521723-100319] myADuser org.apache.http.headers - http-outgoing-83642 << HTTP/1.1 200 Connection established
2021-03-15 08:45:30,991+0100 DEBUG [qtp2114521723-100319] myADuser org.apache.http.impl.execchain.MainClientExec - Tunnel to target created.
2021-03-15 08:45:30,992+0100 DEBUG [qtp2114521723-100319] myADuser org.apache.http.conn.ssl.SSLConnectionSocketFactory - Enabled protocols: [TLSv1, TLSv1.1, TLSv1.2]
2021-03-15 08:45:30,993+0100 DEBUG [qtp2114521723-100319] myADuser org.apache.http.conn.ssl.SSLConnectionSocketFactory - Enabled cipher suites:[TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
2021-03-15 08:45:30,993+0100 DEBUG [qtp2114521723-100319] myADuser org.apache.http.conn.ssl.SSLConnectionSocketFactory - Starting handshake
2021-03-15 08:45:31,002+0100 DEBUG [qtp2114521723-100319] myADuser org.apache.http.impl.conn.DefaultManagedHttpClientConnection - http-outgoing-83642: Shutdown connection
2021-03-15 08:45:31,002+0100 DEBUG [qtp2114521723-100319] myADuser org.apache.http.impl.execchain.MainClientExec - Connection discarded
2021-03-15 08:45:31,002+0100 DEBUG [qtp2114521723-100319] myADuser org.apache.http.impl.conn.BasicHttpClientConnectionManager - Releasing connection [Not bound]
2021-03-15 08:45:31,066+0100 ERROR [qtp2114521723-100319] myADuser org.sonatype.nexus.extdirect.internal.ExtDirectExceptionHandler - Failed to invoke action method: ssl_Certificate.retrieveFromHost, java-method: com.sonatype.nexus.ssl.plugin.internal.ui.CertificateComponent.retrieveFromHost
java.io.IOException: Received fatal alert: handshake_failure
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
at org.codehaus.groovy.reflection.CachedConstructor.invoke(CachedConstructor.java:83)
at org.codehaus.groovy.runtime.callsite.ConstructorSite$ConstructorSiteNoUnwrapNoCoerce.callConstructor(ConstructorSite.java:105)
at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallConstructor(CallSiteArray.java:59)
at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callConstructor(AbstractCallSite.java:238)
at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callConstructor(AbstractCallSite.java:250)
at com.sonatype.nexus.ssl.plugin.internal.ui.CertificateComponent.retrieveFromHost(CertificateComponent.groovy:85)
at com.palominolabs.metrics.guice.ExceptionMeteredInterceptor.invoke(ExceptionMeteredInterceptor.java:23)
at com.palominolabs.metrics.guice.TimedInterceptor.invoke(TimedInterceptor.java:26)
at org.sonatype.nexus.validation.internal.ValidationInterceptor.invoke(ValidationInterceptor.java:53)
at org.apache.shiro.guice.aop.AopAllianceMethodInvocationAdapter.proceed(AopAllianceMethodInvocationAdapter.java:49)
at org.apache.shiro.authz.aop.AuthorizingAnnotationMethodInterceptor.invoke(AuthorizingAnnotationMethodInterceptor.java:68)
at org.apache.shiro.guice.aop.AopAllianceMethodInterceptorAdapter.invoke(AopAllianceMethodInterceptorAdapter.java:36)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at com.softwarementors.extjs.djn.router.dispatcher.DispatcherBase.invokeJavaMethod(DispatcherBase.java:142)
at com.softwarementors.extjs.djn.router.dispatcher.DispatcherBase.invokeMethod(DispatcherBase.java:133)
at org.sonatype.nexus.extdirect.internal.ExtDirectDispatcher.invokeMethod(ExtDirectDispatcher.java:82)
at com.softwarementors.extjs.djn.router.dispatcher.DispatcherBase.dispatch(DispatcherBase.java:63)
at com.softwarementors.extjs.djn.router.processor.standard.StandardRequestProcessorBase.dispatchStandardMethod(StandardRequestProcessorBase.java:73)
at com.softwarementors.extjs.djn.router.processor.standard.json.JsonRequestProcessor.processIndividualRequest(JsonRequestProcessor.java:502)

Could you please help us resolve the issue?

Regards, Bharat

Verify that the remote host uses one of the supported protocols & ciphers printed in your output.

Hello Matthew,

image
This is the encrypted connection with TLS_AES used by the remote - https://repo.spring.io/milestone

From the enabled ciphers in the log above, it seems it's not matching and not supported. Correct?

If yes, what's the workaround?
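
The comparison suggested in the reply above, as an added example (not code from the thread or from Nexus): it parses the "Enabled protocols" and "Enabled cipher suites" lines of the posted debug log and checks them against a list of suites the remote accepts. REMOTE is a constructed stand-in, since the thread only says the remote negotiates a TLS_AES suite (TLS_AES_* names are TLS 1.3 suites); in practice it would come from a scan of the remote host.

```python
import re

# The two SSLConnectionSocketFactory lines from the log quoted in the thread
# (timestamp/thread prefix trimmed; trailing backslashes only wrap the long line).
LOG = """\
DEBUG SSLConnectionSocketFactory - Enabled protocols: [TLSv1, TLSv1.1, TLSv1.2]
DEBUG SSLConnectionSocketFactory - Enabled cipher suites:[TLS_RSA_WITH_AES_256_CBC_SHA256,\
 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,\
 TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA,\
 TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,\
 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA,\
 TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,\
 TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,\
 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256,\
 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,\
 TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
"""

# Constructed sample, NOT taken from the thread: suites the remote is assumed to accept.
REMOTE = ["TLS_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]

def enabled(log, label):
    """Return the bracketed list logged after 'Enabled <label>:'."""
    m = re.search(r"Enabled %s:\s*\[([^\]]*)\]" % re.escape(label), log)
    return [s.strip() for s in m.group(1).split(",")] if m else []

def key_exchanges(suites):
    """Key-exchange families of TLS 1.2-style names (TLS_<KX>_WITH_<cipher>)."""
    return sorted({s[4:s.index("_WITH_")] for s in suites if "_WITH_" in s})

def is_tls13_suite(name):
    # TLS 1.3 suite names carry only AEAD and hash, so they have no _WITH_ part.
    return name.startswith("TLS_") and "_WITH_" not in name and not name.endswith("_SCSV")

def diagnose(log, remote_suites):
    """Compare what the client log enables with what the remote accepts."""
    protocols, suites = enabled(log, "protocols"), enabled(log, "cipher suites")
    return {
        # Suites both sides could negotiate; empty means handshake_failure.
        "common": [s for s in remote_suites if s in suites],
        # Remote TLS 1.3 suites the client cannot use because TLSv1.3 is not enabled.
        "needs_tls13": [s for s in remote_suites
                        if is_tls13_suite(s) and "TLSv1.3" not in protocols],
        # Key-exchange families the remote uses that the client never offers.
        "missing_kx": sorted(set(key_exchanges(remote_suites)) - set(key_exchanges(suites))),
    }

if __name__ == "__main__":
    print(key_exchanges(enabled(LOG, "cipher suites")))
    print(diagnose(LOG, REMOTE))
```

An empty "common" list means the client and remote share no suite, which is the condition that produces a handshake_failure alert.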