With a Java 6 or 7 Application and HTTPS configured for the vFunction Server, the Agent throws a handshake_failure SSL Exception
Overview of the Issue
This issue occurs in the following circumstances:
- An organization installs the vFunction Server with an SSL Certificate and uses HTTPS for communication
- The organization installs the vFunction Agent on an Application that runs Java 6 or Java 7
- Unexpectedly, when the Application comes up, an exception is thrown because the Agent cannot connect to the vFunction Server due to an SSL Exception
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
- The organization enables SSL debugging on the Application
-Djavax.net.debug=ssl
- Unexpectedly, the vFunction Agent throws an exception about an incompatibility in the available Cipher Suites between the Java 6 or Java 7 Application and the vFunction Server
INFO: Could not load Java7 `java.nio.file.Path` class: ignoring
trigger seeding of SecureRandom
done seeding SecureRandom
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie: GMT: 11111111 bytes = { 11, 11, 11, 11, 11, 11, 11 }
Session ID: {}
Cipher Suites: [TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension extended_master_secret
Extension server_name, server_name: [host_name: vfunction.organization.com]
***
main, WRITE: TLSv1.2 Handshake, length = 141
main, READ: TLSv1.2 Alert, length = 2
main, RECV TLSv1.2 ALERT: fatal, handshake_failure
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Disable tracking mode (num weak refs:3) started at Fri Jul 25 13:21:42 2025
Remove tags (num weak refs:3) started at Fri Jul 25 13:21:42 2025
Remove tags (num weak refs:3) finished at Fri Jul 25 13:21:42 2025
set tracking mode finished (num weak refs:3) at Fri Jul 25 13:21:42 2025
Steps to Work Around the Issue
Take the following steps to work around this issue. Note that this is not the preferred path, because it adds a less-secure Cipher Suite to the ones the vFunction Server accepts:
- SSH to the Linux VM running the vFunction Server
- Connect to the vfunction-nginx Docker Container
docker exec -it vfunction-nginx /bin/bash
- Edit the nginx.conf
vi /etc/nginx/nginx.conf
/ssl_ciphers
### Before
ssl_ciphers !aNULL:!eNULL:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
### After
ssl_ciphers !aNULL:!eNULL:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:TLS_RSA_WITH_AES_256_CBC_SHA256;
- Save and close the file
- Reload the Nginx Service
nginx -s reload
- Exit the vfunction-nginx Docker Container
- Confirm that the Runtime Agents show as Status: Up in the vFunction Server UI and that the SSL Handshake errors are gone from the Application’s logging
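
Before adding a suite to ssl_ciphers, it helps to confirm from the Application's -Djavax.net.debug=ssl output which suites the JVM actually sends. The script below is an added example, not vFunction tooling: its function names are made up here, and its sample log is abridged from the output shown above.

```shell
#!/bin/sh
# Added example: triage javax.net.debug=ssl output for a cipher-suite mismatch.
export LC_ALL=C   # stable sort order for the summary

# Sample input, abridged from the debug output shown above.
sample_log() {
cat <<'EOF'
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
*** ClientHello, TLSv1.2
Cipher Suites: [TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
main, RECV TLSv1.2 ALERT: fatal, handshake_failure
EOF
}

# One offered suite per line, from the ClientHello "Cipher Suites: [...]" line.
# The renegotiation SCSV is a signalling value, not a real suite, so drop it.
offered_suites() {
  sed -n 's/^Cipher Suites: \[\(.*\)]$/\1/p' | tr ',' '\n' |
    sed 's/^ *//' | grep -v '_SCSV$'
}

# Offered suites counted per key exchange (the token between TLS_ and _WITH_).
kx_summary() {
  offered_suites | sed -n 's/^TLS_\(.*\)_WITH_.*$/\1/p' |
    sort | uniq -c | awk '{print $2 "=" $1}' | paste -sd' ' -
}

# Suites the JVM itself dropped before it built the ClientHello.
unavailable_suites() {
  sed -n 's/^Ignoring unavailable cipher suite: //p'
}

# Exit 0 if the client offers the named suite (JSSE/IANA name), else non-zero.
client_offers() {
  offered_suites | grep -qx "$1"
}

# Summarize a debug log read from stdin.
triage() {
  log=$(cat)
  printf 'offered by key exchange: %s\n' "$(printf '%s\n' "$log" | kx_summary)"
  printf 'dropped by JVM as unavailable: %s\n' "$(printf '%s\n' "$log" | unavailable_suites | wc -l | tr -d ' ')"
  printf '%s\n' "$log" | grep -q 'ALERT: fatal, handshake_failure' && echo 'server alert: handshake_failure'; return 0
}

sample_log | triage
```

On a real log, pipe the Application's captured debug output into `triage`, and use `client_offers` with the suite name you intend to enable to confirm the Agent's JVM sends it.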