Colm,

While I cannot do logging on the client side, I did some logging on the server side for this issue. I attached the portion of the log below.

The log shows that the client started with sending an SSLv2Hello handshake first (the client should have sent TLSv1Hello if it had read the server's capabilities properly). But anyway, the SSLv2Hello was rejected by the server, interestingly with a TLSv1.2 ALERT. In this case, the client only supports TLSv1.0 (not TLSv1.1 and TLSv1.2). I suspect the client had a problem in processing the TLSv1.2 ALERT and gave up. Does this make sense? If yes, what should be the proper way to reject SSLv2Hello? Apparently, that client could talk to an IIS using TLSv1.0 successfully.

Thank you very much for your help!

Using SSLEngineImpl.
2015-05-14 13:12:28,121 [qtp426435961-26 Selector0 ] DEBUG nio - created SCEP@62320e8{l(/165.122.232.248:57180)<->r(/166.50.179.97:443),s=0,open=true,ishut=false,oshut=false,rb=false,wb=false,w=true,i=0}-{SslConnection@658c6f68 SSL NOT_HANDSHAKING i/o/u=-1/-1/-1 ishut=false oshut=false {AsyncHttpConnection@3a4d68e6,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=-14,l=0,c=0},r=0}}
2015-05-14 13:12:28,121 [qtp426435961-27 ] DEBUG ssl - [Session-1, SSL_NULL_WITH_NULL_NULL] SslConnection@658c6f68 SSL NOT_HANDSHAKING i/o/u=73/0/0 ishut=false oshut=false {AsyncHttpConnection@3a4d68e6,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=-14,l=0,c=0},r=0} NOT_HANDSHAKING filled=73/73 flushed=0/0
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
qtp426435961-27, fatal error: 10: General SSLEngine problem
javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
qtp426435961-27, SEND TLSv1.2 ALERT: fatal, description = unexpected_message
qtp426435961-27, WRITE: TLSv1.2 Alert, length = 2
qtp426435961-27, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
2015-05-14 13:12:28,152 [qtp426435961-27 ] DEBUG ssl - SCEP@62320e8{l(/165.122.232.248:57180)<->r(/166.50.179.97:443),s=1,open=true,ishut=false,oshut=false,rb=false,wb=false,w=true,i=0r}-{SslConnection@658c6f68 SSL NEED_WRAP i/o/u=73/0/0 ishut=false oshut=false {AsyncHttpConnection@3a4d68e6,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=-14,l=0,c=0},r=0}}
javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
    at sun.security.ssl.InputRecord.handleUnknownRecord(Unknown Source)
    at sun.security.ssl.InputRecord.read(Unknown Source)
    at sun.security.ssl.EngineInputRecord.read(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source)
    at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
    at org.eclipse.jetty.io.nio.SslConnection.unwrap(SslConnection.java:536)
    at org.eclipse.jetty.io.nio.SslConnection.process(SslConnection.java:359)
    at org.eclipse.jetty.io.nio.SslConnection.access$900(SslConnection.java:48)
    at org.eclipse.jetty.io.nio.SslConnection$SslEndPoint.fill(SslConnection.java:678)
    at org.eclipse.jetty.http.HttpParser.fill(HttpParser.java:1044)
    at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:280)
    at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
    at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
    at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:196)
    at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
    at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
    at java.lang.Thread.run(Unknown Source)
2015-05-14 13:12:28,152 [qtp426435961-27 ] DEBUG ChannelEndPoint - close SCEP@62320e8{l(/165.122.232.248:57180)<->r(/166.50.179.97:443),s=1,open=true,ishut=false,oshut=false,rb=false,wb=false,w=true,i=0!}-{SslConnection@658c6f68 SSL NEED_WRAP i/o/u=73/0/0 ishut=false oshut=false {AsyncHttpConnection@3a4d68e6,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=-14,l=0,c=0},r=0}}
2015-05-14 13:12:28,152 [qtp426435961-27 ] DEBUG HttpParser - javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
    at sun.security.ssl.InputRecord.handleUnknownRecord(Unknown Source)
    at sun.security.ssl.InputRecord.read(Unknown Source)
    at sun.security.ssl.EngineInputRecord.read(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source)
    at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
    at org.eclipse.jetty.io.nio.SslConnection.unwrap(SslConnection.java:536)
    at org.eclipse.jetty.io.nio.SslConnection.process(SslConnection.java:359)
    at org.eclipse.jetty.io.nio.SslConnection.access$900(SslConnection.java:48)
    at org.eclipse.jetty.io.nio.SslConnection$SslEndPoint.fill(SslConnection.java:678)
    at org.eclipse.jetty.http.HttpParser.fill(HttpParser.java:1044)
    at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:280)
    at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
    at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
    at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:196)
    at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
    at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
    at java.lang.Thread.run(Unknown Source)
2015-05-14 13:12:28,152 [qtp426435961-27 ] DEBUG HttpParser - HttpParser{s=-14,l=0,c=0}
org.eclipse.jetty.io.EofException
    at org.eclipse.jetty.http.HttpParser.fill(HttpParser.java:1050)
    at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:280)
    at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
    at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
    at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:196)
    at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
    at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
    at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
    at sun.security.ssl.InputRecord.handleUnknownRecord(Unknown Source)
    at sun.security.ssl.InputRecord.read(Unknown Source)
    at sun.security.ssl.EngineInputRecord.read(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source)
    at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
    at org.eclipse.jetty.io.nio.SslConnection.unwrap(SslConnection.java:536)
    at org.eclipse.jetty.io.nio.SslConnection.process(SslConnection.java:359)
    at org.eclipse.jetty.io.nio.SslConnection.access$900(SslConnection.java:48)
    at org.eclipse.jetty.io.nio.SslConnection$SslEndPoint.fill(SslConnection.java:678)
    at org.eclipse.jetty.http.HttpParser.fill(HttpParser.java:1044)
    ... 9 more
2015-05-14 13:12:28,152 [qtp426435961-27 ] DEBUG AsyncHttpConnection - Disabled read interest while writing response SSL NEED_WRAP i/o/u=73/0/0 ishut=false oshut=false {AsyncHttpConnection@3a4d68e6,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=0,l=0,c=0},r=0}
2015-05-14 13:12:28,152 [qtp426435961-27 ] DEBUG nio - EOF
org.eclipse.jetty.io.EofException
    at org.eclipse.jetty.http.HttpParser.fill(HttpParser.java:1050)
    at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:280)
    at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
    at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
    at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:196)
    at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
    at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
    at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
    at sun.security.ssl.InputRecord.handleUnknownRecord(Unknown Source)
    at sun.security.ssl.InputRecord.read(Unknown Source)
    at sun.security.ssl.EngineInputRecord.read(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source)
    at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
    at org.eclipse.jetty.io.nio.SslConnection.unwrap(SslConnection.java:536)
    at org.eclipse.jetty.io.nio.SslConnection.process(SslConnection.java:359)
    at org.eclipse.jetty.io.nio.SslConnection.access$900(SslConnection.java:48)
    at org.eclipse.jetty.io.nio.SslConnection$SslEndPoint.fill(SslConnection.java:678)
    at org.eclipse.jetty.http.HttpParser.fill(HttpParser.java:1044)
    ... 9 more
2015-05-14 13:12:28,152 [qtp426435961-27 ] DEBUG ChannelEndPoint - close SCEP@62320e8{l(/165.122.232.248:57180)<->r(0.0.0.0/0.0.0.0:443),s=1,open=false,ishut=true,oshut=true,rb=false,wb=false,w=true,i=0!}-{SslConnection@658c6f68 SSL NEED_WRAP i/o/u=73/0/0 ishut=false oshut=false {AsyncHttpConnection@3a4d68e6,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=0,l=0,c=0},r=0}}
2015-05-14 13:12:28,152 [qtp426435961-26 Selector0 ] DEBUG nio - destroyEndPoint SCEP@62320e8{l(null)<->r(0.0.0.0/0.0.0.0:443),s=0,open=false,ishut=true,oshut=true,rb=false,wb=false,w=true,i=0!}-{SslConnection@658c6f68 SSL NEED_WRAP i/o/u=73/0/0 ishut=false oshut=false {AsyncHttpConnection@3a4d68e6,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=0,l=0,c=0},r=0}}
2015-05-14 13:12:28,152 [qtp426435961-26 Selector0 ] DEBUG AbstractHttpConnection - closed AsyncHttpConnection@3a4d68e6,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=0,l=0,c=0},r=0

--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-3-0-4-server-cannot-receive-message-from-TLS1-0-client-tp5756863p5757267.html
Sent from the cxf-user mailing list archive at Nabble.com.
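
The log above turns on the difference between an SSLv2-format ClientHello (what JSSE calls SSLv2Hello) and a ClientHello carried in a TLS record. The following is an added example, not part of the original message and not code from CXF, Jetty or the JDK: it classifies the first bytes of a connection by wire format and reports the version the client offers. The function names and sample messages are constructed for illustration.

```python
import struct

# (major, minor) pairs as they appear on the wire.
VERSIONS = {(2, 0): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1",
            (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

def classify_client_hello(data: bytes) -> dict:
    """Classify the first bytes a TLS server reads on a new connection."""
    if len(data) < 11:
        return {"format": "incomplete"}
    # SSLv2-format hello: 2-byte header with the high bit set, msg_type 1,
    # then the highest version offered and three 2-byte length fields.
    if data[0] & 0x80 and data[2] == 0x01:
        declared = ((data[0] & 0x7F) << 8) | data[1]
        spec_len, sid_len, chal_len = struct.unpack(">HHH", data[5:11])
        ok = spec_len % 3 == 0 and declared == 9 + spec_len + sid_len + chal_len
        return {"format": "SSLv2Hello" if ok else "malformed",
                "offered": VERSIONS.get((data[3], data[4]), "unknown"),
                "cipher_specs": spec_len // 3}
    # TLS record: type 22 (handshake), record version, 2-byte length, then
    # handshake type 1 (ClientHello), 3-byte length, client_version.
    if data[0] == 0x16 and data[1] == 0x03:
        if data[5] != 0x01:
            return {"format": "malformed"}
        return {"format": "TLS record",
                "offered": VERSIONS.get((data[9], data[10]), "unknown")}
    return {"format": "not a ClientHello"}

def build_v2_hello(version=(3, 1), suites=(0x002F, 0x000A)) -> bytes:
    """Constructed sample: SSLv2-format hello offering TLS cipher suites."""
    specs = b"".join(b"\x00" + struct.pack(">H", s) for s in suites)
    challenge = bytes(range(16))  # fixed filler, not real randomness
    body = (b"\x01" + bytes(version)
            + struct.pack(">HHH", len(specs), 0, len(challenge))
            + specs + challenge)
    return struct.pack(">H", 0x8000 | len(body)) + body

def build_tls_hello(version=(3, 1)) -> bytes:
    """Constructed sample: minimal ClientHello inside a TLS record."""
    hs_body = (bytes(version) + bytes(32) + b"\x00"   # version, random, sid
               + b"\x00\x02\x00\x2f" + b"\x01\x00")  # one suite, null compression
    hs = b"\x01" + len(hs_body).to_bytes(3, "big") + hs_body
    return b"\x16" + bytes(version) + struct.pack(">H", len(hs)) + hs

if __name__ == "__main__":
    for sample in (build_v2_hello(), build_tls_hello(), b"GET / HTTP/1.1\r\n"):
        print(classify_client_hello(sample))
```

A client that offers TLSv1 inside the SSLv2 framing is reported as `SSLv2Hello` with `offered` set to `TLSv1`: the framing and the offered protocol version are separate properties of the first message.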