What are the reasons behind “handshake_failure at

Posted 2019-08-27 04:39

I'm mostly creating this page to troubleshoot this issue, but also because Google returns 0 results for this quoted error in the title.

A backend client of my legacy Tomcat7 webapp recently updated their SSL certificate to TLS1.2 and now my production systems can't connect. This code base is 5 years old and MASSIVE. I cannot simply upgrade to JDK 1.8 without major surgery.

In my Mac OSX IntelliJ IDE I use 1.7.0_u141 and it works fine: it can connect to the client and data is returned! BUT using 1.7.0_79 in my IDE, I am able to reproduce the error and debug into the Java code that tries to perform the SSL handshake.

I have tried updating the CentOS 6.6 server to use 1.7.0_131 (same error). I found 1.7.0_151b32 on "the internet" (i.e. not from Oracle, but it looks legit) and tried it on a non-prod server with this issue; I still get the SSLHandshakeException (data masked and changed so security won't yell at me):

com.twitter.finagle.SslHandshakeException: Received fatal alert: handshake_failure at remote address: client.example.com/##.##.##.##:443,DefaultHttpRequest(chunked: false)
GET /BClass/LocationStatusLookup?id=################### HTTP/1.1
Host: client.example.com
Accept-Encoding: gzip, deflate
,Some(com.twitter.finagle.ChannelWriteException: com.twitter.finagle.SslHandshakeException: Received fatal alert: handshake_failure at remote address: client.example.com/##.##.##.##:443))

I tried passing these arguments to Tomcat7's setenv.sh:

-Dhttps.protocols="TLSv1,TLSv1.1,TLSv1.2" 
-Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2"

No difference yet.

I also tried downloading the cert in a browser, converting it to X.509 using openssl, and importing it into my JKS (Java keystore).

Anything else I can do?
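An added diagnostic, not part of the original post and not Finagle's or Tomcat's own code. Two facts behind it: -Dhttps.protocols is read only by HttpsURLConnection, so a Netty/Finagle client that builds its own SSLEngine never sees it; and on Java 7, TLS 1.1 and 1.2 are supported but not enabled by default for client-side sockets, and Java 7 has no AES-GCM cipher suites at all. The probe below forces one TLS version per attempt against the target and prints what that JDK offered and what the server picked, so a handshake_failure can be pinned to a version or to the cipher suite list. Run it with the exact JDK Tomcat uses; the host and port are placeholders to be replaced on the command line.

```java
import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Stand-alone TLS handshake probe (added example, Java 7 compatible).
 * For each version it builds an SSLContext, restricts the socket to that
 * single version and attempts a handshake, reporting offered suites and
 * the negotiated result. Usage:  java TlsProbe client.example.com 443
 */
public class TlsProbe {

    public static void main(String[] args) throws Exception {
        // Hypothetical defaults; pass the real backend host and port as arguments.
        String host = args.length > 0 ? args[0] : "client.example.com";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;

        for (String version : new String[] {"TLSv1", "TLSv1.1", "TLSv1.2"}) {
            probe(host, port, version);
        }
    }

    static void probe(String host, int port, String version) throws Exception {
        SSLContext ctx;
        try {
            ctx = SSLContext.getInstance(version);
        } catch (NoSuchAlgorithmException e) {
            System.out.println(version + ": not supported by this JDK");
            return;
        }
        ctx.init(null, null, null); // default key and trust managers (the JDK cacerts)
        SSLSocketFactory factory = ctx.getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        try {
            // Force exactly one version so a failure can be attributed to it.
            socket.setEnabledProtocols(new String[] {version});
            String[] suites = socket.getEnabledCipherSuites();
            System.out.println(version + ": offering " + suites.length
                    + " cipher suites " + Arrays.toString(suites));
            socket.startHandshake();
            System.out.println(version + ": OK, server chose "
                    + socket.getSession().getProtocol() + " / "
                    + socket.getSession().getCipherSuite());
        } catch (SSLHandshakeException e) {
            // "Received fatal alert: handshake_failure" here means the server
            // rejected this version or every suite this JDK offered for it.
            System.out.println(version + ": FAILED - " + e.getMessage());
        } catch (IOException e) {
            System.out.println(version + ": I/O error - " + e.getMessage());
        } finally {
            socket.close();
        }
    }
}
```

If TLSv1.2 succeeds here but the Finagle client still fails, the version is being negotiated correctly and the difference lies in which protocols and suites the SSLEngine Finagle builds has enabled; if TLSv1.2 fails with the same alert, compare the printed suite list with what the server accepts (for example with openssl s_client -tls1_2), since a server that only accepts ECDHE/GCM suites cannot be reached by any Java 7 client regardless of JVM flags.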

0 answers