Which MAVEN versions are affected by maven:SSL_HANDSHAKE_FAILURE?

All supported Apache Maven versions (depends mostly on the Java runtime and network).

How can I manually validate maven:SSL_HANDSHAKE_FAILURE?

Confirm which Java runtime Maven is using: `mvn -v` (Java version and vendor matter). Confirm the failing repository host and URL from the build output (use `mvn -X` if necessary). If you are on a corporate network, determine whether HTTPS is intercepted (corporate CA required) or whether a proxy is required.

How do I prevent maven:SSL_HANDSHAKE_FAILURE in CI?

Standardize Java runtimes for builds and keep them updated. Distribute corporate CAs and proxy configuration to developer machines and CI runners. Prefer an internal repository manager to shield builds from external TLS and proxy variability.

RepoFlow | SSLHandshakeException: Received fatal alert: handshake

What This Error Means

The JVM running Maven could not complete the TLS handshake with the repository, so Maven cannot download artifacts over HTTPS.

How to Fix It

Upgrade the Java runtime used by Maven (often the most reliable fix) and retry.
If you're behind a corporate TLS proxy, import the corporate root CA into the trust store used by the Java runtime that mvn -v reports (or configure a dedicated trust store via MAVEN_OPTS).
If you control the repository, fix TLS configuration (serve a complete certificate chain and modern TLS settings).
Retry the Maven command and compare results between networks (office/VPN vs hotspot) to isolate proxy interception.

Why It Happens

Your Java runtime is too old for the repository's TLS requirements (for example, TLS 1.2+ only).
A corporate proxy/VPN intercepts HTTPS and presents certificates that your JVM does not trust.
The repository server is misconfigured (incomplete certificate chain or unsupported cipher suite).
System time is wrong, causing certificate validity checks to fail.

How to Verify

Re-run the original Maven goal and confirm artifact downloads succeed without SSLHandshakeException.
Confirm Maven can download at least one artifact from the previously failing host.

Manual TLS and Java runtime checks

Confirm which Java runtime Maven is using: mvn -v (Java version and vendor matter).
Confirm the failing repository host and URL from the build output (use mvn -X if necessary).
If you are on a corporate network, determine whether HTTPS is intercepted (corporate CA required) or whether a proxy is required.

Common CLI Output

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake

Why TLS handshakes fail in Maven

Maven relies on the Java runtime's TLS implementation to connect to HTTPS repositories.
Handshake failures can be caused by incompatible TLS versions/ciphers, missing trusted CAs, proxies intercepting HTTPS, or server-side TLS misconfiguration.
This is different from a 401/403: the connection fails before Maven can authenticate or download metadata.

Prevention Tips

Standardize Java runtimes for builds and keep them updated.
Distribute corporate CAs and proxy configuration to developer machines and CI runners.
Prefer an internal repository manager to shield builds from external TLS and proxy variability.

Where This Can Be Triggered

github.com/apache/maven/blob/maven-3.9.6/maven-core/src/main/java/org/apache/maven/project/DefaultProjectDependenciesResolver.java

TLS handshake failures bubble up as a transfer failure message from the underlying resolver/wagon layer and are included in Maven's dependency resolution exception (e.getMessage()). - GitHub

String msg = "Could not resolve dependencies for project " + project.getId() + ": " + e.getMessage();
DependencyResolutionException dex = new DependencyResolutionException(msg, e);
dex.setResult(e.getResult());
throw dex;