
How to troubleshoot javax.net.ssl.SSLException: Received fatal alert: handshake_failure

Publication date: Oct 16, 2024
Solution

SYMPTOM

When trying to consume an SSL endpoint with the HTTP Requester using a TLS context, you see the following error:

Root Exception stack trace:
javax.net.ssl.SSLException: Received fatal alert: handshake_failure
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
	at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1647)
	at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1615)


CAUSE

This error indicates that the SSL handshake failed. Usually the cause is that the protocol version and/or the cipher suites proposed by the client are not supported by the service you are trying to consume.
You can verify this by enabling SSL debug logging; see: How to enable SSL debug logging in MuleSoft Products
In the SSL debug log you will see the client sending a ClientHello with its TLS version (TLSv1.2 in the example) and the cipher suites it supports, but you never receive a ServerHello in which the server selects one of those cipher suites.

*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1540703219 bytes = { 236, 187, 154, 87, 41, 72, 226, 59, 44, 178, 16, 175, 159, 193, 47, 58, 245, 244, 240, 145, 135, 108, 196, 71, 237, 58, 231, 0 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA]
Compression Methods:  { 0 }


SOLUTION

Verify that the remote service supports the same protocol version and at least one of the cipher suites listed in the ClientHello message.
You can use any of the following tools for this:

You can use openssl to connect to the server and see which TLS versions it accepts (note that recent OpenSSL releases disable TLS 1.0 and 1.1 at their default security level, so a failure with -tls1 or -tls1_1 may come from your own client rather than from the server):

openssl s_client -connect <IP>:<PORT> -tls1_2 
openssl s_client -connect <IP>:<PORT> -tls1_1 
openssl s_client -connect <IP>:<PORT> -tls1 


or you can use the cURL command as follows (-k skips certificate verification and is acceptable only for this diagnostic step):

curl -vvvv -k https://<IP>:<PORT>


or you can use the nmap tool with the ssl-enum-ciphers script to list the protocols and cipher suites the server supports:

https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html



Once you have identified the protocols and cipher suites supported by the service, adjust the ones enabled on the HTTP Requester through its TLS configuration so that both sides share a protocol version and at least one cipher suite and the handshake can succeed.
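The comparison described above can be automated. The following Python script is an added example, not part of this article or of any MuleSoft product: it parses the ClientHello lines from a JSSE SSL debug log (the format shown in the CAUSE section), parses the protocol/cipher list from nmap ssl-enum-ciphers output, and reports the cipher suites the two sides share for the offered protocol. An empty intersection is exactly the condition that produces handshake_failure. Both inputs below are constructed samples; the hypothetical server accepts only TLSv1.2 with AES-GCM suites, which the sample client never offers. The helper that emits a comma-separated list for the HTTP Requester's TLS context assumes the Mule 4 enabledCipherSuites attribute takes that form.

```python
"""Explain a handshake_failure by comparing what the client offered in its
ClientHello with what the server supports (as enumerated by nmap)."""
import re

# Constructed excerpt of a JSSE SSL debug log, modelled on the article's ClientHello.
CLIENT_HELLO_LOG = """\
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1540703219 bytes = { 236, 187 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA]
Compression Methods:  { 0 }
"""

# Constructed nmap ssl-enum-ciphers style output for a hypothetical server
# that only accepts TLSv1.2 with AES-GCM cipher suites.
NMAP_OUTPUT = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     compressors:
|       NULL
|_  least strength: A
"""

PROTOCOL_RE = re.compile(r"^(SSLv3|TLSv1(?:\.\d)?):$")
CIPHER_RE = re.compile(r"^(TLS_[A-Z0-9_]+)")


def parse_client_hello(log):
    """Return (protocol, [cipher suites]) from the ClientHello in a JSSE debug log."""
    proto = re.search(r"\*\*\* ClientHello, (TLSv1(?:\.\d)?|SSLv3)", log)
    suites = re.search(r"Cipher Suites: \[([^\]]*)\]", log)
    if not proto or not suites:
        raise ValueError("no ClientHello with a Cipher Suites list found in log")
    return proto.group(1), [s.strip() for s in suites.group(1).split(",") if s.strip()]


def parse_nmap_ciphers(output):
    """Return {protocol: [cipher suites]} from ssl-enum-ciphers output."""
    supported = {}
    current = None
    for line in output.splitlines():
        body = line.lstrip("|_ ").rstrip()   # drop nmap's '|' / '|_' gutter
        m = PROTOCOL_RE.match(body)
        if m:                                 # e.g. "TLSv1.2:" opens a protocol section
            current = m.group(1)
            supported.setdefault(current, [])
            continue
        m = CIPHER_RE.match(body)
        if m and current is not None:         # cipher line under the current protocol
            supported[current].append(m.group(1))
    return supported


def compatible(protocol, client_suites, server_support):
    """Cipher suites both sides accept for `protocol`; empty means handshake_failure."""
    return [s for s in client_suites if s in server_support.get(protocol, [])]


def diagnose(log, nmap_output):
    """Summarise why (or whether) the handshake can succeed."""
    protocol, client_suites = parse_client_hello(log)
    server = parse_nmap_ciphers(nmap_output)
    shared = compatible(protocol, client_suites, server)
    if protocol not in server:
        reason = f"server does not support {protocol}; it offers {', '.join(server) or 'nothing'}"
    elif not shared:
        reason = f"no common cipher suite for {protocol}"
    else:
        reason = "ok"
    return {"protocol": protocol, "shared": shared, "reason": reason}


def mule_enabled_cipher_suites(shared):
    """Comma-separated list for the TLS context (assumption: Mule 4's
    enabledCipherSuites attribute accepts this form)."""
    return ",".join(shared)


if __name__ == "__main__":
    result = diagnose(CLIENT_HELLO_LOG, NMAP_OUTPUT)
    print(f"{result['protocol']}: {result['reason']}")
    if result["shared"]:
        print("enabledCipherSuites=" + mule_enabled_cipher_suites(result["shared"]))
```

Run it against your own debug log and nmap output by replacing the two constructed strings (or reading them from files); when the shared list is empty, the reason line tells you whether to enable a different protocol version or add a cipher suite the server accepts.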

More information about the TLS Configuration in Mule 3: 

https://docs.mulesoft.com/mule-runtime/3.9/tls-configuration#protocol-cipher-suite-behavior

https://docs.mulesoft.com/mule-runtime/latest/tls-configuration#optional-attributes-of-the-tls-context-element

More information about the TLS Configuration in Mule 4: 

https://docs.mulesoft.com/mule-runtime/latest/tls-configuration#optional-attributes-of-the-tls-context-element
https://docs.mulesoft.com/mule-runtime/latest/tls-configuration#optional-specify-protocols-and-cipher-suites
https://docs.mulesoft.com/mule-runtime/latest/tls-configuration#example-adding-additional-cipher-suites-and-protocol-restrictions


Knowledge Article Number

001123418

Salesforce Help | Article