There are 3 conditions to start the handshake on an SSLSocket:

• calling startHandshake which explicitly begins handshakes, or
• any attempt to read or write application data on this socket causes an implicit handshake, or
• a call to getSession tries to set up a session if there is no currently valid session, and an implicit handshake is done.

Any handshake failure will generate an exception (including when the certificate isn’t trusted):

If handshaking fails for any reason, the SSLSocket is closed, and no
futher communications can be done.

Often, calling startHandshake() explicitly when establishing the connection is unnecessary, since the handshake is initiated when you start reading from the inputstream (or writing to the outputstream). Any failure there would cause an exception and stop the normal control flow. You don’t need to register explicitly to capture the completion of the handshake in those cases: if you can read/write from the streams, it’s done.

The notification of handshake completion is mostly useful if you’re a server asking for re-negotiation (by calling startHandshake() after some application data has been exchanged). In this case, you may want to wait for that handshake to have completed before proceeding. For example, if the server requests a client-certificate after receiving an HTTP request for a particular path, it may want to wait for the handshake to complete successfully to be able to authorise the client-certificate, before sending the response. This is because startHandshake() doesn’t stop the flow of application data:

If data has already been sent on the connection, it continues to flow
during this handshake.