We Keep Coding

Cannot route from a http request to a https request using the spring cloud gateway

I want to route all http requests to a https service using the spring cloud gateway but always receive a handshake_failure.
Routing everything to https://google.com for example works, but to my own service with its private certificate, created and signed by my own private CA, it does not, although I provided the matching truststore via -Djavax.net.ssl.trustStore and set useInsecureTrustManager: true. So what is wrong here?
My spring cloud gateway config:
server:
port: ${PORT:8081}
spring:
application:
name: gateway-service
cloud:
gateway:
httpclient:
ssl:
useInsecureTrustManager: true
routes:
- id: after_route
uri: https://my.server:2900/server/ping
predicates:
- After=2017-01-20T17:42:47.789-07:00[America/Denver]
And the log out put with -Djavax.net.debug=all:
2019-07-30 14:14:27.206 INFO 8257 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.cloud.autoconfigure.ConfigurationPropertiesRebinderAutoConfiguration' of type [org.springframework.cloud.autoconfigure.ConfigurationPropertiesRebinderAutoConfiguration$$EnhancerBySpringCGLIB$$ddc24342] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
. ____ _ __ _ _
/\\ / ___'_ __ _ _(_)_ __ __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
\\/ ___)| |_)| | | | | || (_| | ) ) ) )
' |____| .__|_| |_|_| |_\__, | / / / /
=========|_|==============|___/=/_/_/_/
:: Spring Boot :: (v2.1.6.RELEASE)
2019-07-30 14:14:27.315 INFO 8257 --- [ main] com.tobias.gateway.Gateway : No active profile set, falling back to default profiles: default
2019-07-30 14:14:27.704 INFO 8257 --- [ main] o.s.cloud.context.scope.GenericScope : BeanFactory id=90eb380c-f88b-3401-b688-6ef3ead8e5f1
2019-07-30 14:14:27.724 INFO 8257 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.cloud.autoconfigure.ConfigurationPropertiesRebinderAutoConfiguration' of type [org.springframework.cloud.autoconfigure.ConfigurationPropertiesRebinderAutoConfiguration$$EnhancerBySpringCGLIB$$ddc24342] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
javax.net.ssl|DEBUG|01|main|2019-07-30 14:14:27.950 CEST|SSLContextImpl.java:427|System property jdk.tls.client.cipherSuites is set to 'null'
javax.net.ssl|DEBUG|01|main|2019-07-30 14:14:27.953 CEST|SSLContextImpl.java:427|System property jdk.tls.server.cipherSuites is set to 'null'
javax.net.ssl|DEBUG|01|main|2019-07-30 14:14:27.974 CEST|SSLCipher.java:437|jdk.tls.keyLimits: entry = AES/GCM/NoPadding KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472
javax.net.ssl|DEBUG|01|main|2019-07-30 14:14:27.984 CEST|SSLContextImpl.java:401|Ignore disabled cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|01|main|2019-07-30 14:14:27.984 CEST|SSLContextImpl.java:410|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
...
... Lots of other ignored cipher suites
...
javax.net.ssl|DEBUG|01|main|2019-07-30 14:14:28.009 CEST|TrustStoreManager.java:112|trustStore is: truststore.jks
trustStore type is: pkcs12
trustStore provider is:
the last modified time is: Wed Apr 10 10:36:03 CEST 2019
javax.net.ssl|DEBUG|01|main|2019-07-30 14:14:28.009 CEST|TrustStoreManager.java:311|Reload the trust store
javax.net.ssl|DEBUG|01|main|2019-07-30 14:14:28.022 CEST|TrustStoreManager.java:318|Reload trust certs
javax.net.ssl|DEBUG|01|main|2019-07-30 14:14:28.022 CEST|TrustStoreManager.java:323|Reloaded 1 trust certs
javax.net.ssl|DEBUG|01|main|2019-07-30 14:14:28.026 CEST|X509TrustManagerImpl.java:79|adding as trusted certificates (
"certificate" : {
"version" : "v3",
"serial number" : "00 E0 97 A2 3A FB A3 C1 44",
"signature algorithm": "SHA256withRSA",
"issuer" : "EMAILADDRESS=my#e.mail, CN=My Root Certificate Authority, OU=My OU, O=Me, L=Hamburg, ST=Hamburg, C=DE",
"not before" : "2018-10-05 13:38:39.000 CEST",
"not after" : "2023-10-04 13:38:39.000 CEST",
"subject" : "EMAILADDRESS=my#e.mail, CN=My Root Certificate Authority, OU=My OU, O=Me, L=Hamburg, ST=Hamburg, C=DE",
"subject public key" : "RSA",
"extensions" : [
{
ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 87 FB AB 07 09 69 28 5C 53 05 29 49 44 B1 5C C7 .....i(\S.)ID.\.
0010: E2 A3 54 22 ..T"
]
]
},
{
ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
},
{
ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
},
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 87 FB AB 07 09 69 28 5C 53 05 29 49 44 B1 5C C7 .....i(\S.)ID.\.
0010: E2 A3 54 22 ..T"
]
]
}
]}
)
javax.net.ssl|ALL|01|main|2019-07-30 14:14:28.026 CEST|SSLContextImpl.java:115|trigger seeding of SecureRandom
javax.net.ssl|ALL|01|main|2019-07-30 14:14:28.026 CEST|SSLContextImpl.java:119|done seeding of SecureRandom
javax.net.ssl|DEBUG|01|main|2019-07-30 14:14:28.040 CEST|TrustStoreManager.java:112|trustStore is: truststore.jks
trustStore type is: pkcs12
trustStore provider is:
the last modified time is: Wed Apr 10 10:36:03 CEST 2019
javax.net.ssl|DEBUG|01|main|2019-07-30 14:14:28.041 CEST|X509TrustManagerImpl.java:79|adding as trusted certificates (
"certificate" : {
"version" : "v3",
"serial number" : "00 E0 97 A2 3A FB A3 C1 44",
"signature algorithm": "SHA256withRSA",
"issuer" : "EMAILADDRESS=my#e.mail, CN=My Root Certificate Authority, OU=My OU, O=Me, L=Hamburg, ST=Hamburg, C=DE",
"not before" : "2018-10-05 13:38:39.000 CEST",
"not after" : "2023-10-04 13:38:39.000 CEST",
"subject" : "EMAILADDRESS=my#e.mail, CN=My Root Certificate Authority, OU=My OU, O=Me, L=Hamburg, ST=Hamburg, C=DE",
"subject public key" : "RSA",
"extensions" : [
{
ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 87 FB AB 07 09 69 28 5C 53 05 29 49 44 B1 5C C7 .....i(\S.)ID.\.
0010: E2 A3 54 22 ..T"
]
]
},
{
ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
},
{
ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
},
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 87 FB AB 07 09 69 28 5C 53 05 29 49 44 B1 5C C7 .....i(\S.)ID.\.
0010: E2 A3 54 22 ..T"
]
]
}
]}
)
javax.net.ssl|ALL|01|main|2019-07-30 14:14:28.041 CEST|SSLContextImpl.java:115|trigger seeding of SecureRandom
javax.net.ssl|ALL|01|main|2019-07-30 14:14:28.042 CEST|SSLContextImpl.java:119|done seeding of SecureRandom
javax.net.ssl|DEBUG|01|main|2019-07-30 14:14:28.048 CEST|TrustStoreManager.java:112|trustStore is: truststore.jks
trustStore type is: pkcs12
trustStore provider is:
the last modified time is: Wed Apr 10 10:36:03 CEST 2019
javax.net.ssl|DEBUG|01|main|2019-07-30 14:14:28.049 CEST|X509TrustManagerImpl.java:79|adding as trusted certificates (
"certificate" : {
"version" : "v3",
"serial number" : "00 E0 97 A2 3A FB A3 C1 44",
"signature algorithm": "SHA256withRSA",
"issuer" : "EMAILADDRESS=my#e.mail, CN=My Root Certificate Authority, OU=My OU, O=Me, L=Hamburg, ST=Hamburg, C=DE",
"not before" : "2018-10-05 13:38:39.000 CEST",
"not after" : "2023-10-04 13:38:39.000 CEST",
"subject" : "EMAILADDRESS=my#e.mail, CN=My Root Certificate Authority, OU=My OU, O=Me, L=Hamburg, ST=Hamburg, C=DE",
"subject public key" : "RSA",
"extensions" : [
{
ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 87 FB AB 07 09 69 28 5C 53 05 29 49 44 B1 5C C7 .....i(\S.)ID.\.
0010: E2 A3 54 22 ..T"
]
]
},
{
ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
},
{
ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
},
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 87 FB AB 07 09 69 28 5C 53 05 29 49 44 B1 5C C7 .....i(\S.)ID.\.
0010: E2 A3 54 22 ..T"
]
]
}
]}
)
javax.net.ssl|ALL|01|main|2019-07-30 14:14:28.049 CEST|SSLContextImpl.java:115|trigger seeding of SecureRandom
javax.net.ssl|ALL|01|main|2019-07-30 14:14:28.049 CEST|SSLContextImpl.java:119|done seeding of SecureRandom
javax.net.ssl|DEBUG|01|main|2019-07-30 14:14:28.055 CEST|TrustStoreManager.java:112|trustStore is: truststore.jks
trustStore type is: pkcs12
trustStore provider is:
the last modified time is: Wed Apr 10 10:36:03 CEST 2019
javax.net.ssl|DEBUG|01|main|2019-07-30 14:14:28.056 CEST|X509TrustManagerImpl.java:79|adding as trusted certificates (
"certificate" : {
"version" : "v3",
"serial number" : "00 E0 97 A2 3A FB A3 C1 44",
"signature algorithm": "SHA256withRSA",
"issuer" : "EMAILADDRESS=my#e.mail, CN=My Root Certificate Authority, OU=My OU, O=Me, L=Hamburg, ST=Hamburg, C=DE",
"not before" : "2018-10-05 13:38:39.000 CEST",
"not after" : "2023-10-04 13:38:39.000 CEST",
"subject" : "EMAILADDRESS=my#e.mail, CN=My Root Certificate Authority, OU=My OU, O=Me, L=Hamburg, ST=Hamburg, C=DE",
"subject public key" : "RSA",
"extensions" : [
{
ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 87 FB AB 07 09 69 28 5C 53 05 29 49 44 B1 5C C7 .....i(\S.)ID.\.
0010: E2 A3 54 22 ..T"
]
]
},
{
ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
},
{
ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
},
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 87 FB AB 07 09 69 28 5C 53 05 29 49 44 B1 5C C7 .....i(\S.)ID.\.
0010: E2 A3 54 22 ..T"
]
]
}
]}
)
javax.net.ssl|ALL|01|main|2019-07-30 14:14:28.056 CEST|SSLContextImpl.java:115|trigger seeding of SecureRandom
javax.net.ssl|ALL|01|main|2019-07-30 14:14:28.056 CEST|SSLContextImpl.java:119|done seeding of SecureRandom
javax.net.ssl|ALL|01|main|2019-07-30 14:14:28.068 CEST|SSLContextImpl.java:115|trigger seeding of SecureRandom
javax.net.ssl|ALL|01|main|2019-07-30 14:14:28.068 CEST|SSLContextImpl.java:119|done seeding of SecureRandom
2019-07-30 14:14:28.408 INFO 8257 --- [ main] o.s.c.g.r.RouteDefinitionRouteLocator : Loaded RoutePredicateFactory [After]
2019-07-30 14:14:28.408 INFO 8257 --- [ main] o.s.c.g.r.RouteDefinitionRouteLocator : Loaded RoutePredicateFactory [Before]
2019-07-30 14:14:28.408 INFO 8257 --- [ main] o.s.c.g.r.RouteDefinitionRouteLocator : Loaded RoutePredicateFactory [Between]
2019-07-30 14:14:28.408 INFO 8257 --- [ main] o.s.c.g.r.RouteDefinitionRouteLocator : Loaded RoutePredicateFactory [Cookie]
2019-07-30 14:14:28.408 INFO 8257 --- [ main] o.s.c.g.r.RouteDefinitionRouteLocator : Loaded RoutePredicateFactory [Header]
2019-07-30 14:14:28.408 INFO 8257 --- [ main] o.s.c.g.r.RouteDefinitionRouteLocator : Loaded RoutePredicateFactory [Host]
2019-07-30 14:14:28.408 INFO 8257 --- [ main] o.s.c.g.r.RouteDefinitionRouteLocator : Loaded RoutePredicateFactory [Method]
2019-07-30 14:14:28.408 INFO 8257 --- [ main] o.s.c.g.r.RouteDefinitionRouteLocator : Loaded RoutePredicateFactory [Path]
2019-07-30 14:14:28.408 INFO 8257 --- [ main] o.s.c.g.r.RouteDefinitionRouteLocator : Loaded RoutePredicateFactory [Query]
2019-07-30 14:14:28.408 INFO 8257 --- [ main] o.s.c.g.r.RouteDefinitionRouteLocator : Loaded RoutePredicateFactory [ReadBodyPredicateFactory]
2019-07-30 14:14:28.408 INFO 8257 --- [ main] o.s.c.g.r.RouteDefinitionRouteLocator : Loaded RoutePredicateFactory [RemoteAddr]
2019-07-30 14:14:28.408 INFO 8257 --- [ main] o.s.c.g.r.RouteDefinitionRouteLocator : Loaded RoutePredicateFactory [Weight]
2019-07-30 14:14:28.408 INFO 8257 --- [ main] o.s.c.g.r.RouteDefinitionRouteLocator : Loaded RoutePredicateFactory [CloudFoundryRouteService]
2019-07-30 14:14:28.828 INFO 8257 --- [ main] o.s.b.web.embedded.netty.NettyWebServer : Netty started on port(s): 8081
2019-07-30 14:14:28.832 INFO 8257 --- [ main] com.tobias.gateway.Gateway : Started Gateway in 2.114 seconds (JVM running for 2.72)
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.298 CEST|HandshakeContext.java:290|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 for TLS11
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.298 CEST|HandshakeContext.java:290|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 for TLS11
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.298 CEST|HandshakeContext.java:290|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 for TLS11
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.299 CEST|HandshakeContext.java:290|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 for TLS10
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.299 CEST|HandshakeContext.java:290|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 for TLS10
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.299 CEST|HandshakeContext.java:290|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 for TLS10
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.308 CEST|SupportedGroupsExtension.java:841|Ignore inactive or disabled named group: ffdhe2048
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.309 CEST|SupportedGroupsExtension.java:841|Ignore inactive or disabled named group: ffdhe3072
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.309 CEST|SupportedGroupsExtension.java:841|Ignore inactive or disabled named group: ffdhe4096
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.309 CEST|SupportedGroupsExtension.java:841|Ignore inactive or disabled named group: ffdhe6144
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.309 CEST|SupportedGroupsExtension.java:841|Ignore inactive or disabled named group: ffdhe8192
javax.net.ssl|WARNING|29|reactor-http-nio-6|2019-07-30 14:14:36.313 CEST|SignatureScheme.java:282|Signature algorithm, ed25519, is not supported by the underlying providers
javax.net.ssl|WARNING|29|reactor-http-nio-6|2019-07-30 14:14:36.314 CEST|SignatureScheme.java:282|Signature algorithm, ed448, is not supported by the underlying providers
javax.net.ssl|ALL|29|reactor-http-nio-6|2019-07-30 14:14:36.317 CEST|SignatureScheme.java:358|Ignore disabled signature sheme: rsa_md5
javax.net.ssl|INFO|29|reactor-http-nio-6|2019-07-30 14:14:36.317 CEST|AlpnExtension.java:161|No available application protocols
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.317 CEST|SSLExtensions.java:256|Ignore, context unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.318 CEST|ClientHello.java:651|Produced ClientHello handshake message (
"ClientHello": {
"client version" : "TLSv1.2",
"random" : "BC 92 B0 0D 8A 40 3B CD E7 64 2D 46 A3 49 24 55 08 48 3A BC 02 B3 31 89 20 B2 F3 68 32 AF C4 82",
"session id" : "",
"cipher suites" : "[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035)]",
"compression methods" : "00",
"extensions" : [
]
}
)
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.329 CEST|SSLEngineOutputRecord.java:507|WRITE: TLS12 handshake, length = 260
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.330 CEST|SSLEngineOutputRecord.java:525|Raw write (
0000: 16 03 03 01 04 01 00 01 00 03 03 BC 92 B0 0D 8A ................
0010: 40 3B CD E7 64 2D 46 A3 49 24 55 08 48 3A BC 02 #;..d-F.I$U.H:..
0020: B3 31 89 20 B2 F3 68 32 AF C4 82 00 00 10 C0 2C .1. ..h2.......,
0030: C0 2B C0 2F C0 13 C0 14 00 9C 00 2F 00 35 01 00 .+./......./.5..
0040: 00 C7 00 00 00 21 00 1F 00 00 1C 70 6C 61 79 67 .....!.....playg
0050: 72 6F 75 6E 64 2E 6D 61 63 68 69 6E 65 73 2E 6E round.machines.n
0060: 37 6C 61 62 2E 69 6F 00 05 00 05 01 00 00 00 00 7lab.io.........
0070: 00 0A 00 16 00 14 00 17 00 18 00 19 00 09 00 0A ................
0080: 00 0B 00 0C 00 0D 00 0E 00 16 00 0B 00 02 01 00 ................
0090: 00 0D 00 28 00 26 04 03 05 03 06 03 08 04 08 05 ...(.&..........
00A0: 08 06 08 09 08 0A 08 0B 04 01 05 01 06 01 04 02 ................
00B0: 03 03 03 01 03 02 02 03 02 01 02 02 00 32 00 28 .............2.(
00C0: 00 26 04 03 05 03 06 03 08 04 08 05 08 06 08 09 .&..............
00D0: 08 0A 08 0B 04 01 05 01 06 01 04 02 03 03 03 01 ................
00E0: 03 02 02 03 02 01 02 02 00 11 00 09 00 07 02 00 ................
00F0: 04 00 00 00 00 00 17 00 00 00 2B 00 07 06 03 03 ..........+.....
0100: 03 02 03 01 FF 01 00 01 00 .........
)
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.357 CEST|SSLEngineInputRecord.java:177|Raw read (
0000: 15 03 03 00 02 02 28 ......(
)
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.358 CEST|SSLEngineInputRecord.java:214|READ: TLSv1.2 alert, length = 2
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.359 CEST|Alert.java:232|Received alert message (
"Alert": {
"level" : "fatal",
"description": "handshake_failure"
}
)
javax.net.ssl|ERROR|29|reactor-http-nio-6|2019-07-30 14:14:36.360 CEST|TransportContext.java:313|Fatal (HANDSHAKE_FAILURE): Received fatal alert: handshake_failure (
"throwable" : {
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:279)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:181)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
at java.base/sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:672)
at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:627)
at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:443)
at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:422)
at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:634)
at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:295)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1332)
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1227)
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1274)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:502)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:441)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:278)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:352)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1408)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:930)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:682)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:617)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:534)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:496)
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:906)
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
at java.base/java.lang.Thread.run(Thread.java:834)}
)

Ok, I found the answer after playing around with the server ssl configuration. The service that I route to ist a spring boot application and its ssl config restricts the cipher suites to use like this:
server.ssl.ciphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
And that suite can not be handled by the spring cloud gateway. If I do not set that property at all, it works.
But now I would like to know what suites the spring cloud gateway supports? And why is that a problem of the gateway at all?

SSL handshake issue on IE 11 with tomcat

When I try to access our website through IE11, SSL handshake failed. On IE, following error is displayed.
SSL Error on IE
I enabled SSL debug logging on tomcat. Result is attached.
SSL debug log
I also did a packet trace through wireshark. Result is attached.
Packet Trace
Can somebody help me in understanding, why IE sent RST and handshake is unsuccessful?
For convenience, here is the SSL debug log copy.
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
https-jsse-nio2-10443-exec-7, READ: TLSv1.2 Handshake, length = 175
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1545319557 bytes = { 241, 102, 68, 19, 196, 186, 58, 2, 142, 179, 180, 186, 80, 189, 251, 212, 30, 48, 78, 122, 139, 95, 16, 6, 61, 81, 9, 233 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods: { 0 }
Unsupported extension status_request, data: 01:00:00:00:00
Extension elliptic_curves, curve names: {unknown curve 29, secp256r1, secp384r1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA256withRSA, SHA384withRSA, SHA1withRSA, SHA256withECDSA, SHA384withECDSA, SHA1withECDSA, SHA1withDSA, SHA512withRSA, SHA512withECDSA
Unsupported extension type_35, data:
Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
Extension extended_master_secret
Unsupported extension type_24, data: 00:10:03:02:01:00
Extension renegotiation_info, renegotiated_connection: <empty>
***
%% Initialized: [Session-3, SSL_NULL_WITH_NULL_NULL]
Standard ciphersuite chosen: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
%% Negotiating: [Session-3, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
*** ServerHello, TLSv1.2
RandomCookie: GMT: 1545319557 bytes = { 97, 98, 78, 54, 18, 174, 216, 230, 116, 27, 86, 149, 238, 243, 141, 200, 231, 225, 54, 68, 118, 22, 87, 178, 217, 116, 246, 186 }
Session ID: {92, 28, 181, 133, 160, 19, 139, 114, 99, 216, 10, 155, 173, 137, 237, 25, 140, 59, 153, 195, 245, 204, 179, 49, 89, 205, 42, 221, 126, 28, 147, 57}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension extended_master_secret
***
Cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=clockcontroller, OU=WorkForce Software, O=WorkForce Software, C=US
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
modulus: 26867932193095777263289930763858312315175451169911540270469975322434401554593517846489231467419363365037593818036593693556117551448063131659525311661292145333515905286916353710412662237765713687248571705693533912575809165971751779925378770578516513573848298027718280225066822697515300871707147459915587779589377876395738318963921532217111299410821422855058019420912762790697366719695263850247093569765798072591751245131093354944223958262752669165567038947970251243583487419772340666576477861756748688921273067030346748496043574503202045236644578277345107987729325458604284470785207456233675325551660606573693389742779
public exponent: 65537
Validity: [From: Mon Oct 22 08:56:19 EDT 2018,
To: Thu Oct 19 08:56:19 EDT 2028]
Issuer: CN=clockcontroller, OU=WorkForce Software, O=WorkForce Software, C=US
SerialNumber: [ 29565e6b]
Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: F4 F5 1B CB 86 A2 7F 5E 25 2C 5D 9D 62 B8 67 45 .......^%,].b.gE
0010: 06 B5 9E 82 ....
]
]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 16 F2 4F B7 B3 AC E9 87 27 18 C5 FC 9D 61 FF 58 ..O.....'....a.X
0010: A8 D5 9D D8 BA 9E 5A 1D E9 96 EC 17 C4 16 09 EB ......Z.........
0020: 6A F8 5E 3A 62 FC DF 73 13 A6 A7 54 D1 A0 E2 56 j.^:b..s...T...V
0030: 51 C9 7E 55 DA 89 80 1A 30 7E 31 2C 03 C4 90 84 Q..U....0.1,....
0040: 62 B9 AA 6D 0C E0 33 CB 89 59 B3 89 59 48 7F B5 b..m..3..Y..YH..
0050: 55 6B 2F CA 37 E0 96 98 FB 75 73 1C EC 4D A8 3A Uk/.7....us..M.:
0060: 89 49 C9 EA AC 8A 2F 65 F1 4D 98 74 87 F8 2D 5E .I..../e.M.t..-^
0070: 89 60 49 17 04 79 F7 EA D4 B0 C3 FF 0B 6E 98 5C .`I..y.......n.\
0080: 9D 16 AE 00 09 55 38 DB 78 23 52 68 EC 79 43 16 .....U8.x#Rh.yC.
0090: EF 28 7E 9E 27 7C 31 FD 4F AB 25 A7 13 94 AC 88 .(..'.1.O.%.....
00A0: DE 60 A8 94 15 8D F0 32 AF 7C 3A F8 DA AD 7A EA .`.....2..:...z.
00B0: FB B4 AF 77 31 8C FC 20 52 CA 36 4A 9F 1A 3E 62 ...w1.. R.6J..>b
00C0: 01 F7 EF 72 FB 06 FC 7F 83 7A 0F FB 71 EA 4C C5 ...r.....z..q.L.
00D0: 0E 14 9D 64 89 7E 85 AE 76 A7 0A 21 4E 3F E5 17 ...d....v..!N?..
00E0: 35 39 DA A8 F5 84 41 C2 38 22 80 73 A0 91 E0 11 59....A.8".s....
00F0: 2D 4F B9 A9 B5 B9 37 7A 25 EE 73 3C 32 23 C6 19 -O....7z%.s<2#..
]
***
*** ECDH ServerKeyExchange
Signature Algorithm SHA256withRSA
Server key: Sun EC public key, 256 bits
public x coord: 20009119234614195494302209861076680467201992809229109970753322221057487611764
public y coord: 17012831469688718179923828827485619723638464800697160800297861041710637731326
parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Cert Authorities:
<CN=082>
<CN=294>
<CN=1136>
<CN=1363>
<CN=1274>
<CN=1278>
<CN=528>
<CN=107>
<CN=734>
<CN=624>
<CN=104>
<CN=373>
<CN=1407>
<CN=071>
<CN=1000>
<CN=450>
<CN=1330>
<CN=607>
<CN=1353>
<CN=059>
<CN=233>
<CN=151>
<CN=911>
<CN=1272>
<CN=1259>
<CN=815>
<CN=1084>
<CN=1106>
<CN=483>
<CN=575>
<CN=1398>
<CN=357>
<CN=976>
<CN=701>
<CN=605>
<CN=204>
<CN=382>
<CN=455>
<CN=1265>
<CN=914>
<CN=1400>
<CN=363>
<CN=541>
<CN=423>
<CN=391>
<CN=933>
<CN=157>
<CN=197>
<CN=610>
<CN=174>
<CN=1064>
<CN=348>
<CN=1355>
<CN=748>
<CN=955>
<CN=212>
<CN=820>
<CN=105>
<CN=202>
<CN=281>
<CN=823>
<CN=1248>
<CN=685>
<CN=1134>
<CN=220>
<CN=045>
<CN=580>
<CN=1061>
<CN=466>
<CN=987>
<CN=988>
<CN=064>
<CN=1086>
<CN=1364>
<CN=842>
<CN=973>
<CN=460>
<CN=069>
<CN=1307>
<CN=1381>
<CN=291>
<CN=699>
<CN=882>
<CN=1179>
<CN=683>
<CN=499>
<CN=594>
<CN=1045>
<CN=474>
<CN=793>
<CN=871>
<CN=632>
<CN=1216>
<CN=1035>
<CN=870>
<CN=874>
<CN=1463>
<CN=021>
<CN=1180>
<CN=891>
<CN=1011>
<CN=130>
<CN=375>
<CN=315>
<CN=888>
<CN=1004>
<CN=023>
<CN=1176>
<CN=290>
<CN=400>
<CN=969>
<CN=709>
<CN=886>
<CN=1396>
<CN=224>
<CN=1135>
<CN=304>
<CN=1240>
<CN=989>
<CN=358>
<CN=1122>
<CN=1104>
<CN=1389>
<CN=776>
<CN=975>
<CN=1103>
<CN=1303>
<CN=1293>
<CN=1209>
<CN=1166>
<CN=853>
<CN=651>
<CN=781>
<CN=347>
<CN=974>
<CN=694>
<CN=1159>
<CN=049>
<CN=158>
<CN=1297>
<CN=1172>
<CN=526>
<CN=1031>
<CN=1490>
<CN=1024>
<CN=300>
<CN=1076>
<CN=141>
<CN=706>
<CN=381>
<CN=619>
<CN=398>
<CN=1258>
<CN=1139>
<CN=146>
<CN=428>
<CN=703>
<CN=189>
<CN=677>
<CN=166>
<CN=1168>
<CN=1251>
<CN=556>
<CN=1085>
<CN=1001>
<CN=795>
<CN=676>
<CN=999>
<CN=156>
<CN=1074>
<CN=667>
<CN=1038>
<CN=960>
<CN=560>
<CN=501>
<CN=1243>
<CN=1483>
<CN=1420>
<CN=462>
<CN=079>
<CN=1461>
<CN=857>
<CN=851>
<CN=502>
<CN=1414>
<CN=807>
<CN=198>
<CN=1261>
<CN=438>
<CN=472>
<CN=012>
<CN=1187>
<CN=707>
<CN=716>
<CN=238>
<CN=1203>
<CN=554>
<CN=342>
<CN=240>
<CN=1392>
<CN=1315>
<CN=1370>
<CN=520>
<CN=1023>
<CN=881>
<CN=048>
<CN=388>
<CN=210>
<CN=209>
<CN=1090>
<CN=095>
<CN=777>
<CN=1436>
<CN=1108>
<CN=1462>
<CN=409>
<CN=1406>
<CN=979>
<CN=817>
<CN=1354>
<CN=801>
<CN=184>
<CN=540>
<CN=116>
<CN=1464>
<CN=406>
<CN=378>
<CN=691>
<CN=659>
<CN=635>
<CN=1413>
<CN=1302>
<CN=565>
<CN=805>
<CN=121>
<CN=700>
<CN=530>
<CN=1002>
<CN=964>
<CN=385>
<CN=1481>
<CN=616>
<CN=929>
<CN=1142>
<CN=489>
<CN=552>
<CN=956>
<CN=806>
<CN=1422>
<CN=1098>
<CN=328>
<CN=1202>
<CN=1280>
<CN=093>
<CN=578>
<CN=1123>
<CN=753>
<CN=190>
<CN=949>
<CN=1430>
<CN=497>
<CN=1428>
<CN=337>
<CN=1475>
<CN=313>
<CN=1417>
<CN=250>
<CN=159>
<CN=237>
<CN=087>
<CN=215>
<CN=1022>
<CN=915>
<CN=991>
<CN=893>
<CN=840>
<CN=425>
<CN=1079>
<CN=1020>
<CN=128>
<CN=487>
<CN=448>
<CN=1057>
<CN=1041>
<CN=1252>
<CN=216>
<CN=791>
<CN=1286>
<CN=199>
<CN=912>
<CN=1182>
<CN=1115>
<CN=260>
<CN=1394>
<CN=265>
<CN=771>
<CN=814>
<CN=1277>
<CN=479>
<CN=437>
<CN=075>
<CN=1050>
<CN=1371>
<CN=505>
<CN=014>
<CN=887>
<CN=1405>
<CN=231>
<CN=1424>
<CN=177>
<CN=1132>
<CN=033>
<CN=1331>
<CN=203>
<CN=772>
<CN=862>
<CN=416>
<CN=1455>
<CN=1266>
<CN=1010>
<CN=1465>
<CN=549>
<CN=1040>
<CN=1299>
<CN=047>
<CN=491>
<CN=350>
<CN=343>
<CN=006>
<CN=433>
<CN=1184>
<CN=731>
<CN=944>
<CN=1444>
<CN=1095>
<CN=843>
<CN=1291>
<CN=211>
<CN=320>
<CN=982>
<CN=1021>
<CN=135>
<CN=138>
<CN=844>
<CN=797>
<CN=1298>
<CN=031>
<CN=1260>
<CN=1169>
<CN=595>
<CN=747>
<CN=1473>
<CN=072>
<CN=513>
<CN=968>
<CN=846>
<CN=312>
<CN=562>
<CN=938>
<CN=1171>
<CN=1336>
<CN=946>
<CN=867>
<CN=490>
<CN=650>
<CN=1387>
<CN=080>
<CN=162>
<CN=330>
<CN=1015>
<CN=704>
<CN=1219>
<CN=1474>
<CN=755>
<CN=959>
<CN=1088>
<CN=997>
<CN=1003>
<CN=179>
<CN=1033>
<CN=1173>
<CN=621>
<CN=266>
<CN=028>
<CN=894>
<CN=1054>
<CN=427>
<CN=498>
<CN=379>
<CN=305>
<CN=401>
<CN=729>
<CN=1099>
<CN=1344>
<CN=1250>
<CN=219>
<CN=604>
<CN=935>
<CN=317>
<CN=735>
<CN=456>
<CN=1043>
<CN=761>
<CN=311>
<CN=757>
<CN=546>
<CN=684>
<CN=507>
<CN=148>
<CN=061>
<CN=693>
<CN=917>
<CN=1433>
<CN=191>
<CN=1359>
<CN=1263>
<CN=1321>
<CN=108>
<CN=345>
<CN=1144>
<CN=1233>
<CN=074>
<CN=821>
<CN=1411>
<CN=150>
<CN=961>
<CN=037>
<CN=1348>
<CN=1292>
<CN=1440>
<CN=1377>
<CN=279>
<CN=713>
<CN=739>
<CN=647>
<CN=395>
<CN=114>
<CN=407>
<CN=368>
<CN=276>
<CN=262>
<CN=1468>
<CN=1479>
<CN=921>
<CN=322>
<CN=067>
<CN=1231>
<CN=1141>
<CN=147>
<CN=062>
<CN=366>
<CN=1186>
<CN=1154>
<CN=1071>
<CN=570>
<CN=1427>
<CN=393>
<CN=030>
<CN=310>
<CN=452>
<CN=1178>
<CN=1034>
<CN=732>
<CN=636>
<CN=458>
<CN=1016>
<CN=1107>
<CN=1147>
<CN=241>
<CN=896>
<CN=723>
<CN=1454>
<CN=688>
<CN=773>
<CN=1452>
<CN=426>
<CN=1485>
<CN=1198>
<CN=932>
<CN=1236>
<CN=602>
<CN=469>
<CN=985>
<CN=1197>
<CN=206>
<CN=796>
<CN=1489>
<CN=561>
<CN=653>
<CN=759>
<CN=1312>
<CN=1013>
<CN=662>
<CN=032>
<CN=623>
<CN=573>
<CN=115>
<CN=942>
<CN=812>
<CN=1447>
<CN=783>
<CN=1416>
<CN=371>
<CN=1082>
<CN=903>
<CN=780>
<CN=1358>
<CN=1162>
<CN=122>
<CN=022>
<CN=253>
<CN=869>
<CN=800>
<CN=194>
<CN=164>
<CN=365>
<CN=429>
<CN=170>
<CN=506>
<CN=1192>
<CN=1285>
<CN=503>
<CN=1287>
<CN=678>
<CN=1350>
<CN=1237>
<CN=1409>
<CN=178>
<CN=145>
<CN=711>
<CN=858>
<CN=719>
<CN=005>
<CN=1175>
<CN=884>
<CN=1019>
<CN=361>
<CN=947>
<CN=758>
<CN=571>
<CN=1025>
<CN=1322>
<CN=790>
<CN=1294>
<CN=222>
<CN=837>
<CN=389>
<CN=744>
<CN=1130>
<CN=256>
<CN=1431>
<CN=720>
<CN=1459>
<CN=436>
<CN=239>
<CN=113>
<CN=399>
<CN=649>
<CN=163>
<CN=728>
<CN=1174>
<CN=217>
<CN=027>
<CN=100>
<CN=883>
<CN=637>
<CN=1314>
<CN=085>
<CN=1375>
<CN=727>
<CN=945>
<CN=1126>
<CN=970>
<CN=890>
<CN=494>
<CN=779>
<CN=076>
<CN=485>
<CN=1110>
<CN=872>
<CN=998>
<CN=271>
<CN=063>
<CN=1466>
<CN=816>
<CN=1222>
<CN=397>
<CN=447>
<CN=527>
<CN=833>
<CN=825>
<CN=1140>
<CN=1339>
<CN=1068>
<CN=845>
<CN=741>
<CN=1226>
<CN=323>
<CN=864>
<CN=118>
<CN=171>
<CN=1234>
<CN=1380>
<CN=1116>
<CN=1471>
<CN=413>
<CN=1476>
<CN=218>
<CN=432>
<CN=1487>
<CN=1313>
<CN=1451>
<CN=408>
<CN=631>
<CN=041>
<CN=533>
<CN=854>
<CN=588>
<CN=232>
<CN=039>
<CN=1157>
<CN=547>
<CN=213>
<CN=612>
<CN=129>
<CN=629>
<CN=1214>
<CN=254>
<CN=1279>
<CN=994>
<CN=1264>
<CN=470>
<CN=751>
<CN=664>
<CN=332>
<CN=1491>
<CN=967>
<CN=1083>
<CN=1300>
<CN=1146>
<CN=1325>
<CN=1072>
<CN=557>
<CN=172>
<CN=827>
<CN=269>
<CN=1254>
<CN=051>
<CN=740>
<CN=579>
<CN=669>
<CN=550>
<CN=1138>
<CN=834>
<CN=516>
<CN=1097>
<CN=242>
<CN=1111>
<CN=390>
<CN=895>
<CN=514>
<CN=056>
<CN=1362>
<CN=1418>
<CN=316>
<CN=909>
<CN=665>
<CN=1478>
<CN=052>
<CN=1256>
<CN=268>
<CN=272>
<CN=384>
<CN=1027>
<CN=131>
<CN=1442>
<CN=566>
<CN=1094>
<CN=009>
<CN=1402>
<CN=1311>
<CN=1480>
<CN=1469>
<CN=828>
<CN=736>
<CN=134>
<CN=682>
<CN=586>
<CN=1225>
<CN=302>
<CN=717>
<CN=1319>
<CN=778>
<CN=1425>
<CN=951>
<CN=1051>
<CN=270>
<CN=1190>
<CN=077>
<CN=065>
<CN=698>
<CN=860>
<CN=1308>
<CN=1014>
<CN=1161>
<CN=919>
<CN=414>
<CN=569>
<CN=824>
<CN=1205>
<CN=900>
<CN=913>
<CN=1189>
<CN=193>
<CN=1170>
<CN=1112>
<CN=1412>
<CN=482>
<CN=173>
<CN=349>
<CN=937>
<CN=445>
<CN=003>
<CN=642>
<CN=1155>
<CN=461>
<CN=681>
<CN=420>
<CN=1343>
<CN=346>
<CN=1191>
<CN=286>
<CN=690>
<CN=092>
<CN=1360>
<CN=1255>
<CN=904>
<CN=567>
<CN=331>
<CN=591>
<CN=680>
<CN=954>
<CN=808>
<CN=309>
<CN=878>
<CN=633>
<CN=880>
<CN=175>
<CN=421>
<CN=314>
<CN=289>
<CN=1124>
<CN=873>
<CN=1269>
<CN=036>
<CN=1230>
<CN=1153>
<CN=1128>
<CN=1224>
<CN=534>
<CN=730>
<CN=936>
<CN=925>
<CN=1060>
<CN=752>
<CN=186>
<CN=1133>
<CN=525>
<CN=1048>
<CN=1366>
<CN=283>
<CN=972>
<CN=clockcontroller, OU=WorkForce Software, O=WorkForce Software, C=US>
<CN=746>
<CN=1195>
<CN=1437>
<CN=1042>
<CN=524>
<CN=106>
<CN=529>
<CN=1368>
<CN=1316>
<CN=070>
<CN=643>
<CN=750>
<CN=038>
<CN=767>
<CN=435>
<CN=195>
<CN=1143>
<CN=1129>
<CN=251>
<CN=1296>
<CN=089>
<CN=628>
<CN=261>
<CN=227>
<CN=188>
<CN=957>
<CN=248>
<CN=1193>
<CN=892>
<CN=1289>
<CN=1026>
<CN=040>
<CN=922>
<CN=326>
<CN=966>
<CN=1310>
<CN=020>
<CN=356>
<CN=661>
<CN=258>
<CN=411>
<CN=1221>
<CN=1032>
<CN=459>
<CN=725>
<CN=015>
<CN=656>
<CN=096>
<CN=017>
<CN=620>
<CN=587>
<CN=1318>
<CN=582>
<CN=626>
<CN=1125>
<CN=235>
<CN=165>
<CN=334>
<CN=590>
<CN=167>
<CN=154>
<CN=288>
<CN=103>
<CN=756>
<CN=1117>
<CN=905>
<CN=360>
<CN=1337>
<CN=849>
<CN=221>
<CN=931>
<CN=1327>
<CN=386>
<CN=1208>
<CN=1077>
<CN=001>
<CN=818>
<CN=1391>
<CN=153>
<CN=908>
<CN=086>
<CN=417>
<CN=050>
<CN=1206>
<CN=1073>
<CN=668>
<CN=392>
<CN=924>
<CN=1007>
<CN=644>
<CN=1352>
<CN=1301>
<CN=1211>
<CN=1194>
<CN=876>
<CN=1376>
<CN=338>
<CN=263>
<CN=257>
<CN=803>
<CN=1334>
<CN=1069>
<CN=369>
<CN=518>
<CN=127>
<CN=274>
<CN=1446>
<CN=016>
<CN=1284>
<CN=185>
<CN=765>
<CN=083>
<CN=1268>
<CN=1105>
<CN=544>
<CN=101>
<CN=319>
<CN=1120>
<CN=1432>
<CN=509>
<CN=245>
<CN=1435>
<CN=559>
<CN=144>
<CN=362>
<CN=1188>
<CN=712>
<CN=364>
<CN=282>
<CN=1121>
<CN=225>
<CN=663>
<CN=1372>
<CN=543>
<CN=576>
<CN=1056>
<CN=1037>
<CN=517>
<CN=136>
<CN=531>
<CN=424>
<CN=380>
<CN=615>
<CN=285>
<CN=1404>
<CN=126>
<CN=519>
<CN=1046>
<CN=1087>
<CN=1383>
<CN=267>
<CN=838>
<CN=383>
<CN=002>
<CN=1177>
<CN=434>
<CN=648>
<CN=788>
<CN=789>
<CN=899>
<CN=1055>
<CN=354>
<CN=1338>
<CN=1163>
<CN=287>
<CN=1290>
<CN=563>
<CN=1467>
<CN=1439>
<CN=965>
<CN=1183>
<CN=671>
<CN=042>
<CN=865>
<CN=1253>
<CN=584>
<CN=538>
<CN=1093>
<CN=1009>
<CN=830>
<CN=1309>
<CN=1347>
<CN=1472>
<CN=091>
<CN=724>
<CN=259>
<CN=043>
<CN=670>
<CN=596>
<CN=1148>
<CN=1395>
<CN=430>
<CN=264>
<CN=826>
<CN=109>
<CN=140>
<CN=1445>
<CN=1078>
<CN=1257>
<CN=099>
<CN=948>
<CN=1165>
<CN=273>
<CN=993>
<CN=992>
<CN=088>
<CN=234>
<CN=1458>
<CN=1500>
<CN=848>
<CN=1365>
<CN=1220>
<CN=1092>
<CN=1245>
<CN=875>
<CN=813>
<CN=1030>
<CN=094>
<CN=1346>
<CN=589>
<CN=168>
<CN=325>
<CN=901>
<CN=252>
<CN=1429>
<CN=073>
<CN=1218>
<CN=183>
<CN=117>
<CN=1119>
<CN=577>
<CN=1397>
<CN=111>
<CN=536>
<CN=1246>
<CN=1393>
<CN=769>
<CN=831>
<CN=971>
<CN=1332>
<CN=614>
<CN=053>
<CN=415>
<CN=418>
<CN=708>
<CN=058>
<CN=029>
<CN=412>
<CN=782>
<CN=512>
<CN=1357>
<CN=229>
<CN=1448>
<CN=1497>
<CN=775>
<CN=1379>
<CN=714>
<CN=835>
<CN=1062>
<CN=372>
<CN=500>
<CN=859>
<CN=453>
<CN=1239>
<CN=963>
<CN=1374>
<CN=1270>
<CN=1044>
<CN=084>
<CN=055>
<CN=1275>
<CN=810>
<CN=298>
<CN=1181>
<CN=564>
<CN=007>
<CN=522>
<CN=877>
<CN=745>
<CN=766>
<CN=1388>
<CN=1100>
<CN=1382>
<CN=277>
<CN=1006>
<CN=1212>
<CN=476>
<CN=1039>
<CN=996>
<CN=1109>
<CN=1460>
<CN=161>
<CN=119>
<CN=1118>
<CN=187>
<CN=980>
<CN=511>
<CN=123>
<CN=1434>
<CN=743>
<CN=1151>
<CN=297>
<CN=1410>
<CN=1207>
<CN=655>
<CN=718>
<CN=336>
<CN=454>
<CN=327>
<CN=930>
<CN=822>
<CN=953>
<CN=292>
<CN=1323>
<CN=024>
<CN=1317>
<CN=733>
<CN=396>
<CN=1213>
<CN=1199>
<CN=1283>
<CN=284>
<CN=444>
<CN=923>
<CN=214>
<CN=601>
<CN=645>
<CN=726>
<CN=201>
<CN=1361>
<CN=1242>
<CN=640>
<CN=861>
<CN=1340>
<CN=1326>
<CN=493>
<CN=1295>
<CN=180>
<CN=120>
<CN=608>
<CN=572>
<CN=1276>
<CN=1066>
<CN=1127>
<CN=344>
<CN=149>
<CN=1018>
<CN=568>
<CN=852>
<CN=1244>
<CN=798>
<CN=868>
<CN=060>
<CN=542>
<CN=523>
<CN=367>
<CN=1167>
<CN=1498>
<CN=532>
<CN=1356>
<CN=410>
<CN=255>
<CN=599>
<CN=1477>
<CN=1200>
<CN=786>
<CN=341>
<CN=247>
<CN=1499>
<CN=1450>
<CN=335>
<CN=403>
<CN=078>
<CN=1160>
<CN=200>
<CN=098>
<CN=666>
<CN=419>
<CN=539>
<CN=829>
<CN=301>
<CN=026>
<CN=646>
<CN=768>
<CN=990>
<CN=1036>
<CN=008>
<CN=794>
<CN=1482>
<CN=299>
<CN=1053>
<CN=638>
<CN=359>
<CN=1441>
<CN=125>
<CN=081>
<CN=464>
<CN=995>
<CN=137>
<CN=1215>
<CN=928>
<CN=1081>
<CN=958>
<CN=333>
<CN=1385>
<CN=449>
<CN=613>
<CN=1494>
<CN=181>
<CN=836>
<CN=600>
<CN=1328>
<CN=443>
<CN=370>
<CN=1349>
<CN=340>
<CN=687>
<CN=611>
<CN=496>
<CN=1384>
<CN=1271>
<CN=1185>
<CN=885>
<CN=819>
<CN=1065>
<CN=1210>
<CN=353>
<CN=1453>
<CN=1049>
<CN=439>
<CN=658>
<CN=934>
<CN=1341>
<CN=249>
<CN=521>
<CN=013>
<CN=351>
<CN=169>
<CN=792>
<CN=774>
<CN=537>
<CN=606>
<CN=1114>
<CN=548>
<CN=035>
<CN=784>
<CN=1008>
<CN=422>
<CN=394>
<CN=804>
<CN=907>
<CN=1158>
<CN=721>
<CN=1249>
<CN=770>
<CN=710>
<CN=275>
<CN=545>
<CN=749>
<CN=902>
<CN=555>
<CN=764>
<CN=1267>
<CN=939>
<CN=627>
<CN=374>
<CN=155>
<CN=705>
<CN=981>
<CN=715>
<CN=1149>
<CN=742>
<CN=307>
<CN=1320>
<CN=352>
<CN=1449>
<CN=208>
<CN=1378>
<CN=1367>
<CN=802>
<CN=639>
<CN=879>
<CN=057>
<CN=760>
<CN=1204>
<CN=597>
<CN=689>
<CN=477>
<CN=672>
<CN=738>
<CN=473>
<CN=019>
<CN=243>
<CN=465>
<CN=207>
<CN=1421>
<CN=133>
<CN=467>
<CN=1232>
<CN=244>
<CN=978>
<CN=1047>
<CN=697>
<CN=068>
<CN=660>
<CN=025>
<CN=641>
<CN=1150>
<CN=617>
<CN=855>
<CN=1102>
<CN=481>
<CN=1101>
<CN=468>
<CN=799>
<CN=763>
<CN=112>
<CN=182>
<CN=223>
<CN=1386>
<CN=1113>
<CN=1288>
<CN=920>
<CN=143>
<CN=1005>
<CN=1403>
<CN=1345>
<CN=230>
<CN=1401>
<CN=609>
<CN=280>
<CN=598>
<CN=1304>
<CN=488>
<CN=1470>
<CN=1273>
<CN=926>
<CN=811>
<CN=484>
<CN=510>
<CN=673>
<CN=1486>
<CN=1017>
<CN=832>
<CN=654>
<CN=1415>
<CN=515>
<CN=1012>
<CN=1329>
<CN=1063>
<CN=1052>
<CN=1137>
<CN=387>
<CN=592>
<CN=977>
<CN=558>
<CN=306>
<CN=762>
<CN=1495>
<CN=1228>
<CN=1080>
<CN=321>
<CN=226>
<CN=492>
<CN=847>
<CN=246>
<CN=278>
<CN=471>
<CN=630>
<CN=551>
<CN=451>
<CN=695>
<CN=625>
<CN=889>
<CN=1029>
<CN=622>
<CN=906>
<CN=696>
<CN=440>
<CN=1484>
<CN=1145>
<CN=535>
<CN=856>
<CN=1164>
<CN=754>
<CN=634>
<CN=1028>
<CN=1456>
<CN=1496>
<CN=574>
<CN=124>
<CN=950>
<CN=1373>
<CN=1390>
<CN=097>
<CN=984>
<CN=495>
<CN=446>
<CN=983>
<CN=110>
<CN=839>
<CN=010>
<CN=986>
<CN=910>
<CN=1457>
<CN=1217>
<CN=898>
<CN=034>
<CN=1335>
<CN=1058>
<CN=1229>
<CN=329>
<CN=431>
<CN=1342>
<CN=1333>
<CN=785>
<CN=692>
<CN=722>
<CN=192>
<CN=1369>
<CN=1282>
<CN=1152>
<CN=943>
<CN=553>
<CN=1247>
<CN=011>
<CN=674>
<CN=809>
<CN=318>
<CN=1426>
<CN=478>
<CN=1488>
<CN=863>
<CN=1059>
<CN=402>
<CN=1075>
<CN=004>
<CN=504>
<CN=1281>
<CN=508>
<CN=160>
<CN=1305>
<CN=377>
<CN=581>
<CN=652>
<CN=102>
<CN=657>
<CN=1223>
<CN=296>
<CN=303>
<CN=1438>
<CN=018>
<CN=1492>
<CN=441>
<CN=1235>
<CN=1241>
<CN=293>
<CN=1306>
<CN=152>
<CN=1408>
<CN=1262>
<CN=916>
<CN=139>
<CN=927>
<CN=1238>
<CN=176>
<CN=376>
<CN=593>
<CN=585>
<CN=405>
<CN=486>
<CN=404>
<CN=1399>
<CN=046>
<CN=940>
<CN=1196>
<CN=1227>
<CN=132>
<CN=457>
<CN=142>
<CN=737>
<CN=1493>
<CN=463>
<CN=675>
<CN=897>
<CN=1351>
<CN=841>
<CN=066>
<CN=1443>
<CN=205>
https-jsse-nio2-10443-exec-7, WRITE: TLSv1.2 Handshake, length = 16383
*** ServerHelloDone
https-jsse-nio2-10443-exec-7, WRITE: TLSv1.2 Handshake, length = 12558
https-jsse-nio2-10443-exec-9, called closeOutbound()
https-jsse-nio2-10443-exec-9, closeOutboundInternal()
https-jsse-nio2-10443-exec-9, SEND TLSv1.2 ALERT: warning, description = close_notify
https-jsse-nio2-10443-exec-9, WRITE: TLSv1.2 Alert, length = 2
Tomcat connector configuration is,
<Connector port="10443" protocol="org.apache.coyote.http11.Http11Nio2Protocol" maxHttpHeaderSize="4096"
maxThreads="1050" minSpareThreads="25"
maxKeepAliveRequests="-1" keepAliveTimeout="180000"
enableLookups="false" disableUploadTimeout="true"
acceptCount="10" scheme="https" secure="true" SSLEnabled="true"
clientAuth="want" sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2"
connectionTimeout="180000"
keystoreFile="file.keystore"
keystorePass="file.pass" algorithm="SunX509"
truststoreFile="file.keystore"
truststorePass="file.pass"
truststoreType="JKS"
keyAlias="tomcat"
compression="on"
compressionMinSize="2048"
trustManagerClassName="com.tomcatssl.CustomTrustManager"
useServerCipherSuitesOrder="true"
ciphers="TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
server="Clock Web Server"
compressableMimeType="text/html,text/xml,text/js,text/css"/>
Thank You

I'm not sure what would cause some browsers to work differently than others for sure, but I do have a guess.
When a server has a trust store configured (for a <Connector>/<SSLHostConfig>), it will advertise the list of trusted certificates to the client during the initial TLS handshake. If you have a huge number of certificates in your trust store, the server will (of course) send them all. If the client isn't expecting to receive a large number of certificates, it may fail when it runs out of space in e.g. a buffer to hold such things. My guess is that MSIE chokes on the long list of acceptable client certificates.
It's unusual for a server to use a <Connector>/<SSLHostConfig> with a large number of certificates in its trust store. Typically, if you need to trust certificates en masse, you generate a CA certificate and use it to sign the individual client certificates, keeping only that CA certificate in your trust store.
If you have a JVM-wide trust store being used for outgoing connections, then you might have a lot of certificates in there. You definitely don't want to use that one for the <Connector>/<SSLHostConfig> on your server. You should use a separate trust-store that contains only the certificates you expect to trust as client TLS certificates. Any other configuration is not secure.
For example, let's say you have VeriSign's root certificate in your trust store. That means anyone who has a client certificate signed by VeriSign can establish a connection with your server. That includes clients outside your organization or circle of trust. You should only include certificates in your trust store that you 100% trust every certificate they could ever have signed.

Make sure that your root certificate is trusted by the browser. For your case, the root is "Cisco Umbrella Root CA", which is not trusted. Follow these steps to import the certificate in browser : https://freesslcert.org/trust-freesslcert-in-browser

Websphere Application Server SSL 403 error

Am getting "org.apache.axis2.AxisFault: HTTP ( 403 )" error while calling a secured webservice from WebsphereApplicationServer7 (JRE 1.6). The service is just HTTPS and doesn't require any authentication. I imported the certificate to the Websphere server truststore through "Signer Certificates".
I can call the same service through the same Websphere JRE1.6 as standalone java program by adding the certificate to the cacerts using keytool command.
Any help is appreciated!
SSL DEBUG failure log:
O Using SSLEngineImpl.
O SSLv3 protocol was requested but was not enabled
O SSLv3 protocol was requested but was not enabled
O
Is initial handshake: true
O Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_GCM_SHA256
O Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_CBC_SHA256
O Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
O Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
O Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_GCM_SHA256
O Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
O %% Client cached [Session-7, SSL_RSA_WITH_AES_128_CBC_SHA]
O %% Try resuming [Session-7, SSL_RSA_WITH_AES_128_CBC_SHA] from port -1
O *** ClientHello, TLSv1
O RandomCookie: GMT: 1474467386 bytes = { 207 }
O Session ID: {16}
O Cipher Suites: [SSL_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_DHE_DSS_WITH_RC4_128_SHA, SSL_RENEGO_PROTECTION_REQUEST]
O Compression Methods: { 0 }
O ***
O [write] MD5 and SHA1 hashes: len = 97
O 0000: ......X.........
O ListenerContainer-1, WRITE: TLSv1 Handshake, length = 97
O [Raw write]: length = 102
O 0000: ....a......X....
O [Raw read]: length = 5
O 0000: 16 03 01 00 51 ....Q
O [Raw read]: length = 81
O 0000: 02 00 00 4d 03 01 58 e3 96 0b 5b d1 87 59 13 41 ...M..X......Y.A
O ListenerContainer-1, READ: TLSv1 Handshake, length = 81
O *** ServerHello, TLSv1
O RandomCookie: GMT: 1474467339 bytes = { 91 }
O Session ID: {16,128}
O Cipher Suite: SSL_RSA_WITH_AES_128_CBC_SHA
O Compression Method: 0
O Extension renegotiation_info, ri_length: 0, ri_connection_data: { null }
O ***
O JsseJCE: Using MessageDigest MD5 from provider IBMJCE version 1.2
O JsseJCE: Using MessageDigest SHA from provider IBMJCE version 1.2
O JsseJCE: Using KeyGenerator IbmTlsKeyMaterial from provider TBD via init
O CONNECTION KEYGEN:
O Client Nonce:
O Server Nonce:
O Master Secret:
O 0000: ..0..x.Q.....3..
O Client MAC write Secret:
O 0000: ..y..3..........
..M.
O Server MAC write Secret:
O 0000: 39 33 d2 cf a0 1c 20 fa e2 4f 02 a1 86 ff b5 c9 93.......O......
w..L
O Client write key:
O 0000: c7 3f fa 9b 84 98 44 bc 4d bb 69 5d 9d d2 71 db ......D.M.i...q.
O Server write key:
O 0000: dc df 01 38 e5 07 32 9e d4 1a b1 8a 5a e8 6f d4 ...8..2.....Z.o.
O Client write IV:
O 0000: a2 15 75 d4 8e d1 1b 4f 31 7b b1 e3 36 01 01 34 ..u....O1...6..4
O Server write IV:
O 0000: e6 46 38 f7 aa 03 f2 7e f4 fb 6b 9f cb 88 df 48 .F8.......k....H
O %% Server resumed [Session-7, SSL_RSA_WITH_AES_128_CBC_SHA]
O [read] MD5 and SHA1 hashes: len = 81
O 0000: 02 00 00 4d 03 01 58 e3 96 0b 5b d1 87 59 13 41 ...M..X......Y.A
O [Raw read]: length = 5
O 0000: 14 03 01 00 01 .....
O [Raw read]: length = 1
O 0000: 01 .
O ListenerContainer-1, READ: TLSv1 Change Cipher Spec, length = 1
O JsseJCE: Using cipher AES/CBC/NoPadding from provider TBD via init
O CipherBox: Using cipher AES/CBC/NoPadding from provider from init IBMJCE version 1.2
O JsseJCE: Using MAC HmacSHA1 from provider TBD via init
O MAC: Using MessageDigest HmacSHA1 from provider IBMJCE version 1.2
O [Raw read]: length = 5
O 0000: 16 03 01 00 30 ....0
O [Raw read]: length = 48
O 0000: 32 d4 5a 8e 54 a3 bc d6 e4 38 f4 fb 3a 85 fa e1 2.Z.T....8......
O ListenerContainer-1, READ: TLSv1 Handshake, length = 48
O 0000: 14 00 00 0c 13 9c d6 b0 ca a6 cd e1 81 dd 8b c1 ................
O *** Finished
O verify_data: { 19, 156, 214, 176, 202, 166, 205, 225, 129, 221, 139, 193 }
O ***
O JsseJCE: Using KeyGenerator IbmTlsPrf from provider TBD via init
O HandshakeMessage: TLS Keygenerator IbmTlsPrf from provider from init IBMJCE version 1.2
O [read] MD5 and SHA1 hashes: len = 16
O 0000: 14 00 00 0c 13 9c d6 b0 ca a6 cd e1 81 dd 8b c1 ................
O JsseJCE: Using KeyGenerator IbmTlsPrf from provider TBD via init
O HandshakeMessage: TLS Keygenerator IbmTlsPrf from provider from init IBMJCE version 1.2
O ListenerContainer-1, WRITE: TLSv1 Change Cipher Spec, length = 1
O JsseJCE: Using cipher AES/CBC/NoPadding from provider TBD via init
O CipherBox: Using cipher AES/CBC/NoPadding from provider from init IBMJCE version 1.2
O JsseJCE: Using MAC HmacSHA1 from provider TBD via init
O MAC: Using MessageDigest HmacSHA1 from provider IBMJCE version 1.2
O *** Finished
O verify_data: { 56, 215, 170, 111, 66, 74, 59, 26, 94, 46, 231, 190 }
O ***
O [write] MD5 and SHA1 hashes: len = 16
O 0000: 14 00 00 0c 38 d7 aa 6f 42 4a 3b 1a 5e 2e e7 be ....8..oBJ......
O Padded plaintext before ENCRYPTION: len = 48
O 0000: 14 00 00 0c 38 d7 aa 6f 42 4a 3b 1a 5e 2e e7 be ....8..oBJ......
O ListenerContainer-1, WRITE: TLSv1 Handshake, length = 48
O [Raw write]: length = 6
O 0000: 14 03 01 00 01 01 ......
O [Raw write]: length = 53
O 0000: 16 03 01 00 30 aa a8 a4 54 00 fd ba 45 1b d8 e2 ....0...T...E...
O Padded plaintext before ENCRYPTION: len = 496
O 0000: 50 4f 53 54 20 2f 49 6c 61 6e 69 53 65 72 76 69 POST..IlaniServi
ce.svc.HTTP.1.1.
.Host..otlsap
p1..enterpri
se.sun.co
m.8090..Accept..
application.soap
.xml.multipart.r
elated.text....U
ser.Agent..IBM.W
ebServices.1.0..
Cache.Control..n
o.cache..Pragma.
.no.cache..SOAPA
ction...http...t
empuri.org.IIlan
iService.P
O ListenerContainer-1, WRITE: TLSv1 Application Data, length = 472
O [Raw write (bb)]: length = 501
O 0000: 17 03 01 01 f0 be c2 0c b6 1a 50 47 bc 99 d5 c3 ..........PG....
0010: a9 01 b0 05 0e f2 0b a8 32 a0 19 6f 48 35 3f a4 ........2..oH5..
O Padded plaintext before ENCRYPTION: len = 32
O 0000: 3c a3 cc cf c4 13 b4 7e 35 a6 26 d7 0e 78 9e 66 ........5....x.f
0010: 9f a9 2e 22 2f 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a ................
O ListenerContainer-1, WRITE: TLSv1 Application Data, length = 1
O Padded plaintext before ENCRYPTION: len = 480
O 0000: 73 6f 61 70 65 6e 76 3a 45 6e 76 65 6c 6f 70 65 soapenv.Envelope
.xmlns.soapenv..
http...schemas.x
mlsoap.org.soap.
envelope....soap
env.Body..ns2.Ad
justBalanc
e.xmlns..http...
schemas.datacont
ract.org.2004.07
O ListenerContainer-1, WRITE: TLSv1 Application Data, length = 456
O [Raw write (bb)]: length = 522
O 0000: 17 03 01 00 20 8b 55 88 99 5b b5 b6 2d 04 a0 b2 ......U.........
0010: 62 88 01 77 f9 d7 7d 58 8c 13 3e 61 0d 55 ab d2 b..w...X...a.U..
O [Raw read]: length = 5
O 0000: 16 03 01 00 20 .....
O [Raw read]: length = 32
O 0000: 9d 7f 17 1a 16 ca 52 b8 8c f6 6e e9 81 a1 e9 47 ......R...n....G
0010: 03 6c ac d4 25 e9 5f 90 a2 48 f7 a2 7c fe 5e 6e .l.......H.....n
O ListenerContainer-1, READ: TLSv1 Handshake, length = 32
O 0000: 00 00 00 00 f6 20 dc f4 08 0c 1a 51 c3 79 9f 04 ...........Q.y..
0010: 73 a2 e1 ea 8a ca dd d4 07 07 07 07 07 07 07 07 s...............
O ListenerContainer-1, RENEGOTIATE
O
Is initial handshake: false
O Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_GCM_SHA256
O Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_CBC_SHA256
O Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
O Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
O Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_GCM_SHA256
O Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
O *** HelloRequest (empty)
O %% Client cached [Session-7, SSL_RSA_WITH_AES_128_CBC_SHA]
O %% Try resuming [Session-7, SSL_RSA_WITH_AES_128_CBC_SHA] from port -1
O *** ClientHello, TLSv1
O RandomCookie: GMT: 1474467386 bytes = { 47, 48, 108, 24, 0, 145, 59, 124, 205, 83, 175, 151, 62, 250, 72, 23, 83, 219, 54, 35, 246, 240, 218, 216, 8, 185, 240, 129 }
O Session ID: {16, 48, 0, 0, 26, 118, 255, 9, 42, 147, 147, 244, 73, 27, 74, 188, 230, 10, 207, 45, 40, 144, 227, 82, 57, 194, 148, 119, 92, 41, 25, 128}
O Cipher Suites: [SSL_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_DHE_DSS_WITH_RC4_128_SHA]
O Compression Methods: { 0 }
O Extension renegotiation_info, ri_length: 12, ri_connection_data: { 56, 215, 170, 111, 66, 74, 59, 26, 94, 46, 231, 190 }
O ***
O [write] MD5 and SHA1 hashes: len = 114
O 0000: 01 00 00 6e 03 01 58 e3 96 3a 2f 30 6c 18 00 91 ...n..X....0l...
O Padded plaintext before ENCRYPTION: len = 144
O 0000: 01 00 00 6e 03 01 58 e3 96 3a 2f 30 6c 18 00 91 ...n..X....0l...
O ListenerContainer-1, WRITE: TLSv1 Handshake, length = 144
O [Raw write]: length = 149
O 0000: 16 03 01 00 90 39 0c d3 85 c2 c7 a6 db 1b 19 c9 .....9..........
O [Raw read]: length = 5
O 0000: 16 03 01 03 c0 .....
O [Raw read]: length = 960
O 0000: 52 a5 c4 98 5e 3a ba 29 0c 5d 33 ba e7 a6 f6 9d R.........3.....
O ListenerContainer-1, READ: TLSv1 Handshake, length = 960
O 0000: 02 00 00 65 03 01 58 e3 96 0b d1 0f ec fc 78 bd ...e..X.......x.
O *** ServerHello, TLSv1
O RandomCookie: GMT: 1474467339 bytes = { 209, 15, 236, 252, 120, 189, 229, 92, 195, 178, 12, 253, 84, 35, 32, 141, 135, 199, 74, 135, 129, 147, 179, 39, 140, 238, 136, 245 }
O Session ID: {227, 16, 0, 0, 137, 23, 115, 18, 172, 166, 216, 5, 39, 117, 98, 130, 126, 247, 92, 123, 95, 173, 213, 94, 76, 116, 115, 203, 213, 63, 223, 177}
O Cipher Suite: SSL_RSA_WITH_AES_128_CBC_SHA
O Compression Method: 0
O Extension renegotiation_info, ri_length: 24, ri_connection_data: { 56, 215, 170, 111, 66, 74, 59, 26, 94, 46, 231, 190, 19, 156, 214, 176, 202, 166, 205, 225, 129, 221, 139, 193 }
O ***
O JsseJCE: Using MessageDigest MD5 from provider IBMJCE version 1.2
O JsseJCE: Using MessageDigest SHA from provider IBMJCE version 1.2
O RI_Extension verification complete
O %% Initialized: [Session-8, SSL_RSA_WITH_AES_128_CBC_SHA]
O ** SSL_RSA_WITH_AES_128_CBC_SHA
O [read] MD5 and SHA1 hashes: len = 105
O 0000: 02 00 00 65 03 01 58 e3 96 0b d1 0f ec fc 78 bd ...e..X.......x.
O *** Certificate chain
O chain [0] = [
[
Version: V3
Subject: CN=OTLS..enterprise.sun.com
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: IBMJCE RSA Public Key:
modulus:
23553703497639596335070510257137281846668772458655810320677790628829221930261149412925591183146781723536526781277172608739916146526544854651533994944277413821681774452388324836206810729946188205549925379818388956830834110706891819099617718057830110501768074462851693346833893969477290813937343022841978362903738008267590984351543136396192926768606970581686949544516090193350198903123024609160656153681262348428606470586055201848713219772934786602559592543952662556702629365940208481126300406324501533729138789679650468030591267044786502786266360792591465166026083070678688183035912219682765397505679240220734169611841
public exponent:
65537
Validity: [From: Mon Feb 27 07:21:04 EST 2017,
To: Mon Feb 26 19:00:00 EST 2018]
Issuer: CN=OTLS..enterprise.sun.com
SerialNumber: [157540854616312716013046194484672082663]
Certificate Extensions: 2
[1]: ObjectId: 2.5.29.37 Criticality=false
ExtKeyUsage [
1.3.6.1.5.5.7.3.1]
[2]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
Key_Encipherment
Data_Encipherment
]
]
Algorithm: [SHA1withRSA]
Signature:
0000: 95 2e 1f 6b bf f4 08 1b 05 bc af 0b 83 2b d5 9e ...k............
]
O ***
O Found trusted certificate:
O [
[
Version: V3
Subject: CN=OTLS..enterprise.sun.com
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: IBMJCE RSA Public Key:
modulus:
23553703497639596335070510257137281846668772458655810320677790628829221930261149412925591183146781723536526781277172608739916146526544854651533994944277413821681774452388324836206810729946188205549925379818388956830834110706891819099617718057830110501768074462851693346833893969477290813937343022841978362903738008267590984351543136396192926768606970581686949544516090193350198903123024609160656153681262348428606470586055201848713219772934786602559592543952662556702629365940208481126300406324501533729138789679650468030591267044786502786266360792591465166026083070678688183035912219682765397505679240220734169611841
public exponent:
65537
Validity: [From: Mon Feb 27 07:21:04 EST 2017,
To: Mon Feb 26 19:00:00 EST 2018]
Issuer: CN=OTLS..enterprise.sun.com
SerialNumber: [157540854616312716013046194484672082663]
Certificate Extensions: 2
[1]: ObjectId: 2.5.29.37 Criticality=false
ExtKeyUsage [
1.3.6.1.5.5.7.3.1]
[2]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
Key_Encipherment
Data_Encipherment
]
]
Algorithm: [SHA1withRSA]
Signature:
0000: 95 2e 1f 6b bf f4 08 1b 05 bc af 0b 83 2b d5 9e ...k............
]
O [read] MD5 and SHA1 hashes: len = 806
O 0000: 0b 00 03 22 00 03 1f 00 03 1c 30 82 03 18 30 82 ..........0...0.
0010: 02 00 a0 03 02 01 02 02 10 76 85 43 d2 e9 21 07 .........v.C....
O *** CertificateRequest
O Cert Types: RSA, DSS, ECDSA
O Cert Authorities:
O <Empty>
O [read] MD5 and SHA1 hashes: len = 10
O 0000: 0d 00 00 06 03 01 02 40 00 00 ..........
O *** ServerHelloDone
O [read] MD5 and SHA1 hashes: len = 4
O 0000: 0e 00 00 00 ....
O ClientHandshaker: KeyManager com.ibm.ws.ssl.core.WSX509KeyManager
O matching alias: default
O *** Certificate chain
O chain [0] = [
[
Version: V3
Subject: CN=XQ1..enterprise.sun.com, OU=XQ1Node01Cell, OU=XQ1Node01, O=IBM, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: IBMJCE RSA Public Key:
modulus:
110843921622147780318384621158214764705470317393194727986877851877285223474158936772266058764800503835209829711284711944290493529045508433479261112669514928128534895563063819307253434406155487303648611935061998559156762974027014248792380105199377095915876433187824227059900869413289818622830165728007892211197
public exponent:
65537
Validity: [From: Sun Mar 05 17:32:19 EST 2017,
To: Mon Mar 05 17:32:19 EST 2018]
Issuer: CN=XQ1..enterprise.sun.com, OU=Root Certificate, OU=XQ1Node01Cell, OU=XQ1Node01, O=IBM, C=US
SerialNumber: [32229148073970]
Certificate Extensions: 2
[1]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
[RFC822Name: ProfileUUID:was70profile1-BASE-8665f1be-6c91-4f3f-9737-7ea56a84c9a7]]
[2]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4c 25 62 5f 59 c0 a9 87 L.b.Y...
]
]
]
Algorithm: [SHA1withRSA]
Signature:
0000: 64 3c 9d e8 00 ca f0 f9 9a 33 10 a1 16 39 3a 6d d........3...9.m
]
O chain [1] = [
[
Version: V3
Subject: CN=XQ1..enterprise.sun.com, OU=Root Certificate, OU=XQ1Node01Cell, OU=XQ1Node01, O=IBM, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: IBMJCE RSA Public Key:
modulus:
133709287124393792230601765881699139284227312626945278928615499964607234524332116007234980646619761347476316748109684673947697597508730909561799232875111817433344405710867175697607140981134928059514395419168832779709507872705080489476741742323610788920900244447196181703106638720154734901400895308937603956483
public exponent:
65537
Validity: [From: Thu Dec 15 12:44:52 EST 2011,
To: Fri Dec 11 12:44:52 EST 2026]
Issuer: CN=XQ1..enterprise.sun.com, OU=Root Certificate, OU=XQ1Node01Cell, OU=XQ1Node01, O=IBM, C=US
SerialNumber: [14851033508608]
Certificate Extensions: 3
[1]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
[2]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
[RFC822Name: ProfileUUID:was70profile1-BASE-8665f1be-6c91-4f3f-9737-7ea56a84c9a7]]
[3]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4b be 7e 6a 81 18 dc 91 K..j....
]
]
]
Algorithm: [SHA1withRSA]
Signature:
0000: 7f 18 a5 d0 88 a1 95 d4 2c 8e b9 51 13 21 b5 df ...........Q....
]
O ***
O JsseJCE: Choose KeyGenerator for IbmTlsRsaPremasterSecret.
O JsseJCE: Using KeyGenerator IbmTlsRsaPremasterSecret from provider TBD via init
O JsseJCE: Using cipher RSA/SSL/PKCS1Padding from provider TBD via init
O PreMasterSecret: Using cipher for wrap RSA/SSL/PKCS1Padding from provider from init IBMJCE version 1.2
O *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
O [write] MD5 and SHA1 hashes: len = 1857
O 0000: ...7..4...0...0.
O Padded plaintext before ENCRYPTION: len = 1888
O 0000: ...7..4...0...0.
O ListenerContainer-1, WRITE: TLSv1 Handshake, length = 1888
O SESSION KEYGEN:
O PreMaster Secret:
O 0000: ........Q.J...K.
O javax.crypto.spec.SecretKeySpec#13e5009
O JsseJCE: Using KeyGenerator IbmTlsMasterSecret from provider TBD via init
O JsseJCE: Using KeyGenerator IbmTlsKeyMaterial from provider TBD via init
O CONNECTION KEYGEN:
O Client Nonce:
O 0000: 58 e3 96 3a 2f 30 6c 18 00 91 3b 7c cd 53 af 97 X....0l......S..
O Server Nonce:
O 0000: 58 e3 96 0b d1 0f ec fc 78 bd e5 5c c3 b2 0c fd X.......x.......
O Master Secret:
O 0000: 31 f7 d1 f5 85 14 c3 3f b4 86 26 04 e9 5d 4a 80 1.............J.
O Client MAC write Secret:
O 0000: 3d f9 24 a2 e8 6b a3 3a 1d cb 1d 89 c4 92 14 dd .....k..........
O Server MAC write Secret:
O 0000: ...W......m.Z..2
O Client write key:
O 0000: p..9....U..f....
O Server write key:
O 0000: 12 69 bf 32 56 85 16 a8 ef f4 56 f7 2e 59 99 62 .i.2V.....V..Y.b
O Client write IV:
O 0000: fe 71 85 da 9e c1 4c 9b 2d 78 47 6d 6b 0b 14 47 .q....L..xGmk..G
O Server write IV:
O 0000: b6 00 6c c6 06 89 77 96 73 54 97 77 2b 92 91 6c ..l...w.sT.w...l
O JsseJCE: Using signature RSAforSSL from provider TBD via init
O JsseJCE: Using MessageDigest MD5 from provider IBMJCE version 1.2
O JsseJCE: Using MessageDigest SHA from provider IBMJCE version 1.2
O Signatures: Using signature RSA from provider from initSignIBMJCE version 1.2
O *** CertificateVerify
O [write] MD5 and SHA1 hashes: len = 134
O 0000: 0f 00 00 82 00 80 8f 81 da ae ea d9 b0 80 7d f3 ................
O JsseJCE: Using KeyGenerator IbmTlsPrf from provider TBD via init
O HandshakeMessage: TLS Keygenerator IbmTlsPrf from provider from init IBMJCE version 1.2
O Padded plaintext before ENCRYPTION: len = 160
O 0000: 0f 00 00 82 00 80 8f 81 da ae ea d9 b0 80 7d f3 ................
O ListenerContainer-1, WRITE: TLSv1 Handshake, length = 160
O Padded plaintext before ENCRYPTION: len = 32
O 0000: ....R..u.iAt7.q.
O ListenerContainer-1, WRITE: TLSv1 Change Cipher Spec, length = 32
O JsseJCE: Using cipher AES/CBC/NoPadding from provider TBD via init
O CipherBox: Using cipher AES/CBC/NoPadding from provider from init IBMJCE version 1.2
O JsseJCE: Using MAC HmacSHA1 from provider TBD via init
O MAC: Using MessageDigest HmacSHA1 from provider IBMJCE version 1.2
O *** Finished
O verify_data: { 100 }
O ***
O [write] MD5 and SHA1 hashes: len = 16
O 0000: .....g........jd
O Padded plaintext before ENCRYPTION: len = 48
O 0000: .....g........jd
O ListenerContainer-1, WRITE: TLSv1 Handshake, length = 48
O [Raw write]: length = 1893
O 0000: 16 03 01 07 60 30 e0 6b 5b 53 27 32 30 1a b2 be .....0.k.S.20...
O [Raw write]: length = 165
O 0000: 16 03 01 00 a0 42 1b 86 be 1e ac 1d 81 23 74 44 .....B........tD
O [Raw write]: length = 37
O 0000: 14 03 01 00 20 24 21 46 20 90 77 7a 1d 02 81 b2 .......F..wz....
O [Raw write]: length = 53
O 0000: ....0.3.a...x...
O [Raw read]: length = 5
O 0000: 14 03 01 00 20 .....
O [Raw read]: length = 32
O 0000: ...m.....x..0...
O ListenerContainer-1, READ: TLSv1 Change Cipher Spec, length = 32
O 0000: .O.......nJ...g.
O JsseJCE: Using cipher AES/CBC/NoPadding from provider TBD via init
O CipherBox: Using cipher AES/CBC/NoPadding from provider from init IBMJCE version 1.2
O JsseJCE: Using MAC HmacSHA1 from provider TBD via init
O MAC: Using MessageDigest HmacSHA1 from provider IBMJCE version 1.2
O [Raw read]: length = 5
O 0000: 16 03 01 00 30 ....0
O [Raw read]: length = 48
O 0000: 04 93 78 76 db 42 1d af 85 e9 bd 2b b8 7a d6 e6 ..xv.B.......z..
O ListenerContainer-1, READ: TLSv1 Handshake, length = 48
O 0000: 14 00 00 0c 77 2e ab 89 d0 91 9c 47 12 35 00 40 ....w......G.5..
O *** Finished
O verify_data: { 119, 46, 171, 137, 208, 145, 156, 71, 18, 53, 0, 64 }
O ***
O JsseJCE: Using KeyGenerator IbmTlsPrf from provider TBD via init
O HandshakeMessage: TLS Keygenerator IbmTlsPrf from provider from init IBMJCE version 1.2
O cached session [Session-8, SSL_RSA_WITH_AES_128_CBC_SHA]
O %% Cached client session: [Session-8, SSL_RSA_WITH_AES_128_CBC_SHA]
O [read] MD5 and SHA1 hashes: len = 16
O 0000: ....w......G.5..
O [Raw read (bb)]: length = 37
O 0000: 17 03 01 00 20 c4 23 30 6c 3e 32 03 92 8a a8 b8 .......0l.2.....
O Padded plaintext after DECRYPTION: len = 32
O 0000: 48 de e8 a9 44 bf cf 82 73 c1 a2 4c b7 01 8c 12 H...D...s..L....
O [Raw read (bb)]: length = 1429
O 0000: 17 03 01 05 90 ed 7b 79 7c b6 e2 b4 2e 17 54 68 .......y......Th
O Padded plaintext after DECRYPTION: len = 1424
O 0000: TTP.1.1.403.Forb
idden..Content.T
ype..text.html..
Server.http.eq
uiv..Content.Typ
e..content..text
.html..charset.i
so.8859.1......t
itle.403...Forbi
dden..Access.is.
denied...title..
Update: Successful truncated ssl log from Standalone IBM JRE Java client.
IBMJSSE2 to send SCSV Cipher Suite on initial ClientHello
JsseJCE: Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.2
*** ServerHello, TLSv1
Cipher Suite: SSL_RSA_WITH_AES_128_CBC_SHA
*** ServerHelloDone
[read] MD5 and SHA1 hashes: len = 4
JsseJCE: Choose KeyGenerator for IbmTlsRsaPremasterSecret.
JsseJCE: Using KeyGenerator IbmTlsRsaPremasterSecret from provider TBD via init
JsseJCE: Using cipher RSA/SSL/PKCS1Padding from provider TBD via init
PreMasterSecret: Using cipher for wrap RSA/SSL/PKCS1Padding from provider from init IBMJCE version 1.2
JsseJCE: Using KeyGenerator IbmTlsPrf from provider TBD via init
HandshakeMessage: TLS Keygenerator IbmTlsPrf from provider from init IBMJCE version 1.2
main, WRITE: TLSv1 Change Cipher Spec, length = 1
JsseJCE: Using cipher AES/CBC/NoPadding from provider TBD via init
CipherBox: Using cipher AES/CBC/NoPadding from provider from init IBMJCE version 1.2
JsseJCE: Using MAC HmacSHA1 from provider TBD via init
main, READ: TLSv1 Change Cipher Spec, length = 1
JsseJCE: Using cipher AES/CBC/NoPadding from provider TBD via init
CipherBox: Using cipher AES/CBC/NoPadding from provider from init IBMJCE version 1.2
*** ServerHello, TLSv1
Cipher Suite: SSL_RSA_WITH_AES_128_CBC_SHA
*** ServerHelloDone
[read] MD5 and SHA1 hashes: len = 4
0000: 0e 00 00 00 ....
ClientHandshaker: KeyManager com.ibm.jsse2.aJ
JsseJCE: Using KeyAgreement ECDH from provider IBMJCE version 1.2
JsseJCE: Using signature SHA1withECDSA from provider TBD via init
JsseJCE: Using signature NONEwithECDSA from provider TBD via init
JsseJCE: Using KeyFactory EC from provider IBMJCE version 1.2
JsseJCE: Using KeyPairGenerator EC from provider TBD via init
JsseJce: EC is available
*** Certificate chain
***
JsseJCE: Choose KeyGenerator for IbmTlsRsaPremasterSecret.
JsseJCE: Using KeyGenerator IbmTlsRsaPremasterSecret from provider TBD via init
JsseJCE: Using cipher RSA/SSL/PKCS1Padding from provider TBD via init
PreMasterSecret: Using cipher for wrap RSA/SSL/PKCS1Padding from provider from init IBMJCE version 1.2
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
JsseJCE: Using cipher AES/CBC/NoPadding from provider TBD via init
CipherBox: Using cipher AES/CBC/NoPadding from provider from init IBMJCE version 1.2
JsseJCE: Using MAC HmacSHA1 from provider TBD via init
MAC: Using MessageDigest HmacSHA1 from provider IBMJCE version 1.2
*** Finished
verify_data: { 216, 231, 207, 130, 172, 141, 204, 125, 55, 250, 84, 30 }
***
JsseJCE: Using KeyGenerator IbmTlsPrf from provider TBD via init
HandshakeMessage: TLS Keygenerator IbmTlsPrf from provider from init IBMJCE version 1.2
cached session [Session-2, SSL_RSA_WITH_AES_128_CBC_SHA]
%% Cached client session: [Session-2, SSL_RSA_WITH_AES_128_CBC_SHA]
main, READ: TLSv1 Application Data, length = 720
TTP.1.1.200.OK..
Cache.Control..p
rivate..Content.

We fixed this issue by turning off "Client Certificate" requirement at IIS Server which was set to Optional before. We wanted One-way SSL but the server was set up for Two-way SSL Client Authentication.
It worked with standalone Java client because Java-Client was not sending the client certificate and as the "Client-Certificate" was Optional at IIS, it worked well.
However, Websphere Application Server was sending the default "Client-Certificate" to IIS and IIS obviously didn't have any clue on this certificate, hence it was failing.
This can be verified from the failure log in the question. Right after the "*** CertificateRequest", WAS-Client was sending the default-cert.

Browsium ION will allow you to set the highest java security globally, whilst reducing security for chosen specific applications. We advise to always keep the version of JRE on machines at the very latest version.
Download the latest (x86) version of Jre https://java.com/en/download/
Download Browsium ION - Browsium Ion Evaluation Kit
Create a profile and a Rule to swap from latest version to JRE 1.6 version. See the demo video Keep Java Up to Date" on our Website for simple instruction of how to do this.
Using a Browsium ION Custom file the Deployment.Properties file can be amended to change the SSL and TLS Security attributes.
Let me know if you need any help.

keytool -list -v and keytool -list return different outputs

When I execute this command:
keytool -list -keystore %JAVA_HOME%/jre
/lib/security/cacerts
I received this output:
ascom-ws, 27.05.2016, trustedCertEntry,
Certificate fingerprint (SHA1): 0D:45:B8:00:6D:94:81:DB:4F:60:D4:6E:E5:3B:5D:F6:B9:4C:D2:F9
from which I understand that this certificate is a SHA1 certificate.
However when I execute this command:
keytool -list -v -keystore %JAVA_HOME%/jre
/lib/security/cacerts
I receive this output:
Alias name: ascom-ws
Creation date: 27.05.2016
Entry type: trustedCertEntry
Owner: CN=*.ascom-ws.com, O=Ascom (Sweden) AB, L=Gothenburg, ST=Gothenburg, C=SE
Issuer: CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Serial number: fb34f8c44b6d2cb3f92593f8fe7e67d
Valid from: Tue Oct 06 02:00:00 CEST 2015 until: Fri Dec 14 13:00:00 CET 2018
Certificate fingerprints:
MD5: A4:8E:49:4F:2C:10:C6:94:80:C5:6A:DC:13:72:CF:F0
SHA1: 0D:45:B8:00:6D:94:81:DB:4F:60:D4:6E:E5:3B:5D:F6:B9:4C:D2:F9
SHA256: 2D:24:07:41:C0:1B:9D:70:DF:CB:13:0A:C9:18:1B:A4:12:25:B7:53:C7:99:09:ED:2F:E2:CA:12:3A:BF:F8:4A
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://ocsp.digicert.com
,
accessMethod: caIssuers
accessLocation: URIName: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt
]
]
#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 51 68 FF 90 AF 02 07 75 3C CC D9 65 64 62 A2 12 Qh.....u<..edb..
0010: B8 59 72 3B .Yr;
]
]
#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl3.digicert.com/sha2-ha-server-g4.crl]
, DistributionPoint:
[URIName: http://crl4.digicert.com/sha2-ha-server-g4.crl]
]]
#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.114412.1.1]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 64 69 ..https://www.di
0010: 67 69 63 65 72 74 2E 63 6F 6D 2F 43 50 53 gicert.com/CPS
]] ]
[CertificatePolicyId: [2.23.140.1.2.2]
[] ]
]
#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
#7: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
#8: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: *.ascom-ws.com
DNSName: ascom-ws.com
]
#9: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 67 8B 3F 98 ED 79 21 03 59 95 82 CC FE 4A EA DF g.?..y!.Y....J..
0010: F8 C3 55 7C ..U.
]
]
from which I understand that this certificate is a SHA2 certificate. Is that right?

The fingerprint does not define the certificate type, is the hash (one way) of the entire certificate in DER format (in SHA-1, MD5... etc), to know the certificate signature type refer to the Signature algorithm name (public key + digest algorithm) in that case you are right, your certificate signature is a SHA2 signature (SHA256 with RSA public key) but your certificate type is a (trusted certificate entry) x509 with a RSA public key.

When you look more in detail you can see that when you use the verbose option -v you also have the result you get without the option verbose :
Certificate fingerprints:
MD5: A4:8E:49:4F:2C:10:C6:94:80:C5:6A:DC:13:72:CF:F0
---> SHA1: 0D:45:B8:00:6D:94:81:DB:4F:60:D4:6E:E5:3B:5D:F6:B9:4C:D2:F9
SHA256: 2D:24:07:41:C0:1B:9D:70:DF:CB:13:0A:C9:18:1B:A4:12:25:B7:53:C7:99:09:ED:2F:E2:CA:12:3A:BF:F8:4A
Signature algorithm name: SHA256withRSA
Version: 3
The -v option really only show you more information.
so you can see that the signature algorithm here is SHA256withRSA
but the signature is not the certificate type.
The certificate is probably a X.509 certificate

Couldn't not able to establish two-way SSL connection

Using plain java client i'm trying to connect to other webserver, It works on standlone but when i deploy on weblogic and try to connect it give below error.
Server :weblogic 10.3
Full stack trace of SSL: with below stactrace it easily sounds that handshake is happening but again its trying to connect and failing .please suggest me where i'm doing wrong.
code snippet i'm using :
FileInputStream fisjks = null;
FileInputStream fisTrusted = null;
String keyStoreType = "jks";
String passphrase = "password";
String passphraseTrusted = "password";
KeyStore ks = KeyStore.getInstance(keyStoreType);
fisjks = new FileInputStream("C:/CFC/Certs/client.jks");
ks.load(fisjks, passphrase.toCharArray());
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(ks, passphrase.toCharArray());
KeyStore ks1 = KeyStore.getInstance(keyStoreType);
fisTrusted = new FileInputStream("C:/CFC/Certs/clientTruststore.jks");
ks1.load(fisTrusted, passphraseTrusted.toCharArray());
TrustManagerFactory tmf = TrustManagerFactory
.getInstance("PKIX");
tmf.init(ks1);
SSLContext sslc = SSLContext.getInstance("SSLv3");
sslc.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
HttpsTransportInfo https = new HttpsTransportInfo();
https.setKeyManagers(kmf.getKeyManagers());
https.setTrustManagers(tmf.getTrustManagers());
error stack trace:
found key for : 1 chain [0] = [ [ Version: V3 Subject:
EMAILADDRESS=ravi-kumar.gullapalli#db.com, CN=dbsinlt3767, OU=deutsche
bank, O=deutsche bank, L=sg, ST=sg, C=sg Signature Algorithm:
SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits modulus:
144592527724012074845004082487794424487354455673579096476940872358533141438065735825819894128056692571922940458543755331194643176374687100664359963995916933269788855991350833527371185749001888440965012790605437863243747901365797345245355690011955852557580366177837112034836139958497356357064447873318654927713
public exponent: 65537 Validity: [From: Sun Mar 13 17:23:02 SGT
2011,
To: Wed Mar 07 17:23:02 SGT 2012] Issuer: EMAILADDRESS=ravi-kumar.gullapalli#db.com, CN=dbsinws3283, OU=deutsche
bank, O=deutsche bank, L=sg, ST=sg, C=sg SerialNumber: [ 1001]
Certificate Extensions: 4 [1]: ObjectId: 2.16.840.1.113730.1.13
Criticality=false Extension unknown: DER encoded OCTET string = 0000:
04 1F 16 1D 4F 70 65 6E 53 53 4C 20 47 65 6E 65 ....OpenSSL Gene
0010: 72 61 74 65 64 20 43 65 72 74 69 66 69 63 61 74 rated
Certificat 0020: 65 e
[2]: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [
KeyIdentifier [ 0000: 75 87 47 BE 09 C0 D9 C7 4F FB 5F 57 1D F7 77
99 u.G.....O._W..w. 0010: CF 12 FB DB
.... ] ]
[3]: ObjectId: 2.5.29.35 Criticality=false AuthorityKeyIdentifier [
KeyIdentifier [ 0000: 96 83 10 39 C4 C0 8F 54 5E 0F 85 A0 9C D4 85
71 ...9...T^......q 0010: FC 55 39 9A
.U9. ]
]
* main, SEND TLSv1 ALERT: fatal, description = certificate_unknown main, WRITE: TLSv1 Alert, length = 2 [Raw write]: length = 7 0000: 15
03 01 00 02 02 2E ....... main, called
closeSocket() main, handling exception:
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: No trusted certificate
found at
weblogic.wsee.jaxrpc.ServiceImpl.throwServiceException(ServiceImpl.java:174)
at
weblogic.wsee.jaxrpc.ServiceImpl.loadWsdlDefinition(ServiceImpl.java:485)
at weblogic.wsee.jaxrpc.ServiceImpl.(ServiceImpl.java:119) at
com.db.luup.InvoiceAgentService_Impl.(Unknown Source) at
com.db.mobile.test.LuupMobileClientTest1.main(LuupMobileClientTest1.java:78)
Caused by: weblogic.wsee.wsdl.WsdlException: Failed to read wsdl file
from url due to -- javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: No trusted certificate
found at
weblogic.wsee.wsdl.WsdlReader.getDocument(WsdlReader.java:313) at
weblogic.wsee.wsdl.WsdlReader.getDocument(WsdlReader.java:305) at
weblogic.wsee.wsdl.WsdlSchema.parse(WsdlSchema.java:136) at
weblogic.wsee.wsdl.WsdlSchemaImport.parse(WsdlSchemaImport.java:99)
at weblogic.wsee.wsdl.WsdlSchema.parse(WsdlSchema.java:116) at
weblogic.wsee.wsdl.WsdlSchema.parse(WsdlSchema.java:73) at
weblogic.wsee.wsdl.WsdlTypes.parse(WsdlTypes.java:165) at
weblogic.wsee.wsdl.WsdlDefinitions.parseChild(WsdlDefinitions.java:520)
at weblogic.wsee.wsdl.WsdlExtensible.parse(WsdlExtensible.java:98)
at weblogic.wsee.wsdl.WsdlDefinitions.parse(WsdlDefinitions.java:468)
at weblogic.wsee.wsdl.WsdlDefinitions.parse(WsdlDefinitions.java:403)
at weblogic.wsee.wsdl.WsdlDefinitions.parse(WsdlDefinitions.java:389)
at weblogic.wsee.wsdl.WsdlFactory.parse(WsdlFactory.java:79) at
weblogic.wsee.wsdl.WsdlFactory.parse(WsdlFactory.java:66) at
weblogic.wsee.jaxrpc.ServiceImpl.loadWsdlDefinition(ServiceImpl.java:476)
... 3 more Caused by: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: No trusted certificate
found at
com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
at
com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
at
com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
at
com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
at
com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
at
com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
at
com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
at
sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
at
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
at
sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1049)
at
sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
at
weblogic.wsee.util.is.InputSourceUtil.loadURL(InputSourceUtil.java:100)
at
weblogic.wsee.util.dom.DOMParser.getWebLogicDocumentImpl(DOMParser.java:118)
at weblogic.wsee.util.dom.DOMParser.getDocument(DOMParser.java:65)
at weblogic.wsee.wsdl.WsdlReader.getDocument(WsdlReader.java:311)
... 17 more Caused by: sun.security.validator.ValidatorException: No
trusted certificate found at
sun.security.validator.SimpleValidator.buildTrustedChain(SimpleValidator.java:330)
at
sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:110)
at sun.security.validator.Validator.validate(Validator.java:218) at
com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
at
com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
at
com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
at
com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1014)
... 32 more

The server didn't trust the client certificate, or vice versa.

If the error stack is from the client application, then the file C:/CFC/Certs/clientTruststore.jks must have the CA certificate for the server certifcate's Issuer.
"No trusted certificate found". The client cannot verify the server's certificate since a matching CA certificate is not found in the truststore.