Related
I have sample code to fetch regions from Google Cloud API. This sample code works fine from my laptop (windows with OpenJDK 1.8 version). But the same code fails from kubernetes environment which has suse linux with OpenJDK 1.8 version.
From Suse linux side I get :
Exception in thread "main" java.io.IOException: Error getting access token for service account: Remote host closed connection during handshake
at com.google.auth.oauth2.ServiceAccountCredentials.refreshAccessToken(ServiceAccountCredentials.java:444)
at com.google.auth.oauth2.OAuth2Credentials.refresh(OAuth2Credentials.java:157)
at com.google.auth.oauth2.OAuth2Credentials.getRequestMetadata(OAuth2Credentials.java:145)
at com.google.auth.oauth2.ServiceAccountCredentials.getRequestMetadata(ServiceAccountCredentials.java:603)
at com.google.auth.http.HttpCredentialsAdapter.initialize(HttpCredentialsAdapter.java:91)
at com.google.api.client.http.HttpRequestFactory.buildRequest(HttpRequestFactory.java:91)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.buildHttpRequest(AbstractGoogleClientRequest.java:404)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:514)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:455)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.execute(AbstractGoogleClientRequest.java:565)
at sample.program.gcp.vpvn.regionList(vpvn.java:85)
at sample.program.gcp.vpvn.main(vpvn.java:307)
Caused by: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:994)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1340)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1315)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:264)
at com.google.api.client.http.javanet.NetHttpRequest.execute(NetHttpRequest.java:113)
at com.google.api.client.http.javanet.NetHttpRequest.execute(NetHttpRequest.java:84)
at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:1012)
at com.google.auth.oauth2.ServiceAccountCredentials.refreshAccessToken(ServiceAccountCredentials.java:441)
... 11 more
Caused by: java.io.EOFException: SSL peer shut down incorrectly
at sun.security.ssl.InputRecord.read(InputRecord.java:505)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:975)
... 23 more
When I enable SSL debug, I am not getting much details to troubleshoot this issue:
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1616080171 bytes = { 119, 66, 219, 23, 171, 247, 221, 79, 45, 202, 181, 18, 229, 4, 65, 98, 207, 90, 0, 108, 43, 54, 80, 65, 39, 31, 49, 114 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
***
[write] MD5 and SHA1 hashes: len = 215
0000: 01 00 00 D3 03 03 60 53 6D 2B 77 42 DB 17 AB F7 ......`Sm+wB....
0010: DD 4F 2D CA B5 12 E5 04 41 62 CF 5A 00 6C 2B 36 .O-.....Ab.Z.l+6
0020: 50 41 27 1F 31 72 00 00 56 C0 24 C0 28 00 3D C0 PA'.1r..V.$.(.=.
0030: 26 C0 2A 00 6B 00 6A C0 0A C0 14 00 35 C0 05 C0 &.*.k.j.....5...
0040: 0F 00 39 00 38 C0 23 C0 27 00 3C C0 25 C0 29 00 ..9.8.#.'.<.%.).
0050: 67 00 40 C0 09 C0 13 00 2F C0 04 C0 0E 00 33 00 g.#...../.....3.
0060: 32 C0 2C C0 2B C0 30 00 9D C0 2E C0 32 00 9F 00 2.,.+.0.....2...
0070: A3 C0 2F 00 9C C0 2D C0 31 00 9E 00 A2 00 FF 01 ../...-.1.......
0080: 00 00 54 00 0A 00 08 00 06 00 17 00 18 00 19 00 ..T.............
0090: 0B 00 02 01 00 00 0D 00 1C 00 1A 06 03 06 01 05 ................
00A0: 03 05 01 04 03 04 01 04 02 03 03 03 01 03 02 02 ................
00B0: 03 02 01 02 02 00 17 00 00 00 00 00 1A 00 18 00 ................
00C0: 00 15 6F 61 75 74 68 32 2E 67 6F 6F 67 6C 65 61 ..oauth2.googlea
00D0: 70 69 73 2E 63 6F 6D pis.com
main, WRITE: TLSv1.2 Handshake, length = 215
[Raw write]: length = 220
0000: 16 03 03 00 D7 01 00 00 D3 03 03 60 53 6D 2B 77 ...........`Sm+w
0010: 42 DB 17 AB F7 DD 4F 2D CA B5 12 E5 04 41 62 CF B.....O-.....Ab.
0020: 5A 00 6C 2B 36 50 41 27 1F 31 72 00 00 56 C0 24 Z.l+6PA'.1r..V.$
0030: C0 28 00 3D C0 26 C0 2A 00 6B 00 6A C0 0A C0 14 .(.=.&.*.k.j....
0040: 00 35 C0 05 C0 0F 00 39 00 38 C0 23 C0 27 00 3C .5.....9.8.#.'.<
0050: C0 25 C0 29 00 67 00 40 C0 09 C0 13 00 2F C0 04 .%.).g.#...../..
0060: C0 0E 00 33 00 32 C0 2C C0 2B C0 30 00 9D C0 2E ...3.2.,.+.0....
0070: C0 32 00 9F 00 A3 C0 2F 00 9C C0 2D C0 31 00 9E .2...../...-.1..
0080: 00 A2 00 FF 01 00 00 54 00 0A 00 08 00 06 00 17 .......T........
0090: 00 18 00 19 00 0B 00 02 01 00 00 0D 00 1C 00 1A ................
00A0: 06 03 06 01 05 03 05 01 04 03 04 01 04 02 03 03 ................
00B0: 03 01 03 02 02 03 02 01 02 02 00 17 00 00 00 00 ................
00C0: 00 1A 00 18 00 00 15 6F 61 75 74 68 32 2E 67 6F .......oauth2.go
00D0: 6F 67 6C 65 61 70 69 73 2E 63 6F 6D ogleapis.com
main, received EOFException: error
main, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
main, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
Any hints on how to troubleshoot this issue?
Here with my sample code:
public static void main(String args[]) throws GeneralSecurityException, IOException {
Compute computeService = createComputeService();
Compute.Regions.List request = computeService.regions().list("imageagg-nonprod");
System.out.println("the list of regions for the selected project is \n");
RegionList response;
do {
response = request.execute();
if (response.getItems() == null) {
continue;
}
request.setPageToken(response.getNextPageToken());
} while (response.getNextPageToken() != null);
ArrayList regionNames = new ArrayList<String>();
HashMap<String, ArrayList<String>> ZoneList = new HashMap<>();
response.getItems().forEach(region -> {
ArrayList<String> zones = new ArrayList<String>();
regionNames.add(region.getName());
region.getZones().forEach(zone -> {
zones.add(Paths.get(URI.create(zone).getPath()).getFileName().toString());
});
ZoneList.put(region.getName(), zones);
});
System.out.println("list of region for selected project is \n");
regionNames.forEach(element -> {
System.out.println(element);
});
System.out.println("the names of regions and Zones for the selected Project is \n");
Set entries = ZoneList.entrySet();
Iterator it = entries.iterator();
while (it.hasNext()) {
Map.Entry pair = (Map.Entry) it.next();
System.out.println(pair.getKey() + " = " + pair.getValue());
}
machineList(ZoneList);
}
public static Compute createComputeService() throws IOException, GeneralSecurityException {
HttpTransport httpTransport = GoogleNetHttpTransport.newTrustedTransport();
String proxyHostOpt = "web-proxy.in.software.net";
int proxyPort = 8080;
JsonFactory jsonFactory = JacksonFactory.getDefaultInstance();
HttpTransport abc = new NetHttpTransport.Builder().trustCertificates(GoogleUtils.getCertificateTrustStore())
.setProxy(new Proxy(Proxy.Type.HTTP, InetSocketAddress.createUnresolved(proxyHostOpt, proxyPort))).build();
//GoogleCredential credential = GoogleCredential.getApplicationDefault(abc,jsonFactory);
List<String> scopes = new ArrayList<>();
//scopes.add("https://www.googleapis.com/auth/cloud-platform");
String jsonToken = "{\n" + " \"type\": \"service_account\",\n" + " \"project_id\": \"imageagg-nonprod\",\n" + " \"private_key_id\": \"99c871d2855b4d9388cc7a3a670a5764deb8c5e9\",\n" + " \"private_key\": \"-----BEGIN PRIVATE KEY-----\\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDh9k2JcCFrDZfm\\ng9DONfKe8xATwljEsW8FXMbPzU5JoXXsy1CYgkeW+eqXguQxFZM3HuI1W+mGBxgE\\n/K2P7XvJxylv7NajpgNmm4KGIh4hOpi+Sn3GVS31ftGM5A/CYKhRpr5uskr5PEin\\nDYxl0hUnfTodJCT+uxPxoCeN8aWuq5s+BapKKB8KVduUqmz3f8GL2Pc5wlm/YyOK\\nJYC781MAzLIFe8cLAVUJrVETqOtFTPCjy0yMGiUKxkyL20C11WFwfdD5ou0SD+6U\\nsT1YD/15KYh9GvV1E2XIPGzVtSHvU9h7FDRqOa+05QP3uDHegrAAib4PHA/A7KPD\\nBwkA6sW/AgMBAAECggEAHCPBtS9vIfdP5uecfcmvHMdVRbiquFgGZOsQYTmGmdnP\\nJz2MnGmBA9a8tc=\\n-----END PRIVATE KEY-----\\n\",\n" + " \"client_email\": \"315654350484-compute#developer.gserviceaccount.com\",\n" + " \"client_id\": \"112960668\",\n" + " \"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\",\n" + " \"token_uri\": \"https://oauth2.googleapis.com/token\",\n" + " \"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\",\n" + " \"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/315654350484-compute%40developer.gserviceaccount.com\"\n" + "}";
ObjectMapper objectMapper = new ObjectMapper();
Map<String, Object> map
= objectMapper.readValue(jsonToken, new TypeReference<Map<String,Object>>(){});
scopes.add(ComputeScopes.COMPUTE);
scopes.add(ComputeScopes.CLOUD_PLATFORM);
//scopes.add(ComputeScopes.DEVSTORAGE_FULL_CONTROL);
GoogleCredentials credentials = GoogleCredentials.fromStream(IOUtils.toInputStream(jsonToken, StandardCharsets.UTF_8)).createScoped(scopes);
ServiceAccountCredentials serviceAccountCredentials = ServiceAccountCredentials.fromStream(IOUtils.toInputStream(jsonToken, StandardCharsets.UTF_8));
HttpRequestInitializer requestInitializer = new HttpCredentialsAdapter(credentials);
// Making call with credentials1 created with json string and proxy set as per requirements
return new Compute.Builder(abc, jsonFactory, requestInitializer).setApplicationName("hcmx").build();
}
My java version details:
java -version
openjdk version "11" 2018-09-25
OpenJDK Runtime Environment 18.9 (build 11+28)
OpenJDK 64-Bit Server VM 18.9 (build 11+28, mixed mode)
Environment where code is running:
[root#hcm-pool-centos76-3 ~]# uname -a
Linux hcm-pool-centos76-3 3.10.0-1062.9.1.el7.x86_64 #1 SMP Fri Dec 6 15:49:49 UTC 2
The crash occurs in mshtml when we print the contents of a WebBrowser(ActiveX Control), in MFC Applications.
1) The print dialog is not opening.
For printing from webbrowser, we call the below function
ExecWB(OLECMDID_PRINT, OLECMDEXECOPT_PROMPTUSER, NULL, NULL);
2) The crash starts from preview.js (CPrintDoc_RectComplete method) of ieframe.dll.
3) It is crashing in mshtml, "mshtml!Tree::CIE9DocumentLayout::HandleLayoutBuilderError+0xc6"
4) It is giving "Break instruction exception - code 80000003" .
Could you please let us know if there is any hotfix available for this callstack.
The call stack of the crashing thread is
00 000000ea2e697dc0 00007ffb483c4097 mshtml!Tree::CIE9DocumentLayout::HandleLayoutBuilderError+0xc6
01 000000ea2e697e00 00007ffb47cea9fc mshtml!CMarkupPageLayout::CalcPageLayoutSize+0xa09bcf
02 000000ea2e697f90 00007ffb489a6b86 mshtml!CMarkupPageLayout::CalcTopLayoutSizeWithDefault+0x1c
03 000000ea2e697fc0 00007ffb47b13a7f mshtml!CContainerLayout::CalcSizeVirtual+0x166
04 000000ea2e6980c0 00007ffb4806969e mshtml!CLayout::CalcSize+0x247
05 000000ea2e698270 00007ffb480694a8 mshtml!CFlowLayout::MeasureSite+0x42b
06 000000ea2e6983f0 00007ffb4806936f mshtml!CFlowLayout::GetSiteWidth+0x123
07 000000ea2e6984a0 00007ffb48069959 mshtml!CLSMeasurer::GetSiteWidth+0xaf
08 000000ea2e698520 00007ffb4806b97b mshtml!CLineServices::VerticalAlignOneObjectFast+0x443
09 000000ea2e6985f0 00007ffb4806ea8a mshtml!CLineServices::VerticalAlignObjectsFast+0x2da
0a 000000ea2e698730 00007ffb483648f0 mshtml!CLSMeasurer::Measure+0x3c6
0b 000000ea2e6987c0 00007ffb48273b4d mshtml!CLSMeasurer::MeasureLine+0x3c
0c 000000ea2e698810 00007ffb4806b01f mshtml!CRecalcLinePtr::MeasureLine+0x2a6
0d 000000ea2e698980 00007ffb4806e3ea mshtml!CDisplay::RecalcLinesWithMeasurer+0x2f2
0e 000000ea2e698ae0 00007ffb4806d555 mshtml!CDisplay::RecalcLines+0x6a
0f 000000ea2e698d20 00007ffb48057c51 mshtml!CDisplay::RecalcView+0x54
10 000000ea2e698d60 00007ffb4803af3d mshtml!CFlowLayout::CalcTextSize+0x303
11 000000ea2e698ed0 00007ffb4805a85d mshtml!CFlowLayout::CalcSizeCoreCompat+0x4a9
12 000000ea2e699440 00007ffb47b13a7f mshtml!CFlowLayout::CalcSizeVirtual+0x89
13 000000ea2e6994d0 00007ffb4806969e mshtml!CLayout::CalcSize+0x247
14 000000ea2e699680 00007ffb480694a8 mshtml!CFlowLayout::MeasureSite+0x42b
15 000000ea2e699800 00007ffb4806936f mshtml!CFlowLayout::GetSiteWidth+0x123
16 000000ea2e6998b0 00007ffb48071555 mshtml!CLSMeasurer::GetSiteWidth+0xaf
17 000000ea2e699930 00007ffb511539fe mshtml!CEmbeddedILSObj::Fmt+0x261
18 000000ea2e699a50 00007ffb51154acf msls31!ProcessOneRun+0x2f1
19 000000ea2e699ba0 00007ffb511544fb msls31!FetchAppendEscCore+0x11f
1a 000000ea2e699ca0 00007ffb511543bf msls31!FiniFormatGeneralCase+0x11b
1b 000000ea2e699d70 00007ffb51153bef msls31!CreateLineCore+0x837
1c 000000ea2e699f10 00007ffb4806e2e7 msls31!LsCreateLine+0x11f
1d 000000ea2e699fa0 00007ffb480727c9 mshtml!CLSMeasurer::LSDoCreateLine+0x1c3
1e 000000ea2e69a170 00007ffb4806ebf8 mshtml!CLSMeasurer::LSMeasure+0x79
1f 000000ea2e69a290 00007ffb483648f0 mshtml!CLSMeasurer::Measure+0x160
20 000000ea2e69a320 00007ffb48273b4d mshtml!CLSMeasurer::MeasureLine+0x3c
21 000000ea2e69a370 00007ffb4806b01f mshtml!CRecalcLinePtr::MeasureLine+0x2a6
22 000000ea2e69a4e0 00007ffb4806e3ea mshtml!CDisplay::RecalcLinesWithMeasurer+0x2f2
23 000000ea2e69a640 00007ffb4806d555 mshtml!CDisplay::RecalcLines+0x6a
24 000000ea2e69a880 00007ffb48057c51 mshtml!CDisplay::RecalcView+0x54
25 000000ea2e69a8c0 00007ffb4803af3d mshtml!CFlowLayout::CalcTextSize+0x303
26 000000ea2e69aa30 00007ffb4805a85d mshtml!CFlowLayout::CalcSizeCoreCompat+0x4a9
27 000000ea2e69afa0 00007ffb47b13a7f mshtml!CFlowLayout::CalcSizeVirtual+0x89
28 000000ea2e69b030 00007ffb4806969e mshtml!CLayout::CalcSize+0x247
29 000000ea2e69b1e0 00007ffb480694a8 mshtml!CFlowLayout::MeasureSite+0x42b
2a 000000ea2e69b360 00007ffb4806936f mshtml!CFlowLayout::GetSiteWidth+0x123
2b 000000ea2e69b410 00007ffb48069959 mshtml!CLSMeasurer::GetSiteWidth+0xaf
2c 000000ea2e69b490 00007ffb4806b97b mshtml!CLineServices::VerticalAlignOneObjectFast+0x443
2d 000000ea2e69b560 00007ffb4806ea8a mshtml!CLineServices::VerticalAlignObjectsFast+0x2da
2e 000000ea2e69b6a0 00007ffb483648f0 mshtml!CLSMeasurer::Measure+0x3c6
2f 000000ea2e69b730 00007ffb48273b4d mshtml!CLSMeasurer::MeasureLine+0x3c
30 000000ea2e69b780 00007ffb48078d35 mshtml!CRecalcLinePtr::MeasureLine+0x2a6
31 000000ea2e69b8f0 00007ffb48065115 mshtml!CDisplay::RecalcLines+0x51f
32 000000ea2e69c4a0 00007ffb4807ea6c mshtml!CDisplay::UpdateView+0x1cc
33 000000ea2e69c670 00007ffb48059fde mshtml!CFlowLayout::CommitChanges+0xcb
34 000000ea2e69c770 00007ffb4803af3d mshtml!CFlowLayout::CalcTextSize+0x51c
35 000000ea2e69c8e0 00007ffb4805a85d mshtml!CFlowLayout::CalcSizeCoreCompat+0x4a9
36 000000ea2e69ce50 00007ffb47b13a7f mshtml!CFlowLayout::CalcSizeVirtual+0x89
37 000000ea2e69cee0 00007ffb48059e0c mshtml!CLayout::CalcSize+0x247
38 000000ea2e69d090 00007ffb480547b7 mshtml!CFlowLayout::DoLayout+0x461
39 000000ea2e69d200 00007ffb4797eea9 mshtml!CView::ExecuteLayoutTasks+0xe3
3a 000000ea2e69d290 00007ffb4820e9da mshtml!CView::EnsureView+0x43f
3b 000000ea2e69d370 00007ffb48356a72 mshtml!CElement::EnsureRecalcNotify+0xa4
3c 000000ea2e69d3b0 00007ffb47d095ff mshtml!CElement::EnsureRecalcNotify+0x1e
3d 000000ea2e69d3f0 00007ffb47d04046 mshtml!CDisplayPointer::MoveToMarkupPointer+0xaf
3e 000000ea2e69d460 00007ffb47d0446a mshtml!CSelectionManager::CreateTrackerForContext+0x19e
3f 000000ea2e69d500 00007ffb47d0434b mshtml!CSelectionManager::SetEditContext+0xe6
40 000000ea2e69d580 00007ffb47d04e65 mshtml!CSelectionManager::SetEditContextFromElement+0x18b
41 000000ea2e69d670 00007ffb47d07764 mshtml!CSelectionManager::SetInitialEditContext+0x45
42 000000ea2e69d6b0 00007ffb47d086bc mshtml!CSelectionManager::Initialize+0x2a8
43 000000ea2e69d6e0 00007ffb47a45272 mshtml!CHTMLEditor::Initialize+0x15c
44 000000ea2e69d760 00007ffb47cefa20 mshtml!CDoc::GetHTMLEditor+0x11a
45 000000ea2e69d7a0 00007ffb47c43116 mshtml!CElement::InjectInternal+0x807
46 000000ea2e69d960 00007ffb47cc5b29 mshtml!CElement::InjectTextOrHTML+0x38d
47 000000ea2e69da40 00007ffb47d4fc7d mshtml!CElement::put_innerText+0x29
48 000000ea2e69da80 00007ffb47c48429 mshtml!GS_BSTR+0x12b
49 000000ea2e69daf0 00007ffb47cdfed0 mshtml!CBase::ContextInvokeEx+0x658
4a 000000ea2e69dc10 00007ffb4820d0bd mshtml!CElement::VersionedInvokeEx+0xb7
4b 000000ea2e69dcc0 00007ffb465fa1e4 mshtml!CBase::PrivateInvokeEx+0x179
4c 000000ea2e69dd40 00007ffb466df12e jscript9!HostDispatch::CallInvokeEx+0x1b6
4d 000000ea2e69de10 00007ffb466df05b jscript9!HostDispatch::PutValueByDispId+0xb6
4e 000000ea2e69ded0 00007ffb466df00f jscript9!HostDispatch::PutValue+0x37
4f 000000ea2e69df10 00007ffb46734757 jscript9!HostDispatch::SetPropertyCore+0x6a
50 000000ea2e69df40 00007ffb4656420c jscript9!Js::JavascriptOperators::OP_SetProperty+0x2f8
51 000000ea2e69dfd0 00007ffb465644a2 jscript9!Js::JavascriptOperators::PatchPutValueNoFastPath+0x80
52 000000ea2e69e050 00007ffb4650e240 jscript9!Js::InterpreterStackFrame::Process+0x5553
53 000000ea2e69e390 000000ea217d0ddb jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x386
54 000000ea2e69e680 00007ffb46509eb3 js!CPrintDoc_RectComplete [res://ieframe.dll/preview.js # 2660,1]
55 000000ea2e69e6b0 00007ffb4672ae52 jscript9!amd64_CallFunction+0x93
56 000000ea2e69e710 00007ffb4650e240 jscript9!Js::InterpreterStackFrame::Process+0x1071
57 000000ea2e69ea50 000000ea217d0dfb jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x386
58 000000ea2e69ec90 00007ffb46509eb3 js!OnRectCompleteNext [res://ieframe.dll/preview.js # 742,1]
59 000000ea2e69ecc0 00007ffb4672ae52 jscript9!amd64_CallFunction+0x93
5a 000000ea2e69ed30 00007ffb4650e240 jscript9!Js::InterpreterStackFrame::Process+0x1071
5b 000000ea2e69f070 000000ea217d0de3 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x386
5c 000000ea2e69f2e0 00007ffb46509eb3 js!anonymous [Unknown script code # 1,1]
5d 000000ea2e69f310 00007ffb46509af1 jscript9!amd64_CallFunction+0x93
5e 000000ea2e69f360 00007ffb46509cfe jscript9!Js::JavascriptFunction::CallFunction<1>+0x6d
5f 000000ea2e69f3a0 00007ffb46509dff jscript9!Js::JavascriptFunction::CallRootFunction+0x110
60 000000ea2e69f480 00007ffb46509d58 jscript9!ScriptSite::CallRootFunction+0x63
61 000000ea2e69f4e0 00007ffb46623c42 jscript9!ScriptSite::Execute+0x122
62 000000ea2e69f570 00007ffb46658594 jscript9!JavascriptDispatch::InvokeOnSelf+0x102
63 000000ea2e69f5f0 00007ffb466586ab jscript9!JavascriptDispatch::InvokeEx+0x1e4
64 000000ea2e69f700 00007ffb480d43a9 jscript9!JavascriptDispatch::Invoke+0x7b
65 000000ea2e69f750 00007ffb47c84e73 mshtml!CWindow::ExecuteCallbackScript+0x144
66 000000ea2e69f8d0 00007ffb4797e57e mshtml!CWindow::FireTimeOut+0x295
67 000000ea2e69f960 00007ffb486236a1 mshtml!CPaintBeat::ProcessTimers+0x327
68 000000ea2e69fa00 00007ffb47a45ee9 mshtml!CPaintBeat::OnWMTimer+0x61
69 000000ea2e69fa30 00007ffb4796e166 mshtml!FormsOnTimer+0x9f
6a 000000ea2e69fa80 00007ffb7ad324fd mshtml!GlobalWndProc+0x1c6
6b 000000ea2e69fb00 00007ffb7ad32357 user32!UserCallWinProcCheckWow+0x149
6c 000000ea2e69fbd0 00007ffb48667b84 user32!DispatchMessageWorker+0x1a7
6d 000000ea2e69fc50 00007ffb785513f2 mshtml!ModelessThreadProc+0x1c4
6e 000000ea2e69fce0 00007ffb7aec54f4 kernel32!BaseThreadInitThunk+0x22
6f 000000ea2e69fd10 0000000000000000 ntdll!RtlUserThreadStart+0x34
I want to route all http requests to a https service using the spring cloud gateway but always receive a handshake_failure.
Routing everything to https://google.com for example works, but to my own service with its private certificate, created and signed by my own private CA, it does not, although I provided the matching truststore via -Djavax.net.ssl.trustStore and set useInsecureTrustManager: true. So what is wrong here?
My spring cloud gateway config:
server:
port: ${PORT:8081}
spring:
application:
name: gateway-service
cloud:
gateway:
httpclient:
ssl:
useInsecureTrustManager: true
routes:
- id: after_route
uri: https://my.server:2900/server/ping
predicates:
- After=2017-01-20T17:42:47.789-07:00[America/Denver]
And the log out put with -Djavax.net.debug=all:
2019-07-30 14:14:27.206 INFO 8257 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.cloud.autoconfigure.ConfigurationPropertiesRebinderAutoConfiguration' of type [org.springframework.cloud.autoconfigure.ConfigurationPropertiesRebinderAutoConfiguration$$EnhancerBySpringCGLIB$$ddc24342] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
. ____ _ __ _ _
/\\ / ___'_ __ _ _(_)_ __ __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
\\/ ___)| |_)| | | | | || (_| | ) ) ) )
' |____| .__|_| |_|_| |_\__, | / / / /
=========|_|==============|___/=/_/_/_/
:: Spring Boot :: (v2.1.6.RELEASE)
2019-07-30 14:14:27.315 INFO 8257 --- [ main] com.tobias.gateway.Gateway : No active profile set, falling back to default profiles: default
2019-07-30 14:14:27.704 INFO 8257 --- [ main] o.s.cloud.context.scope.GenericScope : BeanFactory id=90eb380c-f88b-3401-b688-6ef3ead8e5f1
2019-07-30 14:14:27.724 INFO 8257 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.cloud.autoconfigure.ConfigurationPropertiesRebinderAutoConfiguration' of type [org.springframework.cloud.autoconfigure.ConfigurationPropertiesRebinderAutoConfiguration$$EnhancerBySpringCGLIB$$ddc24342] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
javax.net.ssl|DEBUG|01|main|2019-07-30 14:14:27.950 CEST|SSLContextImpl.java:427|System property jdk.tls.client.cipherSuites is set to 'null'
javax.net.ssl|DEBUG|01|main|2019-07-30 14:14:27.953 CEST|SSLContextImpl.java:427|System property jdk.tls.server.cipherSuites is set to 'null'
javax.net.ssl|DEBUG|01|main|2019-07-30 14:14:27.974 CEST|SSLCipher.java:437|jdk.tls.keyLimits: entry = AES/GCM/NoPadding KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472
javax.net.ssl|DEBUG|01|main|2019-07-30 14:14:27.984 CEST|SSLContextImpl.java:401|Ignore disabled cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|01|main|2019-07-30 14:14:27.984 CEST|SSLContextImpl.java:410|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
...
... Lots of other ignored cipher suites
...
javax.net.ssl|DEBUG|01|main|2019-07-30 14:14:28.009 CEST|TrustStoreManager.java:112|trustStore is: truststore.jks
trustStore type is: pkcs12
trustStore provider is:
the last modified time is: Wed Apr 10 10:36:03 CEST 2019
javax.net.ssl|DEBUG|01|main|2019-07-30 14:14:28.009 CEST|TrustStoreManager.java:311|Reload the trust store
javax.net.ssl|DEBUG|01|main|2019-07-30 14:14:28.022 CEST|TrustStoreManager.java:318|Reload trust certs
javax.net.ssl|DEBUG|01|main|2019-07-30 14:14:28.022 CEST|TrustStoreManager.java:323|Reloaded 1 trust certs
javax.net.ssl|DEBUG|01|main|2019-07-30 14:14:28.026 CEST|X509TrustManagerImpl.java:79|adding as trusted certificates (
"certificate" : {
"version" : "v3",
"serial number" : "00 E0 97 A2 3A FB A3 C1 44",
"signature algorithm": "SHA256withRSA",
"issuer" : "EMAILADDRESS=my#e.mail, CN=My Root Certificate Authority, OU=My OU, O=Me, L=Hamburg, ST=Hamburg, C=DE",
"not before" : "2018-10-05 13:38:39.000 CEST",
"not after" : "2023-10-04 13:38:39.000 CEST",
"subject" : "EMAILADDRESS=my#e.mail, CN=My Root Certificate Authority, OU=My OU, O=Me, L=Hamburg, ST=Hamburg, C=DE",
"subject public key" : "RSA",
"extensions" : [
{
ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 87 FB AB 07 09 69 28 5C 53 05 29 49 44 B1 5C C7 .....i(\S.)ID.\.
0010: E2 A3 54 22 ..T"
]
]
},
{
ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
},
{
ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
},
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 87 FB AB 07 09 69 28 5C 53 05 29 49 44 B1 5C C7 .....i(\S.)ID.\.
0010: E2 A3 54 22 ..T"
]
]
}
]}
)
javax.net.ssl|ALL|01|main|2019-07-30 14:14:28.026 CEST|SSLContextImpl.java:115|trigger seeding of SecureRandom
javax.net.ssl|ALL|01|main|2019-07-30 14:14:28.026 CEST|SSLContextImpl.java:119|done seeding of SecureRandom
javax.net.ssl|DEBUG|01|main|2019-07-30 14:14:28.040 CEST|TrustStoreManager.java:112|trustStore is: truststore.jks
trustStore type is: pkcs12
trustStore provider is:
the last modified time is: Wed Apr 10 10:36:03 CEST 2019
javax.net.ssl|DEBUG|01|main|2019-07-30 14:14:28.041 CEST|X509TrustManagerImpl.java:79|adding as trusted certificates (
"certificate" : {
"version" : "v3",
"serial number" : "00 E0 97 A2 3A FB A3 C1 44",
"signature algorithm": "SHA256withRSA",
"issuer" : "EMAILADDRESS=my#e.mail, CN=My Root Certificate Authority, OU=My OU, O=Me, L=Hamburg, ST=Hamburg, C=DE",
"not before" : "2018-10-05 13:38:39.000 CEST",
"not after" : "2023-10-04 13:38:39.000 CEST",
"subject" : "EMAILADDRESS=my#e.mail, CN=My Root Certificate Authority, OU=My OU, O=Me, L=Hamburg, ST=Hamburg, C=DE",
"subject public key" : "RSA",
"extensions" : [
{
ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 87 FB AB 07 09 69 28 5C 53 05 29 49 44 B1 5C C7 .....i(\S.)ID.\.
0010: E2 A3 54 22 ..T"
]
]
},
{
ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
},
{
ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
},
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 87 FB AB 07 09 69 28 5C 53 05 29 49 44 B1 5C C7 .....i(\S.)ID.\.
0010: E2 A3 54 22 ..T"
]
]
}
]}
)
javax.net.ssl|ALL|01|main|2019-07-30 14:14:28.041 CEST|SSLContextImpl.java:115|trigger seeding of SecureRandom
javax.net.ssl|ALL|01|main|2019-07-30 14:14:28.042 CEST|SSLContextImpl.java:119|done seeding of SecureRandom
javax.net.ssl|DEBUG|01|main|2019-07-30 14:14:28.048 CEST|TrustStoreManager.java:112|trustStore is: truststore.jks
trustStore type is: pkcs12
trustStore provider is:
the last modified time is: Wed Apr 10 10:36:03 CEST 2019
javax.net.ssl|DEBUG|01|main|2019-07-30 14:14:28.049 CEST|X509TrustManagerImpl.java:79|adding as trusted certificates (
"certificate" : {
"version" : "v3",
"serial number" : "00 E0 97 A2 3A FB A3 C1 44",
"signature algorithm": "SHA256withRSA",
"issuer" : "EMAILADDRESS=my#e.mail, CN=My Root Certificate Authority, OU=My OU, O=Me, L=Hamburg, ST=Hamburg, C=DE",
"not before" : "2018-10-05 13:38:39.000 CEST",
"not after" : "2023-10-04 13:38:39.000 CEST",
"subject" : "EMAILADDRESS=my#e.mail, CN=My Root Certificate Authority, OU=My OU, O=Me, L=Hamburg, ST=Hamburg, C=DE",
"subject public key" : "RSA",
"extensions" : [
{
ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 87 FB AB 07 09 69 28 5C 53 05 29 49 44 B1 5C C7 .....i(\S.)ID.\.
0010: E2 A3 54 22 ..T"
]
]
},
{
ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
},
{
ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
},
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 87 FB AB 07 09 69 28 5C 53 05 29 49 44 B1 5C C7 .....i(\S.)ID.\.
0010: E2 A3 54 22 ..T"
]
]
}
]}
)
javax.net.ssl|ALL|01|main|2019-07-30 14:14:28.049 CEST|SSLContextImpl.java:115|trigger seeding of SecureRandom
javax.net.ssl|ALL|01|main|2019-07-30 14:14:28.049 CEST|SSLContextImpl.java:119|done seeding of SecureRandom
javax.net.ssl|DEBUG|01|main|2019-07-30 14:14:28.055 CEST|TrustStoreManager.java:112|trustStore is: truststore.jks
trustStore type is: pkcs12
trustStore provider is:
the last modified time is: Wed Apr 10 10:36:03 CEST 2019
javax.net.ssl|DEBUG|01|main|2019-07-30 14:14:28.056 CEST|X509TrustManagerImpl.java:79|adding as trusted certificates (
"certificate" : {
"version" : "v3",
"serial number" : "00 E0 97 A2 3A FB A3 C1 44",
"signature algorithm": "SHA256withRSA",
"issuer" : "EMAILADDRESS=my#e.mail, CN=My Root Certificate Authority, OU=My OU, O=Me, L=Hamburg, ST=Hamburg, C=DE",
"not before" : "2018-10-05 13:38:39.000 CEST",
"not after" : "2023-10-04 13:38:39.000 CEST",
"subject" : "EMAILADDRESS=my#e.mail, CN=My Root Certificate Authority, OU=My OU, O=Me, L=Hamburg, ST=Hamburg, C=DE",
"subject public key" : "RSA",
"extensions" : [
{
ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 87 FB AB 07 09 69 28 5C 53 05 29 49 44 B1 5C C7 .....i(\S.)ID.\.
0010: E2 A3 54 22 ..T"
]
]
},
{
ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
},
{
ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
},
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 87 FB AB 07 09 69 28 5C 53 05 29 49 44 B1 5C C7 .....i(\S.)ID.\.
0010: E2 A3 54 22 ..T"
]
]
}
]}
)
javax.net.ssl|ALL|01|main|2019-07-30 14:14:28.056 CEST|SSLContextImpl.java:115|trigger seeding of SecureRandom
javax.net.ssl|ALL|01|main|2019-07-30 14:14:28.056 CEST|SSLContextImpl.java:119|done seeding of SecureRandom
javax.net.ssl|ALL|01|main|2019-07-30 14:14:28.068 CEST|SSLContextImpl.java:115|trigger seeding of SecureRandom
javax.net.ssl|ALL|01|main|2019-07-30 14:14:28.068 CEST|SSLContextImpl.java:119|done seeding of SecureRandom
2019-07-30 14:14:28.408 INFO 8257 --- [ main] o.s.c.g.r.RouteDefinitionRouteLocator : Loaded RoutePredicateFactory [After]
2019-07-30 14:14:28.408 INFO 8257 --- [ main] o.s.c.g.r.RouteDefinitionRouteLocator : Loaded RoutePredicateFactory [Before]
2019-07-30 14:14:28.408 INFO 8257 --- [ main] o.s.c.g.r.RouteDefinitionRouteLocator : Loaded RoutePredicateFactory [Between]
2019-07-30 14:14:28.408 INFO 8257 --- [ main] o.s.c.g.r.RouteDefinitionRouteLocator : Loaded RoutePredicateFactory [Cookie]
2019-07-30 14:14:28.408 INFO 8257 --- [ main] o.s.c.g.r.RouteDefinitionRouteLocator : Loaded RoutePredicateFactory [Header]
2019-07-30 14:14:28.408 INFO 8257 --- [ main] o.s.c.g.r.RouteDefinitionRouteLocator : Loaded RoutePredicateFactory [Host]
2019-07-30 14:14:28.408 INFO 8257 --- [ main] o.s.c.g.r.RouteDefinitionRouteLocator : Loaded RoutePredicateFactory [Method]
2019-07-30 14:14:28.408 INFO 8257 --- [ main] o.s.c.g.r.RouteDefinitionRouteLocator : Loaded RoutePredicateFactory [Path]
2019-07-30 14:14:28.408 INFO 8257 --- [ main] o.s.c.g.r.RouteDefinitionRouteLocator : Loaded RoutePredicateFactory [Query]
2019-07-30 14:14:28.408 INFO 8257 --- [ main] o.s.c.g.r.RouteDefinitionRouteLocator : Loaded RoutePredicateFactory [ReadBodyPredicateFactory]
2019-07-30 14:14:28.408 INFO 8257 --- [ main] o.s.c.g.r.RouteDefinitionRouteLocator : Loaded RoutePredicateFactory [RemoteAddr]
2019-07-30 14:14:28.408 INFO 8257 --- [ main] o.s.c.g.r.RouteDefinitionRouteLocator : Loaded RoutePredicateFactory [Weight]
2019-07-30 14:14:28.408 INFO 8257 --- [ main] o.s.c.g.r.RouteDefinitionRouteLocator : Loaded RoutePredicateFactory [CloudFoundryRouteService]
2019-07-30 14:14:28.828 INFO 8257 --- [ main] o.s.b.web.embedded.netty.NettyWebServer : Netty started on port(s): 8081
2019-07-30 14:14:28.832 INFO 8257 --- [ main] com.tobias.gateway.Gateway : Started Gateway in 2.114 seconds (JVM running for 2.72)
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.298 CEST|HandshakeContext.java:290|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 for TLS11
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.298 CEST|HandshakeContext.java:290|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 for TLS11
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.298 CEST|HandshakeContext.java:290|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 for TLS11
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.299 CEST|HandshakeContext.java:290|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 for TLS10
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.299 CEST|HandshakeContext.java:290|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 for TLS10
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.299 CEST|HandshakeContext.java:290|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 for TLS10
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.308 CEST|SupportedGroupsExtension.java:841|Ignore inactive or disabled named group: ffdhe2048
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.309 CEST|SupportedGroupsExtension.java:841|Ignore inactive or disabled named group: ffdhe3072
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.309 CEST|SupportedGroupsExtension.java:841|Ignore inactive or disabled named group: ffdhe4096
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.309 CEST|SupportedGroupsExtension.java:841|Ignore inactive or disabled named group: ffdhe6144
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.309 CEST|SupportedGroupsExtension.java:841|Ignore inactive or disabled named group: ffdhe8192
javax.net.ssl|WARNING|29|reactor-http-nio-6|2019-07-30 14:14:36.313 CEST|SignatureScheme.java:282|Signature algorithm, ed25519, is not supported by the underlying providers
javax.net.ssl|WARNING|29|reactor-http-nio-6|2019-07-30 14:14:36.314 CEST|SignatureScheme.java:282|Signature algorithm, ed448, is not supported by the underlying providers
javax.net.ssl|ALL|29|reactor-http-nio-6|2019-07-30 14:14:36.317 CEST|SignatureScheme.java:358|Ignore disabled signature sheme: rsa_md5
javax.net.ssl|INFO|29|reactor-http-nio-6|2019-07-30 14:14:36.317 CEST|AlpnExtension.java:161|No available application protocols
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.317 CEST|SSLExtensions.java:256|Ignore, context unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.318 CEST|ClientHello.java:651|Produced ClientHello handshake message (
"ClientHello": {
"client version" : "TLSv1.2",
"random" : "BC 92 B0 0D 8A 40 3B CD E7 64 2D 46 A3 49 24 55 08 48 3A BC 02 B3 31 89 20 B2 F3 68 32 AF C4 82",
"session id" : "",
"cipher suites" : "[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035)]",
"compression methods" : "00",
"extensions" : [
]
}
)
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.329 CEST|SSLEngineOutputRecord.java:507|WRITE: TLS12 handshake, length = 260
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.330 CEST|SSLEngineOutputRecord.java:525|Raw write (
0000: 16 03 03 01 04 01 00 01 00 03 03 BC 92 B0 0D 8A ................
0010: 40 3B CD E7 64 2D 46 A3 49 24 55 08 48 3A BC 02 #;..d-F.I$U.H:..
0020: B3 31 89 20 B2 F3 68 32 AF C4 82 00 00 10 C0 2C .1. ..h2.......,
0030: C0 2B C0 2F C0 13 C0 14 00 9C 00 2F 00 35 01 00 .+./......./.5..
0040: 00 C7 00 00 00 21 00 1F 00 00 1C 70 6C 61 79 67 .....!.....playg
0050: 72 6F 75 6E 64 2E 6D 61 63 68 69 6E 65 73 2E 6E round.machines.n
0060: 37 6C 61 62 2E 69 6F 00 05 00 05 01 00 00 00 00 7lab.io.........
0070: 00 0A 00 16 00 14 00 17 00 18 00 19 00 09 00 0A ................
0080: 00 0B 00 0C 00 0D 00 0E 00 16 00 0B 00 02 01 00 ................
0090: 00 0D 00 28 00 26 04 03 05 03 06 03 08 04 08 05 ...(.&..........
00A0: 08 06 08 09 08 0A 08 0B 04 01 05 01 06 01 04 02 ................
00B0: 03 03 03 01 03 02 02 03 02 01 02 02 00 32 00 28 .............2.(
00C0: 00 26 04 03 05 03 06 03 08 04 08 05 08 06 08 09 .&..............
00D0: 08 0A 08 0B 04 01 05 01 06 01 04 02 03 03 03 01 ................
00E0: 03 02 02 03 02 01 02 02 00 11 00 09 00 07 02 00 ................
00F0: 04 00 00 00 00 00 17 00 00 00 2B 00 07 06 03 03 ..........+.....
0100: 03 02 03 01 FF 01 00 01 00 .........
)
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.357 CEST|SSLEngineInputRecord.java:177|Raw read (
0000: 15 03 03 00 02 02 28 ......(
)
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.358 CEST|SSLEngineInputRecord.java:214|READ: TLSv1.2 alert, length = 2
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.359 CEST|Alert.java:232|Received alert message (
"Alert": {
"level" : "fatal",
"description": "handshake_failure"
}
)
javax.net.ssl|ERROR|29|reactor-http-nio-6|2019-07-30 14:14:36.360 CEST|TransportContext.java:313|Fatal (HANDSHAKE_FAILURE): Received fatal alert: handshake_failure (
"throwable" : {
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:279)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:181)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
at java.base/sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:672)
at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:627)
at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:443)
at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:422)
at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:634)
at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:295)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1332)
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1227)
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1274)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:502)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:441)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:278)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:352)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1408)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:930)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:682)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:617)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:534)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:496)
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:906)
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
at java.base/java.lang.Thread.run(Thread.java:834)}
)
Ok, I found the answer after playing around with the server ssl configuration. The service that I route to ist a spring boot application and its ssl config restricts the cipher suites to use like this:
server.ssl.ciphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
And that suite can not be handled by the spring cloud gateway. If I do not set that property at all, it works.
But now I would like to know what suites the spring cloud gateway supports? And why is that a problem of the gateway at all?
When I try to access our website through IE11, SSL handshake failed. On IE, following error is displayed.
SSL Error on IE
I enabled SSL debug logging on tomcat. Result is attached.
SSL debug log
I also did a packet trace through wireshark. Result is attached.
Packet Trace
Can somebody help me in understanding, why IE sent RST and handshake is unsuccessful?
For convenience, here is the SSL debug log copy.
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
https-jsse-nio2-10443-exec-7, READ: TLSv1.2 Handshake, length = 175
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1545319557 bytes = { 241, 102, 68, 19, 196, 186, 58, 2, 142, 179, 180, 186, 80, 189, 251, 212, 30, 48, 78, 122, 139, 95, 16, 6, 61, 81, 9, 233 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods: { 0 }
Unsupported extension status_request, data: 01:00:00:00:00
Extension elliptic_curves, curve names: {unknown curve 29, secp256r1, secp384r1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA256withRSA, SHA384withRSA, SHA1withRSA, SHA256withECDSA, SHA384withECDSA, SHA1withECDSA, SHA1withDSA, SHA512withRSA, SHA512withECDSA
Unsupported extension type_35, data:
Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
Extension extended_master_secret
Unsupported extension type_24, data: 00:10:03:02:01:00
Extension renegotiation_info, renegotiated_connection: <empty>
***
%% Initialized: [Session-3, SSL_NULL_WITH_NULL_NULL]
Standard ciphersuite chosen: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
%% Negotiating: [Session-3, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
*** ServerHello, TLSv1.2
RandomCookie: GMT: 1545319557 bytes = { 97, 98, 78, 54, 18, 174, 216, 230, 116, 27, 86, 149, 238, 243, 141, 200, 231, 225, 54, 68, 118, 22, 87, 178, 217, 116, 246, 186 }
Session ID: {92, 28, 181, 133, 160, 19, 139, 114, 99, 216, 10, 155, 173, 137, 237, 25, 140, 59, 153, 195, 245, 204, 179, 49, 89, 205, 42, 221, 126, 28, 147, 57}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension extended_master_secret
***
Cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=clockcontroller, OU=WorkForce Software, O=WorkForce Software, C=US
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
modulus: 26867932193095777263289930763858312315175451169911540270469975322434401554593517846489231467419363365037593818036593693556117551448063131659525311661292145333515905286916353710412662237765713687248571705693533912575809165971751779925378770578516513573848298027718280225066822697515300871707147459915587779589377876395738318963921532217111299410821422855058019420912762790697366719695263850247093569765798072591751245131093354944223958262752669165567038947970251243583487419772340666576477861756748688921273067030346748496043574503202045236644578277345107987729325458604284470785207456233675325551660606573693389742779
public exponent: 65537
Validity: [From: Mon Oct 22 08:56:19 EDT 2018,
To: Thu Oct 19 08:56:19 EDT 2028]
Issuer: CN=clockcontroller, OU=WorkForce Software, O=WorkForce Software, C=US
SerialNumber: [ 29565e6b]
Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: F4 F5 1B CB 86 A2 7F 5E 25 2C 5D 9D 62 B8 67 45 .......^%,].b.gE
0010: 06 B5 9E 82 ....
]
]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 16 F2 4F B7 B3 AC E9 87 27 18 C5 FC 9D 61 FF 58 ..O.....'....a.X
0010: A8 D5 9D D8 BA 9E 5A 1D E9 96 EC 17 C4 16 09 EB ......Z.........
0020: 6A F8 5E 3A 62 FC DF 73 13 A6 A7 54 D1 A0 E2 56 j.^:b..s...T...V
0030: 51 C9 7E 55 DA 89 80 1A 30 7E 31 2C 03 C4 90 84 Q..U....0.1,....
0040: 62 B9 AA 6D 0C E0 33 CB 89 59 B3 89 59 48 7F B5 b..m..3..Y..YH..
0050: 55 6B 2F CA 37 E0 96 98 FB 75 73 1C EC 4D A8 3A Uk/.7....us..M.:
0060: 89 49 C9 EA AC 8A 2F 65 F1 4D 98 74 87 F8 2D 5E .I..../e.M.t..-^
0070: 89 60 49 17 04 79 F7 EA D4 B0 C3 FF 0B 6E 98 5C .`I..y.......n.\
0080: 9D 16 AE 00 09 55 38 DB 78 23 52 68 EC 79 43 16 .....U8.x#Rh.yC.
0090: EF 28 7E 9E 27 7C 31 FD 4F AB 25 A7 13 94 AC 88 .(..'.1.O.%.....
00A0: DE 60 A8 94 15 8D F0 32 AF 7C 3A F8 DA AD 7A EA .`.....2..:...z.
00B0: FB B4 AF 77 31 8C FC 20 52 CA 36 4A 9F 1A 3E 62 ...w1.. R.6J..>b
00C0: 01 F7 EF 72 FB 06 FC 7F 83 7A 0F FB 71 EA 4C C5 ...r.....z..q.L.
00D0: 0E 14 9D 64 89 7E 85 AE 76 A7 0A 21 4E 3F E5 17 ...d....v..!N?..
00E0: 35 39 DA A8 F5 84 41 C2 38 22 80 73 A0 91 E0 11 59....A.8".s....
00F0: 2D 4F B9 A9 B5 B9 37 7A 25 EE 73 3C 32 23 C6 19 -O....7z%.s<2#..
]
***
*** ECDH ServerKeyExchange
Signature Algorithm SHA256withRSA
Server key: Sun EC public key, 256 bits
public x coord: 20009119234614195494302209861076680467201992809229109970753322221057487611764
public y coord: 17012831469688718179923828827485619723638464800697160800297861041710637731326
parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Cert Authorities:
<CN=082>
<CN=294>
<CN=1136>
<CN=1363>
<CN=1274>
<CN=1278>
<CN=528>
<CN=107>
<CN=734>
<CN=624>
<CN=104>
<CN=373>
<CN=1407>
<CN=071>
<CN=1000>
<CN=450>
<CN=1330>
<CN=607>
<CN=1353>
<CN=059>
<CN=233>
<CN=151>
<CN=911>
<CN=1272>
<CN=1259>
<CN=815>
<CN=1084>
<CN=1106>
<CN=483>
<CN=575>
<CN=1398>
<CN=357>
<CN=976>
<CN=701>
<CN=605>
<CN=204>
<CN=382>
<CN=455>
<CN=1265>
<CN=914>
<CN=1400>
<CN=363>
<CN=541>
<CN=423>
<CN=391>
<CN=933>
<CN=157>
<CN=197>
<CN=610>
<CN=174>
<CN=1064>
<CN=348>
<CN=1355>
<CN=748>
<CN=955>
<CN=212>
<CN=820>
<CN=105>
<CN=202>
<CN=281>
<CN=823>
<CN=1248>
<CN=685>
<CN=1134>
<CN=220>
<CN=045>
<CN=580>
<CN=1061>
<CN=466>
<CN=987>
<CN=988>
<CN=064>
<CN=1086>
<CN=1364>
<CN=842>
<CN=973>
<CN=460>
<CN=069>
<CN=1307>
<CN=1381>
<CN=291>
<CN=699>
<CN=882>
<CN=1179>
<CN=683>
<CN=499>
<CN=594>
<CN=1045>
<CN=474>
<CN=793>
<CN=871>
<CN=632>
<CN=1216>
<CN=1035>
<CN=870>
<CN=874>
<CN=1463>
<CN=021>
<CN=1180>
<CN=891>
<CN=1011>
<CN=130>
<CN=375>
<CN=315>
<CN=888>
<CN=1004>
<CN=023>
<CN=1176>
<CN=290>
<CN=400>
<CN=969>
<CN=709>
<CN=886>
<CN=1396>
<CN=224>
<CN=1135>
<CN=304>
<CN=1240>
<CN=989>
<CN=358>
<CN=1122>
<CN=1104>
<CN=1389>
<CN=776>
<CN=975>
<CN=1103>
<CN=1303>
<CN=1293>
<CN=1209>
<CN=1166>
<CN=853>
<CN=651>
<CN=781>
<CN=347>
<CN=974>
<CN=694>
<CN=1159>
<CN=049>
<CN=158>
<CN=1297>
<CN=1172>
<CN=526>
<CN=1031>
<CN=1490>
<CN=1024>
<CN=300>
<CN=1076>
<CN=141>
<CN=706>
<CN=381>
<CN=619>
<CN=398>
<CN=1258>
<CN=1139>
<CN=146>
<CN=428>
<CN=703>
<CN=189>
<CN=677>
<CN=166>
<CN=1168>
<CN=1251>
<CN=556>
<CN=1085>
<CN=1001>
<CN=795>
<CN=676>
<CN=999>
<CN=156>
<CN=1074>
<CN=667>
<CN=1038>
<CN=960>
<CN=560>
<CN=501>
<CN=1243>
<CN=1483>
<CN=1420>
<CN=462>
<CN=079>
<CN=1461>
<CN=857>
<CN=851>
<CN=502>
<CN=1414>
<CN=807>
<CN=198>
<CN=1261>
<CN=438>
<CN=472>
<CN=012>
<CN=1187>
<CN=707>
<CN=716>
<CN=238>
<CN=1203>
<CN=554>
<CN=342>
<CN=240>
<CN=1392>
<CN=1315>
<CN=1370>
<CN=520>
<CN=1023>
<CN=881>
<CN=048>
<CN=388>
<CN=210>
<CN=209>
<CN=1090>
<CN=095>
<CN=777>
<CN=1436>
<CN=1108>
<CN=1462>
<CN=409>
<CN=1406>
<CN=979>
<CN=817>
<CN=1354>
<CN=801>
<CN=184>
<CN=540>
<CN=116>
<CN=1464>
<CN=406>
<CN=378>
<CN=691>
<CN=659>
<CN=635>
<CN=1413>
<CN=1302>
<CN=565>
<CN=805>
<CN=121>
<CN=700>
<CN=530>
<CN=1002>
<CN=964>
<CN=385>
<CN=1481>
<CN=616>
<CN=929>
<CN=1142>
<CN=489>
<CN=552>
<CN=956>
<CN=806>
<CN=1422>
<CN=1098>
<CN=328>
<CN=1202>
<CN=1280>
<CN=093>
<CN=578>
<CN=1123>
<CN=753>
<CN=190>
<CN=949>
<CN=1430>
<CN=497>
<CN=1428>
<CN=337>
<CN=1475>
<CN=313>
<CN=1417>
<CN=250>
<CN=159>
<CN=237>
<CN=087>
<CN=215>
<CN=1022>
<CN=915>
<CN=991>
<CN=893>
<CN=840>
<CN=425>
<CN=1079>
<CN=1020>
<CN=128>
<CN=487>
<CN=448>
<CN=1057>
<CN=1041>
<CN=1252>
<CN=216>
<CN=791>
<CN=1286>
<CN=199>
<CN=912>
<CN=1182>
<CN=1115>
<CN=260>
<CN=1394>
<CN=265>
<CN=771>
<CN=814>
<CN=1277>
<CN=479>
<CN=437>
<CN=075>
<CN=1050>
<CN=1371>
<CN=505>
<CN=014>
<CN=887>
<CN=1405>
<CN=231>
<CN=1424>
<CN=177>
<CN=1132>
<CN=033>
<CN=1331>
<CN=203>
<CN=772>
<CN=862>
<CN=416>
<CN=1455>
<CN=1266>
<CN=1010>
<CN=1465>
<CN=549>
<CN=1040>
<CN=1299>
<CN=047>
<CN=491>
<CN=350>
<CN=343>
<CN=006>
<CN=433>
<CN=1184>
<CN=731>
<CN=944>
<CN=1444>
<CN=1095>
<CN=843>
<CN=1291>
<CN=211>
<CN=320>
<CN=982>
<CN=1021>
<CN=135>
<CN=138>
<CN=844>
<CN=797>
<CN=1298>
<CN=031>
<CN=1260>
<CN=1169>
<CN=595>
<CN=747>
<CN=1473>
<CN=072>
<CN=513>
<CN=968>
<CN=846>
<CN=312>
<CN=562>
<CN=938>
<CN=1171>
<CN=1336>
<CN=946>
<CN=867>
<CN=490>
<CN=650>
<CN=1387>
<CN=080>
<CN=162>
<CN=330>
<CN=1015>
<CN=704>
<CN=1219>
<CN=1474>
<CN=755>
<CN=959>
<CN=1088>
<CN=997>
<CN=1003>
<CN=179>
<CN=1033>
<CN=1173>
<CN=621>
<CN=266>
<CN=028>
<CN=894>
<CN=1054>
<CN=427>
<CN=498>
<CN=379>
<CN=305>
<CN=401>
<CN=729>
<CN=1099>
<CN=1344>
<CN=1250>
<CN=219>
<CN=604>
<CN=935>
<CN=317>
<CN=735>
<CN=456>
<CN=1043>
<CN=761>
<CN=311>
<CN=757>
<CN=546>
<CN=684>
<CN=507>
<CN=148>
<CN=061>
<CN=693>
<CN=917>
<CN=1433>
<CN=191>
<CN=1359>
<CN=1263>
<CN=1321>
<CN=108>
<CN=345>
<CN=1144>
<CN=1233>
<CN=074>
<CN=821>
<CN=1411>
<CN=150>
<CN=961>
<CN=037>
<CN=1348>
<CN=1292>
<CN=1440>
<CN=1377>
<CN=279>
<CN=713>
<CN=739>
<CN=647>
<CN=395>
<CN=114>
<CN=407>
<CN=368>
<CN=276>
<CN=262>
<CN=1468>
<CN=1479>
<CN=921>
<CN=322>
<CN=067>
<CN=1231>
<CN=1141>
<CN=147>
<CN=062>
<CN=366>
<CN=1186>
<CN=1154>
<CN=1071>
<CN=570>
<CN=1427>
<CN=393>
<CN=030>
<CN=310>
<CN=452>
<CN=1178>
<CN=1034>
<CN=732>
<CN=636>
<CN=458>
<CN=1016>
<CN=1107>
<CN=1147>
<CN=241>
<CN=896>
<CN=723>
<CN=1454>
<CN=688>
<CN=773>
<CN=1452>
<CN=426>
<CN=1485>
<CN=1198>
<CN=932>
<CN=1236>
<CN=602>
<CN=469>
<CN=985>
<CN=1197>
<CN=206>
<CN=796>
<CN=1489>
<CN=561>
<CN=653>
<CN=759>
<CN=1312>
<CN=1013>
<CN=662>
<CN=032>
<CN=623>
<CN=573>
<CN=115>
<CN=942>
<CN=812>
<CN=1447>
<CN=783>
<CN=1416>
<CN=371>
<CN=1082>
<CN=903>
<CN=780>
<CN=1358>
<CN=1162>
<CN=122>
<CN=022>
<CN=253>
<CN=869>
<CN=800>
<CN=194>
<CN=164>
<CN=365>
<CN=429>
<CN=170>
<CN=506>
<CN=1192>
<CN=1285>
<CN=503>
<CN=1287>
<CN=678>
<CN=1350>
<CN=1237>
<CN=1409>
<CN=178>
<CN=145>
<CN=711>
<CN=858>
<CN=719>
<CN=005>
<CN=1175>
<CN=884>
<CN=1019>
<CN=361>
<CN=947>
<CN=758>
<CN=571>
<CN=1025>
<CN=1322>
<CN=790>
<CN=1294>
<CN=222>
<CN=837>
<CN=389>
<CN=744>
<CN=1130>
<CN=256>
<CN=1431>
<CN=720>
<CN=1459>
<CN=436>
<CN=239>
<CN=113>
<CN=399>
<CN=649>
<CN=163>
<CN=728>
<CN=1174>
<CN=217>
<CN=027>
<CN=100>
<CN=883>
<CN=637>
<CN=1314>
<CN=085>
<CN=1375>
<CN=727>
<CN=945>
<CN=1126>
<CN=970>
<CN=890>
<CN=494>
<CN=779>
<CN=076>
<CN=485>
<CN=1110>
<CN=872>
<CN=998>
<CN=271>
<CN=063>
<CN=1466>
<CN=816>
<CN=1222>
<CN=397>
<CN=447>
<CN=527>
<CN=833>
<CN=825>
<CN=1140>
<CN=1339>
<CN=1068>
<CN=845>
<CN=741>
<CN=1226>
<CN=323>
<CN=864>
<CN=118>
<CN=171>
<CN=1234>
<CN=1380>
<CN=1116>
<CN=1471>
<CN=413>
<CN=1476>
<CN=218>
<CN=432>
<CN=1487>
<CN=1313>
<CN=1451>
<CN=408>
<CN=631>
<CN=041>
<CN=533>
<CN=854>
<CN=588>
<CN=232>
<CN=039>
<CN=1157>
<CN=547>
<CN=213>
<CN=612>
<CN=129>
<CN=629>
<CN=1214>
<CN=254>
<CN=1279>
<CN=994>
<CN=1264>
<CN=470>
<CN=751>
<CN=664>
<CN=332>
<CN=1491>
<CN=967>
<CN=1083>
<CN=1300>
<CN=1146>
<CN=1325>
<CN=1072>
<CN=557>
<CN=172>
<CN=827>
<CN=269>
<CN=1254>
<CN=051>
<CN=740>
<CN=579>
<CN=669>
<CN=550>
<CN=1138>
<CN=834>
<CN=516>
<CN=1097>
<CN=242>
<CN=1111>
<CN=390>
<CN=895>
<CN=514>
<CN=056>
<CN=1362>
<CN=1418>
<CN=316>
<CN=909>
<CN=665>
<CN=1478>
<CN=052>
<CN=1256>
<CN=268>
<CN=272>
<CN=384>
<CN=1027>
<CN=131>
<CN=1442>
<CN=566>
<CN=1094>
<CN=009>
<CN=1402>
<CN=1311>
<CN=1480>
<CN=1469>
<CN=828>
<CN=736>
<CN=134>
<CN=682>
<CN=586>
<CN=1225>
<CN=302>
<CN=717>
<CN=1319>
<CN=778>
<CN=1425>
<CN=951>
<CN=1051>
<CN=270>
<CN=1190>
<CN=077>
<CN=065>
<CN=698>
<CN=860>
<CN=1308>
<CN=1014>
<CN=1161>
<CN=919>
<CN=414>
<CN=569>
<CN=824>
<CN=1205>
<CN=900>
<CN=913>
<CN=1189>
<CN=193>
<CN=1170>
<CN=1112>
<CN=1412>
<CN=482>
<CN=173>
<CN=349>
<CN=937>
<CN=445>
<CN=003>
<CN=642>
<CN=1155>
<CN=461>
<CN=681>
<CN=420>
<CN=1343>
<CN=346>
<CN=1191>
<CN=286>
<CN=690>
<CN=092>
<CN=1360>
<CN=1255>
<CN=904>
<CN=567>
<CN=331>
<CN=591>
<CN=680>
<CN=954>
<CN=808>
<CN=309>
<CN=878>
<CN=633>
<CN=880>
<CN=175>
<CN=421>
<CN=314>
<CN=289>
<CN=1124>
<CN=873>
<CN=1269>
<CN=036>
<CN=1230>
<CN=1153>
<CN=1128>
<CN=1224>
<CN=534>
<CN=730>
<CN=936>
<CN=925>
<CN=1060>
<CN=752>
<CN=186>
<CN=1133>
<CN=525>
<CN=1048>
<CN=1366>
<CN=283>
<CN=972>
<CN=clockcontroller, OU=WorkForce Software, O=WorkForce Software, C=US>
<CN=746>
<CN=1195>
<CN=1437>
<CN=1042>
<CN=524>
<CN=106>
<CN=529>
<CN=1368>
<CN=1316>
<CN=070>
<CN=643>
<CN=750>
<CN=038>
<CN=767>
<CN=435>
<CN=195>
<CN=1143>
<CN=1129>
<CN=251>
<CN=1296>
<CN=089>
<CN=628>
<CN=261>
<CN=227>
<CN=188>
<CN=957>
<CN=248>
<CN=1193>
<CN=892>
<CN=1289>
<CN=1026>
<CN=040>
<CN=922>
<CN=326>
<CN=966>
<CN=1310>
<CN=020>
<CN=356>
<CN=661>
<CN=258>
<CN=411>
<CN=1221>
<CN=1032>
<CN=459>
<CN=725>
<CN=015>
<CN=656>
<CN=096>
<CN=017>
<CN=620>
<CN=587>
<CN=1318>
<CN=582>
<CN=626>
<CN=1125>
<CN=235>
<CN=165>
<CN=334>
<CN=590>
<CN=167>
<CN=154>
<CN=288>
<CN=103>
<CN=756>
<CN=1117>
<CN=905>
<CN=360>
<CN=1337>
<CN=849>
<CN=221>
<CN=931>
<CN=1327>
<CN=386>
<CN=1208>
<CN=1077>
<CN=001>
<CN=818>
<CN=1391>
<CN=153>
<CN=908>
<CN=086>
<CN=417>
<CN=050>
<CN=1206>
<CN=1073>
<CN=668>
<CN=392>
<CN=924>
<CN=1007>
<CN=644>
<CN=1352>
<CN=1301>
<CN=1211>
<CN=1194>
<CN=876>
<CN=1376>
<CN=338>
<CN=263>
<CN=257>
<CN=803>
<CN=1334>
<CN=1069>
<CN=369>
<CN=518>
<CN=127>
<CN=274>
<CN=1446>
<CN=016>
<CN=1284>
<CN=185>
<CN=765>
<CN=083>
<CN=1268>
<CN=1105>
<CN=544>
<CN=101>
<CN=319>
<CN=1120>
<CN=1432>
<CN=509>
<CN=245>
<CN=1435>
<CN=559>
<CN=144>
<CN=362>
<CN=1188>
<CN=712>
<CN=364>
<CN=282>
<CN=1121>
<CN=225>
<CN=663>
<CN=1372>
<CN=543>
<CN=576>
<CN=1056>
<CN=1037>
<CN=517>
<CN=136>
<CN=531>
<CN=424>
<CN=380>
<CN=615>
<CN=285>
<CN=1404>
<CN=126>
<CN=519>
<CN=1046>
<CN=1087>
<CN=1383>
<CN=267>
<CN=838>
<CN=383>
<CN=002>
<CN=1177>
<CN=434>
<CN=648>
<CN=788>
<CN=789>
<CN=899>
<CN=1055>
<CN=354>
<CN=1338>
<CN=1163>
<CN=287>
<CN=1290>
<CN=563>
<CN=1467>
<CN=1439>
<CN=965>
<CN=1183>
<CN=671>
<CN=042>
<CN=865>
<CN=1253>
<CN=584>
<CN=538>
<CN=1093>
<CN=1009>
<CN=830>
<CN=1309>
<CN=1347>
<CN=1472>
<CN=091>
<CN=724>
<CN=259>
<CN=043>
<CN=670>
<CN=596>
<CN=1148>
<CN=1395>
<CN=430>
<CN=264>
<CN=826>
<CN=109>
<CN=140>
<CN=1445>
<CN=1078>
<CN=1257>
<CN=099>
<CN=948>
<CN=1165>
<CN=273>
<CN=993>
<CN=992>
<CN=088>
<CN=234>
<CN=1458>
<CN=1500>
<CN=848>
<CN=1365>
<CN=1220>
<CN=1092>
<CN=1245>
<CN=875>
<CN=813>
<CN=1030>
<CN=094>
<CN=1346>
<CN=589>
<CN=168>
<CN=325>
<CN=901>
<CN=252>
<CN=1429>
<CN=073>
<CN=1218>
<CN=183>
<CN=117>
<CN=1119>
<CN=577>
<CN=1397>
<CN=111>
<CN=536>
<CN=1246>
<CN=1393>
<CN=769>
<CN=831>
<CN=971>
<CN=1332>
<CN=614>
<CN=053>
<CN=415>
<CN=418>
<CN=708>
<CN=058>
<CN=029>
<CN=412>
<CN=782>
<CN=512>
<CN=1357>
<CN=229>
<CN=1448>
<CN=1497>
<CN=775>
<CN=1379>
<CN=714>
<CN=835>
<CN=1062>
<CN=372>
<CN=500>
<CN=859>
<CN=453>
<CN=1239>
<CN=963>
<CN=1374>
<CN=1270>
<CN=1044>
<CN=084>
<CN=055>
<CN=1275>
<CN=810>
<CN=298>
<CN=1181>
<CN=564>
<CN=007>
<CN=522>
<CN=877>
<CN=745>
<CN=766>
<CN=1388>
<CN=1100>
<CN=1382>
<CN=277>
<CN=1006>
<CN=1212>
<CN=476>
<CN=1039>
<CN=996>
<CN=1109>
<CN=1460>
<CN=161>
<CN=119>
<CN=1118>
<CN=187>
<CN=980>
<CN=511>
<CN=123>
<CN=1434>
<CN=743>
<CN=1151>
<CN=297>
<CN=1410>
<CN=1207>
<CN=655>
<CN=718>
<CN=336>
<CN=454>
<CN=327>
<CN=930>
<CN=822>
<CN=953>
<CN=292>
<CN=1323>
<CN=024>
<CN=1317>
<CN=733>
<CN=396>
<CN=1213>
<CN=1199>
<CN=1283>
<CN=284>
<CN=444>
<CN=923>
<CN=214>
<CN=601>
<CN=645>
<CN=726>
<CN=201>
<CN=1361>
<CN=1242>
<CN=640>
<CN=861>
<CN=1340>
<CN=1326>
<CN=493>
<CN=1295>
<CN=180>
<CN=120>
<CN=608>
<CN=572>
<CN=1276>
<CN=1066>
<CN=1127>
<CN=344>
<CN=149>
<CN=1018>
<CN=568>
<CN=852>
<CN=1244>
<CN=798>
<CN=868>
<CN=060>
<CN=542>
<CN=523>
<CN=367>
<CN=1167>
<CN=1498>
<CN=532>
<CN=1356>
<CN=410>
<CN=255>
<CN=599>
<CN=1477>
<CN=1200>
<CN=786>
<CN=341>
<CN=247>
<CN=1499>
<CN=1450>
<CN=335>
<CN=403>
<CN=078>
<CN=1160>
<CN=200>
<CN=098>
<CN=666>
<CN=419>
<CN=539>
<CN=829>
<CN=301>
<CN=026>
<CN=646>
<CN=768>
<CN=990>
<CN=1036>
<CN=008>
<CN=794>
<CN=1482>
<CN=299>
<CN=1053>
<CN=638>
<CN=359>
<CN=1441>
<CN=125>
<CN=081>
<CN=464>
<CN=995>
<CN=137>
<CN=1215>
<CN=928>
<CN=1081>
<CN=958>
<CN=333>
<CN=1385>
<CN=449>
<CN=613>
<CN=1494>
<CN=181>
<CN=836>
<CN=600>
<CN=1328>
<CN=443>
<CN=370>
<CN=1349>
<CN=340>
<CN=687>
<CN=611>
<CN=496>
<CN=1384>
<CN=1271>
<CN=1185>
<CN=885>
<CN=819>
<CN=1065>
<CN=1210>
<CN=353>
<CN=1453>
<CN=1049>
<CN=439>
<CN=658>
<CN=934>
<CN=1341>
<CN=249>
<CN=521>
<CN=013>
<CN=351>
<CN=169>
<CN=792>
<CN=774>
<CN=537>
<CN=606>
<CN=1114>
<CN=548>
<CN=035>
<CN=784>
<CN=1008>
<CN=422>
<CN=394>
<CN=804>
<CN=907>
<CN=1158>
<CN=721>
<CN=1249>
<CN=770>
<CN=710>
<CN=275>
<CN=545>
<CN=749>
<CN=902>
<CN=555>
<CN=764>
<CN=1267>
<CN=939>
<CN=627>
<CN=374>
<CN=155>
<CN=705>
<CN=981>
<CN=715>
<CN=1149>
<CN=742>
<CN=307>
<CN=1320>
<CN=352>
<CN=1449>
<CN=208>
<CN=1378>
<CN=1367>
<CN=802>
<CN=639>
<CN=879>
<CN=057>
<CN=760>
<CN=1204>
<CN=597>
<CN=689>
<CN=477>
<CN=672>
<CN=738>
<CN=473>
<CN=019>
<CN=243>
<CN=465>
<CN=207>
<CN=1421>
<CN=133>
<CN=467>
<CN=1232>
<CN=244>
<CN=978>
<CN=1047>
<CN=697>
<CN=068>
<CN=660>
<CN=025>
<CN=641>
<CN=1150>
<CN=617>
<CN=855>
<CN=1102>
<CN=481>
<CN=1101>
<CN=468>
<CN=799>
<CN=763>
<CN=112>
<CN=182>
<CN=223>
<CN=1386>
<CN=1113>
<CN=1288>
<CN=920>
<CN=143>
<CN=1005>
<CN=1403>
<CN=1345>
<CN=230>
<CN=1401>
<CN=609>
<CN=280>
<CN=598>
<CN=1304>
<CN=488>
<CN=1470>
<CN=1273>
<CN=926>
<CN=811>
<CN=484>
<CN=510>
<CN=673>
<CN=1486>
<CN=1017>
<CN=832>
<CN=654>
<CN=1415>
<CN=515>
<CN=1012>
<CN=1329>
<CN=1063>
<CN=1052>
<CN=1137>
<CN=387>
<CN=592>
<CN=977>
<CN=558>
<CN=306>
<CN=762>
<CN=1495>
<CN=1228>
<CN=1080>
<CN=321>
<CN=226>
<CN=492>
<CN=847>
<CN=246>
<CN=278>
<CN=471>
<CN=630>
<CN=551>
<CN=451>
<CN=695>
<CN=625>
<CN=889>
<CN=1029>
<CN=622>
<CN=906>
<CN=696>
<CN=440>
<CN=1484>
<CN=1145>
<CN=535>
<CN=856>
<CN=1164>
<CN=754>
<CN=634>
<CN=1028>
<CN=1456>
<CN=1496>
<CN=574>
<CN=124>
<CN=950>
<CN=1373>
<CN=1390>
<CN=097>
<CN=984>
<CN=495>
<CN=446>
<CN=983>
<CN=110>
<CN=839>
<CN=010>
<CN=986>
<CN=910>
<CN=1457>
<CN=1217>
<CN=898>
<CN=034>
<CN=1335>
<CN=1058>
<CN=1229>
<CN=329>
<CN=431>
<CN=1342>
<CN=1333>
<CN=785>
<CN=692>
<CN=722>
<CN=192>
<CN=1369>
<CN=1282>
<CN=1152>
<CN=943>
<CN=553>
<CN=1247>
<CN=011>
<CN=674>
<CN=809>
<CN=318>
<CN=1426>
<CN=478>
<CN=1488>
<CN=863>
<CN=1059>
<CN=402>
<CN=1075>
<CN=004>
<CN=504>
<CN=1281>
<CN=508>
<CN=160>
<CN=1305>
<CN=377>
<CN=581>
<CN=652>
<CN=102>
<CN=657>
<CN=1223>
<CN=296>
<CN=303>
<CN=1438>
<CN=018>
<CN=1492>
<CN=441>
<CN=1235>
<CN=1241>
<CN=293>
<CN=1306>
<CN=152>
<CN=1408>
<CN=1262>
<CN=916>
<CN=139>
<CN=927>
<CN=1238>
<CN=176>
<CN=376>
<CN=593>
<CN=585>
<CN=405>
<CN=486>
<CN=404>
<CN=1399>
<CN=046>
<CN=940>
<CN=1196>
<CN=1227>
<CN=132>
<CN=457>
<CN=142>
<CN=737>
<CN=1493>
<CN=463>
<CN=675>
<CN=897>
<CN=1351>
<CN=841>
<CN=066>
<CN=1443>
<CN=205>
https-jsse-nio2-10443-exec-7, WRITE: TLSv1.2 Handshake, length = 16383
*** ServerHelloDone
https-jsse-nio2-10443-exec-7, WRITE: TLSv1.2 Handshake, length = 12558
https-jsse-nio2-10443-exec-9, called closeOutbound()
https-jsse-nio2-10443-exec-9, closeOutboundInternal()
https-jsse-nio2-10443-exec-9, SEND TLSv1.2 ALERT: warning, description = close_notify
https-jsse-nio2-10443-exec-9, WRITE: TLSv1.2 Alert, length = 2
Tomcat connector configuration is,
<Connector port="10443" protocol="org.apache.coyote.http11.Http11Nio2Protocol" maxHttpHeaderSize="4096"
maxThreads="1050" minSpareThreads="25"
maxKeepAliveRequests="-1" keepAliveTimeout="180000"
enableLookups="false" disableUploadTimeout="true"
acceptCount="10" scheme="https" secure="true" SSLEnabled="true"
clientAuth="want" sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2"
connectionTimeout="180000"
keystoreFile="file.keystore"
keystorePass="file.pass" algorithm="SunX509"
truststoreFile="file.keystore"
truststorePass="file.pass"
truststoreType="JKS"
keyAlias="tomcat"
compression="on"
compressionMinSize="2048"
trustManagerClassName="com.tomcatssl.CustomTrustManager"
useServerCipherSuitesOrder="true"
ciphers="TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
server="Clock Web Server"
compressableMimeType="text/html,text/xml,text/js,text/css"/>
Thank You
I'm not sure what would cause some browsers to work differently than others for sure, but I do have a guess.
When a server has a trust store configured (for a <Connector>/<SSLHostConfig>), it will advertise the list of trusted certificates to the client during the initial TLS handshake. If you have a huge number of certificates in your trust store, the server will (of course) send them all. If the client isn't expecting to receive a large number of certificates, it may fail when it runs out of space in e.g. a buffer to hold such things. My guess is that MSIE chokes on the long list of acceptable client certificates.
It's unusual for a server to use a <Connector>/<SSLHostConfig> with a large number of certificates in its trust store. Typically, if you need to trust certificates en masse, you generate a CA certificate and use it to sign the individual client certificates, keeping only that CA certificate in your trust store.
If you have a JVM-wide trust store being used for outgoing connections, then you might have a lot of certificates in there. You definitely don't want to use that one for the <Connector>/<SSLHostConfig> on your server. You should use a separate trust-store that contains only the certificates you expect to trust as client TLS certificates. Any other configuration is not secure.
For example, let's say you have VeriSign's root certificate in your trust store. That means anyone who has a client certificate signed by VeriSign can establish a connection with your server. That includes clients outside your organization or circle of trust. You should only include certificates in your trust store that you 100% trust every certificate they could ever have signed.
Make sure that your root certificate is trusted by the browser. For your case, the root is "Cisco Umbrella Root CA", which is not trusted. Follow these steps to import the certificate in browser : https://freesslcert.org/trust-freesslcert-in-browser
Am getting "org.apache.axis2.AxisFault: HTTP ( 403 )" error while calling a secured webservice from WebsphereApplicationServer7 (JRE 1.6). The service is just HTTPS and doesn't require any authentication. I imported the certificate to the Websphere server truststore through "Signer Certificates".
I can call the same service through the same Websphere JRE1.6 as standalone java program by adding the certificate to the cacerts using keytool command.
Any help is appreciated!
SSL DEBUG failure log:
O Using SSLEngineImpl.
O SSLv3 protocol was requested but was not enabled
O SSLv3 protocol was requested but was not enabled
O
Is initial handshake: true
O Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_GCM_SHA256
O Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_CBC_SHA256
O Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
O Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
O Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_GCM_SHA256
O Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
O %% Client cached [Session-7, SSL_RSA_WITH_AES_128_CBC_SHA]
O %% Try resuming [Session-7, SSL_RSA_WITH_AES_128_CBC_SHA] from port -1
O *** ClientHello, TLSv1
O RandomCookie: GMT: 1474467386 bytes = { 207 }
O Session ID: {16}
O Cipher Suites: [SSL_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_DHE_DSS_WITH_RC4_128_SHA, SSL_RENEGO_PROTECTION_REQUEST]
O Compression Methods: { 0 }
O ***
O [write] MD5 and SHA1 hashes: len = 97
O 0000: ......X.........
O ListenerContainer-1, WRITE: TLSv1 Handshake, length = 97
O [Raw write]: length = 102
O 0000: ....a......X....
O [Raw read]: length = 5
O 0000: 16 03 01 00 51 ....Q
O [Raw read]: length = 81
O 0000: 02 00 00 4d 03 01 58 e3 96 0b 5b d1 87 59 13 41 ...M..X......Y.A
O ListenerContainer-1, READ: TLSv1 Handshake, length = 81
O *** ServerHello, TLSv1
O RandomCookie: GMT: 1474467339 bytes = { 91 }
O Session ID: {16,128}
O Cipher Suite: SSL_RSA_WITH_AES_128_CBC_SHA
O Compression Method: 0
O Extension renegotiation_info, ri_length: 0, ri_connection_data: { null }
O ***
O JsseJCE: Using MessageDigest MD5 from provider IBMJCE version 1.2
O JsseJCE: Using MessageDigest SHA from provider IBMJCE version 1.2
O JsseJCE: Using KeyGenerator IbmTlsKeyMaterial from provider TBD via init
O CONNECTION KEYGEN:
O Client Nonce:
O Server Nonce:
O Master Secret:
O 0000: ..0..x.Q.....3..
O Client MAC write Secret:
O 0000: ..y..3..........
..M.
O Server MAC write Secret:
O 0000: 39 33 d2 cf a0 1c 20 fa e2 4f 02 a1 86 ff b5 c9 93.......O......
w..L
O Client write key:
O 0000: c7 3f fa 9b 84 98 44 bc 4d bb 69 5d 9d d2 71 db ......D.M.i...q.
O Server write key:
O 0000: dc df 01 38 e5 07 32 9e d4 1a b1 8a 5a e8 6f d4 ...8..2.....Z.o.
O Client write IV:
O 0000: a2 15 75 d4 8e d1 1b 4f 31 7b b1 e3 36 01 01 34 ..u....O1...6..4
O Server write IV:
O 0000: e6 46 38 f7 aa 03 f2 7e f4 fb 6b 9f cb 88 df 48 .F8.......k....H
O %% Server resumed [Session-7, SSL_RSA_WITH_AES_128_CBC_SHA]
O [read] MD5 and SHA1 hashes: len = 81
O 0000: 02 00 00 4d 03 01 58 e3 96 0b 5b d1 87 59 13 41 ...M..X......Y.A
O [Raw read]: length = 5
O 0000: 14 03 01 00 01 .....
O [Raw read]: length = 1
O 0000: 01 .
O ListenerContainer-1, READ: TLSv1 Change Cipher Spec, length = 1
O JsseJCE: Using cipher AES/CBC/NoPadding from provider TBD via init
O CipherBox: Using cipher AES/CBC/NoPadding from provider from init IBMJCE version 1.2
O JsseJCE: Using MAC HmacSHA1 from provider TBD via init
O MAC: Using MessageDigest HmacSHA1 from provider IBMJCE version 1.2
O [Raw read]: length = 5
O 0000: 16 03 01 00 30 ....0
O [Raw read]: length = 48
O 0000: 32 d4 5a 8e 54 a3 bc d6 e4 38 f4 fb 3a 85 fa e1 2.Z.T....8......
O ListenerContainer-1, READ: TLSv1 Handshake, length = 48
O 0000: 14 00 00 0c 13 9c d6 b0 ca a6 cd e1 81 dd 8b c1 ................
O *** Finished
O verify_data: { 19, 156, 214, 176, 202, 166, 205, 225, 129, 221, 139, 193 }
O ***
O JsseJCE: Using KeyGenerator IbmTlsPrf from provider TBD via init
O HandshakeMessage: TLS Keygenerator IbmTlsPrf from provider from init IBMJCE version 1.2
O [read] MD5 and SHA1 hashes: len = 16
O 0000: 14 00 00 0c 13 9c d6 b0 ca a6 cd e1 81 dd 8b c1 ................
O JsseJCE: Using KeyGenerator IbmTlsPrf from provider TBD via init
O HandshakeMessage: TLS Keygenerator IbmTlsPrf from provider from init IBMJCE version 1.2
O ListenerContainer-1, WRITE: TLSv1 Change Cipher Spec, length = 1
O JsseJCE: Using cipher AES/CBC/NoPadding from provider TBD via init
O CipherBox: Using cipher AES/CBC/NoPadding from provider from init IBMJCE version 1.2
O JsseJCE: Using MAC HmacSHA1 from provider TBD via init
O MAC: Using MessageDigest HmacSHA1 from provider IBMJCE version 1.2
O *** Finished
O verify_data: { 56, 215, 170, 111, 66, 74, 59, 26, 94, 46, 231, 190 }
O ***
O [write] MD5 and SHA1 hashes: len = 16
O 0000: 14 00 00 0c 38 d7 aa 6f 42 4a 3b 1a 5e 2e e7 be ....8..oBJ......
O Padded plaintext before ENCRYPTION: len = 48
O 0000: 14 00 00 0c 38 d7 aa 6f 42 4a 3b 1a 5e 2e e7 be ....8..oBJ......
O ListenerContainer-1, WRITE: TLSv1 Handshake, length = 48
O [Raw write]: length = 6
O 0000: 14 03 01 00 01 01 ......
O [Raw write]: length = 53
O 0000: 16 03 01 00 30 aa a8 a4 54 00 fd ba 45 1b d8 e2 ....0...T...E...
O Padded plaintext before ENCRYPTION: len = 496
O 0000: 50 4f 53 54 20 2f 49 6c 61 6e 69 53 65 72 76 69 POST..IlaniServi
ce.svc.HTTP.1.1.
.Host..otlsap
p1..enterpri
se.sun.co
m.8090..Accept..
application.soap
.xml.multipart.r
elated.text....U
ser.Agent..IBM.W
ebServices.1.0..
Cache.Control..n
o.cache..Pragma.
.no.cache..SOAPA
ction...http...t
empuri.org.IIlan
iService.P
O ListenerContainer-1, WRITE: TLSv1 Application Data, length = 472
O [Raw write (bb)]: length = 501
O 0000: 17 03 01 01 f0 be c2 0c b6 1a 50 47 bc 99 d5 c3 ..........PG....
0010: a9 01 b0 05 0e f2 0b a8 32 a0 19 6f 48 35 3f a4 ........2..oH5..
O Padded plaintext before ENCRYPTION: len = 32
O 0000: 3c a3 cc cf c4 13 b4 7e 35 a6 26 d7 0e 78 9e 66 ........5....x.f
0010: 9f a9 2e 22 2f 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a ................
O ListenerContainer-1, WRITE: TLSv1 Application Data, length = 1
O Padded plaintext before ENCRYPTION: len = 480
O 0000: 73 6f 61 70 65 6e 76 3a 45 6e 76 65 6c 6f 70 65 soapenv.Envelope
.xmlns.soapenv..
http...schemas.x
mlsoap.org.soap.
envelope....soap
env.Body..ns2.Ad
justBalanc
e.xmlns..http...
schemas.datacont
ract.org.2004.07
O ListenerContainer-1, WRITE: TLSv1 Application Data, length = 456
O [Raw write (bb)]: length = 522
O 0000: 17 03 01 00 20 8b 55 88 99 5b b5 b6 2d 04 a0 b2 ......U.........
0010: 62 88 01 77 f9 d7 7d 58 8c 13 3e 61 0d 55 ab d2 b..w...X...a.U..
O [Raw read]: length = 5
O 0000: 16 03 01 00 20 .....
O [Raw read]: length = 32
O 0000: 9d 7f 17 1a 16 ca 52 b8 8c f6 6e e9 81 a1 e9 47 ......R...n....G
0010: 03 6c ac d4 25 e9 5f 90 a2 48 f7 a2 7c fe 5e 6e .l.......H.....n
O ListenerContainer-1, READ: TLSv1 Handshake, length = 32
O 0000: 00 00 00 00 f6 20 dc f4 08 0c 1a 51 c3 79 9f 04 ...........Q.y..
0010: 73 a2 e1 ea 8a ca dd d4 07 07 07 07 07 07 07 07 s...............
O ListenerContainer-1, RENEGOTIATE
O
Is initial handshake: false
O Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_GCM_SHA256
O Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_CBC_SHA256
O Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
O Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
O Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_GCM_SHA256
O Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
O *** HelloRequest (empty)
O %% Client cached [Session-7, SSL_RSA_WITH_AES_128_CBC_SHA]
O %% Try resuming [Session-7, SSL_RSA_WITH_AES_128_CBC_SHA] from port -1
O *** ClientHello, TLSv1
O RandomCookie: GMT: 1474467386 bytes = { 47, 48, 108, 24, 0, 145, 59, 124, 205, 83, 175, 151, 62, 250, 72, 23, 83, 219, 54, 35, 246, 240, 218, 216, 8, 185, 240, 129 }
O Session ID: {16, 48, 0, 0, 26, 118, 255, 9, 42, 147, 147, 244, 73, 27, 74, 188, 230, 10, 207, 45, 40, 144, 227, 82, 57, 194, 148, 119, 92, 41, 25, 128}
O Cipher Suites: [SSL_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_DHE_DSS_WITH_RC4_128_SHA]
O Compression Methods: { 0 }
O Extension renegotiation_info, ri_length: 12, ri_connection_data: { 56, 215, 170, 111, 66, 74, 59, 26, 94, 46, 231, 190 }
O ***
O [write] MD5 and SHA1 hashes: len = 114
O 0000: 01 00 00 6e 03 01 58 e3 96 3a 2f 30 6c 18 00 91 ...n..X....0l...
O Padded plaintext before ENCRYPTION: len = 144
O 0000: 01 00 00 6e 03 01 58 e3 96 3a 2f 30 6c 18 00 91 ...n..X....0l...
O ListenerContainer-1, WRITE: TLSv1 Handshake, length = 144
O [Raw write]: length = 149
O 0000: 16 03 01 00 90 39 0c d3 85 c2 c7 a6 db 1b 19 c9 .....9..........
O [Raw read]: length = 5
O 0000: 16 03 01 03 c0 .....
O [Raw read]: length = 960
O 0000: 52 a5 c4 98 5e 3a ba 29 0c 5d 33 ba e7 a6 f6 9d R.........3.....
O ListenerContainer-1, READ: TLSv1 Handshake, length = 960
O 0000: 02 00 00 65 03 01 58 e3 96 0b d1 0f ec fc 78 bd ...e..X.......x.
O *** ServerHello, TLSv1
O RandomCookie: GMT: 1474467339 bytes = { 209, 15, 236, 252, 120, 189, 229, 92, 195, 178, 12, 253, 84, 35, 32, 141, 135, 199, 74, 135, 129, 147, 179, 39, 140, 238, 136, 245 }
O Session ID: {227, 16, 0, 0, 137, 23, 115, 18, 172, 166, 216, 5, 39, 117, 98, 130, 126, 247, 92, 123, 95, 173, 213, 94, 76, 116, 115, 203, 213, 63, 223, 177}
O Cipher Suite: SSL_RSA_WITH_AES_128_CBC_SHA
O Compression Method: 0
O Extension renegotiation_info, ri_length: 24, ri_connection_data: { 56, 215, 170, 111, 66, 74, 59, 26, 94, 46, 231, 190, 19, 156, 214, 176, 202, 166, 205, 225, 129, 221, 139, 193 }
O ***
O JsseJCE: Using MessageDigest MD5 from provider IBMJCE version 1.2
O JsseJCE: Using MessageDigest SHA from provider IBMJCE version 1.2
O RI_Extension verification complete
O %% Initialized: [Session-8, SSL_RSA_WITH_AES_128_CBC_SHA]
O ** SSL_RSA_WITH_AES_128_CBC_SHA
O [read] MD5 and SHA1 hashes: len = 105
O 0000: 02 00 00 65 03 01 58 e3 96 0b d1 0f ec fc 78 bd ...e..X.......x.
O *** Certificate chain
O chain [0] = [
[
Version: V3
Subject: CN=OTLS..enterprise.sun.com
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: IBMJCE RSA Public Key:
modulus:
23553703497639596335070510257137281846668772458655810320677790628829221930261149412925591183146781723536526781277172608739916146526544854651533994944277413821681774452388324836206810729946188205549925379818388956830834110706891819099617718057830110501768074462851693346833893969477290813937343022841978362903738008267590984351543136396192926768606970581686949544516090193350198903123024609160656153681262348428606470586055201848713219772934786602559592543952662556702629365940208481126300406324501533729138789679650468030591267044786502786266360792591465166026083070678688183035912219682765397505679240220734169611841
public exponent:
65537
Validity: [From: Mon Feb 27 07:21:04 EST 2017,
To: Mon Feb 26 19:00:00 EST 2018]
Issuer: CN=OTLS..enterprise.sun.com
SerialNumber: [157540854616312716013046194484672082663]
Certificate Extensions: 2
[1]: ObjectId: 2.5.29.37 Criticality=false
ExtKeyUsage [
1.3.6.1.5.5.7.3.1]
[2]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
Key_Encipherment
Data_Encipherment
]
]
Algorithm: [SHA1withRSA]
Signature:
0000: 95 2e 1f 6b bf f4 08 1b 05 bc af 0b 83 2b d5 9e ...k............
]
O ***
O Found trusted certificate:
O [
[
Version: V3
Subject: CN=OTLS..enterprise.sun.com
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: IBMJCE RSA Public Key:
modulus:
23553703497639596335070510257137281846668772458655810320677790628829221930261149412925591183146781723536526781277172608739916146526544854651533994944277413821681774452388324836206810729946188205549925379818388956830834110706891819099617718057830110501768074462851693346833893969477290813937343022841978362903738008267590984351543136396192926768606970581686949544516090193350198903123024609160656153681262348428606470586055201848713219772934786602559592543952662556702629365940208481126300406324501533729138789679650468030591267044786502786266360792591465166026083070678688183035912219682765397505679240220734169611841
public exponent:
65537
Validity: [From: Mon Feb 27 07:21:04 EST 2017,
To: Mon Feb 26 19:00:00 EST 2018]
Issuer: CN=OTLS..enterprise.sun.com
SerialNumber: [157540854616312716013046194484672082663]
Certificate Extensions: 2
[1]: ObjectId: 2.5.29.37 Criticality=false
ExtKeyUsage [
1.3.6.1.5.5.7.3.1]
[2]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
Key_Encipherment
Data_Encipherment
]
]
Algorithm: [SHA1withRSA]
Signature:
0000: 95 2e 1f 6b bf f4 08 1b 05 bc af 0b 83 2b d5 9e ...k............
]
O [read] MD5 and SHA1 hashes: len = 806
O 0000: 0b 00 03 22 00 03 1f 00 03 1c 30 82 03 18 30 82 ..........0...0.
0010: 02 00 a0 03 02 01 02 02 10 76 85 43 d2 e9 21 07 .........v.C....
O *** CertificateRequest
O Cert Types: RSA, DSS, ECDSA
O Cert Authorities:
O <Empty>
O [read] MD5 and SHA1 hashes: len = 10
O 0000: 0d 00 00 06 03 01 02 40 00 00 ..........
O *** ServerHelloDone
O [read] MD5 and SHA1 hashes: len = 4
O 0000: 0e 00 00 00 ....
O ClientHandshaker: KeyManager com.ibm.ws.ssl.core.WSX509KeyManager
O matching alias: default
O *** Certificate chain
O chain [0] = [
[
Version: V3
Subject: CN=XQ1..enterprise.sun.com, OU=XQ1Node01Cell, OU=XQ1Node01, O=IBM, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: IBMJCE RSA Public Key:
modulus:
110843921622147780318384621158214764705470317393194727986877851877285223474158936772266058764800503835209829711284711944290493529045508433479261112669514928128534895563063819307253434406155487303648611935061998559156762974027014248792380105199377095915876433187824227059900869413289818622830165728007892211197
public exponent:
65537
Validity: [From: Sun Mar 05 17:32:19 EST 2017,
To: Mon Mar 05 17:32:19 EST 2018]
Issuer: CN=XQ1..enterprise.sun.com, OU=Root Certificate, OU=XQ1Node01Cell, OU=XQ1Node01, O=IBM, C=US
SerialNumber: [32229148073970]
Certificate Extensions: 2
[1]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
[RFC822Name: ProfileUUID:was70profile1-BASE-8665f1be-6c91-4f3f-9737-7ea56a84c9a7]]
[2]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4c 25 62 5f 59 c0 a9 87 L.b.Y...
]
]
]
Algorithm: [SHA1withRSA]
Signature:
0000: 64 3c 9d e8 00 ca f0 f9 9a 33 10 a1 16 39 3a 6d d........3...9.m
]
O chain [1] = [
[
Version: V3
Subject: CN=XQ1..enterprise.sun.com, OU=Root Certificate, OU=XQ1Node01Cell, OU=XQ1Node01, O=IBM, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: IBMJCE RSA Public Key:
modulus:
133709287124393792230601765881699139284227312626945278928615499964607234524332116007234980646619761347476316748109684673947697597508730909561799232875111817433344405710867175697607140981134928059514395419168832779709507872705080489476741742323610788920900244447196181703106638720154734901400895308937603956483
public exponent:
65537
Validity: [From: Thu Dec 15 12:44:52 EST 2011,
To: Fri Dec 11 12:44:52 EST 2026]
Issuer: CN=XQ1..enterprise.sun.com, OU=Root Certificate, OU=XQ1Node01Cell, OU=XQ1Node01, O=IBM, C=US
SerialNumber: [14851033508608]
Certificate Extensions: 3
[1]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
[2]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
[RFC822Name: ProfileUUID:was70profile1-BASE-8665f1be-6c91-4f3f-9737-7ea56a84c9a7]]
[3]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4b be 7e 6a 81 18 dc 91 K..j....
]
]
]
Algorithm: [SHA1withRSA]
Signature:
0000: 7f 18 a5 d0 88 a1 95 d4 2c 8e b9 51 13 21 b5 df ...........Q....
]
O ***
O JsseJCE: Choose KeyGenerator for IbmTlsRsaPremasterSecret.
O JsseJCE: Using KeyGenerator IbmTlsRsaPremasterSecret from provider TBD via init
O JsseJCE: Using cipher RSA/SSL/PKCS1Padding from provider TBD via init
O PreMasterSecret: Using cipher for wrap RSA/SSL/PKCS1Padding from provider from init IBMJCE version 1.2
O *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
O [write] MD5 and SHA1 hashes: len = 1857
O 0000: ...7..4...0...0.
O Padded plaintext before ENCRYPTION: len = 1888
O 0000: ...7..4...0...0.
O ListenerContainer-1, WRITE: TLSv1 Handshake, length = 1888
O SESSION KEYGEN:
O PreMaster Secret:
O 0000: ........Q.J...K.
O javax.crypto.spec.SecretKeySpec#13e5009
O JsseJCE: Using KeyGenerator IbmTlsMasterSecret from provider TBD via init
O JsseJCE: Using KeyGenerator IbmTlsKeyMaterial from provider TBD via init
O CONNECTION KEYGEN:
O Client Nonce:
O 0000: 58 e3 96 3a 2f 30 6c 18 00 91 3b 7c cd 53 af 97 X....0l......S..
O Server Nonce:
O 0000: 58 e3 96 0b d1 0f ec fc 78 bd e5 5c c3 b2 0c fd X.......x.......
O Master Secret:
O 0000: 31 f7 d1 f5 85 14 c3 3f b4 86 26 04 e9 5d 4a 80 1.............J.
O Client MAC write Secret:
O 0000: 3d f9 24 a2 e8 6b a3 3a 1d cb 1d 89 c4 92 14 dd .....k..........
O Server MAC write Secret:
O 0000: ...W......m.Z..2
O Client write key:
O 0000: p..9....U..f....
O Server write key:
O 0000: 12 69 bf 32 56 85 16 a8 ef f4 56 f7 2e 59 99 62 .i.2V.....V..Y.b
O Client write IV:
O 0000: fe 71 85 da 9e c1 4c 9b 2d 78 47 6d 6b 0b 14 47 .q....L..xGmk..G
O Server write IV:
O 0000: b6 00 6c c6 06 89 77 96 73 54 97 77 2b 92 91 6c ..l...w.sT.w...l
O JsseJCE: Using signature RSAforSSL from provider TBD via init
O JsseJCE: Using MessageDigest MD5 from provider IBMJCE version 1.2
O JsseJCE: Using MessageDigest SHA from provider IBMJCE version 1.2
O Signatures: Using signature RSA from provider from initSignIBMJCE version 1.2
O *** CertificateVerify
O [write] MD5 and SHA1 hashes: len = 134
O 0000: 0f 00 00 82 00 80 8f 81 da ae ea d9 b0 80 7d f3 ................
O JsseJCE: Using KeyGenerator IbmTlsPrf from provider TBD via init
O HandshakeMessage: TLS Keygenerator IbmTlsPrf from provider from init IBMJCE version 1.2
O Padded plaintext before ENCRYPTION: len = 160
O 0000: 0f 00 00 82 00 80 8f 81 da ae ea d9 b0 80 7d f3 ................
O ListenerContainer-1, WRITE: TLSv1 Handshake, length = 160
O Padded plaintext before ENCRYPTION: len = 32
O 0000: ....R..u.iAt7.q.
O ListenerContainer-1, WRITE: TLSv1 Change Cipher Spec, length = 32
O JsseJCE: Using cipher AES/CBC/NoPadding from provider TBD via init
O CipherBox: Using cipher AES/CBC/NoPadding from provider from init IBMJCE version 1.2
O JsseJCE: Using MAC HmacSHA1 from provider TBD via init
O MAC: Using MessageDigest HmacSHA1 from provider IBMJCE version 1.2
O *** Finished
O verify_data: { 100 }
O ***
O [write] MD5 and SHA1 hashes: len = 16
O 0000: .....g........jd
O Padded plaintext before ENCRYPTION: len = 48
O 0000: .....g........jd
O ListenerContainer-1, WRITE: TLSv1 Handshake, length = 48
O [Raw write]: length = 1893
O 0000: 16 03 01 07 60 30 e0 6b 5b 53 27 32 30 1a b2 be .....0.k.S.20...
O [Raw write]: length = 165
O 0000: 16 03 01 00 a0 42 1b 86 be 1e ac 1d 81 23 74 44 .....B........tD
O [Raw write]: length = 37
O 0000: 14 03 01 00 20 24 21 46 20 90 77 7a 1d 02 81 b2 .......F..wz....
O [Raw write]: length = 53
O 0000: ....0.3.a...x...
O [Raw read]: length = 5
O 0000: 14 03 01 00 20 .....
O [Raw read]: length = 32
O 0000: ...m.....x..0...
O ListenerContainer-1, READ: TLSv1 Change Cipher Spec, length = 32
O 0000: .O.......nJ...g.
O JsseJCE: Using cipher AES/CBC/NoPadding from provider TBD via init
O CipherBox: Using cipher AES/CBC/NoPadding from provider from init IBMJCE version 1.2
O JsseJCE: Using MAC HmacSHA1 from provider TBD via init
O MAC: Using MessageDigest HmacSHA1 from provider IBMJCE version 1.2
O [Raw read]: length = 5
O 0000: 16 03 01 00 30 ....0
O [Raw read]: length = 48
O 0000: 04 93 78 76 db 42 1d af 85 e9 bd 2b b8 7a d6 e6 ..xv.B.......z..
O ListenerContainer-1, READ: TLSv1 Handshake, length = 48
O 0000: 14 00 00 0c 77 2e ab 89 d0 91 9c 47 12 35 00 40 ....w......G.5..
O *** Finished
O verify_data: { 119, 46, 171, 137, 208, 145, 156, 71, 18, 53, 0, 64 }
O ***
O JsseJCE: Using KeyGenerator IbmTlsPrf from provider TBD via init
O HandshakeMessage: TLS Keygenerator IbmTlsPrf from provider from init IBMJCE version 1.2
O cached session [Session-8, SSL_RSA_WITH_AES_128_CBC_SHA]
O %% Cached client session: [Session-8, SSL_RSA_WITH_AES_128_CBC_SHA]
O [read] MD5 and SHA1 hashes: len = 16
O 0000: ....w......G.5..
O [Raw read (bb)]: length = 37
O 0000: 17 03 01 00 20 c4 23 30 6c 3e 32 03 92 8a a8 b8 .......0l.2.....
O Padded plaintext after DECRYPTION: len = 32
O 0000: 48 de e8 a9 44 bf cf 82 73 c1 a2 4c b7 01 8c 12 H...D...s..L....
O [Raw read (bb)]: length = 1429
O 0000: 17 03 01 05 90 ed 7b 79 7c b6 e2 b4 2e 17 54 68 .......y......Th
O Padded plaintext after DECRYPTION: len = 1424
O 0000: TTP.1.1.403.Forb
idden..Content.T
ype..text.html..
Server.http.eq
uiv..Content.Typ
e..content..text
.html..charset.i
so.8859.1......t
itle.403...Forbi
dden..Access.is.
denied...title..
Update: Successful truncated ssl log from Standalone IBM JRE Java client.
IBMJSSE2 to send SCSV Cipher Suite on initial ClientHello
JsseJCE: Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.2
*** ServerHello, TLSv1
Cipher Suite: SSL_RSA_WITH_AES_128_CBC_SHA
*** ServerHelloDone
[read] MD5 and SHA1 hashes: len = 4
JsseJCE: Choose KeyGenerator for IbmTlsRsaPremasterSecret.
JsseJCE: Using KeyGenerator IbmTlsRsaPremasterSecret from provider TBD via init
JsseJCE: Using cipher RSA/SSL/PKCS1Padding from provider TBD via init
PreMasterSecret: Using cipher for wrap RSA/SSL/PKCS1Padding from provider from init IBMJCE version 1.2
JsseJCE: Using KeyGenerator IbmTlsPrf from provider TBD via init
HandshakeMessage: TLS Keygenerator IbmTlsPrf from provider from init IBMJCE version 1.2
main, WRITE: TLSv1 Change Cipher Spec, length = 1
JsseJCE: Using cipher AES/CBC/NoPadding from provider TBD via init
CipherBox: Using cipher AES/CBC/NoPadding from provider from init IBMJCE version 1.2
JsseJCE: Using MAC HmacSHA1 from provider TBD via init
main, READ: TLSv1 Change Cipher Spec, length = 1
JsseJCE: Using cipher AES/CBC/NoPadding from provider TBD via init
CipherBox: Using cipher AES/CBC/NoPadding from provider from init IBMJCE version 1.2
*** ServerHello, TLSv1
Cipher Suite: SSL_RSA_WITH_AES_128_CBC_SHA
*** ServerHelloDone
[read] MD5 and SHA1 hashes: len = 4
0000: 0e 00 00 00 ....
ClientHandshaker: KeyManager com.ibm.jsse2.aJ
JsseJCE: Using KeyAgreement ECDH from provider IBMJCE version 1.2
JsseJCE: Using signature SHA1withECDSA from provider TBD via init
JsseJCE: Using signature NONEwithECDSA from provider TBD via init
JsseJCE: Using KeyFactory EC from provider IBMJCE version 1.2
JsseJCE: Using KeyPairGenerator EC from provider TBD via init
JsseJce: EC is available
*** Certificate chain
***
JsseJCE: Choose KeyGenerator for IbmTlsRsaPremasterSecret.
JsseJCE: Using KeyGenerator IbmTlsRsaPremasterSecret from provider TBD via init
JsseJCE: Using cipher RSA/SSL/PKCS1Padding from provider TBD via init
PreMasterSecret: Using cipher for wrap RSA/SSL/PKCS1Padding from provider from init IBMJCE version 1.2
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
JsseJCE: Using cipher AES/CBC/NoPadding from provider TBD via init
CipherBox: Using cipher AES/CBC/NoPadding from provider from init IBMJCE version 1.2
JsseJCE: Using MAC HmacSHA1 from provider TBD via init
MAC: Using MessageDigest HmacSHA1 from provider IBMJCE version 1.2
*** Finished
verify_data: { 216, 231, 207, 130, 172, 141, 204, 125, 55, 250, 84, 30 }
***
JsseJCE: Using KeyGenerator IbmTlsPrf from provider TBD via init
HandshakeMessage: TLS Keygenerator IbmTlsPrf from provider from init IBMJCE version 1.2
cached session [Session-2, SSL_RSA_WITH_AES_128_CBC_SHA]
%% Cached client session: [Session-2, SSL_RSA_WITH_AES_128_CBC_SHA]
main, READ: TLSv1 Application Data, length = 720
TTP.1.1.200.OK..
Cache.Control..p
rivate..Content.
We fixed this issue by turning off "Client Certificate" requirement at IIS Server which was set to Optional before. We wanted One-way SSL but the server was set up for Two-way SSL Client Authentication.
It worked with standalone Java client because Java-Client was not sending the client certificate and as the "Client-Certificate" was Optional at IIS, it worked well.
However, Websphere Application Server was sending the default "Client-Certificate" to IIS and IIS obviously didn't have any clue on this certificate, hence it was failing.
This can be verified from the failure log in the question. Right after the "*** CertificateRequest", WAS-Client was sending the default-cert.
Browsium ION will allow you to set the highest java security globally, whilst reducing security for chosen specific applications. We advise to always keep the version of JRE on machines at the very latest version.
Download the latest (x86) version of Jre https://java.com/en/download/
Download Browsium ION - Browsium Ion Evaluation Kit
Create a profile and a Rule to swap from latest version to JRE 1.6 version. See the demo video Keep Java Up to Date" on our Website for simple instruction of how to do this.
Using a Browsium ION Custom file the Deployment.Properties file can be amended to change the SSL and TLS Security attributes.
Let me know if you need any help.