SSL not working between Linux and Windows - ssl

I have gone through loads of material present on internet for SSL. I followed the steps and created self signed certificate on server (linux) using keytool. Server keystore was already having an entry as ( CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown), my new certificate was second entry as ( CN=Server, OU=Server, O=Server, L=Server, ST=Server, C=Server ). Then I exported the certificate(.cer) using keytool and copied same on my client(windows). I then imported server generated certificate to client trustore. Now when I try to communicate using SSL it fails everytime. I turned on SSL debug on client. Below is the log
adding as trusted cert:
Subject: CN=Server, OU=Server, O=Server, L=Server, ST=Server, C=Server
Issuer: CN=Server, OU=Server, O=Server, L=Server, ST=Server, C=Server
Algorithm: RSA; Serial number: 0x3bd2165e
Valid from Fri Oct 21 13:08:11 IST 2016 until Thu Jan 19 13:08:11 IST 2017
adding as trusted cert:
Subject: CN=Client, OU=Client, O=Client, L=Client, ST=Client, C=Client
Issuer: CN=Client, OU=Client, O=Client, L=Client, ST=Client, C=Client
Algorithm: RSA; Serial number: 0x46dac56d
Valid from Fri Oct 21 13:20:47 IST 2016 until Thu Jan 19 13:20:47 IST 2017
***
found key for : Client
chain [0] = [
[
Version: V3
Subject: CN=Client, OU=Client, O=Client, L=Client, ST=Client, C=Client
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: 19643942881710234591525118408612815215632338692166465250629734200981703093763200559775845583913404371567241804832487728799610532434766533695993759141114319525441958126364976642955560446067359829730544145500409447935888670367709958247941184557182316292540918805424085096889405623367353240389104083404287642633808982388623942568195322780929142023222276129235672938020453213230922184807911898395818264624343113898437136096266829934433793735074739359988881755805184514603338282021635155460130597302085016075305135792447640646817495498043975883348791446660517781531653507565586938242488813328480016900010365926159926261191
public exponent: 65537
Validity: [From: Fri Oct 21 13:20:47 IST 2016,
To: Thu Jan 19 13:20:47 IST 2017]
Issuer: CN=Client, OU=Client, O=Client, L=Client, ST=Client, C=Client
SerialNumber: [ 46dac56d]
Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 72 B5 E3 14 98 BD 53 F3 69 33 96 A5 71 F5 99 2B r.....S.i3..q..+
0010: 22 0F B9 F6 "...
]
]
]
Algorithm: [SHA1withRSA]
Signature:
0000: 21 16 B3 C9 5D BC EB 71 35 78 95 8E BF 30 72 AC !...]..q5x...0r.
0010: D1 42 AA B7 C1 8B 23 FD 67 DF 6F 36 85 E8 C6 05 .B....#.g.o6....
0020: A4 7B E7 A5 B5 3A FC 0C 88 29 3D C3 CD C2 88 8D .....:...)=.....
0030: 86 3A BF 14 85 93 01 75 5E 6E 01 87 44 A9 0A 21 .:.....u^n..D..!
0040: A2 F0 C3 05 9C 40 7B 89 61 DB 84 28 73 89 0F 3A .....#..a..(s..:
0050: B7 96 E8 63 30 29 8A B5 11 4C D2 7E A8 17 6F 0F ...c0)...L....o.
0060: 4E C7 4A AD E0 A8 6E 68 CE 72 FE DD DE F7 1C 84 N.J...nh.r......
0070: 20 C9 C4 CA F1 6A 3B C0 F9 A8 DD 03 0B EF 04 03 ....j;.........
0080: 40 BA 37 F6 B6 9C BE FF A9 E6 0E BF E6 32 B8 B3 #.7..........2..
0090: 0A EB 0F F7 EA 23 93 D1 17 D7 6E 94 0C 98 4C 90 .....#....n...L.
00A0: 40 21 DE 39 09 A9 16 2A 97 DD 2D E5 C0 FC FE 2E #!.9...*..-.....
00B0: AE 36 0C 04 6D A8 8F 1D B8 2B 99 54 7C AD 4F 8C .6..m....+.T..O.
00C0: 01 9C C2 07 77 81 A7 6C 07 2D A3 75 1D 4E E4 16 ....w..l.-.u.N..
00D0: 7E D0 BD E4 79 0F B6 9C C8 62 2E D6 E1 AC 35 58 ....y....b....5X
00E0: 22 B2 8C 4B FE 9A 06 C4 53 C1 8F 45 EA 61 3A 7F "..K....S..E.a:.
00F0: 3C D1 15 0D A8 27 3E 0F AB F5 8F DA 78 05 5F AE <....'>.....x._.
]
***
trigger seeding of SecureRandom
done seeding SecureRandom
keyStore is : D:\\Development\\Workspace\\Eclipse\\testSSL\\Sample\\.keystore
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
***
found key for : Client
chain [0] = [
[
Version: V3
Subject: CN=Client, OU=Client, O=Client, L=Client, ST=Client, C=Client
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: 19643942881710234591525118408612815215632338692166465250629734200981703093763200559775845583913404371567241804832487728799610532434766533695993759141114319525441958126364976642955560446067359829730544145500409447935888670367709958247941184557182316292540918805424085096889405623367353240389104083404287642633808982388623942568195322780929142023222276129235672938020453213230922184807911898395818264624343113898437136096266829934433793735074739359988881755805184514603338282021635155460130597302085016075305135792447640646817495498043975883348791446660517781531653507565586938242488813328480016900010365926159926261191
public exponent: 65537
Validity: [From: Fri Oct 21 13:20:47 IST 2016,
To: Thu Jan 19 13:20:47 IST 2017]
Issuer: CN=Client, OU=Client, O=Client, L=Client, ST=Client, C=Client
SerialNumber: [ 46dac56d]
Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 72 B5 E3 14 98 BD 53 F3 69 33 96 A5 71 F5 99 2B r.....S.i3..q..+
0010: 22 0F B9 F6 "...
]
]
]
Algorithm: [SHA1withRSA]
Signature:
0000: 21 16 B3 C9 5D BC EB 71 35 78 95 8E BF 30 72 AC !...]..q5x...0r.
0010: D1 42 AA B7 C1 8B 23 FD 67 DF 6F 36 85 E8 C6 05 .B....#.g.o6....
0020: A4 7B E7 A5 B5 3A FC 0C 88 29 3D C3 CD C2 88 8D .....:...)=.....
0030: 86 3A BF 14 85 93 01 75 5E 6E 01 87 44 A9 0A 21 .:.....u^n..D..!
0040: A2 F0 C3 05 9C 40 7B 89 61 DB 84 28 73 89 0F 3A .....#..a..(s..:
0050: B7 96 E8 63 30 29 8A B5 11 4C D2 7E A8 17 6F 0F ...c0)...L....o.
0060: 4E C7 4A AD E0 A8 6E 68 CE 72 FE DD DE F7 1C 84 N.J...nh.r......
0070: 20 C9 C4 CA F1 6A 3B C0 F9 A8 DD 03 0B EF 04 03 ....j;.........
0080: 40 BA 37 F6 B6 9C BE FF A9 E6 0E BF E6 32 B8 B3 #.7..........2..
0090: 0A EB 0F F7 EA 23 93 D1 17 D7 6E 94 0C 98 4C 90 .....#....n...L.
00A0: 40 21 DE 39 09 A9 16 2A 97 DD 2D E5 C0 FC FE 2E #!.9...*..-.....
00B0: AE 36 0C 04 6D A8 8F 1D B8 2B 99 54 7C AD 4F 8C .6..m....+.T..O.
00C0: 01 9C C2 07 77 81 A7 6C 07 2D A3 75 1D 4E E4 16 ....w..l.-.u.N..
00D0: 7E D0 BD E4 79 0F B6 9C C8 62 2E D6 E1 AC 35 58 ....y....b....5X
00E0: 22 B2 8C 4B FE 9A 06 C4 53 C1 8F 45 EA 61 3A 7F "..K....S..E.a:.
00F0: 3C D1 15 0D A8 27 3E 0F AB F5 8F DA 78 05 5F AE <....'>.....x._.
]
***
trustStore is: D:\Development\Workspace\Eclipse\testSSL\Sample\.keystore
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
Subject: CN=Server, OU=Server, O=Server, L=Server, ST=Server, C=Server
Issuer: CN=Server, OU=Server, O=Server, L=Server, ST=Server, C=Server
Algorithm: RSA; Serial number: 0x3bd2165e
Valid from Fri Oct 21 13:08:11 IST 2016 until Thu Jan 19 13:08:11 IST 2017
adding as trusted cert:
Subject: CN=Client, OU=Client, O=Client, L=Client, ST=Client, C=Client
Issuer: CN=Client, OU=Client, O=Client, L=Client, ST=Client, C=Client
Algorithm: RSA; Serial number: 0x46dac56d
Valid from Fri Oct 21 13:20:47 IST 2016 until Thu Jan 19 13:20:47 IST 2017
trigger seeding of SecureRandom
done seeding SecureRandom
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
main, setSoTimeout(0) called
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1476980696 bytes = { 63, 74, 124, 176, 200, 133, 175, 107, 173, 166, 115, 188, 94, 103, 2, 237, 54, 77, 30, 244, 166, 94, 22, 118, 220, 68, 182, 101 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
***
main, WRITE: TLSv1 Handshake, length = 149
main, READ: TLSv1 Handshake, length = 893
*** ServerHello, TLSv1
RandomCookie: GMT: 1476980313 bytes = { 231, 179, 63, 173, 107, 35, 84, 125, 43, 218, 134, 171, 63, 175, 41, 97, 49, 69, 68, 114, 75, 255, 22, 5, 125, 125, 124, 228 }
Session ID: {88, 9, 238, 89, 11, 220, 101, 208, 32, 106, 9, 30, 220, 143, 218, 47, 199, 2, 7, 90, 179, 24, 198, 139, 59, 34, 141, 169, 98, 186, 165, 87}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
%% Initialized: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
** TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits
modulus: 95112623927847376021742911976482809760928286563374389538614118188348331948203986176617263611529390313893505980510111828145989572854367203125102386298954935692697121151897799979668903275037476471253143679337867450398842776382716002256891170241471053163351903550915614869043680655531661128282766400131123099323
public exponent: 65537
Validity: [From: Wed Jan 02 01:20:42 IST 2013,
To: Sat Jan 06 01:20:42 IST 2018]
Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
SerialNumber: [ 50e33e12]
]
Algorithm: [SHA1withRSA]
Signature:
0000: 3F 48 66 AE 51 1D 5C 0C E9 0D 88 DD CD 48 84 B7 ?Hf.Q.\......H..
0010: 9A B3 70 79 C9 43 0E 4D B1 1E 10 5B 7A EB DC 6B ..py.C.M...[z..k
0020: 9B 15 E4 9E 9C 94 39 1C E7 CF 0E 2C D0 A8 A0 1D ......9....,....
0030: A1 A4 E4 63 A0 37 AA 98 72 31 77 56 16 31 49 B9 ...c.7..r1wV.1I.
0040: 8D BD A1 D7 53 BF 82 69 9C C7 B6 2A F0 FA A2 2D ....S..i...*...-
0050: C2 34 25 23 9C DA B6 74 D5 E0 CC 27 45 A9 8C 41 .4%#...t...'E..A
0060: 23 8B 33 A8 92 72 46 77 E0 10 E7 C6 38 9D 1D A8 #.3..rFw....8...
0070: E5 B2 B3 B5 58 99 B3 BD 1C E3 B0 39 54 F2 EB 46 ....X......9T..F
]
***
CN=Server, OU=Server, O=Server, L=Server, ST=Server, C=Server
X.509
adding as trusted cert:
Subject: CN=Server, OU=Server, O=Server, L=Server, ST=Server, C=Server
Issuer: CN=Server, OU=Server, O=Server, L=Server, ST=Server, C=Server
Algorithm: RSA; Serial number: 0x3bd2165e
Valid from Fri Oct 21 13:08:11 IST 2016 until Thu Jan 19 13:08:11 IST 2017
adding as trusted cert:
Subject: CN=Client, OU=Client, O=Client, L=Client, ST=Client, C=Client
Issuer: CN=Client, OU=Client, O=Client, L=Client, ST=Client, C=Client
Algorithm: RSA; Serial number: 0x46dac56d
Valid from Fri Oct 21 13:20:47 IST 2016 until Thu Jan 19 13:20:47 IST 2017
%% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
main, SEND TLSv1 ALERT: fatal, description = certificate_unknown
main, WRITE: TLSv1 Alert, length = 2
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
main, IOException in getSession(): javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
main, called close()
main, called closeInternal(true)
main, called close()
main, called closeInternal(true)
When I checked logs carefully I noticed Server is sending only first certificate in chain of certificates to client i.e,. ( CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown ), my newly created certificate is not present. Am I doing something wrong?

Related

What could cause forbidden 403 after successful SSL handshake?

I have a question about an TLS connection I am making inside my Java application to an external party.
The TLS handshake seems to finish without any issues. (See log below).
But I still get a 403 forbidden from the web server I am trying to hit.
Because the SSL handshake has finished does it means I can rule out certificates as being the problem? i.e. Is it more likely to be like a firewall blocking me on the other side?
Also can anyone think of anything else I can do on my side to get more information about why things might be going wrong? I ask this question because at the moment I feel like I have exhausted all avenues of investigation.
thanks
[api-blah-v1-132].http.requester.apiHttpblahRequestConfig.worker(5), READ: TLSv1 Handshake, length = 2704
*** ServerHello, TLSv1
RandomCookie: GMT: 1489311495 bytes = { 24, 166, 5, 115, 96, 245, 87, 168, 201, 0, 140, 169, 246, 167, 17, 130, 35, 82, 180, 20, 78, 118, 197, 139, 115, 85, 149, 249 }
Session ID: {240, 31, 0, 0, 187, 150, 112, 197, 105, 66, 166, 30, 38, 101, 157, 77, 70, 251, 210, 109, 66, 5, 150, 39, 144, 252, 165, 154, 98, 139, 28, 247}
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: 24:d2:f9:be:4f:9b:34:9d:97:0a:87:7e:b3:00:a5:3b:9e:fd:13:83:1b:7c:57:f5
***
%% Initialized: [Session-5, TLS_RSA_WITH_AES_128_CBC_SHA]
** TLS_RSA_WITH_AES_128_CBC_SHA
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=myComppany.dns.com.au
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
modulus: 20347157146520353095861639278208184247286986690713431491420841394784858170529375449223849853534354840929149706378303297947541892423057001636130580267149963843615721783983566141638311949114700827164868954418508313798333746643037746007234047993830271943749361746071066892915327273997666547176023092823087128341412638685856170738104070682226405621117015097115212087323270530842662099589771387988512876505892653094995664532977115190036204521785829075338794419227119436542735750611752914553559131212700916410969902308936242124816342527509957358809361641507658744635443218654637212447896897323865396709669621261450063512703
public exponent: 65537
Validity: [From: Tue May 16 10:07:21 AEST 2017,
To: Thu May 16 10:07:20 AEST 2019]
Issuer: CN=EDS_RootCA
SerialNumber: [ 3f6b1b9d 4e6a8491 479d4580 318d46b6]
Certificate Extensions: 1
[1]: ObjectId: 2.5.29.1 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 4F 30 4D 80 10 1F 88 3D 3B E3 7C 8A 45 C0 4C .O0M....=;...E.L
0010: 36 EF 64 C8 23 A5 A1 27 30 25 31 23 30 21 06 03 6.d.#..'0%1#0!..
0020: 55 04 03 1E 1A 00 45 00 44 00 53 00 5F 00 56 00 U.....E.D.S._.
0030: 52 00 5F 00 52 00 6F 00 6F 00 74 00 43 00 41 82 ._.R.o.o.t.C.A.
0040: 10 1F E5 AA 89 7F E6 11 82 4D FE D1 DB FA F4 7E .........M......
0050: 8D .
]
Algorithm: [SHA256withRSA]
Signature:
0000: 26 94 B7 78 21 EC 60 24 28 6E 7D C0 93 43 7A F8 &..x!.`$(n...Cz.
0010: 27 E8 BF 36 E1 B9 6E 41 4F 3B B7 7D 48 FB F4 77 '..6..nAO;..H..w
0020: 56 30 85 5E C1 5E 73 1A 79 7A B8 7F 48 DE 85 2F V0.^.^s.yz..H../
0030: 03 93 8F 78 15 28 65 4D 78 E1 DE 83 83 10 B0 97 ...x.(eMx.......
0040: 0C F2 8E D3 E7 E3 16 8E 1C C8 0D 6D 04 B9 64 81 ...........m..d.
0050: 59 B1 34 D7 2E 86 1C E0 CD D7 19 8E 7C 00 CA CD Y.4.............
0060: A5 3D 37 F0 31 24 E6 DC 01 66 9C D2 6A 25 FE 0A .=7.1$...f..j%..
0070: F9 02 B7 41 17 38 BA 74 05 34 EC 5D 3D DB 20 CB ...A.8.t.4.]=. .
]
***
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Cert Authorities:
<CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE>
<CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US>
<CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US>
<OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US>
<CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US>
<CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE>
<CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE>
<CN=GeoTrust Global CA, O=GeoTrust Inc., C=US>
<CN=Microsoft Root Certificate Authority 2010, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US>
<CN=SercoTcsRootCA>
<CN=Microsoft Root Certificate Authority 2011, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US>
<CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright (c) 1997 Microsoft Corp.>
<CN=Entrust Root Certification Authority, OU="(c) 2006 Entrust, Inc.", OU=www.entrust.net/CPS is incorporated by reference, O="Entrust, Inc.", C=US>
<CN=Tenix IMES CA>
<CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com>
<CN=SercoTcsRootCA, DC=, DC=ap, DC=ser, DC=com>
<CN=EDS__RootCA>
*** ServerHelloDone
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
[api-blah-v1-132].http.requester.apiHttpblahRequestConfig.worker(5), WRITE: TLSv1 Handshake, length = 304
SESSION KEYGEN:
PreMaster Secret:
0000: 03 01 B3 1D 9D 31 6C 7D 0D D7 92 73 03 F0 6D 84 .....1l....s..m.
0010: 4D 6C BB 52 D7 26 C1 B0 58 82 90 23 29 DB AC 1C Ml.R.&..X..#)...
0020: DA 19 E1 6C A0 63 31 22 0D 39 05 FD 92 A6 43 A6 ...l.c1".9....C.
CONNECTION KEYGEN:
Client Nonce:
0000: 59 C5 17 07 63 E9 79 F6 63 5A 7A 43 66 8D 1C B2 Y...c.y.cZzCf...
0010: 60 6C 4A CF E4 86 9A 81 A2 2B C6 F0 5E 76 6A 93 `lJ......+..^vj.
Server Nonce:
0000: 59 C5 17 07 18 A6 05 73 60 F5 57 A8 C9 00 8C A9 Y......s`.W.....
0010: F6 A7 11 82 23 52 B4 14 4E 76 C5 8B 73 55 95 F9 ....#R..Nv..sU..
Master Secret:
0000: 74 FC 19 66 31 63 EB 6D 77 D0 90 35 89 AF 5E 2D t..f1c.mw..5..^-
0010: 92 07 CD 77 18 D4 8A B0 A4 ED D6 87 79 EC BA DC ...w........y...
0020: B5 85 EF BF 6E 44 60 08 93 10 18 89 42 37 58 45 ....nD`.....B7XE
Client MAC write Secret:
0000: C1 EA 83 8C DB D9 FC 4D BA B3 F0 CA 63 98 5F 3E .......M....c._>
0010: 5B E0 87 F0 [...
Server MAC write Secret:
0000: 8C 01 99 66 54 26 87 2A 16 96 6F 6B 96 8A F3 6B ...fT&.*..ok...k
0010: 84 8C 9E D9 ....
Client write key:
0000: 96 E6 14 E2 F6 85 B8 93 51 90 2C CA 86 05 0F FE ........Q.,.....
Server write key:
0000: 96 4C 43 E0 3A FB 05 72 3B 91 6B DB D8 1D 41 67 .LC.:..r;.k...Ag
Client write IV:
0000: BB AA 2B 91 63 10 62 EA B6 8E 2D 48 DD 8A 6C EE ..+.c.b...-H..l.
Server write IV:
0000: 25 30 3F 0A 96 D4 D9 1B F2 B1 92 29 62 CD 0D 4D %0?........)b..M
[api-blah-v1-132].http.requester.apiHttpblahRequestConfig.worker(5), WRITE: TLSv1 Change Cipher Spec, length = 32
*** Finished
verify_data: { 232, 153, 163, 243, 22, 33, 213, 172, 119, 46, 247, 107 }
***
[api-blah-v1-132].http.requester.apiHttpblahRequestConfig.worker(5), WRITE: TLSv1 Handshake, length = 48
[api-blah-v1-132].http.requester.apiHttpblahRequestConfig.worker(5), READ: TLSv1 Change Cipher Spec, length = 32
[api-blah-v1-132].http.requester.apiHttpblahRequestConfig.worker(5), READ: TLSv1 Handshake, length = 48
*** Finished
verify_data: { 232, 126, 65, 13, 112, 166, 63, 121, 201, 0, 57, 110 }
***
%% Cached client session: [Session-5, TLS_RSA_WITH_AES_128_CBC_SHA]
WARN 2017-09-22 23:58:32,052 [[api-blah-v1-132].apiHttpListenerConfig.worker.02] org.apache.cxf.phase.PhaseInterceptorChain: Interceptor for {http://support.cxf.module.mule.org/}ProxyService#{http://support.cxf.module.mule.org/}invoke has thrown exception, unwinding now\norg.apache.cxf.interceptor.Fault: Response code 403 mapped as failure.\n
Because the SSL handshake has finished does it means I can rule out certificates as being the problem?
Yes.
i.e. Is it more likely to be like a firewall blocking me on the other side?
No.
It is the Web server denying you permission to access the requested resource. There is no reason why a successful TLS handshake alone should permit you that access. It is up to the Web server who can access what.
So I looked at this more. I discovered that you have to be very careful with reading the output posted.
Although the handshake reports as successful there is a message in the handshake as follows. This basically means that the handshake failed although the first packet may have been sent.
Warning: no suitable certificate found - continuing without client authentication
There was a problem with my keystore and that was that it did not have the certificate of the issuer in it.

Paypal Handshake failure - IBM WCS/WAS

we have updated the SSL protocol to use SSL_TLSv2 (which should allow TLSv1, TLSv1.1 and TLSv1.2) and we are using https://api.sandbox.paypal.com/2.0/ endpoint URL to connect to paypal. We have added VeriSign Class 3 Public Primary Certification Authority - G5 certificate to our keystore. But still we are getting handshake failure.
Error LOG:
javax.xml.ws.soap.SOAPFaultException: javax.net.ssl.SSLException: Received fatal alert: handshake_failure". javax.xml.ws.soap.SOAPFaultException: javax.net.ssl.SSLException: Received fatal alert: handshake_failure
at org.apache.axis2.jaxws.marshaller.impl.alt.MethodMarshallerUtils.createSystemException(MethodMarshallerUtils.java:1363)
at org.apache.axis2.jaxws.marshaller.impl.alt.MethodMarshallerUtils.demarshalFaultResponse(MethodMarshallerUtils.java:1089)
at org.apache.axis2.jaxws.marshaller.impl.alt.DocLitBareMethodMarshaller.demarshalFaultResponse(DocLitBareMethodMarshaller.java:417)
at org.apache.axis2.jaxws.client.proxy.JAXWSProxyHandler.getFaultResponse(JAXWSProxyHandler.java:626)
at org.apache.axis2.jaxws.client.proxy.JAXWSProxyHandler.createResponse(JAXWSProxyHandler.java:566)
at org.apache.axis2.jaxws.client.proxy.JAXWSProxyHandler.invokeSEIMethod(JAXWSProxyHandler.java:432)
at org.apache.axis2.jaxws.client.proxy.JAXWSProxyHandler.invoke(JAXWSProxyHandler.java:213)
at com.sun.proxy.$Proxy62.setExpressCheckout(Unknown Source)
Please find the logs below (After enabling SSL Debug)
[6/29/16 12:17:29:389 IST] 00000211 WSChannelFram A CHFW0019I: The Transport Channel Service has started chain HttpsOutboundChain:web-proxy.corp.hp.com:8088:706802748:api.sandbox.paypal.com:-1.
adding as trusted cert:
[6/29/16 12:17:30:016 IST] 00000211 SystemOut O Subject: CN=localhost, OU=Root Certificate, OU=localhost, OU=localhost, O=IBM, C=US
[6/29/16 12:17:30:016 IST] 00000211 SystemOut O Issuer: CN=localhost, OU=Root Certificate, OU=localhost, OU=localhost, O=IBM, C=US
[6/29/16 12:17:30:016 IST] 00000211 SystemOut O Algorithm: RSA; Serial number: 0x9256ccd0f74
[6/29/16 12:17:30:016 IST] 00000211 SystemOut O Valid from Mon Mar 28 18:05:23 IST 2016 until Tue Mar 25 18:05:23 IST 2031
[6/29/16 12:17:30:016 IST] 00000211 SystemOut O
[6/29/16 12:17:30:016 IST] 00000211 SystemOut O adding as trusted cert:
[6/29/16 12:17:30:016 IST] 00000211 SystemOut O Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
[6/29/16 12:17:30:016 IST] 00000211 SystemOut O Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
[6/29/16 12:17:30:016 IST] 00000211 SystemOut O Algorithm: RSA; Serial number: 0x250ce8e030612e9f2b89f7054d7cf8fd
[6/29/16 12:17:30:016 IST] 00000211 SystemOut O Valid from Wed Nov 08 05:30:00 IST 2006 until Mon Nov 08 05:29:59 IST 2021
[6/29/16 12:17:30:016 IST] 00000211 SystemOut O
[6/29/16 12:17:30:016 IST] 00000211 SystemOut O adding as trusted cert:
[6/29/16 12:17:30:016 IST] 00000211 SystemOut O Subject: CN=Symantec Class 3 Secure Server CA - G4, OU=Symantec Trust Network, O=Symantec Corporation, C=US
[6/29/16 12:17:30:016 IST] 00000211 SystemOut O Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
[6/29/16 12:17:30:016 IST] 00000211 SystemOut O Algorithm: RSA; Serial number: 0x513fb9743870b73440418d30930699ff
[6/29/16 12:17:30:016 IST] 00000211 SystemOut O Valid from Thu Oct 31 05:30:00 IST 2013 until Tue Oct 31 05:29:59 IST 2023
[6/29/16 12:17:30:016 IST] 00000211 SystemOut O
[6/29/16 12:17:30:019 IST] 00000211 SystemOut O ***
[6/29/16 12:17:30:019 IST] 00000211 SystemOut O found key for : default
[6/29/16 12:17:30:020 IST] 00000211 SystemOut O chain [0] = [
[
Version: V3
Subject: CN=localhost, OU=localhost, OU=localhost, O=IBM, C=US
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: IBMJCE RSA Public Key:
modulus:
26167541711086627791578871564616365051862711740169857710554547535189479149908374929516177090517001379910396688828760654542434329119238956286945379132186129759458751111248999650559731436488161569437501148312306505875762201215861268858168483037657932583161029509501700884430074843289607373839133072877375577360636060242737127872859949426685225542431385914834039901653766669062129732208534425904601424824899456065980585969976422194265319042002149984018361515399815820913269930221749561374832898783792638898537082727405570885654709258468168429473416388030507181343754356665510039104609297653873247510424200394843741361793
public exponent:
65537
Validity: [From: Mon Mar 28 18:05:24 IST 2016,
To: Tue Mar 28 18:05:24 IST 2017]
Issuer: CN=localhost, OU=Root Certificate, OU=localhost, OU=localhost, O=IBM, C=US
SerialNumber: [10056828754800]
Certificate Extensions: 2
[1]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
[RFC822Name: ProfileUUID:WCDE80_180144-BASE-8a713340-a4f8-4abe-ae41-aaedf50c06bd]]
[2]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 41 79 84 39 4f 6c 37 6f Ay.9Ol7o
]
]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 16 f9 9f a4 29 1d f4 17 7d 80 6e 34 e7 47 5b b2 ..........n4.G..
0010: 1c fd 5b 08 92 b8 24 e7 51 04 67 71 0a 91 1c 88 ........Q.gq....
0020: 63 c4 02 99 94 dd a2 21 93 0e 58 f0 5b 94 54 27 c.........X...T.
0030: 02 d1 fe 65 8d 05 78 4d 35 02 c4 28 f9 d5 3b 11 ...e..xM5.......
0040: 95 28 d4 87 b2 2c e2 e5 77 f8 06 55 f4 f3 72 ec ........w..U..r.
0050: c9 95 6f 1e 9c a4 02 f5 41 8d 50 c0 c0 5c df 5f ..o.....A.P.....
0060: 2f dd 90 2f 8c a1 53 f3 8b a4 5f 25 37 30 06 b9 ......S.....70..
0070: 2d a2 24 7b 4c bb 60 56 0b a4 b3 6e 73 a0 71 12 ....L..V...ns.q.
0080: ab 30 df 4d 27 3c 2b 8c 66 c5 b1 b5 56 e5 3c 41 .0.M....f...V..A
0090: 65 42 d4 d6 c2 8a ec 4e ec cc c1 62 49 75 ed 1c eB.....N...bIu..
00a0: 1d c3 f6 d0 dd 79 d4 a0 9c 1e ce 1a a8 ac 0b 68 .....y.........h
00b0: b4 50 cb 6b 92 8b 9e 99 96 2c ff 5b f8 63 2e a4 .P.k.........c..
00c0: fa 4c 82 13 8d 6d 5c 49 6b 32 49 41 4d 3f 8a eb .L...m.Ik2IAM...
00d0: 16 77 60 3e 84 af 7d 38 ed 06 7d 7c b9 69 0c 50 .w.....8.....i.P
00e0: f6 59 10 d4 70 76 8c 0d 23 40 68 66 7c be d0 a7 .Y..pv....hf....
00f0: 5d 43 55 c7 5e 31 6c ef 25 cc ec 6b d3 05 4f e8 .CU..1l....k..O.
]
[6/29/16 12:17:30:020 IST] 00000211 SystemOut O chain [1] = [
[
Version: V3
Subject: CN=localhost, OU=Root Certificate, OU=localhost, OU=localhost, O=IBM, C=US
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: IBMJCE RSA Public Key:
modulus:
19904753990009309220640490407026050840230290478827945495559467830914675305969718816314697475824624971015421979520946317273041884889483490534710677359598087244263711680653006429506370864649858288482237624045812419537775828964539312096597139584695395163230244568608219831591052376071824331577827894488085049089178639843811986500484212726449214616765323493684584926518468131402057026630937301877109272783156174698101767247279976634672974959576739431097029244885330417865240554525368272023593234999310504632854754949649989504797724839753383392964247687587360456802376083021433419450872358735106842206689297528583371429329
public exponent:
65537
Validity: [From: Mon Mar 28 18:05:23 IST 2016,
To: Tue Mar 25 18:05:23 IST 2031]
Issuer: CN=localhost, OU=Root Certificate, OU=localhost, OU=localhost, O=IBM, C=US
SerialNumber: [10056343818100]
Certificate Extensions: 3
[1]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
[2]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
[RFC822Name: ProfileUUID:WCDE80_180144-BASE-8a713340-a4f8-4abe-ae41-aaedf50c06bd]]
[3]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 40 c3 48 d5 8e 43 b9 e0 ..H..C..
]
]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 87 17 da 78 ef 39 12 f0 d2 1b f0 11 70 9d 83 96 ...x.9......p...
0010: 00 70 6f bd 2d 19 6c 5b 64 3f 75 8b cf 61 ae b9 .po...l.d.u..a..
0020: 2c 6c b4 cd da b7 6e 6f 03 1b 9f f0 ff 07 6f ff .l....no......o.
0030: a1 79 a7 4a 08 e6 2a 1c 4e 5b 13 75 03 9d ab 88 .y.J....N..u....
0040: 79 be ca e3 e7 c5 66 ab f9 49 96 06 b4 81 2b 3a y.....f..I......
0050: 33 5b c1 bd c9 e4 c7 07 10 61 5c 38 0f 5d a6 b1 3........a.8....
0060: 40 93 bf ec 37 34 34 d2 ec 30 3d ae 9a 80 6b ca ....744..0....k.
0070: 1b 43 58 73 be ec 1b 41 70 3f 11 1c f3 42 a0 e6 .CXs...Ap....B..
0080: ce d5 a3 a5 37 a7 c9 46 34 3e ac a1 32 bd c3 6e ....7..F4...2..n
0090: 07 49 e0 e3 2e 85 f4 04 6b 68 80 58 a3 32 58 1c .I......kh.X.2X.
00a0: 06 90 e2 64 1a 8d 68 20 e4 a2 28 56 cf d6 06 76 ...d..h....V...v
00b0: eb 53 4f d1 90 3b 82 b0 fc 61 47 3d 3d 4b dd 03 .SO......aG..K..
00c0: 59 e4 03 7e 7e 00 47 51 2f f4 f2 17 f8 34 d1 bd Y.....GQ.....4..
00d0: 24 b9 12 8c 8e b9 18 32 4e 89 a3 fe 6e ec 3f 9b .......2N...n...
00e0: 33 0d a0 f3 45 4c 88 04 97 3d 31 07 33 81 5a 11 3...EL....1.3.Z.
00f0: e8 1d d1 68 2e 50 66 8a 4e f7 77 3c 64 82 60 a8 ...h.Pf.N.w.d...
]
[6/29/16 12:17:30:020 IST] 00000211 SystemOut O ***
[6/29/16 12:17:30:022 IST] 00000211 SystemOut O ***
[6/29/16 12:17:30:022 IST] 00000211 SystemOut O found key for : paypal
[6/29/16 12:17:30:022 IST] 00000211 SystemOut O chain [0] = [
[
Version: V3
Subject: C=US, ST=CA, L=Santa Clara, O=HP, CN=hpbiztest_api1.hp.com
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: IBMJCE RSA Public Key:
modulus:
167767787854827133772476094878602356419059997517346374275255466537187831576020199052607407432097460847863697600517067858769595716996015976450736236072075948148640801631718329787519229056273024787589358929246179803681154066413328089574908636575846498188850427968011672902341432046713914611785901831874548450751
public exponent:
65537
Validity: [From: Tue Jan 10 01:00:44 IST 2012,
To: Fri Jan 07 01:00:44 IST 2022]
Issuer: EMAILADDRESS=re#paypal.com, CN=sandbox_camerchapi, OU=sandbox_certs, O="PayPal, Inc.", L=San Jose, ST=California, C=US
SerialNumber: [1049731]
Certificate Extensions: 1
[1]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
]
Algorithm: [SHA1withRSA]
Signature:
0000: 2a 5c 68 2b fd 0a 5f 62 71 32 51 2b 25 66 cf 65 ..h....bq2Q..f.e
0010: a4 ca 06 2a d3 f1 ae 58 6d d0 bf a3 c4 e2 2e a4 .......Xm.......
0020: 98 5b 4a 01 c1 09 aa ba e9 d3 91 a0 09 d8 bf c1 ..J.............
0030: 28 17 b8 9c 7c 15 7a 08 1b ff 92 71 98 2c 28 11 ......z....q....
0040: c4 97 6f 23 fc d7 4f 3f 09 b1 5a c9 06 f2 49 6d ..o...O...Z...Im
0050: 11 d5 87 fc d4 3e 25 1d 91 fe ff 4d 67 a8 ec a4 ...........Mg...
0060: b2 4d 5e 39 5d ef 7e 6b e8 f7 86 b7 2b 35 d6 d5 .M.9...k.....5..
0070: f0 24 6c 7a 0f bc 15 9e e2 84 3c f5 80 81 d2 01 ..lz............
]
[6/29/16 12:17:30:022 IST] 00000211 SystemOut O ***
[6/29/16 12:17:30:023 IST] 00000211 SystemOut O SSLContextImpl: Using X509ExtendedKeyManager com.ibm.ws.ssl.core.WSX509KeyManager
[6/29/16 12:17:30:023 IST] 00000211 SystemOut O SSLContextImpl: Using X509TrustManager com.ibm.ws.ssl.core.WSX509TrustManager
[6/29/16 12:17:30:023 IST] 00000211 SystemOut O JsseJCE: Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.7
[6/29/16 12:17:30:023 IST] 00000211 SystemOut O trigger seeding of SecureRandom
[6/29/16 12:17:30:023 IST] 00000211 SystemOut O done seeding SecureRandom
[6/29/16 12:17:30:023 IST] 00000211 SystemOut O Using SSLEngineImpl.
[6/29/16 12:17:30:023 IST] 00000211 SystemOut O SSLv3 protocol was requested but was not enabled
[6/29/16 12:17:30:025 IST] 00000211 SystemOut O SSLv3 protocol was requested but was not enabled
[6/29/16 12:17:30:027 IST] 00000211 SystemOut O IBMJSSE2 will not allow unsafe server certificate change during renegotiation per jdk.tls.allowUnsafeServerCertChange set to FALSE or default
[6/29/16 12:17:30:027 IST] 00000211 SystemOut O
Is initial handshake: true
[6/29/16 12:17:30:027 IST] 00000211 SystemOut O Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
[6/29/16 12:17:30:027 IST] 00000211 SystemOut O Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
[6/29/16 12:17:30:027 IST] 00000211 SystemOut O Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1
[6/29/16 12:17:30:027 IST] 00000211 SystemOut O Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_CBC_SHA256
[6/29/16 12:17:30:027 IST] 00000211 SystemOut O Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
[6/29/16 12:17:30:027 IST] 00000211 SystemOut O Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
[6/29/16 12:17:30:027 IST] 00000211 SystemOut O Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_GCM_SHA256
[6/29/16 12:17:30:029 IST] 00000211 SystemOut O Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
[6/29/16 12:17:30:029 IST] 00000211 SystemOut O Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_GCM_SHA256
[6/29/16 12:17:30:029 IST] 00000211 SystemOut O %% No cached client session
[6/29/16 12:17:30:030 IST] 00000211 SystemOut O *** ClientHello, TLSv1
[6/29/16 12:17:30:030 IST] 00000211 SystemOut O RandomCookie: GMT: 1467182850 bytes = { 165, 170, 151, 64, 41, 40, 119, 74, 254, 115, 32, 213, 78, 45, 52, 66, 73, 224, 116, 255, 176, 137, 93, 27, 30, 166, 193, 21 }
[6/29/16 12:17:30:030 IST] 00000211 SystemOut O Session ID: {}
[6/29/16 12:17:30:030 IST] 00000211 SystemOut O Cipher Suites: [SSL_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA]
[6/29/16 12:17:30:030 IST] 00000211 SystemOut O Compression Methods: { 0 }
[6/29/16 12:17:30:030 IST] 00000211 SystemOut O Extension renegotiation_info, ri_length: 0, ri_connection_data: { null }
[6/29/16 12:17:30:030 IST] 00000211 SystemOut O Extension server_name, server_name: [host_name: web-proxy.corp.hp.com]
[6/29/16 12:17:30:030 IST] 00000211 SystemOut O ***
[6/29/16 12:17:30:030 IST] 00000211 SystemOut O [write] MD5 and SHA1 hashes: len = 92
[6/29/16 12:17:30:031 IST] 00000211 SystemOut O 0000: 01 00 00 58 03 01 57 73 6f 02 a5 aa 97 40 29 28 ...X..Wso.......
0010: 77 4a fe 73 20 d5 4e 2d 34 42 49 e0 74 ff b0 89 wJ.s..N.4BI.t...
0020: 5d 1b 1e a6 c1 15 00 00 0c 00 2f 00 33 00 32 00 ............3.2.
0030: 0a 00 16 00 13 01 00 00 23 ff 01 00 01 00 00 00 ................
0040: 00 1a 00 18 00 00 15 77 65 62 2d 70 72 6f 78 79 .......web.proxy
0050: 2e 63 6f 72 70 2e 68 70 2e 63 6f 6d .corp.hp.com
[6/29/16 12:17:30:031 IST] 00000211 SystemOut O WebContainer : 4, WRITE: TLSv1 Handshake, length = 92
[6/29/16 12:17:30:031 IST] 00000211 SystemOut O [Raw write]: length = 97
[6/29/16 12:17:30:031 IST] 00000211 SystemOut O 0000: 16 03 01 00 5c 01 00 00 58 03 01 57 73 6f 02 a5 ........X..Wso..
0010: aa 97 40 29 28 77 4a fe 73 20 d5 4e 2d 34 42 49 .....wJ.s..N.4BI
0020: e0 74 ff b0 89 5d 1b 1e a6 c1 15 00 00 0c 00 2f .t..............
0030: 00 33 00 32 00 0a 00 16 00 13 01 00 00 23 ff 01 .3.2............
0040: 00 01 00 00 00 00 1a 00 18 00 00 15 77 65 62 2d ............web.
0050: 70 72 6f 78 79 2e 63 6f 72 70 2e 68 70 2e 63 6f proxy.corp.hp.co
0060: 6d m
[6/29/16 12:17:30:371 IST] 00000211 SystemOut O [Raw read]: length = 5
[6/29/16 12:17:30:371 IST] 00000211 SystemOut O 0000: 15 03 01 00 02 .....
[6/29/16 12:17:30:371 IST] 00000211 SystemOut O [Raw read]: length = 2
[6/29/16 12:17:30:371 IST] 00000211 SystemOut O 0000: 02 28 ..
[6/29/16 12:17:30:371 IST] 00000211 SystemOut O WebContainer : 4, READ: TLSv1 Alert, length = 2
[6/29/16 12:17:30:371 IST] 00000211 SystemOut O WebContainer : 4, RECV TLSv1 ALERT: fatal, handshake_failure
[6/29/16 12:17:30:373 IST] 00000211 SystemOut O WebContainer : 4, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: handshake_failure
[6/29/16 12:17:30:373 IST] 00000211 SystemOut O WebContainer : 4, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: handshake_failure

ssl connection failed because of sanity check fail

I am working in establishing a secure communication channel between a java server and a tls client. During the handshake, all goes well, the client Hello and server Hello messages are correct. Moreover, they both generate the same master secret for the engaged session. But at the really end of the handshake, server throws an exception telling "Ciphertext sanity check fails".
Client trace
0050 - 34 68 ed 2f 6e 4h./n
>>> TLS 1.2 ChangeCipherSpec [length 0001]
01
write to 0x1878b98 [0x18891f0] (6 bytes => 6 (0x6))
0000 - 14 03 03 00 01 01 ......
>>> TLS 1.2 Handshake [length 0010], Finished
14 00 00 0c 14 54 0c 4d c0 22 62 90 c2 92 a1 d1
write to 0x1878b98 [0x18891f0] (45 bytes => 45 (0x2D))
0000 - 16 03 03 00 28 b7 76 bd-36 cd cd eb 8d 9f 34 46 ....(.v.6.....4F
0010 - 25 f7 61 cc cd a3 8e af-6d da 14 60 3c 0f 50 21 %.a.....m..`<.P!
0020 - f4 cc 7a a4 af cf 75 d8-48 54 ee b9 44 ..z...u.HT..D
read from 0x1878b98 [0x187f7e3] (5 bytes => 5 (0x5))
0000 - 15 03 03 00 02 .....
read from 0x1878b98 [0x187f7e8] (2 bytes => 2 (0x2))
0000 - 02 28 .(
<<< TLS 1.2 Alert [length 0002], fatal handshake_failure
02 28
Server's side:
[Raw read]: length = 5
0000: 14 03 03 00 01 .....
[Raw read]: length = 1
0000: 01 .
Thread-0, READ: TLSv1.2 Change Cipher Spec, length = 1
[Raw read]: length = 5
0000: 16 03 03 00 28 ....(
[Raw read]: length = 40
0000: B7 76 BD 36 CD CD EB 8D 9F 34 46 25 F7 61 CC CD .v.6.....4F%.a..
0010: A3 8E AF 6D DA 14 60 3C 0F 50 21 F4 CC 7A A4 AF ...m..`<.P!..z..
0020: CF 75 D8 48 54 EE B9 44 .u.HT..D
Thread-0, READ: TLSv1.2 Handshake, length = 40
%% Invalidated: [Session-1, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]
Thread-0, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
Thread-0, WRITE: TLSv1.2 Alert, length = 2
[Raw write]: length = 7
0000: 15 03 03 00 02 02 28 ......(
Thread-0, called closeSocket()
Thread-0, handling exception: javax.net.ssl.SSLHandshakeException: ciphertext sanity check failed
What I can not understand is why the server is launching such exception while it succeeds in decrypting the ChangeCipherSpec message sent from the client? What could be the reason for such exception?
N.B: I already check and they both derived the same master key, here it is:
Server's side
CONNECTION KEYGEN:
Client Nonce:
0000: 48 B2 6C 02 B1 40 0B D9 6E 14 EB 7A 93 7D 2F 07 H.l..#..n..z../.
0010: 90 CF 1E 5D 65 8A 66 89 54 D4 60 50 BD AC AB 34 ...]e.f.T.`P...4
Server Nonce:
0000: 54 FD 9A E3 BB D4 15 61 A6 0C D3 30 FA 07 0A 16 T......a...0....
0010: 79 A8 79 0B 0A 81 00 95 9C CA C0 7A F1 FF 37 E7 y.y........z..7.
Master Secret:
0000: 39 5B EB 11 66 09 25 B5 6D E4 C7 86 E4 3E 10 BB 9[..f.%.m....>..
0010: B4 F0 D9 B7 BD 7D 8F AD 58 38 31 42 B6 90 53 AD ........X81B..S.
0020: 54 46 36 DC F5 75 8A 9D 77 58 D5 24 6C 96 90 02 TF6..u..wX.$l...
Client's side
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-ECDSA-AES128-GCM-SHA256
Session-ID: 54FD9AE3A3B3BF807F408FA830641F850702E986C27FC631AF8E8E3097038166
Session-ID-ctx:
Master-Key: 395BEB11660925B56DE4C786E43E10BBB4F0D9B7BD7D8FAD58383142B69053AD544636DCF5758A9D7758D5246C969002
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
Thanks in advance to you guys.

How to configure WSO2 ESB SSL access with HostnameVerifier AllowAll

I have been struggling with the configuration of WSO2 ESB for a few days now when trying to access an https web service. I have followed numerous pieces of advice and what I have done so far is to
import the web service client certificate into client-truststore.jks in repostory/resources/security
added proxy access parameters to repository/conf/axis2/axis2.xml (because the ESB is behind corporate firewall)
added AllowAll parameter to transportSender https in axis2.xml
restarted esb and still get the exception
http-nio-9443-exec-50, SEND TLSv1 ALERT: fatal, description = certificate_unknown
http-nio-9443-exec-50, WRITE: TLSv1 Alert, length = 2
http-nio-9443-exec-50, called closeSocket()
http-nio-9443-exec-50, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching my.domain.com found
http-nio-9443-exec-50, WRITE: TLSv1 Application Data, length = 1
http-nio-9443-exec-50, WRITE: TLSv1 Application Data, length = 154
I am using jdk1.6_34 and tried with WSO2 ESB 4.5.1 and 4.6 with the same results.
The logging is showing the ssl handshake being started but then ends with the error above. All the googling suggests that the hostnameverifier parameter should do the trick but clearly doesn't. Is there somewhere else I should be configuring this or if this parameter is being overridden somewhere else? I have run out of options and places to look with this.
Edit:
I have had another attempt at this and by setting the host name in my hosts file to the CN specified in the client certificate I can now get a bit further but I am now getting another error which I can't seem to fathom out.
The specific error is "... no IV used for this cipher", but with the debug trace being
Found trusted certificate:
[
[
Version: V1
Subject: CN=mydomain.com, O=my o, ST=INTERFACES, C=GB
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits
modulus:#### loads of numbers here ####
public exponent: 65537
Validity: [From: Mon Apr 22 14:26:25 BST 2013,
To: Tue Apr 22 14:26:25 BST 2014]
Issuer: CN=ath-st2-API-a, O=Northgate IS, ST=INTERFACES, C=GB
SerialNumber: [ a4cf31a6 9c0d920d]
]
Algorithm: [SHA1withRSA]
Signature:
### signature here ###
]
http-nio-9443-exec-13, READ: SSLv3 Handshake, length = 98
*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:
<CN=mydomain.com, O=my o, ST=INTERFACES, C=GB>
*** ServerHelloDone
http-nio-9443-exec-13, SEND SSLv3 ALERT: warning, description = no_certificate
http-nio-9443-exec-13, WRITE: SSLv3 Alert, length = 2
*** ClientKeyExchange, RSA PreMasterSecret, SSLv3
http-nio-9443-exec-13, WRITE: SSLv3 Handshake, length = 132
SESSION KEYGEN:
PreMaster Secret:
###master secret here ####
CONNECTION KEYGEN:
Client Nonce:
0000: 52 45 86 22 10 B0 E2 EF 19 10 B1 04 ED C9 6F B0 RE."..........o.
0010: C3 8E BC D6 2C C9 5E D0 CA 8E 88 6B 22 53 1D B0 ....,.^....k"S..
Server Nonce:
0000: 52 45 86 23 B0 56 30 EC 84 F0 48 C1 F7 31 0C 5C RE.#.V0...H..1.\
0010: 43 B3 CB 25 DA 19 4C 0E B1 71 CB 17 8E 0C 62 04 C..%..L..q....b.
Master Secret:
0000: C3 F4 6B 9B EB 50 67 BD 6C A8 F0 63 88 A1 5A C7 ..k..Pg.l..c..Z.
0010: E5 CD A4 9A 46 95 3F B3 13 2D 4E BF 77 2C 64 86 ....F.?..-N.w,d.
0020: 44 D2 89 B5 09 EE 96 E5 8B 8D E2 30 04 09 F2 D3 D..........0....
Client MAC write Secret:
0000: F7 76 83 C9 16 F5 CB 33 E3 43 3F 7B 68 2E 8A 6F .v.....3.C?.h..o
Server MAC write Secret:
0000: CC FB 14 CE 21 AD C8 BC 20 C1 A5 2B 0B 2B 83 35 ....!... ..+.+.5
Client write key:
0000: 9C 9E FA A5 68 6E 27 2C E0 6E 80 9D ED C9 1C 01 ....hn',.n......
Server write key:
0000: B7 5A 24 DD 6F 65 5A 7E C8 AD 4A 29 E4 09 08 6D .Z$.oeZ...J)...m
... no IV used for this cipher
http-nio-9443-exec-13, WRITE: SSLv3 Change Cipher Spec, length = 1
*** Finished
verify_data: { 174, 247, 182, 190, 5, 104, 242, 127, 216, 79, 94, 15, 215, 236, 236, 211, 30, 51, 116, 56, 138, 144, 19, 125, 0, 54, 52, 114, 173, 138, 170, 166, 24, 67, 108, 102 }
***
http-nio-9443-exec-13, WRITE: SSLv3 Handshake, length = 56
http-nio-9443-exec-13, READ: SSLv3 Alert, length = 2
http-nio-9443-exec-13, RECV SSLv3 ALERT: fatal, handshake_failure
http-nio-9443-exec-13, called closeSocket()
http-nio-9443-exec-13, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert
: handshake_failure
http-nio-9443-exec-13, WRITE: TLSv1 Application Data, length = 1
http-nio-9443-exec-13, WRITE: TLSv1 Application Data, length = 154
http-nio-9443-ClientPoller-0, called closeOutbound()
http-nio-9443-ClientPoller-0, closeOutboundInternal()
http-nio-9443-ClientPoller-0, SEND TLSv1 ALERT: warning, description = close_notify
http-nio-9443-ClientPoller-0, WRITE: TLSv1 Alert, length = 32
Finalizer, called close()
Finalizer, called closeInternal(true)
I have tried passing https.protocols=SSLv3,SSLv2Hello or https.protocols=SSLv3 in the axis2 config file as a to the https sender transport but this doesn't help either.
Suggestions welcome.
thanks
Conrad

StartTls, ApacheDS Problem

I have been struggling in getting Start Tls to work for my ldap server. I have configured a keystore and password in a spring context file. My configuration seems to work for SSL but Star Tls is causing goosebumps. I have added StarTlsHandler as an ExtendedOperationHandler in wrapper of my LDAP Server. Do I need to configure anything else as well.
I am using JDK 1.6.0_15
Keystore and password are hard coded at the moment, they seem OK when I use SSL or debug.
I am using JLdap Client to test my implementation.
Here is a code snippet I have added for Handler:
ldapServer.setKeystoreFile("C:/jdk/dgekey.ks");
ldapServer.setCertificatePassword("secret");
ldapServer.addExtendedOperationHandler(new StartTlsHandler());
Below you can see stack trace on the server side, client trace is further down:
2011-05-10 12:51:29,345 [rThread-4861-21] DEBUG [org.apache.directory.server.ldap.handlers.extended.StartTlsHandler] Setting LDAP Service
2011-05-10 12:51:29,345 [rThread-4861-21] DEBUG [org.apache.directory.server.ldap.handlers.extended.StartTlsHandler] provider = SUN version 1.6
2011-05-10 12:58:31,029 [rThread-4861-21] ERROR [org.apache.directory.server.core.security.CoreKeyStoreSpi] ERR_68 Failed on attempt to extract key.
java.lang.IllegalStateException: ERR_436 Names used for principals must be normalized!
at org.apache.directory.server.core.LdapPrincipal.(LdapPrincipal.java:76)
at org.apache.directory.server.core.security.CoreKeyStoreSpi.getTlsEntry(CoreKeyStoreSpi.java:84)
at org.apache.directory.server.core.security.CoreKeyStoreSpi.engineGetKey(CoreKeyStoreSpi.java:231)
at java.security.KeyStore.getKey(KeyStore.java:763)
at com.sun.net.ssl.internal.ssl.SunX509KeyManagerImpl.(SunX509KeyManagerImpl.java:113)
at com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:48)
at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:239)
at org.apache.directory.server.ldap.handlers.extended.StartTlsHandler.setLdapServer(StartTlsHandler.java:170)
at org.apache.directory.server.ldap.LdapServer.startNetwork(LdapServer.java:542)
at org.apache.directory.server.ldap.LdapServer.start(LdapServer.java:446)
at com..ldap.apacheds.LdapServerWrapper.afterPropertiesSet(LdapServerWrapper.java:103)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1469)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1409)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:519)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456)
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:291)
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:288)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:190)
at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:574)
at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:895)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:425)
at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:276)
at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:197)
at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:47)
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4655)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:5364)
at com.sun.enterprise.web.WebModule.start(WebModule.java:345)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:986)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:970)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:704)
at com.sun.enterprise.web.WebContainer.loadWebModule(WebContainer.java:1649)
at com.sun.enterprise.web.WebContainer.loadWebModule(WebContainer.java:1254)
at com.sun.enterprise.server.WebModuleDeployEventListener.moduleDeployed(WebModuleDeployEventListener.java:182)
at com.sun.enterprise.server.WebModuleDeployEventListener.moduleDeployed(WebModuleDeployEventListener.java:278)
at com.sun.enterprise.admin.event.AdminEventMulticaster.invokeModuleDeployEventListener(AdminEventMulticaster.java:1005)
at com.sun.enterprise.admin.event.AdminEventMulticaster.handleModuleDeployEvent(AdminEventMulticaster.java:992)
at com.sun.enterprise.admin.event.AdminEventMulticaster.processEvent(AdminEventMulticaster.java:470)
at com.sun.enterprise.admin.event.AdminEventMulticaster.multicastEvent(AdminEventMulticaster.java:182)
at com.sun.enterprise.admin.server.core.DeploymentNotificationHelper.multicastEvent(DeploymentNotificationHelper.java:308)
at com.sun.enterprise.deployment.phasing.DeploymentServiceUtils.multicastEvent(DeploymentServiceUtils.java:231)
at com.sun.enterprise.deployment.phasing.ServerDeploymentTarget.sendStartEvent(ServerDeploymentTarget.java:298)
at com.sun.enterprise.deployment.phasing.ApplicationStartPhase.runPhase(ApplicationStartPhase.java:132)
at com.sun.enterprise.deployment.phasing.DeploymentPhase.executePhase(DeploymentPhase.java:108)
at com.sun.enterprise.deployment.phasing.PEDeploymentService.executePhases(PEDeploymentService.java:966)
at com.sun.enterprise.deployment.phasing.PEDeploymentService.start(PEDeploymentService.java:609)
at com.sun.enterprise.deployment.phasing.PEDeploymentService.start(PEDeploymentService.java:653)
at com.sun.enterprise.admin.mbeans.ApplicationsConfigMBean.start(ApplicationsConfigMBean.java:773)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.sun.enterprise.admin.MBeanHelper.invokeOperationInBean(MBeanHelper.java:390)
at com.sun.enterprise.admin.MBeanHelper.invokeOperationInBean(MBeanHelper.java:373)
at com.sun.enterprise.admin.config.BaseConfigMBean.invoke(BaseConfigMBean.java:477)
at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:836)
at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:761)
at sun.reflect.GeneratedMethodAccessor15.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.sun.enterprise.admin.util.proxy.ProxyClass.invoke(ProxyClass.java:90)
at $Proxy1.invoke(Unknown Source)
at com.sun.enterprise.admin.server.core.jmx.SunoneInterceptor.invoke(SunoneInterceptor.java:304)
at com.sun.enterprise.interceptor.DynamicInterceptor.invoke(DynamicInterceptor.java:170)
at com.sun.enterprise.admin.jmx.remote.server.callers.InvokeCaller.call(InvokeCaller.java:69)
at com.sun.enterprise.admin.jmx.remote.server.MBeanServerRequestHandler.handle(MBeanServerRequestHandler.java:155)
at com.sun.enterprise.admin.jmx.remote.server.servlet.RemoteJmxConnectorServlet.processRequest(RemoteJmxConnectorServlet.java:122)
at com.sun.enterprise.admin.jmx.remote.server.servlet.RemoteJmxConnectorServlet.doPost(RemoteJmxConnectorServlet.java:193)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:754)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
at org.apache.catalina.core.ApplicationFilterChain.servletService(ApplicationFilterChain.java:427)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:315)
at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:287)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:218)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:648)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:593)
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:94)
at com.sun.enterprise.web.PESessionLockingStandardPipeline.invoke(PESessionLockingStandardPipeline.java:98)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:222)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:648)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:593)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:587)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1093)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:166)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:648)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:593)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:587)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1093)
at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:291)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:666)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.doProcess(DefaultProcessorTask.java:597)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.process(DefaultProcessorTask.java:872)
at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.executeProcessorTask(DefaultReadTask.java:341)
at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:263)
at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:214)
at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:264)
at com.sun.enterprise.web.connector.grizzly.WorkerThreadImpl.run(WorkerThreadImpl.java:117)
****Client Trace via javax.net.debug=all;****
keyStore is : C:/jdk/cacerts
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
trustStore is: C:\jdk\cacerts
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
Subject: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
Issuer: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
Algorithm: RSA; Serial number: 0x4eb200670c035d4f
Valid from Wed Oct 25 10:36:00 CEST 2006 until Sat Oct 25 10:36:00 CEST 2036
trigger seeding of SecureRandom
done seeding SecureRandom
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1288255192 bytes = { 100, 146, 27, 29, 47, 10, 97, 247, 253, 145, 49, 147, 239, 157, 90, 4, 34, 15, 99, 243, 191, 156, 251, 25, 64, 42, 210, 231 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods: { 0 }
[write] MD5 and SHA1 hashes: len = 73
0000: 01 00 00 45 03 01 4D C9 37 D8 64 92 1B 1D 2F 0A ...E..M.7.d.../.
0010: 61 F7 FD 91 31 93 EF 9D 5A 04 22 0F 63 F3 BF 9C a...1...Z.".c...
0020: FB 19 40 2A D2 E7 00 00 1E 00 04 00 05 00 2F 00 ..#........../.
0030: 33 00 32 00 0A 00 16 00 13 00 09 00 15 00 12 00 3.2.............
0040: 03 00 08 00 14 00 11 01 00 .........
main, WRITE: TLSv1 Handshake, length = 73
[write] MD5 and SHA1 hashes: len = 98
0000: 01 03 01 00 39 00 00 00 20 00 00 04 01 00 80 00 ....9... .......
0010: 00 05 00 00 2F 00 00 33 00 00 32 00 00 0A 07 00 ..../..3..2.....
0020: C0 00 00 16 00 00 13 00 00 09 06 00 40 00 00 15 ............#...
0030: 00 00 12 00 00 03 02 00 80 00 00 08 00 00 14 00 ................
0040: 00 11 4D C9 37 D8 64 92 1B 1D 2F 0A 61 F7 FD 91 ..M.7.d.../.a...
0050: 31 93 EF 9D 5A 04 22 0F 63 F3 BF 9C FB 19 40 2A 1...Z.".c.....#
0060: D2 E7 ..
main, WRITE: SSLv2 client hello message, length = 98
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1 ALERT: fatal, handshake_failure
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Error: LDAPException: Could not negotiate a secure connection (91) Connect Error
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Currently TlsHandler can only read the certificate from the uid=admin,ou=system entry. Can you try after setting your certificate and keys to the appropriate attribute values of the admin entry (uid=admin,ou=system). I will try to fix this in the latest trunk. (Appreciate if you can file a bug report).