Related
When I try to access our website through IE11, SSL handshake failed. On IE, following error is displayed.
SSL Error on IE
I enabled SSL debug logging on tomcat. Result is attached.
SSL debug log
I also did a packet trace through wireshark. Result is attached.
Packet Trace
Can somebody help me in understanding, why IE sent RST and handshake is unsuccessful?
For convenience, here is the SSL debug log copy.
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
https-jsse-nio2-10443-exec-7, READ: TLSv1.2 Handshake, length = 175
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1545319557 bytes = { 241, 102, 68, 19, 196, 186, 58, 2, 142, 179, 180, 186, 80, 189, 251, 212, 30, 48, 78, 122, 139, 95, 16, 6, 61, 81, 9, 233 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods: { 0 }
Unsupported extension status_request, data: 01:00:00:00:00
Extension elliptic_curves, curve names: {unknown curve 29, secp256r1, secp384r1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA256withRSA, SHA384withRSA, SHA1withRSA, SHA256withECDSA, SHA384withECDSA, SHA1withECDSA, SHA1withDSA, SHA512withRSA, SHA512withECDSA
Unsupported extension type_35, data:
Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
Extension extended_master_secret
Unsupported extension type_24, data: 00:10:03:02:01:00
Extension renegotiation_info, renegotiated_connection: <empty>
***
%% Initialized: [Session-3, SSL_NULL_WITH_NULL_NULL]
Standard ciphersuite chosen: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
%% Negotiating: [Session-3, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
*** ServerHello, TLSv1.2
RandomCookie: GMT: 1545319557 bytes = { 97, 98, 78, 54, 18, 174, 216, 230, 116, 27, 86, 149, 238, 243, 141, 200, 231, 225, 54, 68, 118, 22, 87, 178, 217, 116, 246, 186 }
Session ID: {92, 28, 181, 133, 160, 19, 139, 114, 99, 216, 10, 155, 173, 137, 237, 25, 140, 59, 153, 195, 245, 204, 179, 49, 89, 205, 42, 221, 126, 28, 147, 57}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension extended_master_secret
***
Cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=clockcontroller, OU=WorkForce Software, O=WorkForce Software, C=US
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
modulus: 26867932193095777263289930763858312315175451169911540270469975322434401554593517846489231467419363365037593818036593693556117551448063131659525311661292145333515905286916353710412662237765713687248571705693533912575809165971751779925378770578516513573848298027718280225066822697515300871707147459915587779589377876395738318963921532217111299410821422855058019420912762790697366719695263850247093569765798072591751245131093354944223958262752669165567038947970251243583487419772340666576477861756748688921273067030346748496043574503202045236644578277345107987729325458604284470785207456233675325551660606573693389742779
public exponent: 65537
Validity: [From: Mon Oct 22 08:56:19 EDT 2018,
To: Thu Oct 19 08:56:19 EDT 2028]
Issuer: CN=clockcontroller, OU=WorkForce Software, O=WorkForce Software, C=US
SerialNumber: [ 29565e6b]
Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: F4 F5 1B CB 86 A2 7F 5E 25 2C 5D 9D 62 B8 67 45 .......^%,].b.gE
0010: 06 B5 9E 82 ....
]
]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 16 F2 4F B7 B3 AC E9 87 27 18 C5 FC 9D 61 FF 58 ..O.....'....a.X
0010: A8 D5 9D D8 BA 9E 5A 1D E9 96 EC 17 C4 16 09 EB ......Z.........
0020: 6A F8 5E 3A 62 FC DF 73 13 A6 A7 54 D1 A0 E2 56 j.^:b..s...T...V
0030: 51 C9 7E 55 DA 89 80 1A 30 7E 31 2C 03 C4 90 84 Q..U....0.1,....
0040: 62 B9 AA 6D 0C E0 33 CB 89 59 B3 89 59 48 7F B5 b..m..3..Y..YH..
0050: 55 6B 2F CA 37 E0 96 98 FB 75 73 1C EC 4D A8 3A Uk/.7....us..M.:
0060: 89 49 C9 EA AC 8A 2F 65 F1 4D 98 74 87 F8 2D 5E .I..../e.M.t..-^
0070: 89 60 49 17 04 79 F7 EA D4 B0 C3 FF 0B 6E 98 5C .`I..y.......n.\
0080: 9D 16 AE 00 09 55 38 DB 78 23 52 68 EC 79 43 16 .....U8.x#Rh.yC.
0090: EF 28 7E 9E 27 7C 31 FD 4F AB 25 A7 13 94 AC 88 .(..'.1.O.%.....
00A0: DE 60 A8 94 15 8D F0 32 AF 7C 3A F8 DA AD 7A EA .`.....2..:...z.
00B0: FB B4 AF 77 31 8C FC 20 52 CA 36 4A 9F 1A 3E 62 ...w1.. R.6J..>b
00C0: 01 F7 EF 72 FB 06 FC 7F 83 7A 0F FB 71 EA 4C C5 ...r.....z..q.L.
00D0: 0E 14 9D 64 89 7E 85 AE 76 A7 0A 21 4E 3F E5 17 ...d....v..!N?..
00E0: 35 39 DA A8 F5 84 41 C2 38 22 80 73 A0 91 E0 11 59....A.8".s....
00F0: 2D 4F B9 A9 B5 B9 37 7A 25 EE 73 3C 32 23 C6 19 -O....7z%.s<2#..
]
***
*** ECDH ServerKeyExchange
Signature Algorithm SHA256withRSA
Server key: Sun EC public key, 256 bits
public x coord: 20009119234614195494302209861076680467201992809229109970753322221057487611764
public y coord: 17012831469688718179923828827485619723638464800697160800297861041710637731326
parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Cert Authorities:
<CN=082>
<CN=294>
<CN=1136>
<CN=1363>
<CN=1274>
<CN=1278>
<CN=528>
<CN=107>
<CN=734>
<CN=624>
<CN=104>
<CN=373>
<CN=1407>
<CN=071>
<CN=1000>
<CN=450>
<CN=1330>
<CN=607>
<CN=1353>
<CN=059>
<CN=233>
<CN=151>
<CN=911>
<CN=1272>
<CN=1259>
<CN=815>
<CN=1084>
<CN=1106>
<CN=483>
<CN=575>
<CN=1398>
<CN=357>
<CN=976>
<CN=701>
<CN=605>
<CN=204>
<CN=382>
<CN=455>
<CN=1265>
<CN=914>
<CN=1400>
<CN=363>
<CN=541>
<CN=423>
<CN=391>
<CN=933>
<CN=157>
<CN=197>
<CN=610>
<CN=174>
<CN=1064>
<CN=348>
<CN=1355>
<CN=748>
<CN=955>
<CN=212>
<CN=820>
<CN=105>
<CN=202>
<CN=281>
<CN=823>
<CN=1248>
<CN=685>
<CN=1134>
<CN=220>
<CN=045>
<CN=580>
<CN=1061>
<CN=466>
<CN=987>
<CN=988>
<CN=064>
<CN=1086>
<CN=1364>
<CN=842>
<CN=973>
<CN=460>
<CN=069>
<CN=1307>
<CN=1381>
<CN=291>
<CN=699>
<CN=882>
<CN=1179>
<CN=683>
<CN=499>
<CN=594>
<CN=1045>
<CN=474>
<CN=793>
<CN=871>
<CN=632>
<CN=1216>
<CN=1035>
<CN=870>
<CN=874>
<CN=1463>
<CN=021>
<CN=1180>
<CN=891>
<CN=1011>
<CN=130>
<CN=375>
<CN=315>
<CN=888>
<CN=1004>
<CN=023>
<CN=1176>
<CN=290>
<CN=400>
<CN=969>
<CN=709>
<CN=886>
<CN=1396>
<CN=224>
<CN=1135>
<CN=304>
<CN=1240>
<CN=989>
<CN=358>
<CN=1122>
<CN=1104>
<CN=1389>
<CN=776>
<CN=975>
<CN=1103>
<CN=1303>
<CN=1293>
<CN=1209>
<CN=1166>
<CN=853>
<CN=651>
<CN=781>
<CN=347>
<CN=974>
<CN=694>
<CN=1159>
<CN=049>
<CN=158>
<CN=1297>
<CN=1172>
<CN=526>
<CN=1031>
<CN=1490>
<CN=1024>
<CN=300>
<CN=1076>
<CN=141>
<CN=706>
<CN=381>
<CN=619>
<CN=398>
<CN=1258>
<CN=1139>
<CN=146>
<CN=428>
<CN=703>
<CN=189>
<CN=677>
<CN=166>
<CN=1168>
<CN=1251>
<CN=556>
<CN=1085>
<CN=1001>
<CN=795>
<CN=676>
<CN=999>
<CN=156>
<CN=1074>
<CN=667>
<CN=1038>
<CN=960>
<CN=560>
<CN=501>
<CN=1243>
<CN=1483>
<CN=1420>
<CN=462>
<CN=079>
<CN=1461>
<CN=857>
<CN=851>
<CN=502>
<CN=1414>
<CN=807>
<CN=198>
<CN=1261>
<CN=438>
<CN=472>
<CN=012>
<CN=1187>
<CN=707>
<CN=716>
<CN=238>
<CN=1203>
<CN=554>
<CN=342>
<CN=240>
<CN=1392>
<CN=1315>
<CN=1370>
<CN=520>
<CN=1023>
<CN=881>
<CN=048>
<CN=388>
<CN=210>
<CN=209>
<CN=1090>
<CN=095>
<CN=777>
<CN=1436>
<CN=1108>
<CN=1462>
<CN=409>
<CN=1406>
<CN=979>
<CN=817>
<CN=1354>
<CN=801>
<CN=184>
<CN=540>
<CN=116>
<CN=1464>
<CN=406>
<CN=378>
<CN=691>
<CN=659>
<CN=635>
<CN=1413>
<CN=1302>
<CN=565>
<CN=805>
<CN=121>
<CN=700>
<CN=530>
<CN=1002>
<CN=964>
<CN=385>
<CN=1481>
<CN=616>
<CN=929>
<CN=1142>
<CN=489>
<CN=552>
<CN=956>
<CN=806>
<CN=1422>
<CN=1098>
<CN=328>
<CN=1202>
<CN=1280>
<CN=093>
<CN=578>
<CN=1123>
<CN=753>
<CN=190>
<CN=949>
<CN=1430>
<CN=497>
<CN=1428>
<CN=337>
<CN=1475>
<CN=313>
<CN=1417>
<CN=250>
<CN=159>
<CN=237>
<CN=087>
<CN=215>
<CN=1022>
<CN=915>
<CN=991>
<CN=893>
<CN=840>
<CN=425>
<CN=1079>
<CN=1020>
<CN=128>
<CN=487>
<CN=448>
<CN=1057>
<CN=1041>
<CN=1252>
<CN=216>
<CN=791>
<CN=1286>
<CN=199>
<CN=912>
<CN=1182>
<CN=1115>
<CN=260>
<CN=1394>
<CN=265>
<CN=771>
<CN=814>
<CN=1277>
<CN=479>
<CN=437>
<CN=075>
<CN=1050>
<CN=1371>
<CN=505>
<CN=014>
<CN=887>
<CN=1405>
<CN=231>
<CN=1424>
<CN=177>
<CN=1132>
<CN=033>
<CN=1331>
<CN=203>
<CN=772>
<CN=862>
<CN=416>
<CN=1455>
<CN=1266>
<CN=1010>
<CN=1465>
<CN=549>
<CN=1040>
<CN=1299>
<CN=047>
<CN=491>
<CN=350>
<CN=343>
<CN=006>
<CN=433>
<CN=1184>
<CN=731>
<CN=944>
<CN=1444>
<CN=1095>
<CN=843>
<CN=1291>
<CN=211>
<CN=320>
<CN=982>
<CN=1021>
<CN=135>
<CN=138>
<CN=844>
<CN=797>
<CN=1298>
<CN=031>
<CN=1260>
<CN=1169>
<CN=595>
<CN=747>
<CN=1473>
<CN=072>
<CN=513>
<CN=968>
<CN=846>
<CN=312>
<CN=562>
<CN=938>
<CN=1171>
<CN=1336>
<CN=946>
<CN=867>
<CN=490>
<CN=650>
<CN=1387>
<CN=080>
<CN=162>
<CN=330>
<CN=1015>
<CN=704>
<CN=1219>
<CN=1474>
<CN=755>
<CN=959>
<CN=1088>
<CN=997>
<CN=1003>
<CN=179>
<CN=1033>
<CN=1173>
<CN=621>
<CN=266>
<CN=028>
<CN=894>
<CN=1054>
<CN=427>
<CN=498>
<CN=379>
<CN=305>
<CN=401>
<CN=729>
<CN=1099>
<CN=1344>
<CN=1250>
<CN=219>
<CN=604>
<CN=935>
<CN=317>
<CN=735>
<CN=456>
<CN=1043>
<CN=761>
<CN=311>
<CN=757>
<CN=546>
<CN=684>
<CN=507>
<CN=148>
<CN=061>
<CN=693>
<CN=917>
<CN=1433>
<CN=191>
<CN=1359>
<CN=1263>
<CN=1321>
<CN=108>
<CN=345>
<CN=1144>
<CN=1233>
<CN=074>
<CN=821>
<CN=1411>
<CN=150>
<CN=961>
<CN=037>
<CN=1348>
<CN=1292>
<CN=1440>
<CN=1377>
<CN=279>
<CN=713>
<CN=739>
<CN=647>
<CN=395>
<CN=114>
<CN=407>
<CN=368>
<CN=276>
<CN=262>
<CN=1468>
<CN=1479>
<CN=921>
<CN=322>
<CN=067>
<CN=1231>
<CN=1141>
<CN=147>
<CN=062>
<CN=366>
<CN=1186>
<CN=1154>
<CN=1071>
<CN=570>
<CN=1427>
<CN=393>
<CN=030>
<CN=310>
<CN=452>
<CN=1178>
<CN=1034>
<CN=732>
<CN=636>
<CN=458>
<CN=1016>
<CN=1107>
<CN=1147>
<CN=241>
<CN=896>
<CN=723>
<CN=1454>
<CN=688>
<CN=773>
<CN=1452>
<CN=426>
<CN=1485>
<CN=1198>
<CN=932>
<CN=1236>
<CN=602>
<CN=469>
<CN=985>
<CN=1197>
<CN=206>
<CN=796>
<CN=1489>
<CN=561>
<CN=653>
<CN=759>
<CN=1312>
<CN=1013>
<CN=662>
<CN=032>
<CN=623>
<CN=573>
<CN=115>
<CN=942>
<CN=812>
<CN=1447>
<CN=783>
<CN=1416>
<CN=371>
<CN=1082>
<CN=903>
<CN=780>
<CN=1358>
<CN=1162>
<CN=122>
<CN=022>
<CN=253>
<CN=869>
<CN=800>
<CN=194>
<CN=164>
<CN=365>
<CN=429>
<CN=170>
<CN=506>
<CN=1192>
<CN=1285>
<CN=503>
<CN=1287>
<CN=678>
<CN=1350>
<CN=1237>
<CN=1409>
<CN=178>
<CN=145>
<CN=711>
<CN=858>
<CN=719>
<CN=005>
<CN=1175>
<CN=884>
<CN=1019>
<CN=361>
<CN=947>
<CN=758>
<CN=571>
<CN=1025>
<CN=1322>
<CN=790>
<CN=1294>
<CN=222>
<CN=837>
<CN=389>
<CN=744>
<CN=1130>
<CN=256>
<CN=1431>
<CN=720>
<CN=1459>
<CN=436>
<CN=239>
<CN=113>
<CN=399>
<CN=649>
<CN=163>
<CN=728>
<CN=1174>
<CN=217>
<CN=027>
<CN=100>
<CN=883>
<CN=637>
<CN=1314>
<CN=085>
<CN=1375>
<CN=727>
<CN=945>
<CN=1126>
<CN=970>
<CN=890>
<CN=494>
<CN=779>
<CN=076>
<CN=485>
<CN=1110>
<CN=872>
<CN=998>
<CN=271>
<CN=063>
<CN=1466>
<CN=816>
<CN=1222>
<CN=397>
<CN=447>
<CN=527>
<CN=833>
<CN=825>
<CN=1140>
<CN=1339>
<CN=1068>
<CN=845>
<CN=741>
<CN=1226>
<CN=323>
<CN=864>
<CN=118>
<CN=171>
<CN=1234>
<CN=1380>
<CN=1116>
<CN=1471>
<CN=413>
<CN=1476>
<CN=218>
<CN=432>
<CN=1487>
<CN=1313>
<CN=1451>
<CN=408>
<CN=631>
<CN=041>
<CN=533>
<CN=854>
<CN=588>
<CN=232>
<CN=039>
<CN=1157>
<CN=547>
<CN=213>
<CN=612>
<CN=129>
<CN=629>
<CN=1214>
<CN=254>
<CN=1279>
<CN=994>
<CN=1264>
<CN=470>
<CN=751>
<CN=664>
<CN=332>
<CN=1491>
<CN=967>
<CN=1083>
<CN=1300>
<CN=1146>
<CN=1325>
<CN=1072>
<CN=557>
<CN=172>
<CN=827>
<CN=269>
<CN=1254>
<CN=051>
<CN=740>
<CN=579>
<CN=669>
<CN=550>
<CN=1138>
<CN=834>
<CN=516>
<CN=1097>
<CN=242>
<CN=1111>
<CN=390>
<CN=895>
<CN=514>
<CN=056>
<CN=1362>
<CN=1418>
<CN=316>
<CN=909>
<CN=665>
<CN=1478>
<CN=052>
<CN=1256>
<CN=268>
<CN=272>
<CN=384>
<CN=1027>
<CN=131>
<CN=1442>
<CN=566>
<CN=1094>
<CN=009>
<CN=1402>
<CN=1311>
<CN=1480>
<CN=1469>
<CN=828>
<CN=736>
<CN=134>
<CN=682>
<CN=586>
<CN=1225>
<CN=302>
<CN=717>
<CN=1319>
<CN=778>
<CN=1425>
<CN=951>
<CN=1051>
<CN=270>
<CN=1190>
<CN=077>
<CN=065>
<CN=698>
<CN=860>
<CN=1308>
<CN=1014>
<CN=1161>
<CN=919>
<CN=414>
<CN=569>
<CN=824>
<CN=1205>
<CN=900>
<CN=913>
<CN=1189>
<CN=193>
<CN=1170>
<CN=1112>
<CN=1412>
<CN=482>
<CN=173>
<CN=349>
<CN=937>
<CN=445>
<CN=003>
<CN=642>
<CN=1155>
<CN=461>
<CN=681>
<CN=420>
<CN=1343>
<CN=346>
<CN=1191>
<CN=286>
<CN=690>
<CN=092>
<CN=1360>
<CN=1255>
<CN=904>
<CN=567>
<CN=331>
<CN=591>
<CN=680>
<CN=954>
<CN=808>
<CN=309>
<CN=878>
<CN=633>
<CN=880>
<CN=175>
<CN=421>
<CN=314>
<CN=289>
<CN=1124>
<CN=873>
<CN=1269>
<CN=036>
<CN=1230>
<CN=1153>
<CN=1128>
<CN=1224>
<CN=534>
<CN=730>
<CN=936>
<CN=925>
<CN=1060>
<CN=752>
<CN=186>
<CN=1133>
<CN=525>
<CN=1048>
<CN=1366>
<CN=283>
<CN=972>
<CN=clockcontroller, OU=WorkForce Software, O=WorkForce Software, C=US>
<CN=746>
<CN=1195>
<CN=1437>
<CN=1042>
<CN=524>
<CN=106>
<CN=529>
<CN=1368>
<CN=1316>
<CN=070>
<CN=643>
<CN=750>
<CN=038>
<CN=767>
<CN=435>
<CN=195>
<CN=1143>
<CN=1129>
<CN=251>
<CN=1296>
<CN=089>
<CN=628>
<CN=261>
<CN=227>
<CN=188>
<CN=957>
<CN=248>
<CN=1193>
<CN=892>
<CN=1289>
<CN=1026>
<CN=040>
<CN=922>
<CN=326>
<CN=966>
<CN=1310>
<CN=020>
<CN=356>
<CN=661>
<CN=258>
<CN=411>
<CN=1221>
<CN=1032>
<CN=459>
<CN=725>
<CN=015>
<CN=656>
<CN=096>
<CN=017>
<CN=620>
<CN=587>
<CN=1318>
<CN=582>
<CN=626>
<CN=1125>
<CN=235>
<CN=165>
<CN=334>
<CN=590>
<CN=167>
<CN=154>
<CN=288>
<CN=103>
<CN=756>
<CN=1117>
<CN=905>
<CN=360>
<CN=1337>
<CN=849>
<CN=221>
<CN=931>
<CN=1327>
<CN=386>
<CN=1208>
<CN=1077>
<CN=001>
<CN=818>
<CN=1391>
<CN=153>
<CN=908>
<CN=086>
<CN=417>
<CN=050>
<CN=1206>
<CN=1073>
<CN=668>
<CN=392>
<CN=924>
<CN=1007>
<CN=644>
<CN=1352>
<CN=1301>
<CN=1211>
<CN=1194>
<CN=876>
<CN=1376>
<CN=338>
<CN=263>
<CN=257>
<CN=803>
<CN=1334>
<CN=1069>
<CN=369>
<CN=518>
<CN=127>
<CN=274>
<CN=1446>
<CN=016>
<CN=1284>
<CN=185>
<CN=765>
<CN=083>
<CN=1268>
<CN=1105>
<CN=544>
<CN=101>
<CN=319>
<CN=1120>
<CN=1432>
<CN=509>
<CN=245>
<CN=1435>
<CN=559>
<CN=144>
<CN=362>
<CN=1188>
<CN=712>
<CN=364>
<CN=282>
<CN=1121>
<CN=225>
<CN=663>
<CN=1372>
<CN=543>
<CN=576>
<CN=1056>
<CN=1037>
<CN=517>
<CN=136>
<CN=531>
<CN=424>
<CN=380>
<CN=615>
<CN=285>
<CN=1404>
<CN=126>
<CN=519>
<CN=1046>
<CN=1087>
<CN=1383>
<CN=267>
<CN=838>
<CN=383>
<CN=002>
<CN=1177>
<CN=434>
<CN=648>
<CN=788>
<CN=789>
<CN=899>
<CN=1055>
<CN=354>
<CN=1338>
<CN=1163>
<CN=287>
<CN=1290>
<CN=563>
<CN=1467>
<CN=1439>
<CN=965>
<CN=1183>
<CN=671>
<CN=042>
<CN=865>
<CN=1253>
<CN=584>
<CN=538>
<CN=1093>
<CN=1009>
<CN=830>
<CN=1309>
<CN=1347>
<CN=1472>
<CN=091>
<CN=724>
<CN=259>
<CN=043>
<CN=670>
<CN=596>
<CN=1148>
<CN=1395>
<CN=430>
<CN=264>
<CN=826>
<CN=109>
<CN=140>
<CN=1445>
<CN=1078>
<CN=1257>
<CN=099>
<CN=948>
<CN=1165>
<CN=273>
<CN=993>
<CN=992>
<CN=088>
<CN=234>
<CN=1458>
<CN=1500>
<CN=848>
<CN=1365>
<CN=1220>
<CN=1092>
<CN=1245>
<CN=875>
<CN=813>
<CN=1030>
<CN=094>
<CN=1346>
<CN=589>
<CN=168>
<CN=325>
<CN=901>
<CN=252>
<CN=1429>
<CN=073>
<CN=1218>
<CN=183>
<CN=117>
<CN=1119>
<CN=577>
<CN=1397>
<CN=111>
<CN=536>
<CN=1246>
<CN=1393>
<CN=769>
<CN=831>
<CN=971>
<CN=1332>
<CN=614>
<CN=053>
<CN=415>
<CN=418>
<CN=708>
<CN=058>
<CN=029>
<CN=412>
<CN=782>
<CN=512>
<CN=1357>
<CN=229>
<CN=1448>
<CN=1497>
<CN=775>
<CN=1379>
<CN=714>
<CN=835>
<CN=1062>
<CN=372>
<CN=500>
<CN=859>
<CN=453>
<CN=1239>
<CN=963>
<CN=1374>
<CN=1270>
<CN=1044>
<CN=084>
<CN=055>
<CN=1275>
<CN=810>
<CN=298>
<CN=1181>
<CN=564>
<CN=007>
<CN=522>
<CN=877>
<CN=745>
<CN=766>
<CN=1388>
<CN=1100>
<CN=1382>
<CN=277>
<CN=1006>
<CN=1212>
<CN=476>
<CN=1039>
<CN=996>
<CN=1109>
<CN=1460>
<CN=161>
<CN=119>
<CN=1118>
<CN=187>
<CN=980>
<CN=511>
<CN=123>
<CN=1434>
<CN=743>
<CN=1151>
<CN=297>
<CN=1410>
<CN=1207>
<CN=655>
<CN=718>
<CN=336>
<CN=454>
<CN=327>
<CN=930>
<CN=822>
<CN=953>
<CN=292>
<CN=1323>
<CN=024>
<CN=1317>
<CN=733>
<CN=396>
<CN=1213>
<CN=1199>
<CN=1283>
<CN=284>
<CN=444>
<CN=923>
<CN=214>
<CN=601>
<CN=645>
<CN=726>
<CN=201>
<CN=1361>
<CN=1242>
<CN=640>
<CN=861>
<CN=1340>
<CN=1326>
<CN=493>
<CN=1295>
<CN=180>
<CN=120>
<CN=608>
<CN=572>
<CN=1276>
<CN=1066>
<CN=1127>
<CN=344>
<CN=149>
<CN=1018>
<CN=568>
<CN=852>
<CN=1244>
<CN=798>
<CN=868>
<CN=060>
<CN=542>
<CN=523>
<CN=367>
<CN=1167>
<CN=1498>
<CN=532>
<CN=1356>
<CN=410>
<CN=255>
<CN=599>
<CN=1477>
<CN=1200>
<CN=786>
<CN=341>
<CN=247>
<CN=1499>
<CN=1450>
<CN=335>
<CN=403>
<CN=078>
<CN=1160>
<CN=200>
<CN=098>
<CN=666>
<CN=419>
<CN=539>
<CN=829>
<CN=301>
<CN=026>
<CN=646>
<CN=768>
<CN=990>
<CN=1036>
<CN=008>
<CN=794>
<CN=1482>
<CN=299>
<CN=1053>
<CN=638>
<CN=359>
<CN=1441>
<CN=125>
<CN=081>
<CN=464>
<CN=995>
<CN=137>
<CN=1215>
<CN=928>
<CN=1081>
<CN=958>
<CN=333>
<CN=1385>
<CN=449>
<CN=613>
<CN=1494>
<CN=181>
<CN=836>
<CN=600>
<CN=1328>
<CN=443>
<CN=370>
<CN=1349>
<CN=340>
<CN=687>
<CN=611>
<CN=496>
<CN=1384>
<CN=1271>
<CN=1185>
<CN=885>
<CN=819>
<CN=1065>
<CN=1210>
<CN=353>
<CN=1453>
<CN=1049>
<CN=439>
<CN=658>
<CN=934>
<CN=1341>
<CN=249>
<CN=521>
<CN=013>
<CN=351>
<CN=169>
<CN=792>
<CN=774>
<CN=537>
<CN=606>
<CN=1114>
<CN=548>
<CN=035>
<CN=784>
<CN=1008>
<CN=422>
<CN=394>
<CN=804>
<CN=907>
<CN=1158>
<CN=721>
<CN=1249>
<CN=770>
<CN=710>
<CN=275>
<CN=545>
<CN=749>
<CN=902>
<CN=555>
<CN=764>
<CN=1267>
<CN=939>
<CN=627>
<CN=374>
<CN=155>
<CN=705>
<CN=981>
<CN=715>
<CN=1149>
<CN=742>
<CN=307>
<CN=1320>
<CN=352>
<CN=1449>
<CN=208>
<CN=1378>
<CN=1367>
<CN=802>
<CN=639>
<CN=879>
<CN=057>
<CN=760>
<CN=1204>
<CN=597>
<CN=689>
<CN=477>
<CN=672>
<CN=738>
<CN=473>
<CN=019>
<CN=243>
<CN=465>
<CN=207>
<CN=1421>
<CN=133>
<CN=467>
<CN=1232>
<CN=244>
<CN=978>
<CN=1047>
<CN=697>
<CN=068>
<CN=660>
<CN=025>
<CN=641>
<CN=1150>
<CN=617>
<CN=855>
<CN=1102>
<CN=481>
<CN=1101>
<CN=468>
<CN=799>
<CN=763>
<CN=112>
<CN=182>
<CN=223>
<CN=1386>
<CN=1113>
<CN=1288>
<CN=920>
<CN=143>
<CN=1005>
<CN=1403>
<CN=1345>
<CN=230>
<CN=1401>
<CN=609>
<CN=280>
<CN=598>
<CN=1304>
<CN=488>
<CN=1470>
<CN=1273>
<CN=926>
<CN=811>
<CN=484>
<CN=510>
<CN=673>
<CN=1486>
<CN=1017>
<CN=832>
<CN=654>
<CN=1415>
<CN=515>
<CN=1012>
<CN=1329>
<CN=1063>
<CN=1052>
<CN=1137>
<CN=387>
<CN=592>
<CN=977>
<CN=558>
<CN=306>
<CN=762>
<CN=1495>
<CN=1228>
<CN=1080>
<CN=321>
<CN=226>
<CN=492>
<CN=847>
<CN=246>
<CN=278>
<CN=471>
<CN=630>
<CN=551>
<CN=451>
<CN=695>
<CN=625>
<CN=889>
<CN=1029>
<CN=622>
<CN=906>
<CN=696>
<CN=440>
<CN=1484>
<CN=1145>
<CN=535>
<CN=856>
<CN=1164>
<CN=754>
<CN=634>
<CN=1028>
<CN=1456>
<CN=1496>
<CN=574>
<CN=124>
<CN=950>
<CN=1373>
<CN=1390>
<CN=097>
<CN=984>
<CN=495>
<CN=446>
<CN=983>
<CN=110>
<CN=839>
<CN=010>
<CN=986>
<CN=910>
<CN=1457>
<CN=1217>
<CN=898>
<CN=034>
<CN=1335>
<CN=1058>
<CN=1229>
<CN=329>
<CN=431>
<CN=1342>
<CN=1333>
<CN=785>
<CN=692>
<CN=722>
<CN=192>
<CN=1369>
<CN=1282>
<CN=1152>
<CN=943>
<CN=553>
<CN=1247>
<CN=011>
<CN=674>
<CN=809>
<CN=318>
<CN=1426>
<CN=478>
<CN=1488>
<CN=863>
<CN=1059>
<CN=402>
<CN=1075>
<CN=004>
<CN=504>
<CN=1281>
<CN=508>
<CN=160>
<CN=1305>
<CN=377>
<CN=581>
<CN=652>
<CN=102>
<CN=657>
<CN=1223>
<CN=296>
<CN=303>
<CN=1438>
<CN=018>
<CN=1492>
<CN=441>
<CN=1235>
<CN=1241>
<CN=293>
<CN=1306>
<CN=152>
<CN=1408>
<CN=1262>
<CN=916>
<CN=139>
<CN=927>
<CN=1238>
<CN=176>
<CN=376>
<CN=593>
<CN=585>
<CN=405>
<CN=486>
<CN=404>
<CN=1399>
<CN=046>
<CN=940>
<CN=1196>
<CN=1227>
<CN=132>
<CN=457>
<CN=142>
<CN=737>
<CN=1493>
<CN=463>
<CN=675>
<CN=897>
<CN=1351>
<CN=841>
<CN=066>
<CN=1443>
<CN=205>
https-jsse-nio2-10443-exec-7, WRITE: TLSv1.2 Handshake, length = 16383
*** ServerHelloDone
https-jsse-nio2-10443-exec-7, WRITE: TLSv1.2 Handshake, length = 12558
https-jsse-nio2-10443-exec-9, called closeOutbound()
https-jsse-nio2-10443-exec-9, closeOutboundInternal()
https-jsse-nio2-10443-exec-9, SEND TLSv1.2 ALERT: warning, description = close_notify
https-jsse-nio2-10443-exec-9, WRITE: TLSv1.2 Alert, length = 2
Tomcat connector configuration is,
<Connector port="10443" protocol="org.apache.coyote.http11.Http11Nio2Protocol" maxHttpHeaderSize="4096"
maxThreads="1050" minSpareThreads="25"
maxKeepAliveRequests="-1" keepAliveTimeout="180000"
enableLookups="false" disableUploadTimeout="true"
acceptCount="10" scheme="https" secure="true" SSLEnabled="true"
clientAuth="want" sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2"
connectionTimeout="180000"
keystoreFile="file.keystore"
keystorePass="file.pass" algorithm="SunX509"
truststoreFile="file.keystore"
truststorePass="file.pass"
truststoreType="JKS"
keyAlias="tomcat"
compression="on"
compressionMinSize="2048"
trustManagerClassName="com.tomcatssl.CustomTrustManager"
useServerCipherSuitesOrder="true"
ciphers="TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
server="Clock Web Server"
compressableMimeType="text/html,text/xml,text/js,text/css"/>
Thank You
I'm not sure what would cause some browsers to work differently than others for sure, but I do have a guess.
When a server has a trust store configured (for a <Connector>/<SSLHostConfig>), it will advertise the list of trusted certificates to the client during the initial TLS handshake. If you have a huge number of certificates in your trust store, the server will (of course) send them all. If the client isn't expecting to receive a large number of certificates, it may fail when it runs out of space in e.g. a buffer to hold such things. My guess is that MSIE chokes on the long list of acceptable client certificates.
It's unusual for a server to use a <Connector>/<SSLHostConfig> with a large number of certificates in its trust store. Typically, if you need to trust certificates en masse, you generate a CA certificate and use it to sign the individual client certificates, keeping only that CA certificate in your trust store.
If you have a JVM-wide trust store being used for outgoing connections, then you might have a lot of certificates in there. You definitely don't want to use that one for the <Connector>/<SSLHostConfig> on your server. You should use a separate trust-store that contains only the certificates you expect to trust as client TLS certificates. Any other configuration is not secure.
For example, let's say you have VeriSign's root certificate in your trust store. That means anyone who has a client certificate signed by VeriSign can establish a connection with your server. That includes clients outside your organization or circle of trust. You should only include certificates in your trust store that you 100% trust every certificate they could ever have signed.
Make sure that your root certificate is trusted by the browser. For your case, the root is "Cisco Umbrella Root CA", which is not trusted. Follow these steps to import the certificate in browser : https://freesslcert.org/trust-freesslcert-in-browser
I have managed to configure the weblogic for the SSO with windows AD, however there are several questions on which I need clarity
1) When I access the application from my browser with the apache web server sitting in between, why is the weblogic requesting for a TGT with the SPN everytime(I can see that in weblogic console), even if it wants to get authenticated with the KDC this should have happened only once during start up and not with every request from same browser.
Theoretically Weblogic should never contact the KDC to validate the existing user's TGT.
2) If the same session key provided by the KDC is used between client and weblogic server for secure communication, they would never require to hit KDC in between unless the session key expires, in which case they also have an option to renew it, so a TGT is never required to be created for each request from browser to weblogic. Is it correct.
Weblogic console logs->
Found ticket for HTTP/APPDEV2011.domain.com#DOMAIN.COM to go to krbtgt/DOMAIN.COM#DOMAIN.COM expiring on Fri May 11 21:06:46 CDT 2018
Debug is true storeKey true useTicketCache true useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is http_weblogic_test.keytab refreshKrb5Config is false principal is HTTP/APPDEV2011.domain.com#DOMAIN.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
KinitOptions cache name is D:\Users\ayadav.DOMAIN.000\krb5cc_ayadav
Acquire default native Credentials
default etypes for default_tkt_enctypes: 17 23.
LSA contains TGT for ayadav#DOMAIN.COM not HTTP/APPDEV2011.domain.com#DOMAIN.COM
Principal is HTTP/APPDEV2011.domain.com#DOMAIN.COM
null credentials from Ticket Cache
Looking for keys for: HTTP/APPDEV2011.domain.com#DOMAIN.COM
Added key: 17version: 14
Added key: 18version: 14
Added key: 23version: 14
Found unsupported keytype (3) for HTTP/APPDEV2011.domain.com#DOMAIN.COM
Found unsupported keytype (1) for HTTP/APPDEV2011.domain.com#DOMAIN.COM
Looking for keys for: HTTP/APPDEV2011.domain.com#DOMAIN.COM
Added key: 17version: 14
Added key: 18version: 14
Added key: 23version: 14
Found unsupported keytype (3) for HTTP/APPDEV2011.domain.com#DOMAIN.COM
Found unsupported keytype (1) for HTTP/APPDEV2011.domain.com#DOMAIN.COM
default etypes for default_tkt_enctypes: 17 23.
KrbAsReq creating message
KrbKdcReq send: kdc=wcosp-dc01.domain.com UDP:88, timeout=30000, number of retries =3, #bytes=163
KDCCommunication: kdc=wcosp-dc01.domain.com UDP:88, timeout=30000,Attempt =1, #bytes=163
KrbKdcReq send: #bytes read=207
Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 17, salt = DOMAIN.COMHTTPAPPDEV2011.domain.com, s2kparams = null
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
Pre-Authentication Data:
PA-DATA type = 16
Pre-Authentication Data:
PA-DATA type = 15
KdcAccessibility: remove wcosp-dc01.domain.com
KDCRep: init() encoding tag is 126 req type is 11
KRBError:
sTime is Fri May 11 11:06:46 CDT 2018 1526054806000
suSec is 633784
error code is 25
error Message is Additional pre-authentication required
sname is krbtgt/DOMAIN.COM#DOMAIN.COM
eData provided.
msgType is 30
Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 17, salt = DOMAIN.COMHTTPAPPDEV2011.domain.com, s2kparams = null
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
Pre-Authentication Data:
PA-DATA type = 16
Pre-Authentication Data:
PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 17 23.
Looking for keys for: HTTP/APPDEV2011.domain.com#DOMAIN.COM
Added key: 17version: 14
Added key: 18version: 14
Added key: 23version: 14
Found unsupported keytype (3) for HTTP/APPDEV2011.domain.com#DOMAIN.COM
Found unsupported keytype (1) for HTTP/APPDEV2011.domain.com#DOMAIN.COM
Looking for keys for: HTTP/APPDEV2011.domain.com#DOMAIN.COM
Added key: 17version: 14
Added key: 18version: 14
Added key: 23version: 14
Found unsupported keytype (3) for HTTP/APPDEV2011.domain.com#DOMAIN.COM
Found unsupported keytype (1) for HTTP/APPDEV2011.domain.com#DOMAIN.COM
default etypes for default_tkt_enctypes: 17 23.
EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
KrbAsReq creating message
KrbKdcReq send: kdc=wcosp-dc01.domain.com UDP:88, timeout=30000, number of retries =3, #bytes=250
KDCCommunication: kdc=wcosp-dc01.domain.com UDP:88, timeout=30000,Attempt =1, #bytes=250
KrbKdcReq send: #bytes read=96
KrbKdcReq send: kdc=wcosp-dc01.domain.com TCP:88, timeout=30000, number of retries =3, #bytes=250
KDCCommunication: kdc=wcosp-dc01.domain.com TCP:88, timeout=30000,Attempt =1, #bytes=250
DEBUG: TCPClient reading 1602 bytes
KrbKdcReq send: #bytes read=1602
KdcAccessibility: remove wcosp-dc01.domain.com
Looking for keys for: HTTP/APPDEV2011.domain.com#DOMAIN.COM
Added key: 17version: 14
Added key: 18version: 14
Added key: 23version: 14
Found unsupported keytype (3) for HTTP/APPDEV2011.domain.com#DOMAIN.COM
Found unsupported keytype (1) for HTTP/APPDEV2011.domain.com#DOMAIN.COM
EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
KrbAsRep cons in KrbAsReq.getReply HTTP/APPDEV2011.domain.com
principal is HTTP/APPDEV2011.domain.com#DOMAIN.COM
Will use keytab
Commit Succeeded
>
Thanks
cannot decrypt HTTPS with Wireshark. the steps done are described as follows. can anybody help to throw light on this? thx!
step 1: start a http server
C:\Users\ebinshe\Documents\projects\test-openssl
λ echo 'hello, world.' >index.txt
C:\Users\ebinshe\Documents\projects\test-openssl
λ openssl s_server -key key.pem -cert cert.pem -WWW
Using default temp DH parameters
ACCEPT
step 2: test it with "openssl" and catch the traffic with "RawCap.exe"
C:\Users\ebinshe\Documents\projects\test-openssl
λ openssl s_client -crlf -cipher 'DHE-RSA-AES128-SHA' -host localhost -port 4433 -no_tls1_2
CONNECTED(00000003)
depth=0 CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost
verify return:1
---
Certificate chain
0 s:/CN=localhost
i:/CN=localhost
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC+zCCAeOgAwIBAgIJAJ6LbmE3wd3bMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNV
BAMMCWxvY2FsaG9zdDAeFw0xNzEwMjkxMDE0MjhaFw0xNzExMjgxMDE0MjhaMBQx
EjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBALZEnU+F4XknWZRvbtkZoKhbcoOguYUPbrucYREsjN+o9i4N8kmtNpiqDav+
J68Uk0r4o3WGhtAoaLdbqny1U+mWuMGUrwHi2fR1X7T6IZHOKLhqdbJLi9i3V7KD
7FLhz20ttbUQHaKlA5BqBiEYptRYOpFrK75R3UFdBGG8SBAoMitqzzLERwPbZDqH
Lk8ZWDLXLnmbDh0jda3B26yjCB9UHCwKJNCqqIDajmOhPq8khH32ZPQQ3NPndNTa
fob5e/vJgjBCHHX7wutIG6fUfuBnokUE2R+Wkg3iGu8fHQ0SY+6Wlmk+nTeJ+HeK
1anuqhwxjZ9Xj1HTGGJIS/JxIlsCAwEAAaNQME4wHQYDVR0OBBYEFOhulfYh0HDL
ItQwXVsceqOdlSx1MB8GA1UdIwQYMBaAFOhulfYh0HDLItQwXVsceqOdlSx1MAwG
A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAKlMRvbkQIrvtBTJH7+1c/Dr
JFR0VhOdDHCDWm1mSw+o+REffaGJHzLUztq2fx7Tciqcsd+5E+RsNn7ySYxiMohD
ud25g/sBoGTqiayNGAJMOSK3/ndskXh9rnLzPBwJ1RRXcTn4aCYYSoddhyfM1Dzl
4SMQkPAW1uMWisPXfl9d7LFzC2wkMj/YswGNkKnEOUIjyfxgexaXgFbOf6+FrUmU
SWcBaw44YOwAYLEL7cVoOo9TXe/i3cSlNJMw6Q8306nnCiiyMAqDN2wTcQUzzDx6
jGGr5eDMuMLC5slWlOK1X7lEA1kNX6uPSktL2TGnzgq7a4nbxjBFHDDa/3/dcU8=
-----END CERTIFICATE-----
subject=/CN=localhost
issuer=/CN=localhost
---
No client certificate CA names sent
Server Temp Key: DH, 2048 bits
---
SSL handshake has read 1890 bytes and written 442 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.1
Cipher : DHE-RSA-AES128-SHA
Session-ID: 02F8CB0E6E0BD370A7128C5DE27FC8B3A65A8C212FB91E3A389FB447CB651769
Session-ID-ctx:
Master-Key: 907B687CA8045DCEFB9A168316B6D47C12CC8C6F9EEAB6590427610BD4ACB00CACC2170CB80370EBBF15E5E32204C211
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 6c 5c 1b df f9 18 4b d0-5d c0 a9 f6 90 c1 d4 d1 l\....K.].......
0010 - 71 1e 4b f9 80 f4 f5 d3-fd 12 f7 92 11 2b a3 be q.K..........+..
0020 - 59 31 f2 39 84 cd c9 c6-1b 9b bb f9 9f dd 1c dd Y1.9............
0030 - 8d 97 3b 1f 75 6f 9c 78-dc 63 73 8b b7 ac 9d d0 ..;.uo.x.cs.....
0040 - 20 a3 f1 7e f5 c4 ae b4-56 d5 e1 bd e7 70 21 bb ..~....V....p!.
0050 - 08 f3 d3 6d fd 1b 6b a8-e6 92 de 13 c9 51 3e 0a ...m..k......Q>.
0060 - ee 54 98 0f 79 f3 fe cf-4f e2 a8 47 68 9e 58 f8 .T..y...O..Gh.X.
0070 - 9d f6 98 28 2d 7f 23 fc-f5 5e 34 ec 5c 30 43 a4 ...(-.#..^4.\0C.
0080 - e1 4c 3e 92 41 b2 f5 18-68 8f 6c f8 84 5c 11 3a .L>.A...h.l..\.:
0090 - 30 11 8a 7a 56 e0 18 3d-c3 27 a2 e5 26 f0 b4 2e 0..zV..=.'..&...
Compression: 1 (zlib compression)
Start Time: 1509640881
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
GET /index.txt HTTP/1.1
HTTP/1.0 200 ok
Content-type: text/plain
'hello, world.'
read:errno=0
step 3: create key.log from
Session-ID: 02F8CB0E6E0BD370A7128C5DE27FC8B3A65A8C212FB91E3A389FB447CB651769
Master-Key: 907B687CA8045DCEFB9A168316B6D47C12CC8C6F9EEAB6590427610BD4ACB00CACC2170CB80370EBBF15E5E32204C211
the resulted key.log
CLIENT_RANDOM 02F8CB0E6E0BD370A7128C5DE27FC8B3A65A8C212FB91E3A389FB447CB651769 907B687CA8045DCEFB9A168316B6D47C12CC8C6F9EEAB6590427610BD4ACB00CACC2170CB80370EBBF15E5E32204C211
step 4: point Wireshark SSL "(Pre)-Master-Secret log filename" to it.
load the traffic with Wireshark. the SSL data frames are not decrypted.
the Wireshark SSL debug log:
λ cat debug.log
Wireshark SSL debug log
Wireshark version: 2.4.2 (v2.4.2-0-gb6c63ae086)
GnuTLS version: 3.4.11
Libgcrypt version: 1.7.6
dissect_ssl enter frame #463 (first time)
packet_from_server: is from server - FALSE
conversation = 000000000836D550, ssl_session = 000000000836DF80
record: offset = 0, reported_length_remaining = 100
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 95, ssl state 0x00
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 91 bytes, remaining 100
Calculating hash with offset 5 95
ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01
dissect_ssl enter frame #465 (first time)
packet_from_server: is from server - TRUE
conversation = 000000000836D550, ssl_session = 000000000836DF80
record: offset = 0, reported_length_remaining = 1460
ssl_try_set_version found version 0x0302 -> state 0x11
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 58, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 54 bytes, remaining 63
Calculating hash with offset 5 58
ssl_try_set_version found version 0x0302 -> state 0x11
ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x13
ssl_set_cipher found CIPHER 0x0033 TLS_DHE_RSA_WITH_AES_128_CBC_SHA -> state 0x17
trying to use SSL keylog in C:\Users\ebinshe\sslkeylogfile.log
checking keylog line: # SSL/TLS secrets log file, generated by NSS
unrecognized line
checking keylog line: CLIENT_RANDOM DCD58E1764FDC7A5EA5BC169ED4C96C0D6661120F8A02E96D524F33C155DB934 4DF856122B924EC0E5CA53F1DCE0C95F1FEC1E315E552619DCB5E3963DCAD47A41FF301BAEA33743FADD2E636A0A1D52
matched client_random
tls13_change_key TLS version 0x302 is not 1.3
tls13_change_key TLS version 0x302 is not 1.3
record: offset = 63, reported_length_remaining = 1397
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 777, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 68 length 773 bytes, remaining 845
Calculating hash with offset 68 777
lookup(KeyID)[20]:
| 73 ab d9 0c d6 09 d6 06 b9 d7 28 b9 25 12 85 bb |s.........(.%...|
| c2 14 09 02 |.... |
ssl_find_private_key_by_pubkey: lookup result: 0000000000000000
record: offset = 845, reported_length_remaining = 615
need_desegmentation: offset = 845, reported_length_remaining = 615
dissect_ssl enter frame #466 (first time)
packet_from_server: is from server - TRUE
conversation = 000000000836D550, ssl_session = 000000000836DF80
record: offset = 0, reported_length_remaining = 786
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 781, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 12 offset 5 length 777 bytes, remaining 786
Calculating hash with offset 5 781
dissect_ssl enter frame #466 (first time)
packet_from_server: is from server - TRUE
conversation = 000000000836D550, ssl_session = 000000000836DF80
record: offset = 0, reported_length_remaining = 9
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 4, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 14 offset 5 length 0 bytes, remaining 9
Calculating hash with offset 5 4
dissect_ssl enter frame #468 (first time)
packet_from_server: is from server - FALSE
conversation = 000000000836D550, ssl_session = 000000000836DF80
record: offset = 0, reported_length_remaining = 342
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 262, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 258 bytes, remaining 267
Calculating hash with offset 5 262
trying to use SSL keylog in C:\Users\ebinshe\sslkeylogfile.log
ssl_load_keyfile file got deleted, trying to re-open
checking keylog line: # SSL/TLS secrets log file, generated by NSS
unrecognized line
checking keylog line: CLIENT_RANDOM DCD58E1764FDC7A5EA5BC169ED4C96C0D6661120F8A02E96D524F33C155DB934 4DF856122B924EC0E5CA53F1DCE0C95F1FEC1E315E552619DCB5E3963DCAD47A41FF301BAEA33743FADD2E636A0A1D52
matched client_random
ssl_generate_pre_master_secret: found SSL_HND_CLIENT_KEY_EXCHG, state 17
ssl_restore_master_key can't find pre-master secret by Unencrypted pre-master secret
ssl_restore_master_key can't find pre-master secret by Encrypted pre-master secret
dissect_ssl3_handshake can't generate pre master secret
record: offset = 267, reported_length_remaining = 75
dissect_ssl3_record: content_type 20 Change Cipher Spec
decrypt_ssl3_record: app_data len 1, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
trying to use SSL keylog in C:\Users\ebinshe\sslkeylogfile.log
ssl_load_keyfile file got deleted, trying to re-open
checking keylog line: # SSL/TLS secrets log file, generated by NSS
unrecognized line
checking keylog line: CLIENT_RANDOM DCD58E1764FDC7A5EA5BC169ED4C96C0D6661120F8A02E96D524F33C155DB934 4DF856122B924EC0E5CA53F1DCE0C95F1FEC1E315E552619DCB5E3963DCAD47A41FF301BAEA33743FADD2E636A0A1D52
matched client_random
ssl_finalize_decryption state = 0x17
ssl_restore_master_key can't restore master secret using an empty Session ID
ssl_restore_master_key can't find master secret by Client Random
Cannot find master secret
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT
record: offset = 273, reported_length_remaining = 69
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 64, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 103 offset 278 length 7643659 bytes, remaining 342
dissect_ssl enter frame #470 (first time)
packet_from_server: is from server - TRUE
conversation = 000000000836D550, ssl_session = 000000000836DF80
record: offset = 0, reported_length_remaining = 250
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 170, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 4 offset 5 length 166 bytes, remaining 175
Calculating hash with offset 5 170
ssl_save_master_key not saving empty (pre-)master secret for Session Ticket!
record: offset = 175, reported_length_remaining = 75
dissect_ssl3_record: content_type 20 Change Cipher Spec
decrypt_ssl3_record: app_data len 1, ssl state 0x417
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
ssl_dissect_change_cipher_spec Not using Session resumption
trying to use SSL keylog in C:\Users\ebinshe\sslkeylogfile.log
ssl_load_keyfile file got deleted, trying to re-open
checking keylog line: # SSL/TLS secrets log file, generated by NSS
unrecognized line
checking keylog line: CLIENT_RANDOM DCD58E1764FDC7A5EA5BC169ED4C96C0D6661120F8A02E96D524F33C155DB934 4DF856122B924EC0E5CA53F1DCE0C95F1FEC1E315E552619DCB5E3963DCAD47A41FF301BAEA33743FADD2E636A0A1D52
matched client_random
ssl_finalize_decryption state = 0x417
ssl_restore_master_key can't restore master secret using an empty Session ID
ssl_restore_master_key can't find master secret by Client Random
Cannot find master secret
packet_from_server: is from server - TRUE
ssl_change_cipher SERVER
record: offset = 181, reported_length_remaining = 69
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 64, ssl state 0x417
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 83 offset 186 length 7227761 bytes, remaining 250
dissect_ssl enter frame #472 (first time)
packet_from_server: is from server - FALSE
conversation = 000000000836D550, ssl_session = 000000000836DF80
record: offset = 0, reported_length_remaining = 85
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 80, ssl state 0x417
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl enter frame #474 (first time)
packet_from_server: is from server - TRUE
conversation = 000000000836D550, ssl_session = 000000000836DF80
record: offset = 0, reported_length_remaining = 117
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 112, ssl state 0x417
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl enter frame #478 (first time)
packet_from_server: is from server - FALSE
conversation = 000000000836D550, ssl_session = 000000000836DF80
record: offset = 0, reported_length_remaining = 53
dissect_ssl3_record: content_type 21 Alert
decrypt_ssl3_record: app_data len 48, ssl state 0x417
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl enter frame #463 (already visited)
packet_from_server: is from server - FALSE
conversation = 000000000836D550, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 100
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 91 bytes, remaining 100
dissect_ssl enter frame #465 (already visited)
packet_from_server: is from server - TRUE
conversation = 000000000836D550, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 1460
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 54 bytes, remaining 63
record: offset = 63, reported_length_remaining = 1397
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 11 offset 68 length 773 bytes, remaining 845
record: offset = 845, reported_length_remaining = 615
need_desegmentation: offset = 845, reported_length_remaining = 615
dissect_ssl enter frame #466 (already visited)
packet_from_server: is from server - TRUE
conversation = 000000000836D550, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 786
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 12 offset 5 length 777 bytes, remaining 786
dissect_ssl enter frame #466 (already visited)
packet_from_server: is from server - TRUE
conversation = 000000000836D550, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 9
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 14 offset 5 length 0 bytes, remaining 9
dissect_ssl enter frame #468 (already visited)
packet_from_server: is from server - FALSE
conversation = 000000000836D550, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 342
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 258 bytes, remaining 267
record: offset = 267, reported_length_remaining = 75
dissect_ssl3_record: content_type 20 Change Cipher Spec
record: offset = 273, reported_length_remaining = 69
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 103 offset 278 length 7643659 bytes, remaining 342
dissect_ssl enter frame #470 (already visited)
packet_from_server: is from server - TRUE
conversation = 000000000836D550, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 250
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 4 offset 5 length 166 bytes, remaining 175
record: offset = 175, reported_length_remaining = 75
dissect_ssl3_record: content_type 20 Change Cipher Spec
record: offset = 181, reported_length_remaining = 69
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 83 offset 186 length 7227761 bytes, remaining 250
dissect_ssl enter frame #472 (already visited)
packet_from_server: is from server - FALSE
conversation = 000000000836D550, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 85
dissect_ssl3_record: content_type 23 Application Data
dissect_ssl enter frame #474 (already visited)
packet_from_server: is from server - TRUE
conversation = 000000000836D550, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 117
dissect_ssl3_record: content_type 23 Application Data
dissect_ssl enter frame #478 (already visited)
packet_from_server: is from server - FALSE
conversation = 000000000836D550, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 53
dissect_ssl3_record: content_type 21 Alert
dissect_ssl enter frame #463 (already visited)
packet_from_server: is from server - FALSE
conversation = 000000000836D550, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 100
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 91 bytes, remaining 100
dissect_ssl enter frame #465 (already visited)
packet_from_server: is from server - TRUE
conversation = 000000000836D550, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 1460
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 54 bytes, remaining 63
record: offset = 63, reported_length_remaining = 1397
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 11 offset 68 length 773 bytes, remaining 845
record: offset = 845, reported_length_remaining = 615
need_desegmentation: offset = 845, reported_length_remaining = 615
dissect_ssl enter frame #466 (already visited)
packet_from_server: is from server - TRUE
conversation = 000000000836D550, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 786
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 12 offset 5 length 777 bytes, remaining 786
dissect_ssl enter frame #466 (already visited)
packet_from_server: is from server - TRUE
conversation = 000000000836D550, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 9
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 14 offset 5 length 0 bytes, remaining 9
dissect_ssl enter frame #468 (already visited)
packet_from_server: is from server - FALSE
conversation = 000000000836D550, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 342
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 258 bytes, remaining 267
record: offset = 267, reported_length_remaining = 75
dissect_ssl3_record: content_type 20 Change Cipher Spec
record: offset = 273, reported_length_remaining = 69
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 103 offset 278 length 7643659 bytes, remaining 342
dissect_ssl enter frame #470 (already visited)
packet_from_server: is from server - TRUE
conversation = 000000000836D550, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 250
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 4 offset 5 length 166 bytes, remaining 175
record: offset = 175, reported_length_remaining = 75
dissect_ssl3_record: content_type 20 Change Cipher Spec
record: offset = 181, reported_length_remaining = 69
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 83 offset 186 length 7227761 bytes, remaining 250
dissect_ssl enter frame #472 (already visited)
packet_from_server: is from server - FALSE
conversation = 000000000836D550, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 85
dissect_ssl3_record: content_type 23 Application Data
dissect_ssl enter frame #474 (already visited)
packet_from_server: is from server - TRUE
conversation = 000000000836D550, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 117
dissect_ssl3_record: content_type 23 Application Data
dissect_ssl enter frame #478 (already visited)
packet_from_server: is from server - FALSE
conversation = 000000000836D550, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 53
dissect_ssl3_record: content_type 21 Alert
dissect_ssl enter frame #463 (already visited)
packet_from_server: is from server - FALSE
conversation = 000000000836D550, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 100
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 91 bytes, remaining 100
dissect_ssl enter frame #463 (already visited)
packet_from_server: is from server - FALSE
conversation = 000000000836D550, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 100
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 91 bytes, remaining 100
dissect_ssl enter frame #465 (already visited)
packet_from_server: is from server - TRUE
conversation = 000000000836D550, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 1460
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 54 bytes, remaining 63
record: offset = 63, reported_length_remaining = 1397
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 11 offset 68 length 773 bytes, remaining 845
record: offset = 845, reported_length_remaining = 615
need_desegmentation: offset = 845, reported_length_remaining = 615
dissect_ssl enter frame #466 (already visited)
packet_from_server: is from server - TRUE
conversation = 000000000836D550, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 786
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 12 offset 5 length 777 bytes, remaining 786
dissect_ssl enter frame #466 (already visited)
packet_from_server: is from server - TRUE
conversation = 000000000836D550, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 9
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 14 offset 5 length 0 bytes, remaining 9
dissect_ssl enter frame #468 (already visited)
packet_from_server: is from server - FALSE
conversation = 000000000836D550, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 342
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 258 bytes, remaining 267
record: offset = 267, reported_length_remaining = 75
dissect_ssl3_record: content_type 20 Change Cipher Spec
record: offset = 273, reported_length_remaining = 69
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 103 offset 278 length 7643659 bytes, remaining 342
dissect_ssl enter frame #470 (already visited)
packet_from_server: is from server - TRUE
conversation = 000000000836D550, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 250
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 4 offset 5 length 166 bytes, remaining 175
record: offset = 175, reported_length_remaining = 75
dissect_ssl3_record: content_type 20 Change Cipher Spec
record: offset = 181, reported_length_remaining = 69
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 83 offset 186 length 7227761 bytes, remaining 250
dissect_ssl enter frame #472 (already visited)
packet_from_server: is from server - FALSE
conversation = 000000000836D550, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 85
dissect_ssl3_record: content_type 23 Application Data
dissect_ssl enter frame #474 (already visited)
packet_from_server: is from server - TRUE
conversation = 000000000836D550, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 117
dissect_ssl3_record: content_type 23 Application Data
dissect_ssl enter frame #478 (already visited)
packet_from_server: is from server - FALSE
conversation = 000000000836D550, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 53
dissect_ssl3_record: content_type 21 Alert
dissect_ssl enter frame #474 (already visited)
packet_from_server: is from server - TRUE
conversation = 000000000836D550, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 117
dissect_ssl3_record: content_type 23 Application Data
ok, i found the clue myself. even the most current openssl version, i.e. 1.1.0f has not supported key log. simply take Session-ID and Master-Key from the log doesn't work. the new option -keylogfile will be supported most probably in the next version of openssl. see the following for more details.
c:\Program Files (x86)\OpenSSL-Win32\bin
λ .\openssl.exe version -a
OpenSSL 1.1.0f 25 May 2017
built on: reproducible build, date unspecified
platform:
compiler: cl " "VC-WIN32
OPENSSLDIR: "C:\Program Files (x86)\Common Files\SSL"
ENGINESDIR: "C:\Program Files (x86)\OpenSSL\lib\engines-1_1"
c:\Program Files (x86)\OpenSSL-Win32\bin
λ which openssl
c:\Program Files (x86)\OpenSSL-Win32\bin
λ "c:\Program Files (x86)\OpenSSL-Win32\bin\openssl.exe" s_client -crlf -connect localhost:4433 -keylogfile c:\Users\ebinshe\keylogfile.log
s_client: Option unknown option -keylogfile
s_client: Use -help for summary.
c:\Program Files (x86)\OpenSSL-Win32\bin
I am using http://webmoli.com/2009/08/29/single-sign-on-in-java-platform/
for SSO in java.
I have KDC Windows server 2008, in that i have created spn by using setspn command for testsso user. And using testsso#MYDOMAIN.COM as principal in jaas.con.
I have Tomcat server in Windows 7 machine(within AD). In this i have created one servlet as of jsp(from webmoli itself).
I sending browser request for that servlet from 3rd machine Windows XP(within AD).
But i get checksum failed error. Stacktrace as follws-
Auth is :: Negotiate Token is YIIE9wYGKwYBBQUCoIIE6zCCBOegJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBL0EggS5YIIEtQYJKoZIhvcSAQICAQBuggSkMIIEoKADAgEFoQMCAQ6iBwMFACAAAACjggPQYYIDzDCCA8igAwIBBaEKGwhDT1JFLkNPTaIkMCKgAwIBAqEbMBkbBEhUVFAbEXBjdml0YTI1LmNvcmUuY29to4IDjTCCA4mgAwIBF6EDAgEBooIDewSCA3coGnD2eNCklPBiuNkZE1ssoVPb1coS8Y1or/y8t3HEk9ME623bckx2+d2IG2tCeDylhxFz6Dy4edE9UP952TZj97YotDeME3ILm45vsN4lOzpXVOfPhVlN+KXXtdXMmKo5kLvuJNxIcT8ZbGFwo9CWcB5eYz9qTYFcE7ACogwPiydd4ibtEY4T9Zg98Pd9JGtBeG5Bxi7fYdKXKPt8X9Nb9/UeSkSDV/hDsQh/cSSPgrg9f/qiy35MvMwk930TJHxaauw7cdmBwQo9Ru66ooGxsDgyIHQXQB6GEXAh7lAvKirSRzw43Wg5Gm3S9EZA3SFd38ICf0bOT62imToOHEmO4cBtFTAbYc4v2AoH0H9ZHrtpv1ItK5EUrMduuHvvsXzuYKfgrf45Wrj7Mc6fIXij5eCmsgPxKaBYlbpMDClwdeSh0zCBkXBmbtrS5fPQwQyBjzTFMimOVQ7yLRQtoPOfGsOn0o+S1qc3SLd5q9Z7IFEafsaYwFES2b6iIYqjY6q8VGgp2mzqZAmdKk4ILeZwfHKHs59KhPaG7FC/YAMtG3TB6VH2uLmUx9dzLb+tCsx5qEETt0hKnO9oTfhgHTUb0O/QMp0eBp3lcQWKGFNvIjXZL25ugJKQW+I0kigXhuDq5gN8coH7ij51FAEfZ35A2YbddEGYzGLzQZFXn951Lkw3HlyQxMo1Qka1NDaMkTkTtECHIhW3qArucCNkXCg8N59OXduXI8z/wM0YYcBubaEMuyCxf5GmmhlxjhQ1bOvuu0CGyJk5tVqf8SOEDarN+kzle9jGNZFJetEgxKXBHbsClu+ektux5lWAwEIXboLhTLQv+h46HRru8xkgtxucCmOZYt0LCR30aD1s//U0w34T40n3fMlIEkrheJQ2bs/CigFQeUZyKMJ/oPPGwO1oleQ0q4+d8SjJL9kQzueHCOGz+/0m3LcsoInUXNaCYoF5lHaMV+qVZRJvdfVhCeHKL9uXLRKsjPHMJdOQTqNYoyAxOJ/N16UnJOsIu1feRK0ipzO9VNPuJI5ulcZqzOS+44i9BhYV6QY1oXZ3xVYLIOsQoZIVYOudfn68A+yO+LNsNsRRuXV+ZNWKW6C+SvRuIhqZcBBAS8AfVmzbxxqwpsgv4Z8un+W7t8tus+rqoy8RqjmeQ+8P3APGG20b1gah4BipAvZKhaSBtjCBs6ADAgEXooGrBIGoQ15WbDD8EQZKsUVM1rJuR5lu3EMiS5itx9pDddgBALaSrf+75w9/XfgyuXnzfXdmZgvZ9nE+AINPfmyY14yp2+tys5LsgOOncfvCaXEjR4Xr07E4JQWhTOT8ecsCLNObggVpxNGCfwxN7YlvHwBVaxPAbrOTrWAbIdfMe042ThBWWRLew048z5Il1iLxemJ10IyLsn3vakdnnz57uzM4PvaOLu57Bfic
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23 1 3.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=192.168.10.84 UDP:88, timeout=30000, number of retries =3, #bytes=151
>>> KDCCommunication: kdc=192.168.10.84 UDP:88, timeout=30000,Attempt =1, #bytes=151
>>> KrbKdcReq send: #bytes read=245
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 17, salt = MYDOMAIN.COMHTTPMYDOMAIN.com, s2kparams = null
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
PA-ETYPE-INFO2 etype = 3, salt = MYDOMAIN.COMHTTPMYDOMAIN.com, s2kparams = null
PA-ETYPE-INFO2 etype = 1, salt = MYDOMAIN.COMHTTPMYDOMAIN.com, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
>>> KdcAccessibility: remove 192.168.10.84
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Wed May 28 17:39:33 IST 2014 1401278973000
suSec is 896308
error code is 25
error Message is Additional pre-authentication required
realm is MYDOMAIN.COM
sname is krbtgt/MYDOMAIN.COM
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 17, salt = MYDOMAIN.COMHTTPMYDOMAIN.com, s2kparams = null
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
PA-ETYPE-INFO2 etype = 3, salt = MYDOMAIN.COMHTTPMYDOMAIN.com, s2kparams = null
PA-ETYPE-INFO2 etype = 1, salt = MYDOMAIN.COMHTTPMYDOMAIN.com, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23 1 3.
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23 1 3.
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=192.168.10.84 UDP:88, timeout=30000, number of retries =3, #bytes=233
>>> KDCCommunication: kdc=192.168.10.84 UDP:88, timeout=30000,Attempt =1, #bytes=233
>>> KrbKdcReq send: #bytes read=1404
>>> KdcAccessibility: remove 192.168.10.84
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply testsso
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23 1 3.
Found KerberosKey for testsso#MYDOMAIN.COM
Found KerberosKey for testsso#MYDOMAIN.COM
Found KerberosKey for testsso#MYDOMAIN.COM
Found KerberosKey for testsso#MYDOMAIN.COM
Found KerberosKey for testsso#MYDOMAIN.COM
Entered Krb5Context.acceptSecContext with state=STATE_NEW
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source)
at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
at one.TEST$2.run(TEST.java:357)
at one.TEST$2.run(TEST.java:1)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Unknown Source)
at one.TEST.acceptSecurityContext(TEST.java:279)
at one.TEST.authenticate(TEST.java:146)
at one.TEST.doGet(TEST.java:103)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:462)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:562)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:395)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:250)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:188)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:302)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: KrbException: Checksum failed
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(Unknown Source)
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(Unknown Source)
at sun.security.krb5.EncryptedData.decrypt(Unknown Source)
at sun.security.krb5.KrbApReq.authenticate(Unknown Source)
at sun.security.krb5.KrbApReq.<init>(Unknown Source)
at sun.security.jgss.krb5.InitSecContextToken.<init>(Unknown Source)
... 32 more
Caused by: java.security.GeneralSecurityException: Checksum failed
at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(Unknown Source)
at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(Unknown Source)
... 38 more
Please help me...
If I remember correctly this error is thrown when the service ticket is decrypted with a different key as it had been encrypted.
ktpass /out c:\tomcat.keytab /mapuser tc01#DEV.LOCAL
/princ HTTP/win-tc01.dev.local#DEV.LOCAL
/pass tc01pass /kvno 0
as described at http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html is only correct if you have a virgin account 'tc01'... AD will automatically increment key version number stored within AD when 'ktpass' is used consecutively.
Using plain java client i'm trying to connect to other webserver, It works on standlone but when i deploy on weblogic and try to connect it give below error.
Server :weblogic 10.3
Full stack trace of SSL: with below stactrace it easily sounds that handshake is happening but again its trying to connect and failing .please suggest me where i'm doing wrong.
code snippet i'm using :
FileInputStream fisjks = null;
FileInputStream fisTrusted = null;
String keyStoreType = "jks";
String passphrase = "password";
String passphraseTrusted = "password";
KeyStore ks = KeyStore.getInstance(keyStoreType);
fisjks = new FileInputStream("C:/CFC/Certs/client.jks");
ks.load(fisjks, passphrase.toCharArray());
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(ks, passphrase.toCharArray());
KeyStore ks1 = KeyStore.getInstance(keyStoreType);
fisTrusted = new FileInputStream("C:/CFC/Certs/clientTruststore.jks");
ks1.load(fisTrusted, passphraseTrusted.toCharArray());
TrustManagerFactory tmf = TrustManagerFactory
.getInstance("PKIX");
tmf.init(ks1);
SSLContext sslc = SSLContext.getInstance("SSLv3");
sslc.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
HttpsTransportInfo https = new HttpsTransportInfo();
https.setKeyManagers(kmf.getKeyManagers());
https.setTrustManagers(tmf.getTrustManagers());
error stack trace:
found key for : 1 chain [0] = [ [ Version: V3 Subject:
EMAILADDRESS=ravi-kumar.gullapalli#db.com, CN=dbsinlt3767, OU=deutsche
bank, O=deutsche bank, L=sg, ST=sg, C=sg Signature Algorithm:
SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits modulus:
144592527724012074845004082487794424487354455673579096476940872358533141438065735825819894128056692571922940458543755331194643176374687100664359963995916933269788855991350833527371185749001888440965012790605437863243747901365797345245355690011955852557580366177837112034836139958497356357064447873318654927713
public exponent: 65537 Validity: [From: Sun Mar 13 17:23:02 SGT
2011,
To: Wed Mar 07 17:23:02 SGT 2012] Issuer: EMAILADDRESS=ravi-kumar.gullapalli#db.com, CN=dbsinws3283, OU=deutsche
bank, O=deutsche bank, L=sg, ST=sg, C=sg SerialNumber: [ 1001]
Certificate Extensions: 4 [1]: ObjectId: 2.16.840.1.113730.1.13
Criticality=false Extension unknown: DER encoded OCTET string = 0000:
04 1F 16 1D 4F 70 65 6E 53 53 4C 20 47 65 6E 65 ....OpenSSL Gene
0010: 72 61 74 65 64 20 43 65 72 74 69 66 69 63 61 74 rated
Certificat 0020: 65 e
[2]: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [
KeyIdentifier [ 0000: 75 87 47 BE 09 C0 D9 C7 4F FB 5F 57 1D F7 77
99 u.G.....O._W..w. 0010: CF 12 FB DB
.... ] ]
[3]: ObjectId: 2.5.29.35 Criticality=false AuthorityKeyIdentifier [
KeyIdentifier [ 0000: 96 83 10 39 C4 C0 8F 54 5E 0F 85 A0 9C D4 85
71 ...9...T^......q 0010: FC 55 39 9A
.U9. ]
]
* main, SEND TLSv1 ALERT: fatal, description = certificate_unknown main, WRITE: TLSv1 Alert, length = 2 [Raw write]: length = 7 0000: 15
03 01 00 02 02 2E ....... main, called
closeSocket() main, handling exception:
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: No trusted certificate
found at
weblogic.wsee.jaxrpc.ServiceImpl.throwServiceException(ServiceImpl.java:174)
at
weblogic.wsee.jaxrpc.ServiceImpl.loadWsdlDefinition(ServiceImpl.java:485)
at weblogic.wsee.jaxrpc.ServiceImpl.(ServiceImpl.java:119) at
com.db.luup.InvoiceAgentService_Impl.(Unknown Source) at
com.db.mobile.test.LuupMobileClientTest1.main(LuupMobileClientTest1.java:78)
Caused by: weblogic.wsee.wsdl.WsdlException: Failed to read wsdl file
from url due to -- javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: No trusted certificate
found at
weblogic.wsee.wsdl.WsdlReader.getDocument(WsdlReader.java:313) at
weblogic.wsee.wsdl.WsdlReader.getDocument(WsdlReader.java:305) at
weblogic.wsee.wsdl.WsdlSchema.parse(WsdlSchema.java:136) at
weblogic.wsee.wsdl.WsdlSchemaImport.parse(WsdlSchemaImport.java:99)
at weblogic.wsee.wsdl.WsdlSchema.parse(WsdlSchema.java:116) at
weblogic.wsee.wsdl.WsdlSchema.parse(WsdlSchema.java:73) at
weblogic.wsee.wsdl.WsdlTypes.parse(WsdlTypes.java:165) at
weblogic.wsee.wsdl.WsdlDefinitions.parseChild(WsdlDefinitions.java:520)
at weblogic.wsee.wsdl.WsdlExtensible.parse(WsdlExtensible.java:98)
at weblogic.wsee.wsdl.WsdlDefinitions.parse(WsdlDefinitions.java:468)
at weblogic.wsee.wsdl.WsdlDefinitions.parse(WsdlDefinitions.java:403)
at weblogic.wsee.wsdl.WsdlDefinitions.parse(WsdlDefinitions.java:389)
at weblogic.wsee.wsdl.WsdlFactory.parse(WsdlFactory.java:79) at
weblogic.wsee.wsdl.WsdlFactory.parse(WsdlFactory.java:66) at
weblogic.wsee.jaxrpc.ServiceImpl.loadWsdlDefinition(ServiceImpl.java:476)
... 3 more Caused by: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: No trusted certificate
found at
com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
at
com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
at
com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
at
com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
at
com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
at
com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
at
com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
at
sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
at
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
at
sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1049)
at
sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
at
weblogic.wsee.util.is.InputSourceUtil.loadURL(InputSourceUtil.java:100)
at
weblogic.wsee.util.dom.DOMParser.getWebLogicDocumentImpl(DOMParser.java:118)
at weblogic.wsee.util.dom.DOMParser.getDocument(DOMParser.java:65)
at weblogic.wsee.wsdl.WsdlReader.getDocument(WsdlReader.java:311)
... 17 more Caused by: sun.security.validator.ValidatorException: No
trusted certificate found at
sun.security.validator.SimpleValidator.buildTrustedChain(SimpleValidator.java:330)
at
sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:110)
at sun.security.validator.Validator.validate(Validator.java:218) at
com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
at
com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
at
com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
at
com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1014)
... 32 more
The server didn't trust the client certificate, or vice versa.
If the error stack is from the client application, then the file C:/CFC/Certs/clientTruststore.jks must have the CA certificate for the server certifcate's Issuer.
"No trusted certificate found". The client cannot verify the server's certificate since a matching CA certificate is not found in the truststore.