StartTls, ApacheDS Problem - ldap

I have been struggling to get StartTls to work for my LDAP server. I have configured a keystore and password in a Spring context file. My configuration seems to work for SSL, but StartTls is causing goosebumps. I have added StartTlsHandler as an ExtendedOperationHandler in the wrapper of my LDAP server. Do I need to configure anything else as well?
I am using JDK 1.6.0_15.
Keystore and password are hard coded at the moment; they seem OK when I use SSL or debug.
I am using the JLdap client to test my implementation.
Here is the code snippet I have added for the handler:
ldapServer.setKeystoreFile("C:/jdk/dgekey.ks");
ldapServer.setCertificatePassword("secret");
ldapServer.addExtendedOperationHandler(new StartTlsHandler());
Below you can see the stack trace on the server side; the client trace is further down:
2011-05-10 12:51:29,345 [rThread-4861-21] DEBUG [org.apache.directory.server.ldap.handlers.extended.StartTlsHandler] Setting LDAP Service
2011-05-10 12:51:29,345 [rThread-4861-21] DEBUG [org.apache.directory.server.ldap.handlers.extended.StartTlsHandler] provider = SUN version 1.6
2011-05-10 12:58:31,029 [rThread-4861-21] ERROR [org.apache.directory.server.core.security.CoreKeyStoreSpi] ERR_68 Failed on attempt to extract key.
java.lang.IllegalStateException: ERR_436 Names used for principals must be normalized!
at org.apache.directory.server.core.LdapPrincipal.<init>(LdapPrincipal.java:76)
at org.apache.directory.server.core.security.CoreKeyStoreSpi.getTlsEntry(CoreKeyStoreSpi.java:84)
at org.apache.directory.server.core.security.CoreKeyStoreSpi.engineGetKey(CoreKeyStoreSpi.java:231)
at java.security.KeyStore.getKey(KeyStore.java:763)
at com.sun.net.ssl.internal.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:113)
at com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:48)
at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:239)
at org.apache.directory.server.ldap.handlers.extended.StartTlsHandler.setLdapServer(StartTlsHandler.java:170)
at org.apache.directory.server.ldap.LdapServer.startNetwork(LdapServer.java:542)
at org.apache.directory.server.ldap.LdapServer.start(LdapServer.java:446)
at com..ldap.apacheds.LdapServerWrapper.afterPropertiesSet(LdapServerWrapper.java:103)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1469)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1409)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:519)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456)
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:291)
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:288)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:190)
at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:574)
at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:895)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:425)
at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:276)
at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:197)
at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:47)
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4655)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:5364)
at com.sun.enterprise.web.WebModule.start(WebModule.java:345)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:986)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:970)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:704)
at com.sun.enterprise.web.WebContainer.loadWebModule(WebContainer.java:1649)
at com.sun.enterprise.web.WebContainer.loadWebModule(WebContainer.java:1254)
at com.sun.enterprise.server.WebModuleDeployEventListener.moduleDeployed(WebModuleDeployEventListener.java:182)
at com.sun.enterprise.server.WebModuleDeployEventListener.moduleDeployed(WebModuleDeployEventListener.java:278)
at com.sun.enterprise.admin.event.AdminEventMulticaster.invokeModuleDeployEventListener(AdminEventMulticaster.java:1005)
at com.sun.enterprise.admin.event.AdminEventMulticaster.handleModuleDeployEvent(AdminEventMulticaster.java:992)
at com.sun.enterprise.admin.event.AdminEventMulticaster.processEvent(AdminEventMulticaster.java:470)
at com.sun.enterprise.admin.event.AdminEventMulticaster.multicastEvent(AdminEventMulticaster.java:182)
at com.sun.enterprise.admin.server.core.DeploymentNotificationHelper.multicastEvent(DeploymentNotificationHelper.java:308)
at com.sun.enterprise.deployment.phasing.DeploymentServiceUtils.multicastEvent(DeploymentServiceUtils.java:231)
at com.sun.enterprise.deployment.phasing.ServerDeploymentTarget.sendStartEvent(ServerDeploymentTarget.java:298)
at com.sun.enterprise.deployment.phasing.ApplicationStartPhase.runPhase(ApplicationStartPhase.java:132)
at com.sun.enterprise.deployment.phasing.DeploymentPhase.executePhase(DeploymentPhase.java:108)
at com.sun.enterprise.deployment.phasing.PEDeploymentService.executePhases(PEDeploymentService.java:966)
at com.sun.enterprise.deployment.phasing.PEDeploymentService.start(PEDeploymentService.java:609)
at com.sun.enterprise.deployment.phasing.PEDeploymentService.start(PEDeploymentService.java:653)
at com.sun.enterprise.admin.mbeans.ApplicationsConfigMBean.start(ApplicationsConfigMBean.java:773)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.sun.enterprise.admin.MBeanHelper.invokeOperationInBean(MBeanHelper.java:390)
at com.sun.enterprise.admin.MBeanHelper.invokeOperationInBean(MBeanHelper.java:373)
at com.sun.enterprise.admin.config.BaseConfigMBean.invoke(BaseConfigMBean.java:477)
at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:836)
at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:761)
at sun.reflect.GeneratedMethodAccessor15.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.sun.enterprise.admin.util.proxy.ProxyClass.invoke(ProxyClass.java:90)
at $Proxy1.invoke(Unknown Source)
at com.sun.enterprise.admin.server.core.jmx.SunoneInterceptor.invoke(SunoneInterceptor.java:304)
at com.sun.enterprise.interceptor.DynamicInterceptor.invoke(DynamicInterceptor.java:170)
at com.sun.enterprise.admin.jmx.remote.server.callers.InvokeCaller.call(InvokeCaller.java:69)
at com.sun.enterprise.admin.jmx.remote.server.MBeanServerRequestHandler.handle(MBeanServerRequestHandler.java:155)
at com.sun.enterprise.admin.jmx.remote.server.servlet.RemoteJmxConnectorServlet.processRequest(RemoteJmxConnectorServlet.java:122)
at com.sun.enterprise.admin.jmx.remote.server.servlet.RemoteJmxConnectorServlet.doPost(RemoteJmxConnectorServlet.java:193)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:754)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
at org.apache.catalina.core.ApplicationFilterChain.servletService(ApplicationFilterChain.java:427)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:315)
at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:287)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:218)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:648)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:593)
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:94)
at com.sun.enterprise.web.PESessionLockingStandardPipeline.invoke(PESessionLockingStandardPipeline.java:98)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:222)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:648)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:593)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:587)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1093)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:166)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:648)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:593)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:587)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1093)
at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:291)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:666)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.doProcess(DefaultProcessorTask.java:597)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.process(DefaultProcessorTask.java:872)
at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.executeProcessorTask(DefaultReadTask.java:341)
at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:263)
at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:214)
at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:264)
at com.sun.enterprise.web.connector.grizzly.WorkerThreadImpl.run(WorkerThreadImpl.java:117)
Client trace via javax.net.debug=all:
keyStore is : C:/jdk/cacerts
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
trustStore is: C:\jdk\cacerts
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
Subject: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
Issuer: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
Algorithm: RSA; Serial number: 0x4eb200670c035d4f
Valid from Wed Oct 25 10:36:00 CEST 2006 until Sat Oct 25 10:36:00 CEST 2036
trigger seeding of SecureRandom
done seeding SecureRandom
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1288255192 bytes = { 100, 146, 27, 29, 47, 10, 97, 247, 253, 145, 49, 147, 239, 157, 90, 4, 34, 15, 99, 243, 191, 156, 251, 25, 64, 42, 210, 231 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods: { 0 }
[write] MD5 and SHA1 hashes: len = 73
main, WRITE: TLSv1 Handshake, length = 73
[write] MD5 and SHA1 hashes: len = 98
main, WRITE: SSLv2 client hello message, length = 98
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1 ALERT: fatal, handshake_failure
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Error: LDAPException: Could not negotiate a secure connection (91) Connect Error
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

Currently the TlsHandler can only read the certificate from the uid=admin,ou=system entry. Can you try after setting your certificate and keys to the appropriate attribute values of the admin entry (uid=admin,ou=system)? I will try to fix this in the latest trunk. (I would appreciate it if you could file a bug report.)

Related

Local tomcat is not starting and not able to connect to Oracle RDS after updating RDS Server SSL to 1.2 from 1.0

Local Tomcat is not starting; it fails when trying to create the bean that connects to the Oracle DB. The error is java.sql.SQLRecoverableException: IO Error: Connection reset. The only change we made is that we used the ojdbc8.jar dependency in pom.xml; earlier it had ojdbc6.jar. I am running Tomcat on JDK 1.8:
library/java/javavirtualmachines/jdk1.8.0_162.jdk/Contents/home/jre/
We have imported rds-ca-2019-root.der into the cacerts file:
library/java/javavirtualmachines/jdk1.8.0_162.jdk/Contents/home/jre/lib/security/cacerts
This is happening after updating the SSL_VERSION to 1.2 on the Oracle 12.2.0.1 RDS server.
Here is the stack trace.
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'abcDB' defined in class path resource [applicationContext.xml]: Invocation of init method failed; nested exception is javax.naming.NamingException: Unexpected exception resolving reference [Root exception is java.sql.SQLException: Cannot create PoolableConnectionFactory (IO Error: Connection reset)]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1455)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:519)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456)
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:294)
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:225)
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:291)
at org.springframework.beans.factory.support.AbstractBeanFactory.getTypeForFactoryBean(AbstractBeanFactory.java:1355)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.getTypeForFactoryBean(AbstractAutowireCapableBeanFactory.java:710)
at org.springframework.beans.factory.support.AbstractBeanFactory.isTypeMatch(AbstractBeanFactory.java:519)
at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeanNamesForType(DefaultListableBeanFactory.java:319)
at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeanNamesForType(DefaultListableBeanFactory.java:298)
at org.springframework.beans.factory.BeanFactoryUtils.beanNamesForTypeIncludingAncestors(BeanFactoryUtils.java:142)
at org.springframework.orm.jpa.EntityManagerFactoryUtils.findEntityManagerFactory(EntityManagerFactoryUtils.java:97)
at org.springframework.orm.jpa.support.PersistenceAnnotationBeanPostProcessor.findNamedEntityManagerFactory(PersistenceAnnotationBeanPostProcessor.java:511)
at org.springframework.orm.jpa.support.PersistenceAnnotationBeanPostProcessor.findEntityManagerFactory(PersistenceAnnotationBeanPostProcessor.java:493)
at org.springframework.orm.jpa.support.PersistenceAnnotationBeanPostProcessor$PersistenceElement.resolveEntityManager(PersistenceAnnotationBeanPostProcessor.java:657)
at org.springframework.orm.jpa.support.PersistenceAnnotationBeanPostProcessor$PersistenceElement.getResourceToInject(PersistenceAnnotationBeanPostProcessor.java:630)
at org.springframework.beans.factory.annotation.InjectionMetadata$InjectedElement.inject(InjectionMetadata.java:150)
at org.springframework.beans.factory.annotation.InjectionMetadata.inject(InjectionMetadata.java:87)
at org.springframework.orm.jpa.support.PersistenceAnnotationBeanPostProcessor.postProcessPropertyValues(PersistenceAnnotationBeanPostProcessor.java:339)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1106)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:517)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456)
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:294)
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:225)
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:291)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:193)
at org.springframework.beans.factory.support.DefaultListableBeanFactory.findAutowireCandidates(DefaultListableBeanFactory.java:848)
at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:790)
at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:707)
at org.glassfish.jersey.server.spring.AutowiredInjectResolver.getBeanFromSpringContext(AutowiredInjectResolver.java:104)
at org.glassfish.jersey.server.spring.AutowiredInjectResolver.resolve(AutowiredInjectResolver.java:96)
at org.jvnet.hk2.internal.ClazzCreator.resolve(ClazzCreator.java:211)
at org.jvnet.hk2.internal.ClazzCreator.resolveAllDependencies(ClazzCreator.java:234)
at org.jvnet.hk2.internal.ClazzCreator.create(ClazzCreator.java:357)
at org.jvnet.hk2.internal.SystemDescriptor.create(SystemDescriptor.java:471)
at org.jvnet.hk2.internal.SingletonContext$1.compute(SingletonContext.java:83)
at org.jvnet.hk2.internal.SingletonContext$1.compute(SingletonContext.java:71)
at org.glassfish.hk2.utilities.cache.Cache$OriginThreadAwareFuture$1.call(Cache.java:97)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at org.glassfish.hk2.utilities.cache.Cache$OriginThreadAwareFuture.run(Cache.java:154)
at org.glassfish.hk2.utilities.cache.Cache.compute(Cache.java:199)
at org.jvnet.hk2.internal.SingletonContext.findOrCreate(SingletonContext.java:122)
at org.jvnet.hk2.internal.Utilities.createService(Utilities.java:2022)
at org.jvnet.hk2.internal.ServiceHandleImpl.getService(ServiceHandleImpl.java:114)
at org.jvnet.hk2.internal.ServiceHandleImpl.getService(ServiceHandleImpl.java:88)
at org.glassfish.jersey.internal.inject.Providers.getAllRankedProviders(Providers.java:247)
at org.glassfish.jersey.server.ApplicationHandler.getProcessingProviders(ApplicationHandler.java:772)
at org.glassfish.jersey.server.ApplicationHandler.initialize(ApplicationHandler.java:537)
at org.glassfish.jersey.server.ApplicationHandler.access$500(ApplicationHandler.java:184)
at org.glassfish.jersey.server.ApplicationHandler$3.call(ApplicationHandler.java:350)
at org.glassfish.jersey.server.ApplicationHandler$3.call(ApplicationHandler.java:347)
at org.glassfish.jersey.internal.Errors.process(Errors.java:315)
at org.glassfish.jersey.internal.Errors.process(Errors.java:297)
at org.glassfish.jersey.internal.Errors.processWithException(Errors.java:255)
at org.glassfish.jersey.server.ApplicationHandler.<init>(ApplicationHandler.java:347)
at org.glassfish.jersey.servlet.WebComponent.<init>(WebComponent.java:392)
at org.glassfish.jersey.servlet.ServletContainer.init(ServletContainer.java:177)
at org.glassfish.jersey.servlet.ServletContainer.init(ServletContainer.java:369)
at javax.servlet.GenericServlet.init(GenericServlet.java:158)
at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1144)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1091)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:985)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4875)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5189)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1412)
at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1402)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.naming.NamingException: Unexpected exception resolving reference [Root exception is java.sql.SQLException: Cannot create PoolableConnectionFactory (IO Error: Connection reset)]
at org.apache.naming.NamingContext.lookup(NamingContext.java:856)
at org.apache.naming.NamingContext.lookup(NamingContext.java:159)
at org.apache.naming.NamingContext.lookup(NamingContext.java:827)
at org.apache.naming.NamingContext.lookup(NamingContext.java:173)
at org.apache.naming.factory.ResourceLinkFactory.getObjectInstance(ResourceLinkFactory.java:152)
at javax.naming.spi.NamingManager.getObjectInstance(NamingManager.java:321)
at org.apache.naming.NamingContext.lookup(NamingContext.java:839)
at org.apache.naming.NamingContext.lookup(NamingContext.java:159)
at org.apache.naming.NamingContext.lookup(NamingContext.java:827)
at org.apache.naming.NamingContext.lookup(NamingContext.java:159)
at org.apache.naming.NamingContext.lookup(NamingContext.java:827)
at org.apache.naming.NamingContext.lookup(NamingContext.java:159)
at org.apache.naming.NamingContext.lookup(NamingContext.java:827)
at org.apache.naming.NamingContext.lookup(NamingContext.java:173)
at org.apache.naming.SelectorContext.lookup(SelectorContext.java:163)
at javax.naming.InitialContext.lookup(InitialContext.java:417)
at org.springframework.jndi.JndiTemplate$1.doInContext(JndiTemplate.java:154)
at org.springframework.jndi.JndiTemplate.execute(JndiTemplate.java:87)
at org.springframework.jndi.JndiTemplate.lookup(JndiTemplate.java:152)
at org.springframework.jndi.JndiTemplate.lookup(JndiTemplate.java:178)
at org.springframework.jndi.JndiLocatorSupport.lookup(JndiLocatorSupport.java:95)
at org.springframework.jndi.JndiObjectLocator.lookup(JndiObjectLocator.java:105)
at org.springframework.jndi.JndiObjectFactoryBean.lookupWithFallback(JndiObjectFactoryBean.java:201)
at org.springframework.jndi.JndiObjectFactoryBean.afterPropertiesSet(JndiObjectFactoryBean.java:187)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1514)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1452)
... 71 more
Caused by: java.sql.SQLException: Cannot create PoolableConnectionFactory (IO Error: Connection reset)
at org.apache.tomcat.dbcp.dbcp2.BasicDataSource.createPoolableConnectionFactory(BasicDataSource.java:666)
at org.apache.tomcat.dbcp.dbcp2.BasicDataSource.createDataSource(BasicDataSource.java:544)
at org.apache.tomcat.dbcp.dbcp2.BasicDataSource.getLogWriter(BasicDataSource.java:1064)
at org.apache.tomcat.dbcp.dbcp2.BasicDataSourceFactory.createDataSource(BasicDataSourceFactory.java:568)
at org.apache.tomcat.dbcp.dbcp2.BasicDataSourceFactory.getObjectInstance(BasicDataSourceFactory.java:240)
at org.apache.naming.factory.FactoryBase.getObjectInstance(FactoryBase.java:96)
at javax.naming.spi.NamingManager.getObjectInstance(NamingManager.java:321)
at org.apache.naming.NamingContext.lookup(NamingContext.java:839)
... 96 more
Caused by: java.sql.SQLRecoverableException: IO Error: Connection reset
at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:467)
at oracle.jdbc.driver.PhysicalConnection.<init>(PhysicalConnection.java:546)
at oracle.jdbc.driver.T4CConnection.<init>(T4CConnection.java:236)
at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:32)
at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:521)
at org.apache.tomcat.dbcp.dbcp2.DriverConnectionFactory.createConnection(DriverConnectionFactory.java:55)
at org.apache.tomcat.dbcp.dbcp2.PoolableConnectionFactory.makeObject(PoolableConnectionFactory.java:357)
at org.apache.tomcat.dbcp.dbcp2.BasicDataSource.validateConnectionFactory(BasicDataSource.java:113)
at org.apache.tomcat.dbcp.dbcp2.BasicDataSource.createPoolableConnectionFactory(BasicDataSource.java:662)
... 103 more
Caused by: java.net.SocketException: Connection reset
at java.net.SocketInputStream.read(SocketInputStream.java:210)
at java.net.SocketInputStream.read(SocketInputStream.java:141)
at sun.security.ssl.InputRecord.readFully(InputRecord.java:465)
at sun.security.ssl.InputRecord.read(InputRecord.java:503)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:983)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:757)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
at oracle.net.ns.Packet.send(Packet.java:403)
at oracle.net.ns.ConnectPacket.send(ConnectPacket.java:198)
at oracle.net.ns.NSProtocol.connect(NSProtocol.java:293)
at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1102)
at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:320)
... 111 more
Here is a snippet from server.xml:
<Resource auth="Container"
driverClassName="oracle.jdbc.driver.OracleDriver" initialSize="10"
jdbcInterceptors="org.apache.tomcat.jdbc.pool.interceptor.ConnectionState;org.apache.tomcat.jdbc.pool.interceptor.StatementFinalizer;org.apache.tomcat.jdbc.pool.interceptor.SlowQueryReportJmx(threshold=10000)"
jmxEnabled="true" logAbandoned="true" maxActive="100" maxIdle="100"
maxWaitMillis="10000" minEvictableIdleTimeMillis="30000" minIdle="10"
name="jdbc/abcDB" password="abc"
removeAbandonedOnMaintenance="true" removeAbandonedTimeout="7200"
testOnBorrow="true" testOnReturn="false" testWhileIdle="true"
timeBetweenEvictionRunsMillis="5000" type="javax.sql.DataSource"
url="jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=abc-dev.abc.us-east-1.rds.amazonaws.com)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=abc)))"
username="abc" validationInterval="30000"
validationQuery="SELECT 1 FROM DUAL" />
When I added the debug flag -Djavax.net.debug=all, I see this in the logs:
RandomCookie: GMT: 1614618626 bytes = { 97, 87, 237, 119, 129, 190, 112, 175, 246, 122, 149, 31, 204, 213, 84, 167, 116, 247, 182, 155, 162, 201, 216, 93, 78, 217, 52, 146 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension extended_master_secret
Extension server_name, server_name: [type=host_name (0), value=abc-dev.abc.us-east-1.rds.amazonaws.com]
***
[write] MD5 and SHA1 hashes: len = 185
localhost-startStop-1, WRITE: TLSv1 Handshake, length = 185
[write] MD5 and SHA1 hashes: len = 122
localhost-startStop-1, WRITE: SSLv2 client hello message, length = 122
[Raw write]: length = 124
localhost-startStop-1, handling exception: java.net.SocketException: Connection reset
localhost-startStop-1, SEND TLSv1.2 ALERT: fatal, description = unexpected_message
localhost-startStop-1, WRITE: TLSv1.2 Alert, length = 2
localhost-startStop-1, Exception sending alert: java.net.SocketException: Broken pipe (Write failed)
localhost-startStop-1, called closeSocket()
localhost-startStop-1, called close()
localhost-startStop-1, called closeInternal(true)
Mar 01, 2021 12:10:26 PM org.apache.naming.NamingContext lookup
Mar 01, 2021 12:10:26 PM org.apache.naming.NamingContext lookup
WARNING: Unexpected exception resolving reference
java.sql.SQLException: Cannot create PoolableConnectionFactory (IO Error: Connection reset)
Any help is greatly appreciated.
Thank you
I was able to resolve this issue by updating ojdbc6.jar to ojdbc8.jar in my local Tomcat lib folder /Users/dev/apache-tomcat-8.5.60/lib.
Thank you everyone

Problem Connecting to SSL 1.2 Host from Java - Ignoring Unsupported Cipher Suite for TLS v1

I am connecting to a finicky host that uses SSL v1.2.
It seems to be failing to connect due to the appropriate cipher not being found. I don't know why.
Host Configuration
Analyzing the host using immuniniweb.com shows it supports the following cipher suites (for TLSv1.2):
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Notes
The connection is using a certificate supplied by the host
The connection works using stunnel
The connection is for a non-HTTP protocol
The Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files have been installed.
Connecting
However when I connect using java (jdk1.8.0_65 on MacOS) with the following options:
-Djavax.net.debug=SSL:handshake:verbose
-Djavax.net.debug=all
-Djdk.tls.client.protocols=TLSv1.2
-Dhttps.cipherSuites=TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
-Dhttps.protocols=TLSv1.2
I get the following results:
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring disabled protocol: SSLv3
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1564124670 bytes = { 182, 166, 70, 240, 207, 103, 192, 255, 249, 156, 39, 115, 16, 135, 116, 22, 247, 138, 216, 231, 235, 150, 230, 254, 147, 191, 153, 156 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
***
[write] MD5 and SHA1 hashes: len = 237
NioProcessor-2, WRITE: TLSv1.2 Handshake, length = 237
[write] MD5 and SHA1 hashes: len = 206
NioProcessor-2, WRITE: SSLv2 client hello message, length = 206
[Raw write]: length = 208
NioProcessor-2, called closeOutbound()
NioProcessor-2, closeOutboundInternal()
NioProcessor-2, SEND TLSv1.2 ALERT: warning, description = close_notify
NioProcessor-2, WRITE: TLSv1.2 Alert, length = 2
[Raw write]: length = 7
0000: 15 03 03 00 02 01 00 .......
NioProcessor-2, called closeInbound()
NioProcessor-2, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
NioProcessor-2, SEND TLSv1.2 ALERT: fatal, description = internal_error
NioProcessor-2, Exception sending alert: java.io.IOException: writer side was already closed.
NioProcessor-2, called closeOutbound()
NioProcessor-2, closeOutboundInternal()
Any ideas?
It appears that the problem is simply that the -Djdk.tls.client.protocols=TLSv1.2 option is not making its way through to the third party library that is creating the SSL connection.
Running a simple piece of code to perform the connection with that option works.
The giveaway was @user207421's comment that SSLv2Hello seemed to be enabled - the documentation states that if you specify TLSv1.2 then SSLv2Hello is disabled already.
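An added diagnostic client (not code from the question or the answer) that makes the protocol choice explicit instead of relying on the system property reaching every library: it prints what the JVM's default socket factory would enable (SSLv2Hello in that list means the SSLv2-format client hello seen in the trace will be sent), then restricts the socket to TLSv1.2 and the suites the host reported in the question. The class name, and the host and port placeholders, are assumptions.

```java
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;

/**
 * Shows what the JSSE client will actually offer before the handshake, then
 * pins the connection to TLSv1.2 and the host's suites programmatically.
 * Added example, not from the original post.
 */
public class Tls12ProbeClient {

    // Suites the host reported as supported (copied from the question).
    // Order is the client's preference; GCM first.
    static final String[] HOST_SUITES = {
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    };

    /**
     * Protocols the default factory enables in this JVM. Compare this with the
     * -Djdk.tls.client.protocols value you passed: if they differ, the property
     * did not take effect for this context.
     */
    static String[] defaultEnabledProtocols() throws IOException {
        SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket s = (SSLSocket) f.createSocket()) { // unconnected socket
            return s.getEnabledProtocols();
        }
    }

    /** Keeps only the host suites this JVM supports; unknown names would be rejected. */
    static String[] usableSuites(SSLSocket s) {
        List<String> supported = Arrays.asList(s.getSupportedCipherSuites());
        return Arrays.stream(HOST_SUITES).filter(supported::contains).toArray(String[]::new);
    }

    /** Connects with TLSv1.2 only and reports what was negotiated. */
    static void connect(String host, int port) throws IOException {
        SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket s = (SSLSocket) f.createSocket(host, port)) {
            System.out.println("enabled before override: " + Arrays.toString(s.getEnabledProtocols()));
            // Programmatic equivalent of -Djdk.tls.client.protocols=TLSv1.2;
            // this cannot be overridden by a library that ignores the property.
            s.setEnabledProtocols(new String[] {"TLSv1.2"});
            s.setEnabledCipherSuites(usableSuites(s));
            // Verify the certificate name against the host we dialled (assumes the
            // host certificate carries that name; drop this only if you pin the cert).
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(p);
            s.startHandshake();
            System.out.println("negotiated: " + s.getSession().getProtocol()
                    + " " + s.getSession().getCipherSuite());
        }
    }

    public static void main(String[] args) throws IOException {
        String host = args.length > 0 ? args[0] : "host.example.invalid"; // placeholder
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;       // placeholder
        System.out.println("JVM default enabled protocols: "
                + Arrays.toString(defaultEnabledProtocols()));
        connect(host, port);
    }
}
```

Run it once with and once without -Djdk.tls.client.protocols=TLSv1.2 and compare the first line; if the third-party library builds its own SSLContext, only the explicit setEnabledProtocols call is guaranteed to apply.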

SSL error using curl/wget

Recently, I started seeing this problem on my Mac. I am able to download files or visit any https web page from Chrome, but I am not able to do that anymore with either curl or wget.
$ curl --verbose https://www.google.com/
* Trying 2607:f8b0:4007:803::2004...
* TCP_NODELAY set
* Connected to www.google.com (::1) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:#STRENGTH
* successfully set certificate verify locations:
* CAfile: /Users/tomkwong/anaconda3/ssl/cacert.pem
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.google.com:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.google.com:443
Here's the wget error:
$ wget --verbose https://www.google.com/
--2018-03-27 23:53:32-- https://www.google.com/
Resolving www.google.com (www.google.com)... 2607:f8b0:4007:803::2004, 172.217.14.68
Connecting to www.google.com (www.google.com)|2607:f8b0:4007:803::2004|:443... connected.
GnuTLS: The TLS connection was non-properly terminated.
Unable to establish SSL connection.
More information from the openssl command, as requested. I'm unsure what to make of it... it looks like errno=54 means "Connection reset by peer".
$ openssl s_client -debug -connect www.google.com:443 -prexit
CONNECTED(00000003)
write to 0x7feb37558870 [0x7feb3800ca00] (307 bytes => 307 (0x133))
read from 0x7feb37558870 [0x7feb38012000] (7 bytes => -1 (0xFFFFFFFFFFFFFFFF))
write:errno=54
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 307 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1522221838
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 307 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1522221838
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
Rebooting the computer fixes the problem!
I should have thought about that earlier :-)

SSL not working between Linux and Windows

I have gone through loads of material on the internet about SSL. I followed the steps and created a self-signed certificate on the server (Linux) using keytool. The server keystore already had an entry as ( CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown ); my new certificate was the second entry as ( CN=Server, OU=Server, O=Server, L=Server, ST=Server, C=Server ). Then I exported the certificate (.cer) using keytool and copied it to my client (Windows). I then imported the server-generated certificate into the client truststore. Now when I try to communicate using SSL it fails every time. I turned on SSL debug on the client. Below is the log:
adding as trusted cert:
Subject: CN=Server, OU=Server, O=Server, L=Server, ST=Server, C=Server
Issuer: CN=Server, OU=Server, O=Server, L=Server, ST=Server, C=Server
Algorithm: RSA; Serial number: 0x3bd2165e
Valid from Fri Oct 21 13:08:11 IST 2016 until Thu Jan 19 13:08:11 IST 2017
adding as trusted cert:
Subject: CN=Client, OU=Client, O=Client, L=Client, ST=Client, C=Client
Issuer: CN=Client, OU=Client, O=Client, L=Client, ST=Client, C=Client
Algorithm: RSA; Serial number: 0x46dac56d
Valid from Fri Oct 21 13:20:47 IST 2016 until Thu Jan 19 13:20:47 IST 2017
***
found key for : Client
chain [0] = [
[
Version: V3
Subject: CN=Client, OU=Client, O=Client, L=Client, ST=Client, C=Client
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: 19643942881710234591525118408612815215632338692166465250629734200981703093763200559775845583913404371567241804832487728799610532434766533695993759141114319525441958126364976642955560446067359829730544145500409447935888670367709958247941184557182316292540918805424085096889405623367353240389104083404287642633808982388623942568195322780929142023222276129235672938020453213230922184807911898395818264624343113898437136096266829934433793735074739359988881755805184514603338282021635155460130597302085016075305135792447640646817495498043975883348791446660517781531653507565586938242488813328480016900010365926159926261191
public exponent: 65537
Validity: [From: Fri Oct 21 13:20:47 IST 2016,
To: Thu Jan 19 13:20:47 IST 2017]
Issuer: CN=Client, OU=Client, O=Client, L=Client, ST=Client, C=Client
SerialNumber: [ 46dac56d]
Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 72 B5 E3 14 98 BD 53 F3 69 33 96 A5 71 F5 99 2B r.....S.i3..q..+
0010: 22 0F B9 F6 "...
]
]
]
Algorithm: [SHA1withRSA]
Signature:
]
***
trigger seeding of SecureRandom
done seeding SecureRandom
keyStore is : D:\\Development\\Workspace\\Eclipse\\testSSL\\Sample\\.keystore
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
***
found key for : Client
chain [0] = [
[
Version: V3
Subject: CN=Client, OU=Client, O=Client, L=Client, ST=Client, C=Client
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: 19643942881710234591525118408612815215632338692166465250629734200981703093763200559775845583913404371567241804832487728799610532434766533695993759141114319525441958126364976642955560446067359829730544145500409447935888670367709958247941184557182316292540918805424085096889405623367353240389104083404287642633808982388623942568195322780929142023222276129235672938020453213230922184807911898395818264624343113898437136096266829934433793735074739359988881755805184514603338282021635155460130597302085016075305135792447640646817495498043975883348791446660517781531653507565586938242488813328480016900010365926159926261191
public exponent: 65537
Validity: [From: Fri Oct 21 13:20:47 IST 2016,
To: Thu Jan 19 13:20:47 IST 2017]
Issuer: CN=Client, OU=Client, O=Client, L=Client, ST=Client, C=Client
SerialNumber: [ 46dac56d]
Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 72 B5 E3 14 98 BD 53 F3 69 33 96 A5 71 F5 99 2B r.....S.i3..q..+
0010: 22 0F B9 F6 "...
]
]
]
Algorithm: [SHA1withRSA]
Signature:
]
***
trustStore is: D:\Development\Workspace\Eclipse\testSSL\Sample\.keystore
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
Subject: CN=Server, OU=Server, O=Server, L=Server, ST=Server, C=Server
Issuer: CN=Server, OU=Server, O=Server, L=Server, ST=Server, C=Server
Algorithm: RSA; Serial number: 0x3bd2165e
Valid from Fri Oct 21 13:08:11 IST 2016 until Thu Jan 19 13:08:11 IST 2017
adding as trusted cert:
Subject: CN=Client, OU=Client, O=Client, L=Client, ST=Client, C=Client
Issuer: CN=Client, OU=Client, O=Client, L=Client, ST=Client, C=Client
Algorithm: RSA; Serial number: 0x46dac56d
Valid from Fri Oct 21 13:20:47 IST 2016 until Thu Jan 19 13:20:47 IST 2017
trigger seeding of SecureRandom
done seeding SecureRandom
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
main, setSoTimeout(0) called
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1476980696 bytes = { 63, 74, 124, 176, 200, 133, 175, 107, 173, 166, 115, 188, 94, 103, 2, 237, 54, 77, 30, 244, 166, 94, 22, 118, 220, 68, 182, 101 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
***
main, WRITE: TLSv1 Handshake, length = 149
main, READ: TLSv1 Handshake, length = 893
*** ServerHello, TLSv1
RandomCookie: GMT: 1476980313 bytes = { 231, 179, 63, 173, 107, 35, 84, 125, 43, 218, 134, 171, 63, 175, 41, 97, 49, 69, 68, 114, 75, 255, 22, 5, 125, 125, 124, 228 }
Session ID: {88, 9, 238, 89, 11, 220, 101, 208, 32, 106, 9, 30, 220, 143, 218, 47, 199, 2, 7, 90, 179, 24, 198, 139, 59, 34, 141, 169, 98, 186, 165, 87}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
%% Initialized: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
** TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits
modulus: 95112623927847376021742911976482809760928286563374389538614118188348331948203986176617263611529390313893505980510111828145989572854367203125102386298954935692697121151897799979668903275037476471253143679337867450398842776382716002256891170241471053163351903550915614869043680655531661128282766400131123099323
public exponent: 65537
Validity: [From: Wed Jan 02 01:20:42 IST 2013,
To: Sat Jan 06 01:20:42 IST 2018]
Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
SerialNumber: [ 50e33e12]
]
Algorithm: [SHA1withRSA]
Signature:
]
***
CN=Server, OU=Server, O=Server, L=Server, ST=Server, C=Server
X.509
adding as trusted cert:
Subject: CN=Server, OU=Server, O=Server, L=Server, ST=Server, C=Server
Issuer: CN=Server, OU=Server, O=Server, L=Server, ST=Server, C=Server
Algorithm: RSA; Serial number: 0x3bd2165e
Valid from Fri Oct 21 13:08:11 IST 2016 until Thu Jan 19 13:08:11 IST 2017
adding as trusted cert:
Subject: CN=Client, OU=Client, O=Client, L=Client, ST=Client, C=Client
Issuer: CN=Client, OU=Client, O=Client, L=Client, ST=Client, C=Client
Algorithm: RSA; Serial number: 0x46dac56d
Valid from Fri Oct 21 13:20:47 IST 2016 until Thu Jan 19 13:20:47 IST 2017
%% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
main, SEND TLSv1 ALERT: fatal, description = certificate_unknown
main, WRITE: TLSv1 Alert, length = 2
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
main, IOException in getSession(): javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
main, called close()
main, called closeInternal(true)
main, called close()
main, called closeInternal(true)
When I checked the logs carefully I noticed the server is sending only the first certificate in its chain of certificates to the client, i.e. ( CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown ); my newly created certificate is not present. Am I doing something wrong?
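A cross-check tool for the situation described in this question, added here and not part of the post: it loads the server keystore and the client truststore and reports, for each private-key entry the server could present, whether that certificate is present on the client. A server keystore with two key entries is exactly the case where the default SunX509 key manager picks one of them without a configuration hook, so the report also flags that. The class name is an assumption; paths and passwords are placeholders taken from the command line.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Cross-checks a server keystore against a client truststore. Only private-key
 * entries can be presented by the server; a .cer imported with keytool becomes
 * a trusted-certificate entry and is never presented. The handshake in the
 * question succeeds only if the certificate the server actually presents is
 * one the client holds. Added example, not from the question.
 */
public class KeystoreCrossCheck {

    static KeyStore load(String path, char[] password) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Aliases of private-key entries, i.e. the certificates the server could present. */
    static List<String> keyEntryAliases(KeyStore ks) throws GeneralSecurityException {
        List<String> out = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                out.add(alias);
            }
        }
        return out;
    }

    static String subjectOf(Certificate c) {
        return c instanceof X509Certificate
                ? ((X509Certificate) c).getSubjectX500Principal().getName()
                : c.getType();
    }

    /**
     * True if the truststore holds this exact certificate under any alias.
     * getCertificateAlias compares encoded bytes, so a copy re-imported from an
     * exported .cer file is found; for a self-signed cert this is the whole check.
     */
    static boolean isTrusted(KeyStore trust, Certificate cert) throws GeneralSecurityException {
        return trust.getCertificateAlias(cert) != null;
    }

    /** One line per server key entry: alias, subject, and whether the client holds it. */
    static List<String> report(KeyStore server, KeyStore clientTrust) throws GeneralSecurityException {
        List<String> lines = new ArrayList<>();
        List<String> keyAliases = keyEntryAliases(server);
        if (keyAliases.size() > 1) {
            // The default key manager chooses among matching key entries itself;
            // remove the entry you do not want presented (keytool -delete) or use
            // a dedicated keystore containing only the intended key pair.
            lines.add("WARNING: " + keyAliases.size()
                    + " key entries; the default key manager picks one of them itself");
        }
        for (String alias : keyAliases) {
            Certificate cert = server.getCertificate(alias);
            lines.add(alias + " [" + subjectOf(cert) + "] present in client truststore: "
                    + isTrusted(clientTrust, cert));
        }
        return lines;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 4) {
            System.err.println("usage: KeystoreCrossCheck <server.jks> <server-pw> <client-trust.jks> <client-pw>");
            return;
        }
        // Placeholders: the paths and passwords come from the command line.
        KeyStore server = load(args[0], args[1].toCharArray());
        KeyStore clientTrust = load(args[2], args[3].toCharArray());
        for (String line : report(server, clientTrust)) {
            System.out.println(line);
        }
    }
}
```

A line reading "present in client truststore: false" for the entry the server chooses is the "PKIX path building failed" case from the log: the client has the Server certificate, but the server presented the Unknown one.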

ssl connection failed because of sanity check fail

I am working on establishing a secure communication channel between a Java server and a TLS client. During the handshake, all goes well: the ClientHello and ServerHello messages are correct. Moreover, they both generate the same master secret for the session. But at the very end of the handshake, the server throws an exception saying "Ciphertext sanity check fails".
Client trace
0050 - 34 68 ed 2f 6e 4h./n
>>> TLS 1.2 ChangeCipherSpec [length 0001]
01
write to 0x1878b98 [0x18891f0] (6 bytes => 6 (0x6))
0000 - 14 03 03 00 01 01 ......
>>> TLS 1.2 Handshake [length 0010], Finished
14 00 00 0c 14 54 0c 4d c0 22 62 90 c2 92 a1 d1
write to 0x1878b98 [0x18891f0] (45 bytes => 45 (0x2D))
0000 - 16 03 03 00 28 b7 76 bd-36 cd cd eb 8d 9f 34 46 ....(.v.6.....4F
0010 - 25 f7 61 cc cd a3 8e af-6d da 14 60 3c 0f 50 21 %.a.....m..`<.P!
0020 - f4 cc 7a a4 af cf 75 d8-48 54 ee b9 44 ..z...u.HT..D
read from 0x1878b98 [0x187f7e3] (5 bytes => 5 (0x5))
0000 - 15 03 03 00 02 .....
read from 0x1878b98 [0x187f7e8] (2 bytes => 2 (0x2))
0000 - 02 28 .(
<<< TLS 1.2 Alert [length 0002], fatal handshake_failure
02 28
Server's side:
[Raw read]: length = 5
0000: 14 03 03 00 01 .....
[Raw read]: length = 1
0000: 01 .
Thread-0, READ: TLSv1.2 Change Cipher Spec, length = 1
[Raw read]: length = 5
0000: 16 03 03 00 28 ....(
[Raw read]: length = 40
0000: B7 76 BD 36 CD CD EB 8D 9F 34 46 25 F7 61 CC CD .v.6.....4F%.a..
0010: A3 8E AF 6D DA 14 60 3C 0F 50 21 F4 CC 7A A4 AF ...m..`<.P!..z..
0020: CF 75 D8 48 54 EE B9 44 .u.HT..D
Thread-0, READ: TLSv1.2 Handshake, length = 40
%% Invalidated: [Session-1, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]
Thread-0, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
Thread-0, WRITE: TLSv1.2 Alert, length = 2
[Raw write]: length = 7
0000: 15 03 03 00 02 02 28 ......(
Thread-0, called closeSocket()
Thread-0, handling exception: javax.net.ssl.SSLHandshakeException: ciphertext sanity check failed
What I cannot understand is why the server is throwing such an exception when it succeeds in decrypting the ChangeCipherSpec message sent from the client. What could be the reason for such an exception?
N.B.: I already checked, and they both derived the same master key; here it is:
Server's side
CONNECTION KEYGEN:
Client Nonce:
0000: 48 B2 6C 02 B1 40 0B D9 6E 14 EB 7A 93 7D 2F 07 H.l..#..n..z../.
0010: 90 CF 1E 5D 65 8A 66 89 54 D4 60 50 BD AC AB 34 ...]e.f.T.`P...4
Server Nonce:
0000: 54 FD 9A E3 BB D4 15 61 A6 0C D3 30 FA 07 0A 16 T......a...0....
0010: 79 A8 79 0B 0A 81 00 95 9C CA C0 7A F1 FF 37 E7 y.y........z..7.
Master Secret:
0000: 39 5B EB 11 66 09 25 B5 6D E4 C7 86 E4 3E 10 BB 9[..f.%.m....>..
0010: B4 F0 D9 B7 BD 7D 8F AD 58 38 31 42 B6 90 53 AD ........X81B..S.
0020: 54 46 36 DC F5 75 8A 9D 77 58 D5 24 6C 96 90 02 TF6..u..wX.$l...
Client's side
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-ECDSA-AES128-GCM-SHA256
Session-ID: 54FD9AE3A3B3BF807F408FA830641F850702E986C27FC631AF8E8E3097038166
Session-ID-ctx:
Master-Key: 395BEB11660925B56DE4C786E43E10BBB4F0D9B7BD7D8FAD58383142B69053AD544636DCF5758A9D7758D5246C969002
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
Thanks in advance to you guys.