Client certificate not getting passed to remote server

 
Ranch Hand
Posts: 66
I am trying to connect to a server that requires mutual authentication.
My trust store has the server's certificate as well as the root verisign certificate that it was signed with.
My keystore has the client certificate and the private key.

Using this keystore and trust store I am able to successfully connect to the external server from one of my servers.

However, the remote server responds with "This page requires a client certificate" when I send the request using the same keystore and trust store from a different server.
command line:
java -Djavax.net.debug=ssl -classpath $JAVA_CLASSPATH -Djavax.net.ssl.keyStore=/test/client.keystore -Djavax.net.ssl.keyStorePassword=aaaaa123 -Djavax.net.ssl.trustStore=/test/cacerts -Djavax.net.ssl.trustStorePassword=aaaaa123 SimpleTest


On turning on SSL debugging I do not see any exceptions; everything seems to be working as expected.

What can I do to troubleshoot this?

Thanks!
 
Ranch Hand
Posts: 220

... and trust store from a different server.

I don't understand this statement. If the server certificates are signed by VeriSign, then all your client needs to authenticate the server is VeriSign's root certificate in your truststore. Similarly, if the server wants your client to authenticate, then it will send a list of the DNs of the CAs it trusts. Your client certificate must be signed by one of those CAs. Finally, you should be able to see this happening in the debug trace, so I don't know what you mean when you say that the trace looks normal. Can you post the trace?
 
Cindy Jones
Ranch Hand
Posts: 66
I am not able to post the full response since JavaRanch does not allow some characters.

use default SunJSSE impl class: com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl
class com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl is loaded
keyStore is : /home/me/blisstest/bliss_client.jks
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
***
found key for : blissclient
chain [0] = [
[
Version: V3
Subject: EMAILADDRESS=bhnast.support@bhnetwork.com, CN=BHN AST, T=Programmer, OU="Security Phrase - A2Ac3r+!", OU=Company - Networks, OU="www.verisign.com/repository/CPS Incorp. by Ref.,LIAB.LTD(c)99", OU=Data Center, O=bliss Prepaid Solutions
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

Key: Sun RSA public key, 1024 bits
modulus: 159083502905030151121815193434458327732755021954926293287213887144734015985753874634497177274890469016118777572135081036056959705422717347732896794605673253022032843859535368174521566522144970943678518746234483395580415777422046844054419780497758704849691466370760437535873407753858501123458045858366788329597
public exponent: 65537
Validity: [From: Wed Mar 05 16:00:00 PST 2008,
To: Fri Mar 06 15:59:59 PST 2009]
Issuer: CN=bliss Prepaid Solutions CA, OU=Class 2 OnSite Individual Subscriber CA, OU=Terms of use at https://www.verisign.com/rpa (c)06, OU=VeriSign Trust Network, O=bliss Prepaid Solutions, C=US
SerialNumber: [ 769ed3a8 a02a78a4 5ba2ce46 e974f444]

Certificate Extensions: 5
[1]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
SSL client
]

[2]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://onsitecrl.verisign.com/blissPrepaidSolutionsDataCenter/LatestCRL.crl]
]]

[3]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
]

[4]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.113733.1.7.23.2]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 76 65 ..https://www.ve
0010: 72 69 73 69 67 6E 2E 63 6F 6D 2F 72 70 61 risign.com/rpa

]] ]
]

[5]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]

]
trustStore is: /usr/jdk1.5.0_16/jre/lib/security/cacerts
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:

...
...

init context
trigger seeding of SecureRandom
done seeding SecureRandom
instantiated an instance of class com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl
main, setSoTimeout(0) called
main, setSoTimeout(0) called
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1225329643 bytes = { 230, 13, 112, 174, 70, 5, 218, 138, 122, 53, 180, 124, 223, 168, 57, 89, 157, 9, 57, 219, 4, 246, 15, 98, 132, 42, 10, 180 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods: { 0 }
***
main, WRITE: TLSv1 Handshake, length = 79
main, WRITE: SSLv2 client hello message, length = 107
main, READ: TLSv1 Handshake, length = 2630
*** ServerHello, TLSv1
RandomCookie: GMT: 1225329941 bytes = { 27, 15, 87, 194, 55, 192, 178, 148, 2, 67, 20, 78, 137, 181, 168, 149, 50, 11, 81, 176, 251, 60, 17, 107, 218, 242, 100, 120 }
Session ID: {217, 37, 0, 0, 15, 44, 250, 248, 190, 226, 46, 124, 77, 222, 115, 63, 214, 177, 87, 211, 20, 182, 252, 212, 149, 202, 7, 90, 124, 59, 120, 16}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
***
%% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
*** Certificate chain

***
Found trusted certificate:
[
[
Version: V1
Subject: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Signature Algorithm: MD2withRSA, OID = 1.2.840.113549.1.1.2

Key: Sun RSA public key, 1024 bits
modulus: 141400322044550516865173371773024584879899609644618927642375342633349057300960400037232334924701046781298765077061770383151646234219179990772047200045837817821582483532549791304588064624083040538534190301571832597441704620988055765289140138246856927863523873759538652326729606982847841094220861282830980236711
public exponent: 65537
Validity: [From: Sun Jan 28 16:00:00 PST 1996,
To: Tue Aug 01 16:59:59 PDT 2028]
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
SerialNumber: [ 70bae41d 10d92934 b638ca7b 03ccbabf]

]
Algorithm: [MD2withRSA]
Signature:
0000: BB 4C 12 2B CF 2C 26 00 4F 14 13 DD A6 FB FC 0A .L.+.,&.O.......
0010: 11 84 8C F3 28 1C 67 92 2F 7C B6 C5 FA DF F0 E8 ....(.g./.......
0020: 95 BC 1D 8F 6C 2C A8 51 CC 73 D8 A4 C0 53 F0 4E ....l,.Q.s...S.N
0030: D6 26 C0 76 01 57 81 92 5E 21 F1 D1 B1 FF E7 D0 .&.v.W..^!......
0040: 21 58 CD 69 17 E3 44 1C 9C 19 44 39 89 5C DC 9C !X.i..D...D9.\..
0050: 00 0F 56 8D 02 99 ED A2 90 45 4C E4 BB 10 A4 3D ..V......EL....=
0060: F0 32 03 0E F1 CE F8 E8 C9 51 8C E6 62 9F E6 9F .2.......Q..b...
0070: C0 7D B7 72 9C C9 36 3A 6B 9F 4E A8 FF 64 0D 64 ...r..6:k.N..d.d

]
*** ServerHelloDone
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
Random Secret: { 3, 1, 252, 68, 170, 44, 43, 136, 152, 251, 183, 132, 177, 131, 92, 222, 71, 163, 93, 51, 203, 177, 158, 98, 135, 151, 103, 153, 198, 117, 174, 242, 152, 184, 255, 144, 66, 156, 213, 154, 153, 12, 76, 222, 222, 53, 8, 41 }
main, WRITE: TLSv1 Handshake, length = 134
SESSION KEYGEN:
PreMaster Secret:
0000: 03 01 FC 44 AA 2C 2B 88 98 FB B7 84 B1 83 5C DE ...D.,+.......\.
0010: 47 A3 5D 33 CB B1 9E 62 87 97 67 99 C6 75 AE F2 G.]3...b..g..u..
0020: 98 B8 FF 90 42 9C D5 9A 99 0C 4C DE DE 35 08 29 ....B.....L..5.)
CONNECTION KEYGEN:
Client Nonce:
0000: 49 09 0C EB E6 0D 70 AE 46 05 DA 8A 7A 35 B4 7C I.....p.F...z5..
0010: DF A8 39 59 9D 09 39 DB 04 F6 0F 62 84 2A 0A B4 ..9Y..9....b.*..
Server Nonce:
0000: 49 09 0D 15 1B 0F 57 C2 37 C0 B2 94 02 43 14 4E I.....W.7....C.N
0010: 89 B5 A8 95 32 0B 51 B0 FB 3C 11 6B DA F2 64 78 ....2.Q..<.k..dx
Master Secret:
0000: E4 93 E4 B9 0D D3 D0 72 C1 49 0C 5A A9 89 A4 68 .......r.I.Z...h
0010: 42 CF 47 5A 12 76 29 87 80 A0 96 26 3D C3 C2 51 B.GZ.v)....&=..Q
0020: B8 5B D3 8D E6 F2 23 6E 16 AE E1 D4 DA 80 CA D6 .[....#n........
Client MAC write Secret:
0000: DB C4 C6 CC 9A 27 1A E4 66 AB 05 3F A5 96 59 BD .....'..f..?..Y.
Server MAC write Secret:
0000: 89 37 61 85 B7 16 36 99 2A 6F 45 C2 2D 60 A7 09 .7a...6.*oE.-`..
Client write key:
0000: A1 45 0A E6 B1 BA 45 39 69 7C F9 B2 0E 8A B4 93 .E....E9i.......
Server write key:
0000: C4 20 7F 4C B1 25 E7 C6 45 D5 B0 C1 3E 79 99 EA . .L.%..E...>y..
... no IV for cipher
main, WRITE: TLSv1 Change Cipher Spec, length = 1
*** Finished
verify_data: { 222, 50, 148, 179, 147, 210, 51, 205, 180, 243, 1, 109 }
***
main, WRITE: TLSv1 Handshake, length = 32
main, READ: TLSv1 Change Cipher Spec, length = 1
main, READ: TLSv1 Handshake, length = 32
*** Finished
verify_data: { 243, 109, 86, 19, 193, 240, 155, 134, 163, 242, 231, 199 }
***
%% Cached client session: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
main, WRITE: TLSv1 Application Data, length = 360
main, READ: TLSv1 Handshake, length = 20
*** HelloRequest (empty)
%% Client cached [Session-1, SSL_RSA_WITH_RC4_128_MD5]
%% Try resuming [Session-1, SSL_RSA_WITH_RC4_128_MD5] from port 33556
*** ClientHello, TLSv1
RandomCookie: GMT: 1225329644 bytes = { 172, 186, 75, 77, 132, 166, 226, 196, 89, 109, 235, 186, 123, 48, 220, 231, 213, 79, 199, 142, 5, 36, 0, 147, 221, 105, 173, 241 }
Session ID: {217, 37, 0, 0, 15, 44, 250, 248, 190, 226, 46, 124, 77, 222, 115, 63, 214, 177, 87, 211, 20, 182, 252, 212, 149, 202, 7, 90, 124, 59, 120, 16}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods: { 0 }
***
main, WRITE: TLSv1 Handshake, length = 127
main, READ: TLSv1 Handshake, length = 5735
*** ServerHello, TLSv1
RandomCookie: GMT: 1225329942 bytes = { 200, 227, 224, 199, 19, 24, 225, 42, 176, 149, 35, 249, 41, 94, 218, 6, 163, 75, 113, 83, 94, 3, 47, 118, 234, 130, 146, 99 }
Session ID: {115, 29, 0, 0, 188, 62, 198, 143, 135, 84, 158, 243, 220, 143, 51, 140, 26, 31, 156, 159, 192, 226, 20, 76, 199, 134, 11, 69, 250, 57, 217, 214}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
***
%% Created: [Session-2, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=a2a.wildcardsystems.com, OU=Terms of use at www.verisign.com/rpa (c)05, OU=Systems, O=Wildcard Systems Inc., L=Sunrise, ST=Florida, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

Key: Sun RSA public key, 1024 bits
modulus: 144409453760146712806406338921954802637474902316763486890494738800226098047178148438733660649715098015098107832781949133842065968986926563471349491187971428185895281373789225816134527175306510546759796226355362570413089130592466580294786515028129399623805929299483497542047678971322172857899213432470997427529
public exponent: 65537
Validity: [From: Sun Jan 07 16:00:00 PST 2007,
To: Fri Jan 29 15:59:59 PST 2010]
Issuer: CN=VeriSign Class 3 Secure Server CA, OU=Terms of use at https://www.verisign.com/rpa (c)05, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
SerialNumber: [ 4758f97c ec032f2a 84394b57 24e101ac]

Certificate Extensions: 8
[1]: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 62 30 60 A1 5E A0 5C 30 5A 30 58 30 56 16 09 .b0`.^.\0Z0X0V..
0010: 69 6D 61 67 65 2F 67 69 66 30 21 30 1F 30 07 06 image/gif0!0.0..
0020: 05 2B 0E 03 02 1A 04 14 4B 6B B9 28 96 06 0C BB .+......Kk.(....
0030: D0 52 38 9B 29 AC 4B 07 8B 21 05 18 30 26 16 24 .R8.).K..!..0&.$
0040: 68 74 74 70 3A 2F 2F 6C 6F 67 6F 2E 76 65 72 69 http://logo.veri
0050: 73 69 67 6E 2E 63 6F 6D 2F 76 73 6C 6F 67 6F 31 sign.com/vslogo1
0060: 2E 67 69 66 .gif


[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 6F EC AF A0 DD 8A A4 EF F5 2A 10 67 2D 3F 55 82 o........*.g-?U.
0010: BC D7 EF 25 ...%
]

]

[3]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://SVRSecure-crl.verisign.com/SVRSecure2005.crl]
]]

[4]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
[1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2]]

[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.113733.1.7.23.3]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 76 65 ..https://www.ve
0010: 72 69 73 69 67 6E 2E 63 6F 6D 2F 72 70 61 risign.com/rpa

]] ]
]

[6]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
]

[7]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[accessMethod: 1.3.6.1.5.5.7.48.1
accessLocation: URIName: http://ocsp.verisign.com, accessMethod: 1.3.6.1.5.5.7.48.2
accessLocation: URIName: http://SVRSecure-aia.verisign.com/SVRSecure2005-aia.cer]
]

[8]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
...
...

chain [1] = [
[
Version: V3
Subject: CN=VeriSign Class 3 Secure Server CA, OU=Terms of use at https://www.verisign.com/rpa (c)05, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

Key: Sun RSA public key, 2048 bits
modulus: 18905729229464742433949840178165285210788629616064305164260843170201977241822595607598003983710482114887504542420063531704226365322091550579034120400511694538047325464426047959412241672706076731441028369861556999479337863789783838582999151810376013650218058341794419022809268802993425241541430009002110553726612125414429934927217253337526656605550620555845061032537869588361121949241772361851996536275260212221084778605793422355009443918198903890623415507477268041766919150091887619618794603091993360637671933766441597921249204891707900552776893415739395596650548462810104696585021566385762017523199762687187467514321
public exponent: 65537
Validity: [From: Tue Jan 18 16:00:00 PST 2005,
To: Sun Jan 18 15:59:59 PST 2015]
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
SerialNumber: [ 75337d9a b0e1233b ae2d7de4 469162d4]

Certificate Extensions: 8
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 6F EC AF A0 DD 8A A4 EF F5 2A 10 67 2D 3F 55 82 o........*.g-?U.
0010: BC D7 EF 25 ...%
]
]

[2]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
SSL CA
S/MIME CA
]

[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
[OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US]
SerialNumber: [ 70bae41d 10d92934 b638ca7b 03ccbabf]
]

[4]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
[CN=Class3CA2048-1-45]]

[5]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.verisign.com/pca3.crl]
]]

[6]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]

[7]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.113733.1.7.23.3]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 76 65 ..https://www.ve
0010: 72 69 73 69 67 6E 2E 63 6F 6D 2F 72 70 61 risign.com/rpa

]] ]
]

[8]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
]

]
Algorithm: [SHA1withRSA]
Signature:
0000: C3 7E 08 46 5D 91 36 CF 67 DC D7 A7 AF AF B8 22 ...F].6.g......"
0010: C3 8B 04 74 D3 B1 60 BC E6 FE B7 44 12 81 5B 31 ...t..`....D..[1
0020: 73 14 63 56 C6 72 2E D1 1A 03 43 5C 38 0A 50 4A s.cV.r....C\8.PJ
0030: 4D CD DA B6 19 A8 F4 99 0D AF E3 F7 D8 F1 75 28 M.............u(
0040: 65 F6 6A FE 9B F4 BD 52 D9 3F CB DA 16 CB A5 9E e.j....R.?......
0050: 2E 8E 66 52 78 3D 26 FA FE 94 36 88 4A 95 5E 2A ..fRx=&...6.J.^*
0060: 4C 19 EF 6E FA 82 3F 2D 03 EF D6 28 B3 37 18 CF L..n..?-...(.7..
0070: 42 B2 34 21 64 47 D3 20 6B 3A 4C DC E6 03 90 0C B.4!dG. k:L.....

]
***
Found trusted certificate:
[
[
Version: V1
Subject: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Signature Algorithm: MD2withRSA, OID = 1.2.840.113549.1.1.2

Key: Sun RSA public key, 1024 bits
modulus: 141400322044550516865173371773024584879899609644618927642375342633349057300960400037232334924701046781298765077061770383151646234219179990772047200045837817821582483532549791304588064624083040538534190301571832597441704620988055765289140138246856927863523873759538652326729606982847841094220861282830980236711
public exponent: 65537
Validity: [From: Sun Jan 28 16:00:00 PST 1996,
To: Tue Aug 01 16:59:59 PDT 2028]
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
SerialNumber: [ 70bae41d 10d92934 b638ca7b 03ccbabf]

]
Algorithm: [MD2withRSA]
Signature:
0000: BB 4C 12 2B CF 2C 26 00 4F 14 13 DD A6 FB FC 0A .L.+.,&.O.......
0010: 11 84 8C F3 28 1C 67 92 2F 7C B6 C5 FA DF F0 E8 ....(.g./.......
0020: 95 BC 1D 8F 6C 2C A8 51 CC 73 D8 A4 C0 53 F0 4E ....l,.Q.s...S.N
0030: D6 26 C0 76 01 57 81 92 5E 21 F1 D1 B1 FF E7 D0 .&.v.W..^!......
0040: 21 58 CD 69 17 E3 44 1C 9C 19 44 39 89 5C DC 9C !X.i..D...D9.\..
0050: 00 0F 56 8D 02 99 ED A2 90 45 4C E4 BB 10 A4 3D ..V......EL....=
0060: F0 32 03 0E F1 CE F8 E8 C9 51 8C E6 62 9F E6 9F .2.......Q..b...
0070: C0 7D B7 72 9C C9 36 3A 6B 9F 4E A8 FF 64 0D 64 ...r..6:k.N..d.d

]
*** CertificateRequest
Cert Types: RSA, DSS,
Cert Authorities:
<OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 1 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US>
<OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 4 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US>
<EMAILADDRESS=personal-freemail@thawte.com, CN=Thawte Personal Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA>
<EMAILADDRESS=personal-premium@thawte.com, CN=Thawte Personal Premium CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA>
<CN=First Data Digital Certificates Inc. Certification Authority, O=First Data Digital Certificates Inc., C=US>
<EMAILADDRESS=personal-basic@thawte.com, CN=Thawte Personal Basic CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA>
<OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US>
<OU=Class 2 Public Primary Certification Authority, O="VeriSign, Inc.", C=US>
<OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US>
<OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US>
<CN=NetLock Uzleti (Class B) Tanusitvanykiado, OU=Tanusitvanykiadok, O=NetLock Halozatbiztonsagi Kft., L=Budapest, C=HU>
<CN=GTE CyberTrust Root, O=GTE Corporation, C=US>
<CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US>
<CN=Entrust.net Secure Server Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), O=Entrust.net, C=US>
<CN=NetLock Kozjegyzoi (Class A) Tanusitvanykiado, OU=Tanusitvanykiadok, O=NetLock Halozatbiztonsagi Kft., L=Budapest, ST=Hungary, C=HU>
<OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US>
<CN=GTE CyberTrust Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US>
<CN=NetLock Expressz (Class C) Tanusitvanykiado, OU=Tanusitvanykiadok, O=NetLock Halozatbiztonsagi Kft., L=Budapest, C=HU>
<CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright (c) 1997 Microsoft Corp.>
<CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com>
*** ServerHelloDone
*** Certificate chain
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
Random Secret: { 3, 1, 129, 11, 142, 186, 112, 168, 112, 221, 179, 50, 103, 31, 168, 62, 4, 165, 34, 219, 237, 81, 199, 166, 105, 58, 31, 122, 71, 189, 84, 158, 93, 13, 212, 15, 247, 128, 110, 247, 13, 119, 33, 232, 13, 13, 96, 186 }
main, WRITE: TLSv1 Handshake, length = 157
SESSION KEYGEN:
PreMaster Secret:
0000: 03 01 81 0B 8E BA 70 A8 70 DD B3 32 67 1F A8 3E ......p.p..2g..>
0010: 04 A5 22 DB ED 51 C7 A6 69 3A 1F 7A 47 BD 54 9E .."..Q..i:.zG.T.
0020: 5D 0D D4 0F F7 80 6E F7 0D 77 21 E8 0D 0D 60 BA ].....n..w!...`.
CONNECTION KEYGEN:
Client Nonce:
0000: 49 09 0C EC AC BA 4B 4D 84 A6 E2 C4 59 6D EB BA I.....KM....Ym..
0010: 7B 30 DC E7 D5 4F C7 8E 05 24 00 93 DD 69 AD F1 .0...O...$...i..
Server Nonce:
0000: 49 09 0D 16 C8 E3 E0 C7 13 18 E1 2A B0 95 23 F9 I..........*..#.
0010: 29 5E DA 06 A3 4B 71 53 5E 03 2F 76 EA 82 92 63 )^...KqS^./v...c
Master Secret:
0000: 05 C8 3B 7D 25 B9 1B 21 B8 95 E1 35 B4 FF 2C 63 ..;.%..!...5..,c
0010: B8 66 4E 6A BF 21 97 0A B3 D0 34 76 C8 0C 99 FB .fNj.!....4v....
0020: FC 7A 15 F8 42 75 5C D7 08 3F 75 2D 64 9F 8C FE .z..Bu\..?u-d...
Client MAC write Secret:
0000: 5F F2 7A BD 8E E8 45 A8 C8 44 B8 96 09 82 D0 FA _.z...E..D......
Server MAC write Secret:
0000: CF F8 64 30 2B 46 A0 AA 9F 7C 45 6D 94 E4 3D 68 ..d0+F....Em..=h
Client write key:
0000: 09 6A 49 DF 6D 90 62 87 E0 13 94 CB E9 22 0B D6 .jI.m.b......"..
Server write key:
0000: 0E 18 A0 D3 6F EA 90 C4 2C C0 0F AF 0E 81 97 E6 ....o...,.......
... no IV for cipher
main, WRITE: TLSv1 Change Cipher Spec, length = 17
*** Finished
verify_data: { 190, 93, 186, 81, 17, 226, 46, 68, 214, 3, 49, 109 }
***
main, WRITE: TLSv1 Handshake, length = 32
main, READ: TLSv1 Change Cipher Spec, length = 17
main, READ: TLSv1 Handshake, length = 32
*** Finished
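
The rule stated in the second reply (the server's CertificateRequest carries the DNs of the CAs it accepts, and the client certificate must chain to one of them) can be checked without any network connection, and the trace above is the case to check it against: the keystore entry holds a single chain [0] whose issuer is CN=bliss Prepaid Solutions CA, ..., that DN does not appear in the Cert Authorities block of the CertificateRequest, and the client's own "*** Certificate chain" / "***" that follows is empty. The program below is an added example written for this thread, not code posted by either participant. It loads the keystore, asks the same SunX509 key manager that -Djavax.net.ssl.keyStore installs which alias it would offer for a given list of CA DNs, and prints the issuer of every certificate stored in each key entry's chain. SunX509 treats an entry as eligible only when some certificate in its stored chain is issued by one of the requested DNs, so a leaf stored without its intermediates matches only if its direct issuer is on the server's list. The class name, the command-line arguments and the two sample DNs (copied from the trace's Cert Authorities block) are assumptions; it needs Java 7 or later.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;
import javax.security.auth.x500.X500Principal;

/**
 * Offline check of client-certificate selection (hypothetical class).
 * Usage: java ClientCertCheck <keystore.jks> <password> [CA DN ...]
 * Without DNs on the command line the constructed sample below is used.
 */
public class ClientCertCheck {

    // Constructed sample: two DNs copied from the "Cert Authorities" block of
    // the CertificateRequest in the trace. Replace with what your server sends.
    static final String[] SAMPLE_SERVER_CAS = {
        "OU=Class 2 Public Primary Certification Authority, O=\"VeriSign, Inc.\", C=US",
        "OU=Class 3 Public Primary Certification Authority, O=\"VeriSign, Inc.\", C=US",
    };

    static KeyStore loadKeyStore(String path, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");   // the thread's keystore type
        try (InputStream in = new FileInputStream(path)) { ks.load(in, pw); }
        return ks;
    }

    /** The same key manager that -Djavax.net.ssl.keyStore installs. */
    static X509KeyManager sunX509(KeyStore ks, char[] pw) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, pw);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) return (X509KeyManager) km;
        }
        throw new IllegalStateException("no X509KeyManager from SunX509");
    }

    /** SunX509's eligibility rule: some certificate in the STORED chain must
     *  be issued by one of the requested DNs. A leaf stored without its
     *  intermediates therefore matches only if its direct issuer is listed. */
    static boolean eligible(X509Certificate[] chain, List<Principal> requested) {
        for (X509Certificate c : chain) {
            if (requested.contains(c.getIssuerX500Principal())) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: ClientCertCheck <keystore.jks> <password> [CA DN ...]");
            System.exit(2);
        }
        char[] pw = args[1].toCharArray();
        KeyStore ks = loadKeyStore(args[0], pw);
        X509KeyManager km = sunX509(ks, pw);

        List<Principal> requested = new ArrayList<Principal>();
        String[] dns = args.length > 2 ? Arrays.copyOfRange(args, 2, args.length) : SAMPLE_SERVER_CAS;
        for (String dn : dns) requested.add(new X500Principal(dn));

        // Part 1: show every key entry's stored chain and its issuers.
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;
            X509Certificate[] chain = km.getCertificateChain(alias);
            if (chain == null) { System.out.println("key entry '" + alias + "': not usable by SunX509"); continue; }
            System.out.println("key entry '" + alias + "': chain length " + chain.length);
            for (X509Certificate c : chain) {
                boolean hit = requested.contains(c.getIssuerX500Principal());
                System.out.println("  subject " + c.getSubjectX500Principal());
                System.out.println("  issuer  " + c.getIssuerX500Principal() + (hit ? "   [in server's CA list]" : ""));
            }
            System.out.println("  eligible: " + eligible(chain, requested));
        }

        // Part 2: the authoritative answer, the call JSSE makes after the
        // CertificateRequest arrives (SunX509 accepts a null socket here).
        // Key types mirror the trace's "Cert Types: RSA, DSS".
        String chosen = km.chooseClientAlias(new String[] {"RSA", "DSA"}, requested.toArray(new Principal[0]), null);
        System.out.println("chooseClientAlias -> " + chosen);
        if (chosen == null) {
            System.out.println("No alias chosen: the handshake completes but the client sends an empty"
                + " Certificate message, and the server replies that a client certificate is required.");
        }
    }
}
```

If the program reports "eligible: false" for the entry you expect to be used, re-import the key entry with the leaf and its intermediate CA certificates as one chain (the intermediate's issuer is what the server's list typically names); if it reports eligible but chooseClientAlias still returns null, the key entry's key algorithm does not match the requested certificate types.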
 
Ranch Hand
Posts: 687
I am facing something similar, as I am trying to connect to the following URL: https://accessgudid.nlm.nih.gov/api/v2/devices/lookup.json?udi=%2801%2910884521062856%2811%29141231%2817%29150707%2810%29A213B1%2821%291234

However, the connection fails with the following info.
%% Invalidated:  [Session-3, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
SEND TLSv1.2 ALERT:  fatal, description = certificate_unknown
handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


However, our certificate works properly and I created a proper certificate chain. I have tested it at https://www.ssllabs.com and it looks good.
 
Saloon Keeper
Posts: 7624
SSL Labs tests whether a certificate is installed properly on a web server for access from the outside, besides other stuff. That has no bearing on how a JVM might use it when trying to connect from the server to the outside. The Security FAQ (linked from the top of this forum's home page) has an entry that covers this particular issue. In short: the certificate needs to be installed in a place where the JVM will find it.
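
The point made above, that "unable to find valid certification path to requested target" is about what the JVM's own trust store contains and not about what SSL Labs sees from outside, can be verified directly. The program below is an added example written for this thread, not code from either participant or from SSL Labs. It resolves the trust store the same way JSSE does by default (javax.net.ssl.trustStore if set, otherwise jssecacerts and then cacerts under java.home/lib/security), validates a PEM-encoded server chain against it with the PKIX trust manager, and, when validation fails, reports whether the issuer of the top-most certificate in the chain exists in that store at all. The class name, the PEM file argument (the chain the server sends, saved leaf first) and the "changeit" default password are assumptions; it needs Java 7 or later.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

/**
 * Validates a server chain against the trust store this JVM will really use
 * and names the missing issuer when PKIX path building fails (hypothetical class).
 * Usage: java TrustStoreCheck <server-chain.pem> [truststore [password]]
 * The PEM file holds the chain the server sends, leaf first.
 */
public class TrustStoreCheck {

    /** JSSE's default choice: javax.net.ssl.trustStore if set, else
     *  jssecacerts, else cacerts, under java.home/lib/security. */
    static String defaultTrustStorePath() {
        String p = System.getProperty("javax.net.ssl.trustStore");
        if (p != null) return p;
        File dir = new File(System.getProperty("java.home"), "lib" + File.separator + "security");
        File jsse = new File(dir, "jssecacerts");
        return (jsse.exists() ? jsse : new File(dir, "cacerts")).getPath();
    }

    static KeyStore loadTrustStore(String path, char[] pw) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) { ts.load(in, pw); }
        return ts;
    }

    static X509Certificate[] readPemChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return cf.generateCertificates(in).toArray(new X509Certificate[0]);
        }
    }

    /** null if the chain validates against ts, otherwise the PKIX error text. */
    static String validate(KeyStore ts, X509Certificate[] chain) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(ts);
        X509TrustManager tm = null;
        for (TrustManager t : tmf.getTrustManagers()) {
            if (t instanceof X509TrustManager) { tm = (X509TrustManager) t; break; }
        }
        if (tm == null) throw new IllegalStateException("no X509TrustManager from PKIX");
        // authType only steers the key-usage check, not path building.
        String authType = "EC".equals(chain[0].getPublicKey().getAlgorithm()) ? "ECDHE_ECDSA" : "ECDHE_RSA";
        try {
            tm.checkServerTrusted(chain, authType);
            return null;
        } catch (CertificateException e) {
            return e.toString();
        }
    }

    /** Alias whose subject is the issuer of the top-most chain cert, or null. */
    static String anchorAlias(KeyStore ts, X509Certificate[] chain) throws Exception {
        X509Certificate top = chain[chain.length - 1];
        for (String alias : Collections.list(ts.aliases())) {
            Certificate c = ts.getCertificate(alias);
            if (c instanceof X509Certificate && ((X509Certificate) c)
                    .getSubjectX500Principal().equals(top.getIssuerX500Principal())) return alias;
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: TrustStoreCheck <server-chain.pem> [truststore [password]]");
            System.exit(2);
        }
        String tsPath = args.length > 1 ? args[1] : defaultTrustStorePath();
        char[] tsPw = (args.length > 2 ? args[2] : "changeit").toCharArray(); // JDK's shipped default
        KeyStore ts = loadTrustStore(tsPath, tsPw);
        X509Certificate[] chain = readPemChain(args[0]);
        System.out.println("trust store: " + tsPath + " (" + ts.size() + " entries)");
        System.out.println("server chain: " + chain.length + " cert(s), leaf " + chain[0].getSubjectX500Principal());

        String error = validate(ts, chain);
        if (error == null) { System.out.println("OK: chain validates against this trust store"); return; }
        System.out.println("FAILED: " + error);
        String alias = anchorAlias(ts, chain);
        if (alias == null) {
            System.out.println("Nothing in this trust store has subject " + chain[chain.length - 1].getIssuerX500Principal()
                + "; import that CA certificate there (keytool -importcert) or point -Djavax.net.ssl.trustStore at a store that has it.");
        } else {
            System.out.println("Issuer is present as alias '" + alias + "'; look at expiry, key usage or a missing intermediate instead.");
        }
    }
}
```

Run it with the same JVM and the same -Djavax.net.ssl.trustStore setting as the failing application, otherwise defaultTrustStorePath() will resolve a different file than the one the application loads, which is the usual reason a certificate that "is installed" is still not found.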
 
Jignesh Patel
Ranch Hand
Posts: 687
Mac
I have reinstalled the JVM to ensure a clean installation. However, there is no change.
I have copied the stack trace for the handshaking error to a pastebin webpage.
It does seem our certificate gets added initially, as per the following:
 
Jignesh Patel
Ranch Hand
Posts: 687
Mac
But something fails at the following place.

20:43:49,330 Extension unknown: DER encoded OCTET string =
 