Java server self-signed certificate + client certificate and SSL handshake_failure

狂风中的少年 submitted on 2019-12-20 03:16:19

Question


I'm connecting to a web service which was used successfully before; however, they've now changed the hostname and sent me two .pem files: one is the CA, and the other is my new client certificate.

(I'm using Java 1.5, Spring + Spring Web Services with Apache httpclient, but I suspect my problem is with certificates, keys and SSL itself.)

I've imported both .pem files, as well as the host's .crt which I exported from Firefox, into my cacerts. However, I'm obviously doing something wrong since I get this exception:

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:117)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1542)
    ...

When I turn on SSL logging with System.setProperty("javax.net.debug", "all"), I see that the server certificate is accepted and then this happens after or somewhere during the client key exchange:

setting up default SSLSocketFactory
use default SunJSSE impl class: com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl
class com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl is loaded
keyStore is : 
keyStore type is : jks
keyStore provider is : 
init keystore
init keymanager of type SunX509
trustStore is: D:\Central\.metadata\.plugins\org.eclipse.wst.server.core\tmp0\wtpwebapps\CentraServer\WEB-INF\classes\cacerts
trustStore type is : jks
trustStore provider is : 
init truststore
adding as trusted cert:
  Subject: EMAILADDRESS=info@valicert.com, CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
  Issuer:  EMAILADDRESS=info@valicert.com, CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
  Algorithm: RSA; Serial number: 0x1
  Valid from Sat Jun 26 02:19:54 CEST 1999 until Wed Jun 26 02:19:54 CEST 2019

adding as trusted cert:
  Subject: CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust, O=Baltimore, C=IE
  Issuer:  CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust, O=Baltimore, C=IE
  Algorithm: RSA; Serial number: 0x20000bf
  Valid from Wed May 17 16:01:00 CEST 2000 until Sun May 18 01:59:00 CEST 2025

adding as trusted cert:
  Subject: CN=Entrust.net Secure Server Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), O=Entrust.net, C=US
  Issuer:  CN=Entrust.net Secure Server Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), O=Entrust.net, C=US
  Algorithm: RSA; Serial number: 0x374ad243
  Valid from Tue May 25 18:09:40 CEST 1999 until Sat May 25 18:39:40 CEST 2019

adding as trusted cert:
  Subject: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
  Issuer:  CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
  Algorithm: RSA; Serial number: 0x20000b9
  Valid from Fri May 12 20:46:00 CEST 2000 until Tue May 13 01:59:00 CEST 2025

adding as trusted cert:
  Subject: EMAILADDRESS=aw@ypsilon.net, CN=enxi.norrisdata.net, OU=enxi.norrisdata.net, O=ypsilon.net ag, L=Frankfurt, C=DE
  Issuer:  EMAILADDRESS=aw@ypsilon.net, CN=enxi.norrisdata.net-ca, OU=Certificate Authority, O=ypsilon.net ag, L=Frankfurt, C=DE
  Algorithm: RSA; Serial number: 0x2
  Valid from Fri Mar 26 11:37:00 CET 2010 until Mon Mar 23 11:37:00 CET 2020

adding as trusted cert:
  Subject: EMAILADDRESS=certificate@trustcenter.de, OU=TC TrustCenter Class 3 CA, O=TC TrustCenter for Security in Data Networks GmbH, L=Hamburg, ST=Hamburg, C=DE
  Issuer:  EMAILADDRESS=certificate@trustcenter.de, OU=TC TrustCenter Class 3 CA, O=TC TrustCenter for Security in Data Networks GmbH, L=Hamburg, ST=Hamburg, C=DE
  Algorithm: RSA; Serial number: 0x3eb
  Valid from Mon Mar 09 12:59:59 CET 1998 until Sat Jan 01 12:59:59 CET 2011

adding as trusted cert:
  Subject: EMAILADDRESS=aw@ypsilon.net, CN=enxi.norrisdata.net-ca, OU=Certificate Authority, O=ypsilon.net ag, L=Frankfurt, C=DE
  Issuer:  EMAILADDRESS=aw@ypsilon.net, CN=enxi.norrisdata.net-ca, OU=Certificate Authority, O=ypsilon.net ag, L=Frankfurt, C=DE
  Algorithm: RSA; Serial number: 0x94778886f4ca92c2
  Valid from Fri Mar 26 13:14:36 CET 2010 until Mon Mar 23 13:14:36 CET 2020

adding as trusted cert:
  Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Issuer:  CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Algorithm: RSA; Serial number: 0x9b7e0649a33e62b9d5ee90487129ef57
  Valid from Fri Oct 01 02:00:00 CEST 1999 until Thu Jul 17 01:59:59 CEST 2036

adding as trusted cert:
  Subject: EMAILADDRESS=personal-basic@thawte.com, CN=Thawte Personal Basic CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
  Issuer:  EMAILADDRESS=personal-basic@thawte.com, CN=Thawte Personal Basic CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
  Algorithm: RSA; Serial number: 0x0
  Valid from Mon Jan 01 01:00:00 CET 1996 until Fri Jan 01 00:59:59 CET 2021

adding as trusted cert:
  Subject: OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US
  Issuer:  OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US
  Algorithm: RSA; Serial number: 0x0
  Valid from Tue Jun 29 19:39:16 CEST 2004 until Thu Jun 29 19:39:16 CEST 2034

adding as trusted cert:
  Subject: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
  Issuer:  OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
  Algorithm: RSA; Serial number: 0x70bae41d10d92934b638ca7b03ccbabf
  Valid from Mon Jan 29 01:00:00 CET 1996 until Wed Aug 02 01:59:59 CEST 2028

adding as trusted cert:
  Subject: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
  Issuer:  OU=Equifax Secure Certificate Authority, O=Equifax, C=US
  Algorithm: RSA; Serial number: 0x35def4cf
  Valid from Sat Aug 22 18:41:51 CEST 1998 until Wed Aug 22 18:41:51 CEST 2018

adding as trusted cert:
  Subject: OU=Equifax Secure eBusiness CA-2, O=Equifax Secure, C=US
  Issuer:  OU=Equifax Secure eBusiness CA-2, O=Equifax Secure, C=US
  Algorithm: RSA; Serial number: 0x3770cfb5
  Valid from Wed Jun 23 14:14:45 CEST 1999 until Sun Jun 23 14:14:45 CEST 2019

adding as trusted cert:
  Subject: EMAILADDRESS=personal-freemail@thawte.com, CN=Thawte Personal Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
  Issuer:  EMAILADDRESS=personal-freemail@thawte.com, CN=Thawte Personal Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
  Algorithm: RSA; Serial number: 0x0
  Valid from Mon Jan 01 01:00:00 CET 1996 until Fri Jan 01 00:59:59 CET 2021

adding as trusted cert:
  Subject: CN=Equifax Secure eBusiness CA-1, O=Equifax Secure Inc., C=US
  Issuer:  CN=Equifax Secure eBusiness CA-1, O=Equifax Secure Inc., C=US
  Algorithm: RSA; Serial number: 0x4
  Valid from Mon Jun 21 06:00:00 CEST 1999 until Sun Jun 21 06:00:00 CEST 2020

adding as trusted cert:
  Subject: EMAILADDRESS=personal-premium@thawte.com, CN=Thawte Personal Premium CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
  Issuer:  EMAILADDRESS=personal-premium@thawte.com, CN=Thawte Personal Premium CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
  Algorithm: RSA; Serial number: 0x0
  Valid from Mon Jan 01 01:00:00 CET 1996 until Fri Jan 01 00:59:59 CET 2021

adding as trusted cert:
  Subject: CN=GTE CyberTrust Root 5, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
  Issuer:  CN=GTE CyberTrust Root 5, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
  Algorithm: RSA; Serial number: 0x1b6
  Valid from Fri Aug 14 16:50:00 CEST 1998 until Thu Aug 15 01:59:00 CEST 2013

adding as trusted cert:
  Subject: OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
  Issuer:  OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
  Algorithm: RSA; Serial number: 0xcdba7f56f0dfe4bc54fe22acb372aa55
  Valid from Mon Jan 29 01:00:00 CET 1996 until Wed Aug 02 01:59:59 CEST 2028

adding as trusted cert:
  Subject: EMAILADDRESS=certificate@trustcenter.de, OU=TC TrustCenter Class 2 CA, O=TC TrustCenter for Security in Data Networks GmbH, L=Hamburg, ST=Hamburg, C=DE
  Issuer:  EMAILADDRESS=certificate@trustcenter.de, OU=TC TrustCenter Class 2 CA, O=TC TrustCenter for Security in Data Networks GmbH, L=Hamburg, ST=Hamburg, C=DE
  Algorithm: RSA; Serial number: 0x3ea
  Valid from Mon Mar 09 12:59:59 CET 1998 until Sat Jan 01 12:59:59 CET 2011

adding as trusted cert:
  Subject: CN=GTE CyberTrust Root, O=GTE Corporation, C=US
  Issuer:  CN=GTE CyberTrust Root, O=GTE Corporation, C=US
  Algorithm: RSA; Serial number: 0x1a3
  Valid from Sat Feb 24 00:01:00 CET 1996 until Fri Feb 24 00:59:00 CET 2006

adding as trusted cert:
  Subject: CN=Entrust.net Secure Server Certification Authority, OU=(c) 2000 Entrust.net Limited, OU=www.entrust.net/SSL_CPS incorp. by ref. (limits liab.), O=Entrust.net
  Issuer:  CN=Entrust.net Secure Server Certification Authority, OU=(c) 2000 Entrust.net Limited, OU=www.entrust.net/SSL_CPS incorp. by ref. (limits liab.), O=Entrust.net
  Algorithm: RSA; Serial number: 0x389b113c
  Valid from Fri Feb 04 18:20:00 CET 2000 until Tue Feb 04 18:50:00 CET 2020

adding as trusted cert:
  Subject: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
  Issuer:  OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
  Algorithm: RSA; Serial number: 0x7dd9fe07cfa81eb7107967fba78934c6
  Valid from Mon May 18 02:00:00 CEST 1998 until Wed Aug 02 01:59:59 CEST 2028

adding as trusted cert:
  Subject: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
  Issuer:  EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
  Algorithm: RSA; Serial number: 0x1
  Valid from Thu Aug 01 02:00:00 CEST 1996 until Fri Jan 01 00:59:59 CET 2021

adding as trusted cert:
  Subject: CN=Emporion CA, DC=emporion, DC=hr
  Issuer:  CN=Emporion CA, DC=emporion, DC=hr
  Algorithm: RSA; Serial number: 0x52fbeae95112b2aa48647da355f35330
  Valid from Thu Dec 14 08:53:07 CET 2006 until Wed Dec 14 08:55:04 CET 2011

adding as trusted cert:
  Subject: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
  Issuer:  OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
  Algorithm: RSA; Serial number: 0x2ad667e4e45fe5e576f3c98195eddc0
  Valid from Wed Nov 09 01:00:00 CET 1994 until Fri Jan 08 00:59:59 CET 2010

adding as trusted cert:
  Subject: EMAILADDRESS=aw@ypsilon.net, CN=adriatic, O=ypsilon.net ag, L=Frankfurt, C=DE
  Issuer:  EMAILADDRESS=aw@ypsilon.net, CN=enxi.norrisdata.net-ca, OU=Certificate Authority, O=ypsilon.net ag, L=Frankfurt, C=DE
  Algorithm: RSA; Serial number: 0x3c
  Valid from Thu Jan 13 16:07:12 CET 2011 until Sun Jan 12 16:07:12 CET 2014

adding as trusted cert:
  Subject: CN=Entrust.net Client Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/Client_CA_Info/CPS incorp. by ref. limits liab., O=Entrust.net, C=US
  Issuer:  CN=Entrust.net Client Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/Client_CA_Info/CPS incorp. by ref. limits liab., O=Entrust.net, C=US
  Algorithm: RSA; Serial number: 0x380391ee
  Valid from Tue Oct 12 21:24:30 CEST 1999 until Sat Oct 12 21:54:30 CEST 2019

adding as trusted cert:
  Subject: CN=Entrust.net Client Certification Authority, OU=(c) 2000 Entrust.net Limited, OU=www.entrust.net/GCCA_CPS incorp. by ref. (limits liab.), O=Entrust.net
  Issuer:  CN=Entrust.net Client Certification Authority, OU=(c) 2000 Entrust.net Limited, OU=www.entrust.net/GCCA_CPS incorp. by ref. (limits liab.), O=Entrust.net
  Algorithm: RSA; Serial number: 0x389ef6e4
  Valid from Mon Feb 07 17:16:40 CET 2000 until Fri Feb 07 17:46:40 CET 2020

[snip more irrelevant certificates]

adding as trusted cert:
  Subject: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 1 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
  Issuer:  OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 1 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
  Algorithm: RSA; Serial number: 0x4cc7eaaa983e71d39310f83d3a899192
  Valid from Mon May 18 02:00:00 CEST 1998 until Wed Aug 02 01:59:59 CEST 2028

init context
trigger seeding of SecureRandom
done seeding SecureRandom
instantiated an instance of class com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl
http-8080-Processor25, setSoTimeout(90000) called
http-8080-Processor25, setSoTimeout(90000) called
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1295536786 bytes = { 74, 39, 25, 138, 201, 29, 231, 172, 208, 86, 159, 87, 97, 159, 118, 69, 60, 76, 126, 1, 3, 113, 32, 74, 124, 197, 227, 100 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods:  { 0 }
***
[write] MD5 and SHA1 hashes:  len = 73
0000: 01 00 00 45 03 01 4D 38   53 92 4A 27 19 8A C9 1D  ...E..M8S.J'....
...
0040: 03 00 08 00 14 00 11 01   00                       .........
http-8080-Processor25, WRITE: TLSv1 Handshake, length = 73
[write] MD5 and SHA1 hashes:  len = 98
0000: 01 03 01 00 39 00 00 00   20 00 00 04 01 00 80 00  ....9... .......
...
0060: E3 64                                              .d
http-8080-Processor25, WRITE: SSLv2 client hello message, length = 98
[Raw write]: length = 100
0000: 80 62 01 03 01 00 39 00   00 00 20 00 00 04 01 00  .b....9... .....
...
0060: 7C C5 E3 64                                        ...d
[Raw read]: length = 5
0000: 16 03 01 00 4A                                     ....J
[Raw read]: length = 74
0000: 02 00 00 46 03 01 4D 38   53 92 91 2B 9B 04 40 75  ...F..M8S..+..@u
...
0040: CF 80 63 11 83 EF 78 00   04 00                    ..c...x...
http-8080-Processor25, READ: TLSv1 Handshake, length = 74
*** ServerHello, TLSv1
RandomCookie:  GMT: 1295536786 bytes = { 145, 43, 155, 4, 64, 117, 29, 20, 155, 104, 148, 67, 38, 191, 176, 32, 226, 210, 15, 208, 38, 62, 186, 93, 161, 102, 98, 43 }
Session ID:  {170, 186, 169, 17, 103, 4, 99, 63, 183, 238, 23, 232, 183, 145, 193, 146, 7, 27, 157, 237, 100, 139, 163, 244, 30, 207, 128, 99, 17, 131, 239, 120}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
***
%% Created:  [Session-1, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
[read] MD5 and SHA1 hashes:  len = 74
0000: 02 00 00 46 03 01 4D 38   53 92 91 2B 9B 04 40 75  ...F..M8S..+..@u
...
0040: CF 80 63 11 83 EF 78 00   04 00                    ..c...x...
[Raw read]: length = 5
0000: 16 03 01 05 62                                     ....b
[Raw read]: length = 1378
0000: 0B 00 05 5E 00 05 5B 00   02 A4 30 82 02 A0 30 82  ...^..[...0...0.
...
0550: 62 FB DE A4 74 87 D9 2A   2B 2F AF 31 22 97 4A F6  b...t..*+/.1".J.
0560: B8 9F                                              ..
http-8080-Processor25, READ: TLSv1 Handshake, length = 1378
*** Certificate chain
chain [0] = [
[
  Version: V1
  Subject: EMAILADDRESS=aw@ypsilon.net, CN=enxi.norrisdata.net, OU=enxi.norrisdata.net, O=ypsilon.net ag, L=Frankfurt, C=DE
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 1024 bits
  modulus: 105158323961649143261675059370957210288137897982882368398075567460896421730512351351129218695072925445303830065152794594929017968110838209795249871435238567060656353603426816451022832577131638028495007888967083020723809918589055189033188525472465535607293377867184162059586888049098196531889988723950292830313
  public exponent: 65537
  Validity: [From: Fri Mar 26 11:37:00 CET 2010,
               To: Mon Mar 23 11:37:00 CET 2020]
  Issuer: EMAILADDRESS=aw@ypsilon.net, CN=enxi.norrisdata.net-ca, OU=Certificate Authority, O=ypsilon.net ag, L=Frankfurt, C=DE
  SerialNumber: [    02]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 3A F3 91 84 EA B1 CF 28   7B 52 EC 50 34 56 CB A5  :......(.R.P4V..
...
]
chain [1] = [
[
  Version: V1
  Subject: EMAILADDRESS=aw@ypsilon.net, CN=enxi.norrisdata.net-ca, OU=Certificate Authority, O=ypsilon.net ag, L=Frankfurt, C=DE
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 1024 bits
  modulus: 103786554737956184369138386227517475430156404603922533481712260490997247291004352385079204978431207687092828117962473600295977103686791448953158848873575487907656378655168840104433047747570602454550203304683174555325033654946526304210710782190667961616217273402229863778090825217190222869236148684215668636483
  public exponent: 65537
  Validity: [From: Fri Mar 26 13:14:36 CET 2010,
               To: Mon Mar 23 13:14:36 CET 2020]
  Issuer: EMAILADDRESS=aw@ypsilon.net, CN=enxi.norrisdata.net-ca, OU=Certificate Authority, O=ypsilon.net ag, L=Frankfurt, C=DE
  SerialNumber: [    94778886 f4ca92c2]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 86 EE 6C 03 20 76 E5 0C   C7 1D E5 44 60 C0 D0 40  ..l. v.....D`..@
...
]
***
Found trusted certificate:
[
[
  Version: V1
  Subject: EMAILADDRESS=aw@ypsilon.net, CN=enxi.norrisdata.net, OU=enxi.norrisdata.net, O=ypsilon.net ag, L=Frankfurt, C=DE
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 1024 bits
  modulus: 105158323961649143261675059370957210288137897982882368398075567460896421730512351351129218695072925445303830065152794594929017968110838209795249871435238567060656353603426816451022832577131638028495007888967083020723809918589055189033188525472465535607293377867184162059586888049098196531889988723950292830313
  public exponent: 65537
  Validity: [From: Fri Mar 26 11:37:00 CET 2010,
               To: Mon Mar 23 11:37:00 CET 2020]
  Issuer: EMAILADDRESS=aw@ypsilon.net, CN=enxi.norrisdata.net-ca, OU=Certificate Authority, O=ypsilon.net ag, L=Frankfurt, C=DE
  SerialNumber: [    02]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 3A F3 91 84 EA B1 CF 28   7B 52 EC 50 34 56 CB A5  :......(.R.P4V..
...
]
[read] MD5 and SHA1 hashes:  len = 1378
0000: 0B 00 05 5E 00 05 5B 00   02 A4 30 82 02 A0 30 82  ...^..[...0...0.
...
[Raw read]: length = 5
0000: 16 03 01 00 0E                                     .....
[Raw read]: length = 14
0000: 0D 00 00 06 03 01 02 40   00 00 0E 00 00 00        .......@......
http-8080-Processor25, READ: TLSv1 Handshake, length = 14
*** CertificateRequest
Cert Types: RSA, DSS, Type-64, 
Cert Authorities:
[read] MD5 and SHA1 hashes:  len = 10
0000: 0D 00 00 06 03 01 02 40   00 00                    .......@..
*** ServerHelloDone
[read] MD5 and SHA1 hashes:  len = 4
0000: 0E 00 00 00                                        ....
*** Certificate chain
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
Random Secret:  { 3, 1, 171, 173, 40, 115, 135, 189, 1, 133, 123, 112, 14, 101, 81, 12, 110, 67, 184, 222, 191, 39, 146, 61, 195, 70, 149, 67, 178, 129, 141, 29, 160, 92, 198, 213, 71, 6, 35, 92, 141, 155, 111, 161, 88, 150, 14, 217 }
[write] MD5 and SHA1 hashes:  len = 141
0000: 0B 00 00 03 00 00 00 10   00 00 82 00 80 2F 50 23  ............./P#
...
0080: 32 A0 09 CB 0E AE 42 4F   25 7A AE 41 DF           2.....BO%z.A.
http-8080-Processor25, WRITE: TLSv1 Handshake, length = 141
[Raw write]: length = 146
0000: 16 03 01 00 8D 0B 00 00   03 00 00 00 10 00 00 82  ................
...
0090: 41 DF                                              A.
SESSION KEYGEN:
PreMaster Secret:
0000: 03 01 AB AD 28 73 87 BD   01 85 7B 70 0E 65 51 0C  ....(s.....p.eQ.
0010: 6E 43 B8 DE BF 27 92 3D   C3 46 95 43 B2 81 8D 1D  nC...'.=.F.C....
0020: A0 5C C6 D5 47 06 23 5C   8D 9B 6F A1 58 96 0E D9  .\..G.#\..o.X...
CONNECTION KEYGEN:
Client Nonce:
0000: 4D 38 53 92 4A 27 19 8A   C9 1D E7 AC D0 56 9F 57  M8S.J'.......V.W
0010: 61 9F 76 45 3C 4C 7E 01   03 71 20 4A 7C C5 E3 64  a.vE<L...q J...d
Server Nonce:
0000: 4D 38 53 92 91 2B 9B 04   40 75 1D 14 9B 68 94 43  M8S..+..@u...h.C
0010: 26 BF B0 20 E2 D2 0F D0   26 3E BA 5D A1 66 62 2B  &.. ....&>.].fb+
Master Secret:
0000: 13 9A 7A E6 A0 60 FA 39   20 54 B1 5B 11 C0 1C 8E  ..z..`.9 T.[....
0010: 0C 1E DD 6D 81 F3 87 BB   55 C5 04 5E EF 92 9D 56  ...m....U..^...V
0020: F8 A5 BE 3C 63 41 49 5D   28 C6 CB 39 2B AC 2B 01  ...<cAI](..9+.+.
Client MAC write Secret:
0000: C6 9B B2 39 8A B2 0D 8E   D2 4F ED 8B 41 2A 5E 24  ...9.....O..A*^$
Server MAC write Secret:
0000: 0F EC E3 F0 A0 23 B0 06   3A E1 27 17 51 D5 63 D4  .....#..:.'.Q.c.
Client write key:
0000: 84 00 3C F3 A6 64 8B FC   EC 24 34 E5 98 37 2D 4B  ..<..d...$4..7-K
Server write key:
0000: 15 71 17 98 7F BF 96 CF   B5 84 0D 27 53 92 FA D6  .q.........'S...
... no IV for cipher
http-8080-Processor25, WRITE: TLSv1 Change Cipher Spec, length = 1
[Raw write]: length = 6
0000: 14 03 01 00 01 01                                  ......
*** Finished
verify_data:  { 242, 229, 163, 78, 24, 68, 97, 187, 238, 159, 79, 121 }
***
[write] MD5 and SHA1 hashes:  len = 16
0000: 14 00 00 0C F2 E5 A3 4E   18 44 61 BB EE 9F 4F 79  .......N.Da...Oy
Padded plaintext before ENCRYPTION:  len = 32
0000: 14 00 00 0C F2 E5 A3 4E   18 44 61 BB EE 9F 4F 79  .......N.Da...Oy
0010: 7D 95 FF FE 93 4D C5 18   4B C0 DD 31 EB 12 39 DF  .....M..K..1..9.
http-8080-Processor25, WRITE: TLSv1 Handshake, length = 32
[Raw write]: length = 37
0000: 16 03 01 00 20 43 6D 0D   E1 CD D5 D7 7A 9C 25 61  .... Cm.....z.%a
0010: 1A 58 2C E4 3E 18 EB B1   C9 80 9C C5 E7 30 E5 23  .X,.>........0.#
0020: 6E 10 C9 2A AE                                     n..*.
[Raw read]: length = 5
0000: 15 03 01 00 02                                     .....
[Raw read]: length = 2
0000: 02 28                                              .(
http-8080-Processor25, READ: TLSv1 Alert, length = 2
http-8080-Processor25, RECV TLSv1 ALERT:  fatal, handshake_failure
http-8080-Processor25, called closeSocket()
http-8080-Processor25, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
http-8080-Processor25, called close()
http-8080-Processor25, called closeInternal(true)
http-8080-Processor25, called close()
http-8080-Processor25, called closeInternal(true)
http-8080-Processor25, called close()
http-8080-Processor25, called closeInternal(true)

What does this mean? What is the meaning of the message "no IV for cipher"?

EDIT: After a bit of investigating, I found a stupid error - the keystore wasn't getting loaded at all since the javax.net.ssl.keyStore property wasn't set correctly. However, now I get a connection reset exception and I still get "no IV for cipher"... so I'm asking basically the same question again here.


Answer 1:


no IV for cipher indicates that the cipher in use does not require an IV (RC4 is one such cipher, and likely the one chosen here).

Edit: Per GregS's comment, this handshake_failure could be caused by the server requesting client authentication and the client failing to provide a certificate.



Source: https://stackoverflow.com/questions/4738397/java-server-self-signed-certificate-client-certificate-and-ssl-handshake-failu
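
One way to confirm the answer's explanation from a javax.net.debug trace, as an added example that is not part of the original post: the script checks for an empty keyStore, a CertificateRequest, the length of the client's Certificate chain in reply, and the alert that follows. The function names and the condensed sample trace are constructed for illustration.

```python
import re

# Constructed sample: condensed javax.net.debug trace shaped like the question's log.
SAMPLE_TRACE = """\
keyStore is :
keyStore type is : jks
*** ServerHello, TLSv1
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
*** Certificate chain
chain [0] = [
  Subject: CN=server.example
]
***
*** CertificateRequest
Cert Types: RSA, DSS, Type-64,
*** ServerHelloDone
*** Certificate chain
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
... no IV for cipher
*** Finished
main, RECV TLSv1 ALERT:  fatal, handshake_failure
"""


def triage(trace):
    """Extract the client-authentication facts from a javax.net.debug trace."""
    r = {"keystore": None, "cipher": None, "cert_requested": False,
         "client_chain_len": None, "alert": None}
    in_client_chain = False
    for raw in trace.splitlines():
        line = raw.strip()
        m = re.match(r"keyStore is\s*:\s*(.*)$", line)
        if m:
            r["keystore"] = m.group(1) or None  # empty value: nothing loaded
        m = re.match(r"Cipher Suite:\s*(\S+)", line)  # suite chosen in ServerHello
        if m:
            r["cipher"] = m.group(1)
        if line.startswith("*** CertificateRequest"):
            r["cert_requested"] = True
        elif (line.startswith("*** Certificate chain") and r["cert_requested"]
              and r["client_chain_len"] is None):
            # The first chain printed after CertificateRequest is the client's reply.
            in_client_chain = True
            r["client_chain_len"] = 0
        elif in_client_chain:
            if line == "***":
                in_client_chain = False
            elif re.match(r"chain \[\d+\] = \[", line):
                r["client_chain_len"] += 1
        m = re.search(r"RECV \S+ ALERT:\s*(\w+),\s*(\w+)", line)
        if m:
            r["alert"] = (m.group(1), m.group(2))
    return r


def diagnose(r):
    """Turn the extracted facts into human-readable findings."""
    notes = []
    if r["keystore"] is None:
        notes.append("keyStore is empty: the default key manager has no client key to offer")
    if r["cert_requested"] and r["client_chain_len"] == 0:
        notes.append("server sent CertificateRequest; client replied with an empty chain")
        if r["alert"] == ("fatal", "handshake_failure"):
            notes.append("handshake_failure follows: server likely requires a client certificate")
    if r["cipher"] and "RC4" in r["cipher"]:
        notes.append("'no IV for cipher' is expected: RC4 is a stream cipher and takes no IV")
    return notes


if __name__ == "__main__":
    for note in diagnose(triage(SAMPLE_TRACE)):
        print("-", note)
```
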
