
Webservice access with client auth: handshake_failure

I am trying to connect to a web service with a certificate in PKCS#12 format, but I receive this error: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure. I have read every answer on Stack Overflow but I cannot figure out where the problem is.

I use this code:

// Client key and certificate used for TLS client authentication by the default JSSE key manager
System.setProperty("javax.net.ssl.keyStoreType", "pkcs12");
System.setProperty("javax.net.ssl.keyStore", "certificato.p12");
System.setProperty("javax.net.ssl.keyStorePassword", "<pw>");

And the debug log:

.....

keyStore is : certificato.p12
keyStore type is : pkcs12
keyStore provider is : 
init keystore
init keymanager of type SunX509

....

trigger seeding of SecureRandom
done seeding SecureRandom
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
main, setSoTimeout(60000) called
main, the previous server name in SNI (type=host_name (0), value=wstest.agenziadoganemonopoli.gov.it) was replaced with (type=host_name (0), value=wstest.agenziadoganemonopoli.gov.it)
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1522402781 bytes = { 230, 149, 170, 160, 96, 3, 20, 194, 35, 95, 51, 144, 240, 242, 1, 185, 116, 210, 225, 214, 208, 170, 253, 30, 253, 205, 77, 198 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_KRB5_WITH_3DES_EDE_CBC_SHA]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension extended_master_secret
Extension server_name, server_name: [type=host_name (0), value=wstest.agenziadoganemonopoli.gov.it]
***
main, WRITE: TLSv1.2 Handshake, length = 217
main, READ: TLSv1.2 Handshake, length = 89
*** ServerHello, TLSv1.2
RandomCookie:  GMT: 843419311 bytes = { 2, 154, 215, 104, 32, 197, 59, 136, 48, 242, 21, 86, 144, 250, 121, 115, 130, 97, 90, 238, 44, 73, 133, 103, 122, 36, 210, 246 }
Session ID:  {3, 111, 126, 100, 51, 57, 110, 201, 135, 102, 65, 156, 56, 132, 148, 198, 229, 47, 220, 146, 214, 66, 71, 233, 251, 146, 231, 74, 20, 55, 43, 145}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension ec_point_formats, formats: [uncompressed, ansiX962_compressed_prime, ansiX962_compressed_char2]
***
%% Initialized:  [Session-1, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
** TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
main, READ: TLSv1.2 Handshake, length = 3881
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=wstest.adm.gov.it, O=Sogei - Societa' Generale d'Informatica S.p.A., L=Rome, C=IT
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 25419731442206390593645385783404702655267624607655886886586579033277263788093373992316533519614413768987220348067912658765779900645263321853746972064637161938435805567613643957429752362355933531417681870133823645315121191427143131377937830838050657155922764655579621555942502387731877471464619602709418992558060826542318275546503785686897936728729751825524180287855913433073881874132502422571860488498582431532471712013797553571057054314243072094292449266868965533309794853529204639866789866609617498173211239260574372830187459660967406616094045636157545783011722924489392938382648416564815561090724635178650796195467
  public exponent: 65537
  Validity: [From: Mon May 21 02:00:00 CEST 2018,
               To: Thu May 28 14:00:00 CEST 2020]
  Issuer: CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
  SerialNumber: [    08e09466 2094b01d 65a1b95f 3eb92c66]

Certificate Extensions: 10
[1]: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 82 01 6F 04 82 01 6B   01 69 00 76 00 A4 B9 09  ...o...k.i.v....
0010: 90 B4 18 58 14 87 BB 13   A2 CC 67 70 0A 3C 35 98  ...X......gp.<5.
0020: 04 F9 1B DF B8 E3 77 CD   0E C8 0D DC 10 00 00 01  ......w.........
0030: 63 82 03 F4 00 00 00 04   03 00 47 30 45 02 21 00  c.........G0E.!.
0040: 9A A2 E4 E3 3B 1A F2 02   63 E6 9D A6 62 E7 C0 DC  ....;...c...b...
0050: 8D 95 70 54 01 D5 07 1B   40 B9 11 FD 4A 2D 1C C4  ..pT....@...J-..
0060: 02 20 2C BC 8B 1A 55 0E   25 8C FC B8 29 55 F5 EE  . ,...U.%...)U..
0070: 9C 2A B7 97 34 5C 95 FC   A4 F5 9E 6C 38 90 F0 B7  .*..4\.....l8...
0080: DD F4 00 77 00 6F 53 76   AC 31 F0 31 19 D8 99 00  ...w.oSv.1.1....
0090: A4 51 15 FF 77 15 1C 11   D9 02 C1 00 29 06 8D B2  .Q..w.......)...
00A0: 08 9A 37 D9 13 00 00 01   63 82 03 F4 69 00 00 04  ..7.....c...i...
00B0: 03 00 48 30 46 02 21 00   B6 41 FD F7 CE 31 4D 75  ..H0F.!..A...1Mu
00C0: A4 BB D6 2E E7 66 0D 03   2B 6C 97 35 ED 86 DC 25  .....f..+l.5...%
00D0: EF 6C 00 B4 BC 1C B3 FE   02 21 00 D2 C5 BA 46 42  .l.......!....FB
00E0: 38 F2 68 8F 68 A8 14 1F   A3 0C 52 CB 0A BE DD E0  8.h.h.....R.....
00F0: E9 F2 FA E7 E2 9F 22 8E   3B 2B 06 00 76 00 BB D9  ......".;+..v...
0100: DF BC 1F 8A 71 B5 93 94   23 97 AA 92 7B 47 38 57  ....q...#....G8W
0110: 95 0A AB 52 E8 1A 90 96   64 36 8E 1E D1 85 00 00  ...R....d6......
0120: 01 63 82 03 F3 5E 00 00   04 03 00 47 30 45 02 21  .c...^.....G0E.!
0130: 00 9A 67 22 9D CC B4 B6   F0 34 B8 FE 57 6D FA 2C  ..g".....4..Wm.,
0140: 47 37 F0 93 D6 18 63 68   C6 C2 F0 99 83 F6 EE D1  G7....ch........
0150: CC 02 20 68 47 59 19 AE   02 D3 E6 30 27 EF 48 76  .. hGY.....0'.Hv
0160: 27 9A F8 5B 60 CD B4 4A   03 08 38 DC 72 AB ED 65  '..[`..J..8.r..e
0170: 94 A7 5E                                           ..^


[2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.digicert.com
, 
   accessMethod: caIssuers
   accessLocation: URIName: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt
]
]

[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 0F 80 61 1C 82 31 61 D5   2F 28 E7 8D 46 38 B4 2C  ..a..1a./(..F8.,
0010: E1 C6 D9 E2                                        ....
]
]

[4]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[5]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl3.digicert.com/ssca-sha2-g6.crl]
, DistributionPoint:
     [URIName: http://crl4.digicert.com/ssca-sha2-g6.crl]
]]

[6]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.114412.1.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1C 68 74 74 70 73 3A   2F 2F 77 77 77 2E 64 69  ..https://www.di
0010: 67 69 63 65 72 74 2E 63   6F 6D 2F 43 50 53        gicert.com/CPS

]]  ]
  [CertificatePolicyId: [2.23.140.1.2.2]
[]  ]
]

[7]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

[8]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

[9]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: wstest.adm.gov.it
  DNSName: wstest.agenziadoganemonopoli.gov.it
]

[10]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 13 86 1A C9 BF 3A 50 51   77 C2 23 D7 A0 B9 9F 93  .....:PQw.#.....
0010: 15 A5 2E 98                                        ....
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
.... deleted ....

]
chain [1] = [
[
  Version: V3
  Subject: CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 27858400285679723188777933283712642951289579686400775596360785472462618845441045591174031407467141927949303967273640603370583027943461489694611514307846044788608302737755893035638149922272068624160730850926560034092625156444445564936562297688651849223419070532331233030323585681010618165796464257277453762819678070632408347042070801988771058882131228632546107451893714991242153395658429259537934263208634002792828772169217510656239241005311075681025394047894661420520700962300445533960645787118986590875906485125942483622981513806162241672544997253865343228332025582679476240480384023017494305830194847248717881628827
  public exponent: 65537
  Validity: [From: Fri Mar 08 13:00:00 CET 2013,
               To: Wed Mar 08 13:00:00 CET 2023]
  Issuer: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  SerialNumber: [    01fda3eb 6eca75c8 88438b72 4bcfbc91]

Certificate Extensions: 7
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.digicert.com
]
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 03 DE 50 35 56 D1 4C BB   66 F0 A3 E2 1B 1B C3 97  ..P5V.L.f.......
0010: B2 3D D1 55                                        .=.U
]
]

[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl3.digicert.com/DigiCertGlobalRootCA.crl]
, DistributionPoint:
     [URIName: http://crl4.digicert.com/DigiCertGlobalRootCA.crl]
]]

[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.5.29.32.0]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1C 68 74 74 70 73 3A   2F 2F 77 77 77 2E 64 69  ..https://www.di
0010: 67 69 63 65 72 74 2E 63   6F 6D 2F 43 50 53        gicert.com/CPS

]]  ]
]

[6]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]

[7]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 0F 80 61 1C 82 31 61 D5   2F 28 E7 8D 46 38 B4 2C  ..a..1a./(..F8.,
0010: E1 C6 D9 E2                                        ....
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 23 3E DF 4B D2 31 42 A5   B6 7E 42 5C 1A 44 CC 69  #>.K.1B...B\.D.i
0010: D1 68 B4 5D 4B E0 04 21   6C 4B E2 6D CC B1 E0 97  .h.]K..!lK.m....
0020: 8F A6 53 09 CD AA 2A 65   E5 39 4F 1E 83 A5 6E 5C  ..S...*e.9O...n\
0030: 98 A2 24 26 E6 FB A1 ED   93 C7 2E 02 C6 4D 4A BF  ..$&.........MJ.
0040: B0 42 DF 78 DA B3 A8 F9   6D FF 21 85 53 36 60 4C  .B.x....m.!.S6`L
0050: 76 CE EC 38 DC D6 51 80   F0 C5 D6 E5 D4 4D 27 64  v..8..Q......M'd
0060: AB 9B C7 3E 71 FB 48 97   B8 33 6D C9 13 07 EE 96  ...>q.H..3m.....
0070: A2 1B 18 15 F6 5C 4C 40   ED B3 C2 EC FF 71 C1 E3  .....\L@.....q..
0080: 47 FF D4 B9 00 B4 37 42   DA 20 C9 EA 6E 8A EE 14  G.....7B. ..n...
0090: 06 AE 7D A2 59 98 88 A8   1B 6F 2D F4 F2 C9 14 5F  ....Y....o-...._
00A0: 26 CF 2C 8D 7E ED 37 C0   A9 D5 39 B9 82 BF 19 0C  &.,...7...9.....
00B0: EA 34 AF 00 21 68 F8 AD   73 E2 C9 32 DA 38 25 0B  .4..!h..s..2.8%.
00C0: 55 D3 9A 1D F0 68 86 ED   2E 41 34 EF 7C A5 50 1D  U....h...A4...P.
00D0: BF 3A F9 D3 C1 08 0C E6   ED 1E 8A 58 25 E4 B8 77  .:.........X%..w
00E0: AD 2D 6E F5 52 DD B4 74   8F AB 49 2E 9D 3B 93 34  .-n.R..t..I..;.4
00F0: 28 1F 78 CE 94 EA C7 BD   D3 C9 6D 1C DE 5C 32 F3  (.x.......m..\2.

]
chain [2] = [
[
  Version: V3
  Subject: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: 28559384442792876273280274398620578979733786817784174960112400169719065906301471912340204391164075730987771255281479191858503912379974443363319206013285922932969143082114108995903507302607372164107846395526169928849546930352778612946811335349917424469188917500996253619438384218721744278787164274625243781917237444202229339672234113350935948264576180342492691117960376023738627349150441152487120197333042448834154779966801277094070528166918968412433078879939664053044797116916260095055641583506170045241549105022323819314163625798834513544420165235412105694681616578431019525684868803389424296613694298865514217451303
  public exponent: 65537
  Validity: [From: Fri Nov 10 01:00:00 CET 2006,
               To: Mon Nov 10 01:00:00 CET 2031]
  Issuer: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  SerialNumber: [    083be056 904246b1 a1756ac9 5991c74a]

Certificate Extensions: 4
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 03 DE 50 35 56 D1 4C BB   66 F0 A3 E2 1B 1B C3 97  ..P5V.L.f.......
0010: B2 3D D1 55                                        .=.U
]
]

[2]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

[3]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]

[4]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 03 DE 50 35 56 D1 4C BB   66 F0 A3 E2 1B 1B C3 97  ..P5V.L.f.......
0010: B2 3D D1 55                                        .=.U
]
]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: CB 9C 37 AA 48 13 12 0A   FA DD 44 9C 4F 52 B0 F4  ..7.H.....D.OR..
0010: DF AE 04 F5 79 79 08 A3   24 18 FC 4B 2B 84 C0 2D  ....yy..$..K+..-
0020: B9 D5 C7 FE F4 C1 1F 58   CB B8 6D 9C 7A 74 E7 98  .......X..m.zt..
0030: 29 AB 11 B5 E3 70 A0 A1   CD 4C 88 99 93 8C 91 70  )....p...L.....p
0040: E2 AB 0F 1C BE 93 A9 FF   63 D5 E4 07 60 D3 A3 BF  ........c...`...
0050: 9D 5B 09 F1 D5 8E E3 53   F4 8E 63 FA 3F A7 DB B4  .[.....S..c.?...
0060: 66 DF 62 66 D6 D1 6E 41   8D F2 2D B5 EA 77 4A 9F  f.bf..nA..-..wJ.
0070: 9D 58 E2 2B 59 C0 40 23   ED 2D 28 82 45 3E 79 54  .X.+Y.@#.-(.E>yT
0080: 92 26 98 E0 80 48 A8 37   EF F0 D6 79 60 16 DE AC  .&...H.7...y`...
0090: E8 0E CD 6E AC 44 17 38   2F 49 DA E1 45 3E 2A B9  ...n.D.8/I..E>*.
00A0: 36 53 CF 3A 50 06 F7 2E   E8 C4 57 49 6C 61 21 18  6S.:P.....WIla!.
00B0: D5 04 AD 78 3C 2C 3A 80   6B A7 EB AF 15 14 E9 D8  ...x<,:.k.......
00C0: 89 C1 B9 38 6C E2 91 6C   8A FF 64 B9 77 25 57 30  ...8l..l..d.w%W0
00D0: C0 1B 24 A3 E1 DC E9 DF   47 7C B5 B4 24 08 05 30  ..$.....G...$..0
00E0: EC 2D BD 0B BF 45 BF 50   B9 A9 F3 EB 98 01 12 AD  .-...E.P........
00F0: C8 88 C6 98 34 5F 8D 0A   3C C6 E9 D5 95 95 6D DE  ....4_..<.....m.

]
***
Found trusted certificate:
[
[
  Version: V3
  Subject: CN=wstest.adm.gov.it, O=Sogei - Societa' Generale d'Informatica S.p.A., L=Rome, C=IT
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 25419731442206390593645385783404702655267624607655886886586579033277263788093373992316533519614413768987220348067912658765779900645263321853746972064637161938435805567613643957429752362355933531417681870133823645315121191427143131377937830838050657155922764655579621555942502387731877471464619602709418992558060826542318275546503785686897936728729751825524180287855913433073881874132502422571860488498582431532471712013797553571057054314243072094292449266868965533309794853529204639866789866609617498173211239260574372830187459660967406616094045636157545783011722924489392938382648416564815561090724635178650796195467
  public exponent: 65537
  Validity: [From: Mon May 21 02:00:00 CEST 2018,
               To: Thu May 28 14:00:00 CEST 2020]
  Issuer: CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
  SerialNumber: [    08e09466 2094b01d 65a1b95f 3eb92c66]

Certificate Extensions: 10
[1]: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 82 01 6F 04 82 01 6B   01 69 00 76 00 A4 B9 09  ...o...k.i.v....
0010: 90 B4 18 58 14 87 BB 13   A2 CC 67 70 0A 3C 35 98  ...X......gp.<5.
0020: 04 F9 1B DF B8 E3 77 CD   0E C8 0D DC 10 00 00 01  ......w.........
0030: 63 82 03 F4 00 00 00 04   03 00 47 30 45 02 21 00  c.........G0E.!.
0040: 9A A2 E4 E3 3B 1A F2 02   63 E6 9D A6 62 E7 C0 DC  ....;...c...b...
0050: 8D 95 70 54 01 D5 07 1B   40 B9 11 FD 4A 2D 1C C4  ..pT....@...J-..
0060: 02 20 2C BC 8B 1A 55 0E   25 8C FC B8 29 55 F5 EE  . ,...U.%...)U..
0070: 9C 2A B7 97 34 5C 95 FC   A4 F5 9E 6C 38 90 F0 B7  .*..4\.....l8...
0080: DD F4 00 77 00 6F 53 76   AC 31 F0 31 19 D8 99 00  ...w.oSv.1.1....
0090: A4 51 15 FF 77 15 1C 11   D9 02 C1 00 29 06 8D B2  .Q..w.......)...
00A0: 08 9A 37 D9 13 00 00 01   63 82 03 F4 69 00 00 04  ..7.....c...i...
00B0: 03 00 48 30 46 02 21 00   B6 41 FD F7 CE 31 4D 75  ..H0F.!..A...1Mu
00C0: A4 BB D6 2E E7 66 0D 03   2B 6C 97 35 ED 86 DC 25  .....f..+l.5...%
00D0: EF 6C 00 B4 BC 1C B3 FE   02 21 00 D2 C5 BA 46 42  .l.......!....FB
00E0: 38 F2 68 8F 68 A8 14 1F   A3 0C 52 CB 0A BE DD E0  8.h.h.....R.....
00F0: E9 F2 FA E7 E2 9F 22 8E   3B 2B 06 00 76 00 BB D9  ......".;+..v...
0100: DF BC 1F 8A 71 B5 93 94   23 97 AA 92 7B 47 38 57  ....q...#....G8W
0110: 95 0A AB 52 E8 1A 90 96   64 36 8E 1E D1 85 00 00  ...R....d6......
0120: 01 63 82 03 F3 5E 00 00   04 03 00 47 30 45 02 21  .c...^.....G0E.!
0130: 00 9A 67 22 9D CC B4 B6   F0 34 B8 FE 57 6D FA 2C  ..g".....4..Wm.,
0140: 47 37 F0 93 D6 18 63 68   C6 C2 F0 99 83 F6 EE D1  G7....ch........
0150: CC 02 20 68 47 59 19 AE   02 D3 E6 30 27 EF 48 76  .. hGY.....0'.Hv
0160: 27 9A F8 5B 60 CD B4 4A   03 08 38 DC 72 AB ED 65  '..[`..J..8.r..e
0170: 94 A7 5E                                           ..^


[2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.digicert.com
, 
   accessMethod: caIssuers
   accessLocation: URIName: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt
]
]

[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 0F 80 61 1C 82 31 61 D5   2F 28 E7 8D 46 38 B4 2C  ..a..1a./(..F8.,
0010: E1 C6 D9 E2                                        ....
]
]

[4]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[5]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl3.digicert.com/ssca-sha2-g6.crl]
, DistributionPoint:
     [URIName: http://crl4.digicert.com/ssca-sha2-g6.crl]
]]

[6]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.114412.1.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1C 68 74 74 70 73 3A   2F 2F 77 77 77 2E 64 69  ..https://www.di
0010: 67 69 63 65 72 74 2E 63   6F 6D 2F 43 50 53        gicert.com/CPS

]]  ]
  [CertificatePolicyId: [2.23.140.1.2.2]
[]  ]
]

[7]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

[8]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

[9]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: wstest.adm.gov.it
  DNSName: wstest.agenziadoganemonopoli.gov.it
]

[10]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 13 86 1A C9 BF 3A 50 51   77 C2 23 D7 A0 B9 9F 93  .....:PQw.#.....
0010: 15 A5 2E 98                                        ....
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: AE 8B FD 52 1E 1C 80 F8   84 5C 81 D9 FE D2 CB 7E  ...R.....\......
0010: F4 7F 53 56 AD 0E D8 DF   DC A0 3F 64 BE 66 DF C1  ..SV......?d.f..
0020: 4C 7D 03 A1 E3 A6 D5 E7   2C 5C 69 02 83 6E D6 4F  L.......,\i..n.O
0030: 81 6B 05 6F 98 04 20 94   B1 A3 EF 5A BB 2D A9 78  .k.o.. ....Z.-.x
0040: 8F 8F E0 78 AD 22 B8 5F   F4 30 4B BD 63 94 E3 FA  ...x."._.0K.c...
0050: C0 3A 7C 76 B7 8D 11 FC   7E 55 F4 A9 CF 7A DA 67  .:.v.....U...z.g
0060: 2B B7 2D A9 F0 93 57 B8   DD E2 91 03 9D 90 03 B6  +.-...W.........
0070: 75 94 3F DA 75 16 3D 2A   54 92 02 1D 10 7F C6 A9  u.?.u.=*T.......
0080: EB C8 67 B4 E9 05 84 1F   FF B8 C6 AB 8B A8 F2 E4  ..g.............
0090: EA F2 D2 E8 03 80 FF 1D   4E 2A EA 10 54 34 38 C4  ........N*..T48.
00A0: 79 89 06 10 73 04 6C CF   1B 8A DF E8 BE BF 67 96  y...s.l.......g.
00B0: B6 92 77 A9 AD 73 2B D8   A8 FC BD 50 39 83 4D 75  ..w..s+....P9.Mu
00C0: 59 78 00 48 AC EF AA 1C   92 A6 34 34 C5 9E 5D 1C  Yx.H......44..].
00D0: B1 25 A5 0E BF 90 D0 8F   87 7F 10 5D C0 F4 5D 03  .%.........]..].
00E0: 18 42 C8 62 32 94 D0 2F   34 43 93 28 F3 60 91 CF  .B.b2../4C.(.`..
00F0: 5D 27 D1 E5 00 3B 09 B4   EB 9F 63 AE E2 AA 9B F0  ]'...;....c.....

]
main, READ: TLSv1.2 Handshake, length = 401
*** ECDH ServerKeyExchange
Signature Algorithm SHA512withRSA
Server key: Sun EC public key, 521 bits
  public x coord: 6045100197973385201207771559448860684258102659082760208907503122802851644235164834387633913906709736246059687127225117512119492050557728511283217428042196683
  public y coord: 2360883751657537086387545659332980524396108773124766916635460732420511834927919909730280023858128820419409002491789355667533178954193764726472471819590561957
  parameters: secp521r1 [NIST P-521] (1.3.132.0.35)
main, READ: TLSv1.2 Handshake, length = 392
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withRSA, Unknown (hash:0x6, signature:0x2), SHA512withECDSA, SHA384withRSA, Unknown (hash:0x5, signature:0x2), SHA384withECDSA, SHA256withRSA, SHA256withDSA, SHA256withECDSA, SHA224withRSA, SHA224withDSA, SHA224withECDSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA
Cert Authorities:
<CN=CA Agenzia delle Dogane Test, OU=Servizio Telematico, O=Agenzia delle Dogane, C=it>
<CN=CA Agenzia delle Dogane, OU=Servizio Telematico, O=Agenzia delle Dogane, C=IT>
<CN=CA Agenzia delle Dogane e dei Monopoli Test, O=Agenzia delle Dogane e dei Monopoli, C=IT>
*** ServerHelloDone
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
***
*** ECDHClientKeyExchange
ECDH Public value:  { 4, 1, 127, 118, 238, 87, 20, 170, 152, 173, 222, 199, 191, 190, 60, 225, 192, 50, 182, 3, 172, 253, 250, 146, 185, 9, 185, 210, 101, 70, 124, 133, 100, 77, 38, 192, 17, 178, 136, 108, 118, 233, 121, 52, 237, 63, 87, 98, 224, 194, 163, 186, 33, 98, 72, 227, 168, 9, 124, 44, 179, 136, 216, 32, 182, 21, 230, 1, 206, 141, 86, 19, 84, 36, 3, 141, 180, 185, 45, 5, 110, 24, 249, 220, 164, 87, 222, 48, 115, 134, 145, 66, 151, 62, 93, 18, 97, 109, 20, 239, 168, 45, 208, 19, 253, 122, 6, 128, 58, 49, 80, 16, 205, 203, 68, 200, 221, 203, 91, 73, 99, 76, 195, 83, 157, 197, 209, 91, 98, 173, 80, 123, 120 }
main, WRITE: TLSv1.2 Handshake, length = 145
SESSION KEYGEN:
PreMaster Secret:
0000: 00 76 B0 FC E9 4A 80 89   B2 88 A4 21 CE A3 FF 3C  .v...J.....!...<
0010: D0 1F 48 3B B2 D8 84 24   14 EB 77 9E 3C 20 64 CE  ..H;...$..w.< d.
0020: EF 2F 7A 90 50 6F 2D 75   4C 9B 9F 48 0B 04 01 A6  ./z.Po-uL..H....
0030: 2D C3 8B 2D 10 B6 FD AC   AE 66 85 F8 1E 5E 8A 62  -..-.....f...^.b
0040: 46 CE                                              F.
CONNECTION KEYGEN:
Client Nonce:
0000: 5B BE 06 DD E6 95 AA A0   60 03 14 C2 23 5F 33 90  [.......`...#_3.
0010: F0 F2 01 B9 74 D2 E1 D6   D0 AA FD 1E FD CD 4D C6  ....t.........M.
Server Nonce:
0000: 32 46 8F AF 02 9A D7 68   20 C5 3B 88 30 F2 15 56  2F.....h .;.0..V
0010: 90 FA 79 73 82 61 5A EE   2C 49 85 67 7A 24 D2 F6  ..ys.aZ.,I.gz$..
Master Secret:
0000: 4D 96 F1 24 13 EA 84 96   D3 D6 6D DD 64 92 05 F9  M..$......m.d...
0010: D2 BA BF 04 80 79 71 66   9C A6 EA 9B AC 3A 4D 37  .....yqf.....:M7
0020: 90 BE A6 C4 37 B8 70 63   1D B2 74 5A DA 8C 98 34  ....7.pc..tZ...4
... no MAC keys used for this cipher
Client write key:
0000: C3 1C 66 54 84 5A F7 B6   D9 9B 04 80 11 E4 9F E4  ..fT.Z..........
0010: 83 67 52 95 B5 E9 36 CE   0C A2 BF AA AE A2 E1 7C  .gR...6.........
Server write key:
0000: B9 44 4A 92 B6 95 DE CA   89 D0 8E A0 88 50 11 6B  .DJ..........P.k
0010: EC 34 65 52 FD BB 45 C3   57 26 BF A0 A4 B2 90 2F  .4eR..E.W&...../
Client write IV:
0000: F8 A3 11 9A                                        ....
Server write IV:
0000: 47 B6 75 08                                        G.u.
main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
verify_data:  { 21, 80, 48, 53, 249, 154, 28, 96, 252, 49, 18, 72 }
***
main, WRITE: TLSv1.2 Handshake, length = 40
main, READ: TLSv1.2 Alert, length = 2
main, RECV TLSv1.2 ALERT:  fatal, handshake_failure
%% Invalidated:  [Session-1, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
main, called close()
main, called closeInternal(true)

It seems that the certificate is correctly loaded, so I cannot figure out where the problem is. Can anyone help me understand?

If I use the certificate with Chrome or Firefox I can access the web service, so the certificate is correct.
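Added example, not code from the question or from either answer: the same connection attempt built with an explicit SSLContext instead of the javax.net.ssl.* system properties. It wraps the SunX509 key manager so that every CertificateRequest is printed exactly as the key manager sees it (key types and CA names) together with the alias it returns, and can optionally force a given alias so JSSE sends that entry regardless of what SunX509 would have picked. Keystore path, password and alias are command-line arguments here (the defaults mirror the question); the host is the one in the log; trust stays on the JDK default cacerts, as with the system-property setup.

```java
import java.io.FileInputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.X509KeyManager;

public class ForcedAliasClient {

    /** Wraps the JSSE key manager: logs what the server asked for and, if a fixed alias is given, always returns it. */
    static final class LoggingKeyManager implements X509KeyManager {
        private final X509KeyManager delegate;
        private final String forcedAlias; // null = keep SunX509's own choice

        LoggingKeyManager(X509KeyManager delegate, String forcedAlias) {
            this.delegate = delegate;
            this.forcedAlias = forcedAlias;
        }

        @Override
        public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
            System.out.println("CertificateRequest key types: " + Arrays.toString(keyTypes));
            if (issuers != null) for (Principal p : issuers) System.out.println("  requested CA: " + p);
            String chosen = forcedAlias != null ? forcedAlias : delegate.chooseClientAlias(keyTypes, issuers, socket);
            System.out.println("alias handed to JSSE: " + chosen);
            return chosen;
        }

        // Everything else goes straight to the real key manager
        @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return delegate.getClientAliases(keyType, issuers); }
        @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return delegate.getServerAliases(keyType, issuers); }
        @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return delegate.chooseServerAlias(keyType, issuers, socket); }
        @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
        @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }
    }

    public static void main(String[] args) throws Exception {
        String host = "wstest.agenziadoganemonopoli.gov.it";            // host from the log
        String p12 = args.length > 0 ? args[0] : "certificato.p12";     // defaults mirror the question
        char[] pw = (args.length > 1 ? args[1] : "<pw>").toCharArray();
        String forced = args.length > 2 ? args[2] : null;               // alias to force, e.g. taken from keytool -list

        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(p12)) { ks.load(in, pw); }

        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, pw);
        KeyManager[] kms = kmf.getKeyManagers();
        for (int i = 0; i < kms.length; i++)
            if (kms[i] instanceof X509KeyManager) kms[i] = new LoggingKeyManager((X509KeyManager) kms[i], forced);

        // null trust managers = JDK default cacerts, the same trust the system-property setup gets
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, null, null);

        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, 443)) {
            s.startHandshake(); // throws SSLHandshakeException if the server answers with a fatal alert
            System.out.println("handshake OK: " + s.getSession().getCipherSuite());
        }
    }
}
```

Run it once without a forced alias and once with the alias shown by keytool -list. If the forced run completes the handshake while the unforced run fails, the key and certificate are acceptable to the server and only the SunX509 selection is at fault; if the forced run still gets handshake_failure, the server rejected the certificate it was sent.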

The error seems to be related to the trust between the client and server:

Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>

If no suitable certificate was found and the certificate chain is empty, there is a chance that the Root CA certificate of the peer you're connecting to is not trusted by your program.

Check the trust store to see if at least the Root CA certificate of the peer is imported.

Here's the important part of your log:

*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withRSA, Unknown (hash:0x6, signature:0x2), SHA512withECDSA, SHA384withRSA, Unknown (hash:0x5, signature:0x2), SHA384withECDSA, SHA256withRSA, SHA256withDSA, SHA256withECDSA, SHA224withRSA, SHA224withDSA, SHA224withECDSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA
Cert Authorities:
<CN=CA Agenzia delle Dogane Test, OU=Servizio Telematico, O=Agenzia delle Dogane, C=it>
<CN=CA Agenzia delle Dogane, OU=Servizio Telematico, O=Agenzia delle Dogane, C=IT>
<CN=CA Agenzia delle Dogane e dei Monopoli Test, O=Agenzia delle Dogane e dei Monopoli, C=IT>
*** ServerHelloDone
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>

This means the keymanager did not find a cert-and-key entry in your keystore issued by any of the Certificate Authorities (CAs) specified by the server. You elided (with dots) the part of your log where the keymanager initialization should have logged the cert chain(s) found in the keystore -- did it do so? If not, look at it with e.g. keytool -list -v -keystore certificato.p12 -storetype pkcs12 [-alias your_alias_name]. Is one of the certs in that chain in fact issued by one of the CAs specified by the server, or not? (Note the name must match exactly: each RDN the same type and value, in order. It is even possible, though nowadays rare, for the issuer name in your cert and the name requested by the CA to look the same but actually be different because of different ASN.1 encodings. If they do look the same I'll go into detail on this more arcane point.)

EDIT: Okay, that full log confirms the keymanager is loading a key-and-cert with Issuer: CN=CA Agenzia delle Dogane e dei Monopoli Test, O=Agenzia delle Dogane e dei Monopoli, C=IT, which certainly appears to match the third CA requested by the server. And Chrome and Firefox working (sorry I missed that before) pretty well confirms it does really match. So why isn't Java (JSSE+keymanager) matching it? I don't know, and this may not be easy to debug. I don't think running under Maven, or using CXF, should have any effect, but they might. I suggest starting from the simplest possible case: compile and run a program like this (with the javax.net.ssl.keyStore* and javax.net.debug sysprops) and see what result it gets for this connection:

 import java.net.Socket;
 import javax.net.ssl.SSLSocket;
 import javax.net.ssl.SSLSocketFactory;

 public class sometest {
     public static void main (String[] args) throws Exception {
          // run with -Djavax.net.ssl.keyStoreType=pkcs12 -Djavax.net.ssl.keyStore=... -Djavax.net.ssl.keyStorePassword=... -Djavax.net.debug=ssl
          Socket s = SSLSocketFactory.getDefault().createSocket("wstest.agenziadoganemonopoli.gov.it",443);
          // per comment, type fixed (for anyone else who might have a similar issue)
          ((SSLSocket)s).startHandshake(); // actually completes not just starts
          s.close();
     }
 }

If that shows the failure we have a much simpler case to investigate. If that works try:

 import java.net.URL;
 import java.net.URLConnection;
 import javax.net.ssl.HttpsURLConnection;

 public class sometest {
     public static void main (String[] args) throws Exception {
         // for TLS-level test it doesn't matter what 'resource' (path and/or query) we request
         URLConnection c = new URL("https://wstest.agenziadoganemonopoli.gov.it/").openConnection();
         ((HttpsURLConnection)c).connect();
         ((HttpsURLConnection)c).disconnect();
     }
 }
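Added example, not the answerer's code, that does offline what this answer asks you to check by hand with keytool. It loads the PKCS#12 file, lists each entry with its key algorithm, subject, issuer and expiry, reports whether any certificate in the entry's chain was issued by one of the three CA names the server sent in its CertificateRequest, and then asks the SunX509 key manager directly which alias it would choose for those CAs and for the key types RSA, DSA and EC (what JSSE passes for the "RSA, DSS, ECDSA" cert types in the log). SunX509 selects on key type and issuer name only, and it compares names with X500Principal.equals, i.e. on the RFC 2253 canonical form, so "C=it" and "C=IT" are equal but RDN order and attribute types must match. File name and password default to the question's values and can be overridden on the command line; the CA names are copied from the log.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;
import javax.security.auth.x500.X500Principal;

public class KeyStoreMatchCheck {

    // The three CA names from the server's CertificateRequest in the log above
    static final String[] REQUESTED_CAS = {
        "CN=CA Agenzia delle Dogane Test, OU=Servizio Telematico, O=Agenzia delle Dogane, C=it",
        "CN=CA Agenzia delle Dogane, OU=Servizio Telematico, O=Agenzia delle Dogane, C=IT",
        "CN=CA Agenzia delle Dogane e dei Monopoli Test, O=Agenzia delle Dogane e dei Monopoli, C=IT",
    };

    /** True if the issuer of any certificate in the chain equals one of the requested CA names. */
    static boolean chainMatchesRequestedCa(Certificate[] chain, X500Principal[] cas) {
        if (chain == null) return false;
        for (Certificate c : chain) {
            X500Principal issuer = ((X509Certificate) c).getIssuerX500Principal();
            for (X500Principal ca : cas) {
                // equals() compares the RFC 2253 canonical form: attribute value case and
                // whitespace are normalised, but RDN order and attribute types must agree.
                if (ca.equals(issuer)) return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        String p12 = args.length > 0 ? args[0] : "certificato.p12";   // defaults mirror the question
        char[] pw = (args.length > 1 ? args[1] : "<pw>").toCharArray();

        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(p12)) { ks.load(in, pw); }

        X500Principal[] cas = new X500Principal[REQUESTED_CAS.length];
        for (int i = 0; i < cas.length; i++) cas[i] = new X500Principal(REQUESTED_CAS[i]);

        // Step 1: walk every entry and report what the key manager will see
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) {
                System.out.println(alias + ": certificate only, no private key -> never selectable");
                continue;
            }
            Certificate[] chain = ks.getCertificateChain(alias);
            if (chain == null || chain.length == 0) {
                System.out.println(alias + ": private key with no certificate chain -> never selectable");
                continue;
            }
            X509Certificate leaf = (X509Certificate) chain[0];
            System.out.println(alias + ": key=" + leaf.getPublicKey().getAlgorithm()
                    + " subject=" + leaf.getSubjectX500Principal()
                    + " issuer=" + leaf.getIssuerX500Principal()
                    + " notAfter=" + leaf.getNotAfter()
                    + " issuerMatch=" + chainMatchesRequestedCa(chain, cas));
        }

        // Step 2: ask the same SunX509 key manager JSSE uses, with the key types the server listed
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, pw);
        X509KeyManager km = (X509KeyManager) kmf.getKeyManagers()[0];
        String chosen = km.chooseClientAlias(new String[] {"RSA", "DSA", "EC"}, cas, null);
        System.out.println("SunX509 chooseClientAlias -> " + chosen);
    }
}
```

If every alias prints issuerMatch=false, the "no suitable certificate found" warning is exactly what SunX509 should say and the DN comparison is the thing to investigate. A private key entry with no certificate chain means the PKCS#12 file does not link the key to its certificate (Java then loads the certificate as a separate trusted-certificate entry), and no key manager will ever offer it; re-export the key and certificate together. If step 1 shows a matching RSA entry but step 2 still returns null, the problem is inside the key manager's selection rather than in the file.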
