ssl handshake_failure client certifcate not being sent












0















I have an issue with ssl handshake_failure.
There is new integration with external web service that required to communicate over Https, they provide me three certificates (root + shared + client), so
I have installed all three certificates in my JDK and when I try to call this web service I always got exception:



exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure


so I traced handshake communication between me and the server by adding this property -Djavax.net.debug=all to my application



I found that all three certificated being uploaded to the the application once it started



adding as trusted cert:

  Subject: CN=EXA Root CA, OU=EXA eTrust Center, O=EXA, C=SA

  Issuer:  CN=EXA Root CA, OU=EXA eTrust Center, O=EXA, C=SA

  Algorithm: RSA; Serial number: -----

  Valid from Wed Oct 15 12:41:37 AST 2014 until Sat Oct 15 13:11:37 AST 2039



adding as trusted cert:

  Subject: CN=10.10.10.10, OU=EXA eTrust Center, O=EXA, C=SA

  Issuer:  CN=EXA Shared CA, OU=EXA eTrust Center, O=EXA, C=SA

  Algorithm: RSA; Serial number: -----

  Valid from Thu Nov 11 12:33:30 AST 2015 until Mon Nov 26 13:03:30 AST 2018



adding as trusted cert:

  Subject: CN=EXA Shared CA, OU=EXA eTrust Center, O=EXA, C=SA

  Issuer:  CN=EXA Root CA, OU=EXA eTrust Center, O=EXA, C=SA

  Algorithm: RSA; Serial number: ------

  Valid from Thu Oct 25 07:56:05 AST 2014 until Wed Oct 16 08:26:05 AST 2024


then I fount that the system is not sending the client certificate and I don't know why ? 



*** CertificateRequest

Cert Types: RSA, DSS, ECDSA

Supported Signature Algorithms: SHA256withRSA, SHA256withDSA, SHA256withECDSA, SHA384withRSA, Unknown (hash:0x5, signature:0x2), SHA384withECDSA, SHA512withRSA, Unknown (hash:0x6, signature:0x2), SHA512withECDSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA

Cert Authorities:

<Empty>

[read] MD5 and SHA1 hashes:  len = 36



Warning: no suitable certificate found - continuing without client authentication

*** Certificate chain

<Empty>

***

*** ECDHClientKeyExchange


my questions are:




  • what do you think the issue is ?

  • why jdk didn't find the suitable certificate where it exist and loaded in the trusted cert ?

  • based on what the JDK will looking for suitable client certificate ? so I can determine why the JDK didn't find it


@@update




  • Do you think the issue from my device(IP) since the certificate CN for another IP ?






sslhandshakeexception







share|improve this question





























    0















    I have an issue with ssl handshake_failure.
    There is new integration with external web service that required to communicate over Https, they provide me three certificates (root + shared + client), so
    I have installed all three certificates in my JDK and when I try to call this web service I always got exception:



    exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure


    so I traced handshake communication between me and the server by adding this property -Djavax.net.debug=all to my application



    I found that all three certificated being uploaded to the the application once it started



    adding as trusted cert:
    
  Subject: CN=EXA Root CA, OU=EXA eTrust Center, O=EXA, C=SA
    
  Issuer:  CN=EXA Root CA, OU=EXA eTrust Center, O=EXA, C=SA
    
  Algorithm: RSA; Serial number: -----
    
  Valid from Wed Oct 15 12:41:37 AST 2014 until Sat Oct 15 13:11:37 AST 2039
    

    
adding as trusted cert:
    
  Subject: CN=10.10.10.10, OU=EXA eTrust Center, O=EXA, C=SA
    
  Issuer:  CN=EXA Shared CA, OU=EXA eTrust Center, O=EXA, C=SA
    
  Algorithm: RSA; Serial number: -----
    
  Valid from Thu Nov 11 12:33:30 AST 2015 until Mon Nov 26 13:03:30 AST 2018
    

    
adding as trusted cert:
    
  Subject: CN=EXA Shared CA, OU=EXA eTrust Center, O=EXA, C=SA
    
  Issuer:  CN=EXA Root CA, OU=EXA eTrust Center, O=EXA, C=SA
    
  Algorithm: RSA; Serial number: ------
    
  Valid from Thu Oct 25 07:56:05 AST 2014 until Wed Oct 16 08:26:05 AST 2024


    then I fount that the system is not sending the client certificate and I don't know why ? 



    *** CertificateRequest
    
Cert Types: RSA, DSS, ECDSA
    
Supported Signature Algorithms: SHA256withRSA, SHA256withDSA, SHA256withECDSA, SHA384withRSA, Unknown (hash:0x5, signature:0x2), SHA384withECDSA, SHA512withRSA, Unknown (hash:0x6, signature:0x2), SHA512withECDSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA
    
Cert Authorities:
    
<Empty>
    
[read] MD5 and SHA1 hashes:  len = 36
    

    
Warning: no suitable certificate found - continuing without client authentication
    
*** Certificate chain
    
<Empty>
    
***
    
*** ECDHClientKeyExchange


    my questions are:




    • what do you think the issue is ?

    • why jdk didn't find the suitable certificate where it exist and loaded in the trusted cert ?

    • based on what the JDK will looking for suitable client certificate ? so I can determine why the JDK didn't find it


    @@update




    • Do you think the issue from my device(IP) since the certificate CN for another IP ?






    sslhandshakeexception







    share|improve this question



























      0












      0








      0








      I have an issue with ssl handshake_failure.
      There is new integration with external web service that required to communicate over Https, they provide me three certificates (root + shared + client), so
      I have installed all three certificates in my JDK and when I try to call this web service I always got exception:



      exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure


      so I traced handshake communication between me and the server by adding this property -Djavax.net.debug=all to my application



      I found that all three certificated being uploaded to the the application once it started



      adding as trusted cert:
      
  Subject: CN=EXA Root CA, OU=EXA eTrust Center, O=EXA, C=SA
      
  Issuer:  CN=EXA Root CA, OU=EXA eTrust Center, O=EXA, C=SA
      
  Algorithm: RSA; Serial number: -----
      
  Valid from Wed Oct 15 12:41:37 AST 2014 until Sat Oct 15 13:11:37 AST 2039
      

      
adding as trusted cert:
      
  Subject: CN=10.10.10.10, OU=EXA eTrust Center, O=EXA, C=SA
      
  Issuer:  CN=EXA Shared CA, OU=EXA eTrust Center, O=EXA, C=SA
      
  Algorithm: RSA; Serial number: -----
      
  Valid from Thu Nov 11 12:33:30 AST 2015 until Mon Nov 26 13:03:30 AST 2018
      

      
adding as trusted cert:
      
  Subject: CN=EXA Shared CA, OU=EXA eTrust Center, O=EXA, C=SA
      
  Issuer:  CN=EXA Root CA, OU=EXA eTrust Center, O=EXA, C=SA
      
  Algorithm: RSA; Serial number: ------
      
  Valid from Thu Oct 25 07:56:05 AST 2014 until Wed Oct 16 08:26:05 AST 2024


      then I fount that the system is not sending the client certificate and I don't know why ? 



      *** CertificateRequest
      
Cert Types: RSA, DSS, ECDSA
      
Supported Signature Algorithms: SHA256withRSA, SHA256withDSA, SHA256withECDSA, SHA384withRSA, Unknown (hash:0x5, signature:0x2), SHA384withECDSA, SHA512withRSA, Unknown (hash:0x6, signature:0x2), SHA512withECDSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA
      
Cert Authorities:
      
<Empty>
      
[read] MD5 and SHA1 hashes:  len = 36
      

      
Warning: no suitable certificate found - continuing without client authentication
      
*** Certificate chain
      
<Empty>
      
***
      
*** ECDHClientKeyExchange


      my questions are:




      • what do you think the issue is ?

      • why jdk didn't find the suitable certificate where it exist and loaded in the trusted cert ?

      • based on what the JDK will looking for suitable client certificate ? so I can determine why the JDK didn't find it


      @@update




      • Do you think the issue from my device(IP) since the certificate CN for another IP ?






      sslhandshakeexception







      share|improve this question
















      I have an issue with ssl handshake_failure.
      There is new integration with external web service that required to communicate over Https, they provide me three certificates (root + shared + client), so
      I have installed all three certificates in my JDK and when I try to call this web service I always got exception:



      exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure


      so I traced handshake communication between me and the server by adding this property -Djavax.net.debug=all to my application



      I found that all three certificated being uploaded to the the application once it started



      adding as trusted cert:
      
  Subject: CN=EXA Root CA, OU=EXA eTrust Center, O=EXA, C=SA
      
  Issuer:  CN=EXA Root CA, OU=EXA eTrust Center, O=EXA, C=SA
      
  Algorithm: RSA; Serial number: -----
      
  Valid from Wed Oct 15 12:41:37 AST 2014 until Sat Oct 15 13:11:37 AST 2039
      

      
adding as trusted cert:
      
  Subject: CN=10.10.10.10, OU=EXA eTrust Center, O=EXA, C=SA
      
  Issuer:  CN=EXA Shared CA, OU=EXA eTrust Center, O=EXA, C=SA
      
  Algorithm: RSA; Serial number: -----
      
  Valid from Thu Nov 11 12:33:30 AST 2015 until Mon Nov 26 13:03:30 AST 2018
      

      
adding as trusted cert:
      
  Subject: CN=EXA Shared CA, OU=EXA eTrust Center, O=EXA, C=SA
      
  Issuer:  CN=EXA Root CA, OU=EXA eTrust Center, O=EXA, C=SA
      
  Algorithm: RSA; Serial number: ------
      
  Valid from Thu Oct 25 07:56:05 AST 2014 until Wed Oct 16 08:26:05 AST 2024


      then I fount that the system is not sending the client certificate and I don't know why ? 



      *** CertificateRequest
      
Cert Types: RSA, DSS, ECDSA
      
Supported Signature Algorithms: SHA256withRSA, SHA256withDSA, SHA256withECDSA, SHA384withRSA, Unknown (hash:0x5, signature:0x2), SHA384withECDSA, SHA512withRSA, Unknown (hash:0x6, signature:0x2), SHA512withECDSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA
      
Cert Authorities:
      
<Empty>
      
[read] MD5 and SHA1 hashes:  len = 36
      

      
Warning: no suitable certificate found - continuing without client authentication
      
*** Certificate chain
      
<Empty>
      
***
      
*** ECDHClientKeyExchange


      my questions are:




      • what do you think the issue is ?

      • why jdk didn't find the suitable certificate where it exist and loaded in the trusted cert ?

      • based on what the JDK will looking for suitable client certificate ? so I can determine why the JDK didn't find it


      @@update




      • Do you think the issue from my device(IP) since the certificate CN for another IP ?






      sslhandshakeexception




      sslhandshakeexception






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Nov 22 '18 at 6:38







      mzaje18

















      asked Nov 21 '18 at 20:40









      mzaje18mzaje18

      112




      112
























          0






          active

          oldest

          votes











          Your Answer






          StackExchange.ifUsing("editor", function () {
          StackExchange.using("externalEditor", function () {
          StackExchange.using("snippets", function () {
          StackExchange.snippets.init();
          });
          });
          }, "code-snippets");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "1"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53420158%2fssl-handshake-failure-client-certifcate-not-being-sent%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          0






          active

          oldest

          votes








          0






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes
















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Stack Overflow!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53420158%2fssl-handshake-failure-client-certifcate-not-being-sent%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          -

          Popular posts from this blog

          If I really need a card on my start hand, how many mulligans make sense? [duplicate]

          Image
          5 This question already has an answer here: How do you calculate the likelihood of drawing certain cards in your opening hand? 3 answers There is a funny modern deck where you play Treasure Hunt, but you really need to have it on the starting hand. How many mulligans should I take, if my deck contains 60 cards and contains 4 copies of Treasure Hunt? magic-the-gathering probability share | improve this question asked Nov 23 '18 at 12:12 dan dan 152 4
          Read more

          Alcedinidae

          Image
          Alcedinidae Martin-pêcheur à dos bleu ( Alcedo azurea ) Classification (COI) Règne Animalia Embranchement Chordata Sous-embr. Vertebrata Classe Aves Ordre Coraciiformes Famille Alcedinidae Rafinesque, 1815 Les Alcédinidés ou Alcedinidae forment une famille d'oiseaux plus connus sous les noms de martins-pêcheurs et martins-chasseurs. Sommaire 1 Description 2 Répartition et habitat 3 Systématique 3.1 Liste alphabétique des genres 3.2 Liste des espèces 4 Chez les Anciens : l'alcyon 4.1 Étymologie (Littré) 4.2 Oiseau « fabuleux » ? 5 Notes 6 Articles connexes 7 Liens externes 7.1 Bibliographie Description | Ce sont des oiseaux compacts de taille petite à moyenne (10 à 46 cm), au bec droit et long, en forme de poignard. Leurs pattes sont courtes, et ils portent un plumage aux couleurs vives. Répartition et habitat | Cosmopolites, ils fréquentent surtout
          Read more

          Can an atomic nucleus contain both particles and antiparticles? [duplicate]

          Image
          9 $begingroup$ This question already has an answer here: What happens if we put together a proton and an antineutron? 2 answers Is it theoretically possible to make a "deuterium" atom containing a proton and an antineutron in its nucleus? Would the strong nuclear force cause attraction between a proton and an antineutron? Would such a nucleus be stable, or would the proton somehow annihilate the antineutron when close enough? nuclear-physics antimatter share | cite | improve this question asked yesterday
          Read more