ssl handshake_failure client certificate not being sent

I have an issue with an SSL handshake_failure.
There is a new integration with an external web service that requires communication over HTTPS. They provided me with three certificates (root + shared + client), so
I have installed all three certificates in my JDK, and when I try to call this web service I always get this exception:

exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure


So I traced the handshake communication between me and the server by adding the property -Djavax.net.debug=all to my application.

I found that all three certificates are being uploaded to the application once it starts:

adding as trusted cert:
Subject: CN=EXA Root CA, OU=EXA eTrust Center, O=EXA, C=SA
Issuer: CN=EXA Root CA, OU=EXA eTrust Center, O=EXA, C=SA
Algorithm: RSA; Serial number: -----
Valid from Wed Oct 15 12:41:37 AST 2014 until Sat Oct 15 13:11:37 AST 2039

adding as trusted cert:
Subject: CN=10.10.10.10, OU=EXA eTrust Center, O=EXA, C=SA
Issuer: CN=EXA Shared CA, OU=EXA eTrust Center, O=EXA, C=SA
Algorithm: RSA; Serial number: -----
Valid from Thu Nov 11 12:33:30 AST 2015 until Mon Nov 26 13:03:30 AST 2018

adding as trusted cert:
Subject: CN=EXA Shared CA, OU=EXA eTrust Center, O=EXA, C=SA
Issuer: CN=EXA Root CA, OU=EXA eTrust Center, O=EXA, C=SA
Algorithm: RSA; Serial number: ------
Valid from Thu Oct 25 07:56:05 AST 2014 until Wed Oct 16 08:26:05 AST 2024


Then I found that the system is not sending the client certificate, and I don't know why.

*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA256withRSA, SHA256withDSA, SHA256withECDSA, SHA384withRSA, Unknown (hash:0x5, signature:0x2), SHA384withECDSA, SHA512withRSA, Unknown (hash:0x6, signature:0x2), SHA512withECDSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA
Cert Authorities:
<Empty>
[read] MD5 and SHA1 hashes: len = 36

Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
***
*** ECDHClientKeyExchange


My questions are:

  • What do you think the issue is?

  • Why didn't the JDK find a suitable certificate when it exists and is loaded as a trusted cert?

  • On what basis does the JDK look for a suitable client certificate, so I can determine why the JDK didn't find it?

Update:

  • Do you think the issue comes from my device (IP), since the certificate CN is for another IP?

Tags: sslhandshakeexception

asked Nov 21 '18 at 20:40 by mzaje18 (edited Nov 22 '18 at 6:38)

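Added example, not part of the original question: a small check that lists every entry of a Java key store and reports whether it could be offered for TLS client authentication. JSSE's key manager can only offer entries that hold a private key with its certificate chain, and the key algorithm has to match the "Cert Types" in the server's CertificateRequest; entries logged as "adding as trusted cert" are certificate-only. The class name ClientCertCheck and the command-line arguments are assumptions; point it at the store the application uses as javax.net.ssl.keyStore.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

// Added diagnostic example (hypothetical class, not from the original post).
// Usage: java ClientCertCheck <keystore-path> <password> [store-type]
public class ClientCertCheck {
    // Key algorithms for "Cert Types: RSA, DSS, ECDSA" in the trace:
    // DSS certificates carry DSA keys, ECDSA certificates carry EC keys.
    static final Set<String> REQUESTED =
            new HashSet<>(Arrays.asList("RSA", "DSA", "EC"));

    // True only for a private-key entry whose leaf key type was requested.
    static boolean usableForClientAuth(KeyStore ks, String alias) throws Exception {
        if (!ks.isKeyEntry(alias)) {
            return false;                       // trustedCertEntry: no private key
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        return chain != null && chain.length > 0
                && REQUESTED.contains(chain[0].getPublicKey().getAlgorithm());
    }

    public static void main(String[] args) throws Exception {
        String type = args.length > 2 ? args[2] : KeyStore.getDefaultType();
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        int usable = 0;
        for (String alias : Collections.list(ks.aliases())) {
            boolean ok = usableForClientAuth(ks, alias);
            if (ok) usable++;
            Certificate c = ks.getCertificate(alias);   // leaf cert, or null
            String subject = (c instanceof X509Certificate)
                    ? ((X509Certificate) c).getSubjectX500Principal().getName()
                    : "(no X.509 certificate)";
            String kind = ks.isKeyEntry(alias) ? "key entry" : "trusted cert only";
            System.out.printf("%-20s %-18s usable=%-5b %s%n", alias, kind, ok, subject);
        }
        if (usable == 0) {
            System.out.println("No entry has a private key: nothing to send as a client certificate.");
        }
    }
}
```

If no entry is reported as usable, the client certificate has to be imported together with its private key (for example from a PKCS#12 file) into the store configured as the key store.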





