ssl handshake_failure client certifcate not being sent
I have an issue with ssl handshake_failure.
There is new integration with external web service that required to communicate over Https, they provide me three certificates (root + shared + client), so
I have installed all three certificates in my JDK and when I try to call this web service I always got exception:
exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
so I traced handshake communication between me and the server by adding this property -Djavax.net.debug=all to my application
I found that all three certificated being uploaded to the the application once it started
adding as trusted cert:
Subject: CN=EXA Root CA, OU=EXA eTrust Center, O=EXA, C=SA
Issuer: CN=EXA Root CA, OU=EXA eTrust Center, O=EXA, C=SA
Algorithm: RSA; Serial number: -----
Valid from Wed Oct 15 12:41:37 AST 2014 until Sat Oct 15 13:11:37 AST 2039
adding as trusted cert:
Subject: CN=10.10.10.10, OU=EXA eTrust Center, O=EXA, C=SA
Issuer: CN=EXA Shared CA, OU=EXA eTrust Center, O=EXA, C=SA
Algorithm: RSA; Serial number: -----
Valid from Thu Nov 11 12:33:30 AST 2015 until Mon Nov 26 13:03:30 AST 2018
adding as trusted cert:
Subject: CN=EXA Shared CA, OU=EXA eTrust Center, O=EXA, C=SA
Issuer: CN=EXA Root CA, OU=EXA eTrust Center, O=EXA, C=SA
Algorithm: RSA; Serial number: ------
Valid from Thu Oct 25 07:56:05 AST 2014 until Wed Oct 16 08:26:05 AST 2024
then I fount that the system is not sending the client certificate and I don't know why ?
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA256withRSA, SHA256withDSA, SHA256withECDSA, SHA384withRSA, Unknown (hash:0x5, signature:0x2), SHA384withECDSA, SHA512withRSA, Unknown (hash:0x6, signature:0x2), SHA512withECDSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA
Cert Authorities:
<Empty>
[read] MD5 and SHA1 hashes: len = 36
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
***
*** ECDHClientKeyExchange
my questions are:
- what do you think the issue is ?
- why jdk didn't find the suitable certificate where it exist and loaded in the trusted cert ?
- based on what the JDK will looking for suitable client certificate ? so I can determine why the JDK didn't find it
@@update
- Do you think the issue from my device(IP) since the certificate CN for another IP ?
sslhandshakeexception
add a comment |
I have an issue with ssl handshake_failure.
There is new integration with external web service that required to communicate over Https, they provide me three certificates (root + shared + client), so
I have installed all three certificates in my JDK and when I try to call this web service I always got exception:
exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
so I traced handshake communication between me and the server by adding this property -Djavax.net.debug=all to my application
I found that all three certificated being uploaded to the the application once it started
adding as trusted cert:
Subject: CN=EXA Root CA, OU=EXA eTrust Center, O=EXA, C=SA
Issuer: CN=EXA Root CA, OU=EXA eTrust Center, O=EXA, C=SA
Algorithm: RSA; Serial number: -----
Valid from Wed Oct 15 12:41:37 AST 2014 until Sat Oct 15 13:11:37 AST 2039
adding as trusted cert:
Subject: CN=10.10.10.10, OU=EXA eTrust Center, O=EXA, C=SA
Issuer: CN=EXA Shared CA, OU=EXA eTrust Center, O=EXA, C=SA
Algorithm: RSA; Serial number: -----
Valid from Thu Nov 11 12:33:30 AST 2015 until Mon Nov 26 13:03:30 AST 2018
adding as trusted cert:
Subject: CN=EXA Shared CA, OU=EXA eTrust Center, O=EXA, C=SA
Issuer: CN=EXA Root CA, OU=EXA eTrust Center, O=EXA, C=SA
Algorithm: RSA; Serial number: ------
Valid from Thu Oct 25 07:56:05 AST 2014 until Wed Oct 16 08:26:05 AST 2024
then I fount that the system is not sending the client certificate and I don't know why ?
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA256withRSA, SHA256withDSA, SHA256withECDSA, SHA384withRSA, Unknown (hash:0x5, signature:0x2), SHA384withECDSA, SHA512withRSA, Unknown (hash:0x6, signature:0x2), SHA512withECDSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA
Cert Authorities:
<Empty>
[read] MD5 and SHA1 hashes: len = 36
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
***
*** ECDHClientKeyExchange
my questions are:
- what do you think the issue is ?
- why jdk didn't find the suitable certificate where it exist and loaded in the trusted cert ?
- based on what the JDK will looking for suitable client certificate ? so I can determine why the JDK didn't find it
@@update
- Do you think the issue from my device(IP) since the certificate CN for another IP ?
sslhandshakeexception
add a comment |
I have an issue with ssl handshake_failure.
There is new integration with external web service that required to communicate over Https, they provide me three certificates (root + shared + client), so
I have installed all three certificates in my JDK and when I try to call this web service I always got exception:
exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
so I traced handshake communication between me and the server by adding this property -Djavax.net.debug=all to my application
I found that all three certificated being uploaded to the the application once it started
adding as trusted cert:
Subject: CN=EXA Root CA, OU=EXA eTrust Center, O=EXA, C=SA
Issuer: CN=EXA Root CA, OU=EXA eTrust Center, O=EXA, C=SA
Algorithm: RSA; Serial number: -----
Valid from Wed Oct 15 12:41:37 AST 2014 until Sat Oct 15 13:11:37 AST 2039
adding as trusted cert:
Subject: CN=10.10.10.10, OU=EXA eTrust Center, O=EXA, C=SA
Issuer: CN=EXA Shared CA, OU=EXA eTrust Center, O=EXA, C=SA
Algorithm: RSA; Serial number: -----
Valid from Thu Nov 11 12:33:30 AST 2015 until Mon Nov 26 13:03:30 AST 2018
adding as trusted cert:
Subject: CN=EXA Shared CA, OU=EXA eTrust Center, O=EXA, C=SA
Issuer: CN=EXA Root CA, OU=EXA eTrust Center, O=EXA, C=SA
Algorithm: RSA; Serial number: ------
Valid from Thu Oct 25 07:56:05 AST 2014 until Wed Oct 16 08:26:05 AST 2024
then I fount that the system is not sending the client certificate and I don't know why ?
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA256withRSA, SHA256withDSA, SHA256withECDSA, SHA384withRSA, Unknown (hash:0x5, signature:0x2), SHA384withECDSA, SHA512withRSA, Unknown (hash:0x6, signature:0x2), SHA512withECDSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA
Cert Authorities:
<Empty>
[read] MD5 and SHA1 hashes: len = 36
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
***
*** ECDHClientKeyExchange
my questions are:
- what do you think the issue is ?
- why jdk didn't find the suitable certificate where it exist and loaded in the trusted cert ?
- based on what the JDK will looking for suitable client certificate ? so I can determine why the JDK didn't find it
@@update
- Do you think the issue from my device(IP) since the certificate CN for another IP ?
sslhandshakeexception
I have an issue with ssl handshake_failure.
There is new integration with external web service that required to communicate over Https, they provide me three certificates (root + shared + client), so
I have installed all three certificates in my JDK and when I try to call this web service I always got exception:
exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
so I traced handshake communication between me and the server by adding this property -Djavax.net.debug=all to my application
I found that all three certificated being uploaded to the the application once it started
adding as trusted cert:
Subject: CN=EXA Root CA, OU=EXA eTrust Center, O=EXA, C=SA
Issuer: CN=EXA Root CA, OU=EXA eTrust Center, O=EXA, C=SA
Algorithm: RSA; Serial number: -----
Valid from Wed Oct 15 12:41:37 AST 2014 until Sat Oct 15 13:11:37 AST 2039
adding as trusted cert:
Subject: CN=10.10.10.10, OU=EXA eTrust Center, O=EXA, C=SA
Issuer: CN=EXA Shared CA, OU=EXA eTrust Center, O=EXA, C=SA
Algorithm: RSA; Serial number: -----
Valid from Thu Nov 11 12:33:30 AST 2015 until Mon Nov 26 13:03:30 AST 2018
adding as trusted cert:
Subject: CN=EXA Shared CA, OU=EXA eTrust Center, O=EXA, C=SA
Issuer: CN=EXA Root CA, OU=EXA eTrust Center, O=EXA, C=SA
Algorithm: RSA; Serial number: ------
Valid from Thu Oct 25 07:56:05 AST 2014 until Wed Oct 16 08:26:05 AST 2024
then I fount that the system is not sending the client certificate and I don't know why ?
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA256withRSA, SHA256withDSA, SHA256withECDSA, SHA384withRSA, Unknown (hash:0x5, signature:0x2), SHA384withECDSA, SHA512withRSA, Unknown (hash:0x6, signature:0x2), SHA512withECDSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA
Cert Authorities:
<Empty>
[read] MD5 and SHA1 hashes: len = 36
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
***
*** ECDHClientKeyExchange
my questions are:
- what do you think the issue is ?
- why jdk didn't find the suitable certificate where it exist and loaded in the trusted cert ?
- based on what the JDK will looking for suitable client certificate ? so I can determine why the JDK didn't find it
@@update
- Do you think the issue from my device(IP) since the certificate CN for another IP ?
sslhandshakeexception
sslhandshakeexception
edited Nov 22 '18 at 6:38
mzaje18
asked Nov 21 '18 at 20:40
mzaje18mzaje18
112
112
add a comment |
add a comment |
0
active
oldest
votes
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53420158%2fssl-handshake-failure-client-certifcate-not-being-sent%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
0
active
oldest
votes
0
active
oldest
votes
active
oldest
votes
active
oldest
votes
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53420158%2fssl-handshake-failure-client-certifcate-not-being-sent%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown