
Can anyone tell me what the problem in this SSL handshake is? I'm not able to interpret this message to know what's going wrong.

I use Java 1.8u171 and custom key- and truststores.

Since the SSL debug trace is too big to post here, I've added just the end of it. Let me know if I need to add more lines.

*** ECDH ServerKeyExchange
Signature Algorithm SHA512withRSA
Server key: Sun EC public key, 256 bits
  public x coord: 22370889587224987359608899225847605413175776292485254209693360141628593926267
  public y coord: 46421316867312726832394508124945403534455242739986432133408176290773445555000
  parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
main, READ: TLSv1.2 Handshake, length = 1296
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withRSA, Unknown (hash:0x6, signature:0x2), SHA512withECDSA, SHA384withRSA, Unknown (hash:0x5, signature:0x2), SHA384withECDSA, SHA256withRSA, SHA256withDSA, SHA256withECDSA, Unknown (hash:0x3, signature:0x1), Unknown (hash:0x3, signature:0x2), Unknown (hash:0x3, signature:0x3), SHA1withRSA, SHA1withDSA, SHA1withECDSA
Cert Authorities:
<CN=Admin-Root-CA, OU=Certification Authorities, OU=Services, O=admin, C=ch>
<CN=SwissDefence-CA1, OU=Certification Authorities, OU=Verteidigung, O=Admin, C=CH>
<CN=SwissDefence-RootCA, OU=Certification Authorities, OU=Verteidigung, O=Admin, C=CH>
<CN=Swiss Government Regular CA 01, OU=Certification Authorities, OU=Services, O=Admin, C=CH>
<CN=Swiss Government Enhanced CA 01, OU=Certification Authorities, OU=Services, O=Admin, C=CH>
<CN=Swiss Government Enhanced CA 02, OU=Certification Authorities, OU=Services, O=Admin, C=CH>
<CN=Swiss Government SSL CA 01, OU=Certification Authorities, OU=Services, O=Swiss Government PKI, C=CH>
<CN=Swiss Government Root CA I, OU=Certification Authorities, OU=Services, O=The Federal Authorities of the Swiss Confederation, C=CH>
<CN=Swiss Government Root CA II, OU=Certification Authorities, OU=Services, O=The Federal Authorities of the Swiss Confederation, C=CH>
*** ServerHelloDone
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
***
*** ECDHClientKeyExchange
ECDH Public value:  { 4, 151, 224, 196, 1, 182, 164, 65, 41, 7, 83, 83, 219, 245, 182, 17, 252, 77, 121, 12, 239, 156, 93, 141, 201, 209, 209, 105, 133, 211, 170, 214, 7, 186, 20, 184, 229, 154, 102, 83, 241, 182, 65, 201, 230, 178, 162, 155, 233, 13, 238, 236, 66, 132, 154, 131, 234, 253, 232, 127, 96, 123, 113, 254, 173 }
main, WRITE: TLSv1.2 Handshake, length = 101
SESSION KEYGEN:
PreMaster Secret:
0000: 5B 6B 22 F4 DA 84 39 7D   6D BC 0D 78 BF 12 8D 9E  [k"...9.m..x....
0010: A8 AE 84 1D 77 FC F1 9D   1B 4D 2C E3 15 65 D2 FC  ....w....M,..e..
CONNECTION KEYGEN:
Client Nonce:
0000: 5B 60 8F D8 9A F6 63 29   DB AE 52 4A 85 C5 7D 92  [`....c)..RJ....
0010: 5F 24 BE 3D 42 30 C0 F1   18 60 AD 6B C9 CA 77 12  _$.=B0...`.k..w.
Server Nonce:
0000: 8B 00 1C 8A 53 D6 F0 0E   0E 1C 11 6C 36 56 21 E5  ....S......l6V!.
0010: 85 E6 C6 F9 6F F7 26 D9   1B 8C 58 A8 B5 48 A5 9E  ....o.&...X..H..
Master Secret:
0000: 46 48 BA 0A 40 0F CD 0F   93 C0 60 35 07 08 EA 3E  FH..@.....`5...>
0010: E3 44 EC 4A 65 58 E3 38   32 56 47 17 5E DB B7 AB  .D.JeX.82VG.^...
0020: 13 15 00 A7 25 3B 89 DE   2D B7 89 F4 D1 2C EC 92  ....%;..-....,..
... no MAC keys used for this cipher
Client write key:
0000: 85 A7 0F CF F3 26 14 49   C3 9F F9 7D FF 92 88 75  .....&.I.......u
0010: 44 0E 1B 3E BE B2 B0 A9   27 CB FD 02 3D E3 07 4F  D..>....'...=..O
Server write key:
0000: 01 A7 47 C1 BB F1 FE C0   BC 62 DF 6D BD 06 74 63  ..G......b.m..tc
0010: AB 98 3A 12 D2 99 C3 1A   9E D4 7D 27 F7 21 45 C0  ..:........'.!E.
Client write IV:
0000: 6D D5 5C 6E                                        m.\n
Server write IV:
0000: 53 C2 4A F9                                        S.J.
main, WRITE: TLSv1.2 Change Cipher Spec, length = 25
*** Finished
verify_data:  { 232, 49, 11, 141, 224, 91, 146, 66, 124, 158, 201, 90 }
***
main, WRITE: TLSv1.2 Handshake, length = 40
main, READ: TLSv1.2 Alert, length = 26
main, RECV TLSv1.2 ALERT:  fatal, handshake_failure
%% Invalidated:  [Session-3, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
%% Invalidated:  [Session-4, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
main, called close()
main, called closeInternal(true)
main, called close()
main, called closeInternal(true)

And here is part of the stack trace:

Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:1.8.0_172]
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:154) ~[?:1.8.0_172]
    at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2038) ~[?:1.8.0_172]
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1135) ~[?:1.8.0_172]
    at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:940) ~[?:1.8.0_172]
    at sun.security.ssl.AppInputStream.read(AppInputStream.java:105) ~[?:1.8.0_172]
    at java.io.BufferedInputStream.fill(BufferedInputStream.java:246) ~[?:1.8.0_172]
    at java.io.BufferedInputStream.read1(BufferedInputStream.java:286) ~[?:1.8.0_172]
    at java.io.BufferedInputStream.read(BufferedInputStream.java:345) ~[?:1.8.0_172]
    at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:735) ~[?:1.8.0_172]
    at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:678) ~[?:1.8.0_172]
    at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:706) ~[?:1.8.0_172]
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1587) ~[?:1.8.0_172]
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492) ~[?:1.8.0_172]
    at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480) ~[?:1.8.0_172]
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:347) ~[?:1.8.0_172]
  • Have you tried testing the generated truststore and client certificate with tools? One of the recommended ones is SmartBear's SOAPUI. The problem lingers around the TLS version (you're using v1.2), an invalid client cert or an invalid truststore cert. Commented Aug 2, 2018 at 9:07
  • stackoverflow.com/questions/51348108/… check out my answer Commented Aug 2, 2018 at 9:10
  • @Han: Thanks for your response. I've tested it using SoapUI before I did some coding. The keystore is working there as expected. But in SoapUI I don't need to define a truststore to get a valid response from the web service. If I do set the truststore I also get a valid response. But I don't know why I do not need to set the truststore. If I do not use the truststore in my own application, I get the error that no valid certification path can be found. Commented Aug 2, 2018 at 10:23
  • "Warning: no suitable certificate found - continuing without client authentication" - your certificate does not match the target host, check the certificate. Commented Aug 2, 2018 at 12:57
  • Adrian Osterwalder - then it's some response connected to @Wow. In Java the cacerts file stores the truststore. In SoapUI, it's basically using your java/home. What I experienced before is that I ran in a web server, and the web server sometimes either has its own truststore or points to a different Java home. You can actually print all the truststore entries listed in cacerts with keytool to verify it's there. Commented Aug 3, 2018 at 4:57
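As an added diagnostic that is not from the original post or any of the commenters, this Java program loads the client keystore and reports, per key entry, the two things JSSE checks before offering a client certificate in response to the CertificateRequest above: the key type against the server's Cert Types, and the issuer of any certificate in the chain against the Cert Authorities list. The keystore path, password and type on the command line are assumptions, and only three of the nine CA names from the trace are pasted in.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.security.auth.x500.X500Principal;

/** Explains, per keystore entry, why JSSE would or would not offer it as the client certificate. */
public class ClientCertCheck {
    // Key types the server accepts ("Cert Types: RSA, DSS, ECDSA" in the trace) as Java algorithm names.
    static final List<String> ACCEPTED_KEY_ALGS = Arrays.asList("RSA", "DSA", "EC");
    // Issuer names from the trace's "Cert Authorities" list; paste in all nine for a real check.
    static final List<X500Principal> REQUESTED_CAS = Arrays.asList(
        new X500Principal("CN=Admin-Root-CA, OU=Certification Authorities, OU=Services, O=admin, C=ch"),
        new X500Principal("CN=SwissDefence-CA1, OU=Certification Authorities, OU=Verteidigung, O=Admin, C=CH"),
        new X500Principal("CN=Swiss Government Enhanced CA 01, OU=Certification Authorities, OU=Services, O=Admin, C=CH"));

    /** One line per alias: subject, key algorithm, and whether any issuer in the chain is a requested CA. */
    static List<String> report(KeyStore ks) throws Exception {
        List<String> lines = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate[] chain = ks.getCertificateChain(alias);
            if (chain == null || chain.length == 0) {
                lines.add(alias + ": no private key with a certificate chain -> never offered");
                continue;
            }
            X509Certificate leaf = (X509Certificate) chain[0];
            String keyAlg = leaf.getPublicKey().getAlgorithm();
            // JSSE matches the issuer of ANY certificate in the chain against the requested CAs.
            // X500Principal.equals compares canonical DNs, so "O=admin, C=ch" equals "O=Admin, C=CH".
            boolean issuerOk = false;
            for (Certificate c : chain) {
                issuerOk |= REQUESTED_CAS.contains(((X509Certificate) c).getIssuerX500Principal());
            }
            lines.add(String.format("%s: subject=%s key=%s (%s), chain issuer matches a requested CA=%b, sigalg=%s",
                alias, leaf.getSubjectX500Principal(), keyAlg,
                ACCEPTED_KEY_ALGS.contains(keyAlg) ? "accepted type" : "NOT in Cert Types", issuerOk, leaf.getSigAlgName()));
        }
        return lines;
    }

    public static void main(String[] args) throws Exception {
        // Assumed usage: java ClientCertCheck <keystore> <password> [JKS|PKCS12]
        KeyStore ks = KeyStore.getInstance(args.length > 2 ? args[2] : "JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        for (String line : report(ks)) System.out.println(line);
    }
}
```

If no line shows an accepted key type together with a matching issuer, the keystore itself, not the target host, is why the trace prints the "no suitable certificate found" warning and sends an empty Certificate message.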

1 Answer


"Warning: no suitable certificate found - continuing without client authentication" - your certificate does not match the target host, check the certificate.


1 Comment

but karma goes around ;)
