briantaurostack7
Reputation: 1273
How to configure two way ssl on client and server on tomcat 7 using openssl for ssl certificate generation?
I have configured th keystore and trustore using the solution provided by pedrofb given in the following link How to configure two way SSL connection in Spring WS without using Spring boot and using separate Apache tomcat server?
I have set the keystore and trustore properties for both client and server in tomcat 7. Yet, when i try to connect to server i get the error below
Using SSLEngineImpl.
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1
Using SSLEngineImpl.
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
http-nio-8443-exec-9, READ: TLSv1 Handshake, length = 185
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1
*** ClientHello, TLSv1.2
RandomCookie: GMT: -364265602 bytes = { 151, 161, 117, 135, 49, 179, 239, 50, 221, 113, 108, 85, 152, 173, 82, 244, 120, 98, 133, 94, 72, 13, 209, 43, 60, 89, 124, 77 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, Unknown 0xcc:0xa9, Unknown 0xcc:0xa8, Unknown 0xcc:0x14, Unknown 0xcc:0x13, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods: { 0 }
Extension renegotiation_info, renegotiated_connection: <empty>
Extension server_name, server_name: [type=host_name (0), value=localhost]
Unsupported extension type_23, data:
Unsupported extension type_35, data:
Extension signature_algorithms, signature_algorithms: SHA512withRSA, SHA512withECDSA, SHA384withRSA, SHA384withECDSA, SHA256withRSA, SHA256withECDSA, SHA1withRSA, SHA1withECDSA
Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_18, data:
Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
Unsupported extension type_30032, data:
Extension ec_point_formats, formats: [uncompressed]
Extension elliptic_curves, curve names: {unknown curve 29, secp256r1, secp384r1}
***
http-nio-8443-exec-1, READ: TLSv1 Handshake, length = 185
*** ClientHello, TLSv1.2
RandomCookie: GMT: 624575245 bytes = { 5, 128, 117, 156, 92, 134, 29, 210, 250, 146, 110, 193, 126, 10, 111%% Initialized: [Session-27, SSL_NULL_WITH_NULL_NULL]
, 45, 132, 231, 235, 77, 110, 238, 35, 93, 37, 164, 168, 251 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, Unknown 0xcc:0xa9, Unknown 0xcc:0xa8, Unknown 0xcc:0x14, Unknown 0xcc:0x13, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods: { 0 }
Extension renegotiation_info, renegotiated_connection: <empty>
Extension server_name, server_name: [type=host_name (0), value=localhost]
Unsupported extension type_23, data:
Unsupported extension type_35, data:
Extension signature_algorithms, signature_algorithms: SHA512withRSA, SHA512withECDSA, SHA384withRSA, SHA384withECDSA, SHA256withRSA, SHA256withECDSA, SHA1withRSA, SHA1withECDSA
Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_18, data:
Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
Unsupported extension type_30032, data:
Extension ec_point_formats, formats: [uncompressed]
Extension elliptic_curves, curve names: {unknown curve 29, secp256r1, secp384r1}
***
%% Initialized: [Session-28, SSL_NULL_WITH_NULL_NULL]
%% Negotiating: [Session-27, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
*** ServerHello, TLSv1.2
RandomCookie: GMT: 1465167446 bytes = { 250, 227, 168, 23, 5, 88, 160, 124, 42, 177, 14, 37, 174, 160, 121, 13, 224, 215, 45, 17, 46, 117, 215, 62, 224, 31, 241, 109 }
Session ID: {87, 85, 174, 86, 210, 17, 84, 99, 103, 218, 211, 254, 20, 253, 117, 8, 221, 141, 57, 197, 148, 244, 184, 91, 112, 35, 41, 60, 219, 23, 171, 67}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
Cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
*** Certificate chain
chain [0] = [
[
Version: V1
Subject: [email protected], CN=localhost, OU=localhost, O=ITCOVENANT, L=Coimbatore, ST=Tamil Badu, C=IN
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 1024 bits
modulus: 119392845705983053232381066342242552100246759562149136263179036450311601341483905580607024283403956181584600045082844169675168228225812598145033750549880051511514384914836915917053974822328749850134357052060356957993078530363525462150764881452639783264103642429891992181964954455911798298926528546562832494147
public exponent: 65537
Validity: [From: Mon Jun 06 22:09:30 IST 2016,
To: Tue Jun 06 22:09:30 IST 2017]
Issuer: [email protected], CN=localhost, OU=localhost, O=ITCOVENANT, L=Coimbatore, ST=Tamil Badu, C=IN
SerialNumber: [ 9f141eca db1b5892]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 52 80 1C 6C CF 67 1E 54 A8 D7 52 63 63 A6 5C E8 R..l.g.T..Rcc.\.
0010: 06 AB 45 17 D9 EF A5 BA AB 15 63 D0 8B 3E A8 F4 ..E.......c..>..
0020: 16 DD 0A AB 64 7D 16 BD B6 72 61 51 2C CA F3 F0 ....d....raQ,...
0030: 72 42 AF EF 67 0C B8 F4 99 26 34 12 A6 44 67 81 rB..g....&4..Dg.
0040: 78 79 4B 29 CC FB BC 75 32 61 54 1D C4 5F F2 BD xyK)...u2aT.._..
0050: 0E 5C A4 C0 A5 67 44 53 1B 0C 58 01 F0 A2 EC F3 .\...gDS..X.....
0060: 94 F3 D9 FB D3 1A A5 BA D9 7E 9E 49 90 10 84 7F ...........I....
0070: A6 7E 03 80 C0 17 2E F3 89 DE 27 31 C1 54 B5 AC ..........'1.T..
]
***
%% Negotiating: [Session-28, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
*** ServerHello, TLSv1.2
RandomCookie: GMT: 1465167446 bytes = { 103, 27, 241, 116, 15, 29, 188, 76, 143, 250, 43, 244, 203, 202, 45, 229, 174, 22, 232, 84, 101, 180, 15, 46, 1, 2, 102, 153 }
Session ID: {87, 85, 174, 86, 57, 163, 69, 204, 125, 206, 51, 246, 36, 126, 169, 3, 253, 63, 0, 8, 97, 161, 116, 83, 52, 47, 229, 6, 202, 194, 109, 25}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
Cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
*** Certificate chain
chain [0] = [
[
Version: V1
Subject: [email protected], CN=localhost, OU=localhost, O=ITCOVENANT, L=Coimbatore, ST=Tamil Badu, C=IN
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 1024 bits
modulus: 119392845705983053232381066342242552100246759562149136263179036450311601341483905580607024283403956181584600045082844169675168228225812598145033750549880051511514384914836915917053974822328749850134357052060356957993078530363525462150764881452639783264103642429891992181964954455911798298926528546562832494147
public exponent: 65537
Validity: [From: Mon Jun 06 22:09:30 IST 2016,
To: Tue Jun 06 22:09:30 IST 2017]
Issuer: [email protected], CN=localhost, OU=localhost, O=ITCOVENANT, L=Coimbatore, ST=Tamil Badu, C=IN
SerialNumber: [ 9f141eca db1b5892]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 52 80 1C 6C CF 67 1E 54 A8 D7 52 63 63 A6 5C E8 R..l.g.T..Rcc.\.
0010: 06 AB 45 17 D9 EF A5 BA AB 15 63 D0 8B 3E A8 F4 ..E.......c..>..
0020: 16 DD 0A AB 64 7D 16 BD B6 72 61 51 2C CA F3 F0 ....d....raQ,...
0030: 72 42 AF EF 67 0C B8 F4 99 26 34 12 A6 44 67 81 rB..g....&4..Dg.
0040: 78 79 4B 29 CC FB BC 75 32 61 54 1D C4 5F F2 BD xyK)...u2aT.._..
0050: 0E 5C A4 C0 A5 67 44 53 1B 0C 58 01 F0 A2 EC F3 .\...gDS..X.....
0060: 94 F3 D9 FB D3 1A A5 BA D9 7E 9E 49 90 10 84 7F ...........I....
0070: A6 7E 03 80 C0 17 2E F3 89 DE 27 31 C1 54 B5 AC ..........'1.T..
]
***
*** ECDH ServerKeyExchange
*** ECDH ServerKeyExchange
Signature Algorithm SHA512withRSA
Server key: Sun EC public key, 256 bits
public x coord: 85555666343139018963533967280538968797633662983139641438682557033369225999165
public y coord: 8427840957609862596834523195604231585301724865593291933177525359181625802444
parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Cert Authorities:
<[email protected], CN=localhost, OU=localhost, O=ItCovenant, L=Coimbatore, ST=Tamil Nadu, C=IN>
<[email protected], CN=localhost, OU=localroot, O=Root, L=Coimbatore, ST=TamilNadu, C=IN>
*** ServerHelloDone
Signature Algorithm SHA512withRSA
http-nio-8443-exec-1, WRITE: TLSv1.2 Handshake, length = 1336
Server key: Sun EC public key, 256 bits
public x coord: 84402873937186238897029201223811091119078490206065291036407576822220964455837
public y coord: 102495088922183201760899172514801345100289489285600965229707082740951466499978
parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Cert Authorities:
<[email protected], CN=localhost, OU=localhost, O=ItCovenant, L=Coimbatore, ST=Tamil Nadu, C=IN>
<[email protected], CN=localhost, OU=localroot, O=Root, L=Coimbatore, ST=TamilNadu, C=IN>
*** ServerHelloDone
http-nio-8443-exec-9, WRITE: TLSv1.2 Handshake, length = 1336
http-nio-8443-exec-9, called closeOutbound()
http-nio-8443-exec-9, closeOutboundInternal()
http-nio-8443-exec-9, SEND TLSv1.2 ALERT: warning, description = close_notify
http-nio-8443-exec-9, WRITE: TLSv1.2 Alert, length = 2
http-nio-8443-exec-9, called closeOutbound()
http-nio-8443-exec-9, closeOutboundInternal()
http-nio-8443-exec-9, SEND TLSv1.2 ALERT: warning, description = close_notify
http-nio-8443-exec-9, WRITE: TLSv1.2 Alert, length = 2
Using SSLEngineImpl.
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1
http-nio-8443-exec-4, READ: TLSv1 Handshake, length = 185
*** ClientHello, TLSv1.2
RandomCookie: GMT: -1587396700 bytes = { 168, 137, 156, 195, 17, 132, 253, 181, 204, 114, 165, 228, 86, 231, 233, 158, 148, 15, 75, 153, 17, 24, 212, 36, 209, 134, 90, 182 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, Unknown 0xcc:0xa9, Unknown 0xcc:0xa8, Unknown 0xcc:0x14, Unknown 0xcc:0x13, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods: { 0 }
Extension renegotiation_info, renegotiated_connection: <empty>
Extension server_name, server_name: [type=host_name (0), value=localhost]
Unsupported extension type_23, data:
Unsupported extension type_35, data:
Extension signature_algorithms, signature_algorithms: SHA512withRSA, SHA512withECDSA, SHA384withRSA, SHA384withECDSA, SHA256withRSA, SHA256withECDSA, SHA1withRSA, SHA1withECDSA
Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_18, data:
Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
Unsupported extension type_30032, data:
Extension ec_point_formats, formats: [uncompressed]
Extension elliptic_curves, curve names: {unknown curve 29, secp256r1, secp384r1}
***
%% Initialized: [Session-29, SSL_NULL_WITH_NULL_NULL]
%% Negotiating: [Session-29, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
*** ServerHello, TLSv1.2
RandomCookie: GMT: 1465167446 bytes = { 225, 169, 240, 135, 216, 14, 179, 8, 242, 163, 54, 198, 242, 182, 103, 125, 233, 71, 73, 94, 94, 112, 96, 92, 230, 44, 24, 124 }
Session ID: {87, 85, 174, 86, 58, 130, 84, 54, 254, 224, 181, 52, 14, 113, 71, 231, 52, 58, 218, 105, 147, 197, 135, 24, 188, 193, 25, 160, 12, 186, 145, 122}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
Cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
*** Certificate chain
chain [0] = [
[
Version: V1
Subject: [email protected], CN=localhost, OU=localhost, O=ITCOVENANT, L=Coimbatore, ST=Tamil Badu, C=IN
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 1024 bits
modulus: 119392845705983053232381066342242552100246759562149136263179036450311601341483905580607024283403956181584600045082844169675168228225812598145033750549880051511514384914836915917053974822328749850134357052060356957993078530363525462150764881452639783264103642429891992181964954455911798298926528546562832494147
public exponent: 65537
Validity: [From: Mon Jun 06 22:09:30 IST 2016,
To: Tue Jun 06 22:09:30 IST 2017]
Issuer: [email protected], CN=localhost, OU=localhost, O=ITCOVENANT, L=Coimbatore, ST=Tamil Badu, C=IN
SerialNumber: [ 9f141eca db1b5892]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 52 80 1C 6C CF 67 1E 54 A8 D7 52 63 63 A6 5C E8 R..l.g.T..Rcc.\.
0010: 06 AB 45 17 D9 EF A5 BA AB 15 63 D0 8B 3E A8 F4 ..E.......c..>..
0020: 16 DD 0A AB 64 7D 16 BD B6 72 61 51 2C CA F3 F0 ....d....raQ,...
0030: 72 42 AF EF 67 0C B8 F4 99 26 34 12 A6 44 67 81 rB..g....&4..Dg.
0040: 78 79 4B 29 CC FB BC 75 32 61 54 1D C4 5F F2 BD xyK)...u2aT.._..
0050: 0E 5C A4 C0 A5 67 44 53 1B 0C 58 01 F0 A2 EC F3 .\...gDS..X.....
0060: 94 F3 D9 FB D3 1A A5 BA D9 7E 9E 49 90 10 84 7F ...........I....
0070: A6 7E 03 80 C0 17 2E F3 89 DE 27 31 C1 54 B5 AC ..........'1.T..
]
***
*** ECDH ServerKeyExchange
Signature Algorithm SHA512withRSA
Server key: Sun EC public key, 256 bits
public x coord: 81903135861506604845195203015394003955799288815680914864504286597024832297135
public y coord: 106714826192296131282741266053860770585192831249415196199432006232074628631588
parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Cert Authorities:
<[email protected], CN=localhost, OU=localhost, O=ItCovenant, L=Coimbatore, ST=Tamil Nadu, C=IN>
<[email protected], CN=localhost, OU=localroot, O=Root, L=Coimbatore, ST=TamilNadu, C=IN>
*** ServerHelloDone
http-nio-8443-exec-4, WRITE: TLSv1.2 Handshake, length = 1336
http-nio-8443-exec-6, READ: TLSv1.2 Handshake, length = 7
*** Certificate chain
<Empty>
***
http-nio-8443-exec-6, fatal error: 42: null cert chain
javax.net.ssl.SSLHandshakeException: null cert chain
%% Invalidated: [Session-29, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
http-nio-8443-exec-6, SEND TLSv1.2 ALERT: fatal, description = bad_certificate
http-nio-8443-exec-6, WRITE: TLSv1.2 Alert, length = 2
http-nio-8443-exec-6, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: null cert chain
http-nio-8443-exec-6, called closeOutbound()
http-nio-8443-exec-6, closeOutboundInternal()
On the client side I have the following error in browser
Try contacting the system admin.
ERR_BAD_SSL_CLIENT_AUTH_CERT
The client does not send its certificate when server requests it.
Do i have to keep clientauth=true, both in client and server?
My Server keystore contains server.pfx
My Server trustore contains client.crt and ca.crt
My Client keystore contains client.p12 client.crt ca.crt
My Client trustore contains server.crt
Thanks
Upvotes: 0
Views: 1226
Answers (2)
briantaurostack7
Reputation: 1273
I finally found the solution I just did not install client.p12 in the browser and hence my client was not sending its certificate to the server.Once I installed client.p12 in the browser It started working .
Upvotes: -1
user207421
Reputation: 310840
The server is requesting a certificate and providing a list of trusted signers. This comes from the server's truststore. The client doesn't have a certificate signed by one of those signers in its keystore, so it cannot send a certificate.
Solution: either have the client certificate signed by one of the trusted signers, or enhance the trusted signers to include the signer of the client certificate.
Upvotes: 2
Related Questions
- handling exception: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
- Tomcat [9.0.26] - SSLHandshake Exception
- SSL Handshake failure with Java version "1.7.0_79"
- Java8, JBoss AS5, SSLException: "Received fatal alert: handshake_failure"
- NoHostAvailable when trying to connect to SSL enabled Cassandra
- SSLHandshakeException : jetty server does not pick any of cipher to initiate SSL handshake
- Thread-6, RECV TLSv1 ALERT: fatal, handshake_failure