Reputation: 2556
Below is a snippet from the debug output of a failing SSL handshake with client authentication. I'm nearly certain I have all relevant certificates in my keystore. I've also attempted to trust all servers like this: -Dcom.sun.net.ssl.checkRevocation=false
and based on Medhi's answer to Is there a java setting for disabling certificate validation?. I always get the same unknown_ca exception.
Is it possible this exception is coming from the server not liking the credentials I'm supplying as a client instead? How can one tell which side this error is from?
0000: A6 B5 D1 75 74 B2 73 97 E1 B2 BA 5B 56 75 6E 09 ...ut.s....[Vun.
Server write key:
0000: E3 DF 3B CC 9A 6C DF A4 47 A0 69 51 D9 80 0F F2 ..;..l..G.iQ....
... no IV derived for this protocol
*** CertificateVerify
Signature Algorithm SHA512withRSA
MyMain, WRITE: TLSv1.2 Handshake, length = 264
MyMain, WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
verify_data: { 69, 68, 30, 177, 182, 137, 211, 81, 29, 49, 195, 244 }
***
MyMain, WRITE: TLSv1.2 Handshake, length = 80
MyMain, READ: TLSv1.2 Alert, length = 2
MyMain, RECV TLSv1.2 ALERT: fatal, unknown_ca
%% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256]
MyMain, called closeSocket()
Upvotes: 0
Views: 1601
Reputation: 123461
MyMain, RECV TLSv1.2 ALERT: fatal, unknown_ca
The client received a TLS alert from the server because the server does not know (unknown) and therefore does not trust the issuer (ca) of the certificate sent by the client.
This means that either your client does not send the certificate expected by the server, that the client failed to include the necessary intermediate certificates so that the certificate verification failed, or it might be a misconfiguration on the server side.
... I've also attempted to trust all servers ...
This does not help here. The problem is not the client failing to validate the server certificate but the server failing to validate the client certificate. Disabling certificate validation on the client side has no effect on the certificate validation on the server side, which is the problem here.
Upvotes: 2
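The answer's reasoning about direction can be turned into a small triage helper: in JSSE debug output a line of the form "RECV ... ALERT: ..." is an alert the peer sent to this JVM, while "SEND ... ALERT: ..." is one this JVM generated after its own check failed. The following Python script, added here as an illustration and not part of the question or answer, parses such lines and reports which side made the trust decision. The log text is constructed to mirror the question's output; the "SEND ... description = ..." form is assumed to match how JSSE 8 prints locally generated alerts.

```python
import re
from typing import List, NamedTuple

# Constructed JSSE (-Djavax.net.debug=ssl) output modelled on the question's log;
# not captured from a real system.
SAMPLE_LOG = """\
MyMain, WRITE: TLSv1.2 Handshake, length = 264
MyMain, WRITE: TLSv1.2 Change Cipher Spec, length = 1
MyMain, WRITE: TLSv1.2 Handshake, length = 80
MyMain, READ: TLSv1.2 Alert, length = 2
MyMain, RECV TLSv1.2 ALERT: fatal, unknown_ca
%% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256]
MyMain, called closeSocket()
"""

# Constructed counter-example: the local JVM rejects the peer's chain itself.
# The "description = ..." layout is an assumption about JSSE 8's SEND format.
SAMPLE_LOG_LOCAL_REJECT = """\
MyMain, READ: TLSv1.2 Handshake, length = 2800
MyMain, SEND TLSv1.2 ALERT:  fatal, description = certificate_unknown
MyMain, called closeSocket()
"""

ALERT_RE = re.compile(
    r"^(?P<thread>[^,]+),\s+(?P<dir>RECV|SEND)\s+(?P<ver>\S+)\s+ALERT:\s+"
    r"(?P<level>warning|fatal),\s+(?:description\s*=\s*)?(?P<desc>\w+)\s*$"
)

# Alert descriptions that mean the *sender* rejected the *receiver's* certificate chain.
CERT_REJECTION_ALERTS = {
    "unknown_ca", "bad_certificate", "certificate_unknown",
    "certificate_expired", "certificate_revoked", "unsupported_certificate",
}


class TlsAlert(NamedTuple):
    thread: str
    direction: str      # RECV: the peer sent it; SEND: this JVM generated it
    version: str
    level: str
    description: str

    @property
    def origin(self) -> str:
        return "peer" if self.direction == "RECV" else "local"


def parse_alerts(log_text: str) -> List[TlsAlert]:
    """Extract every alert line (sent or received) from JSSE debug output."""
    alerts = []
    for line in log_text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append(TlsAlert(m["thread"], m["dir"], m["ver"], m["level"], m["desc"]))
    return alerts


def diagnose(alert: TlsAlert, we_are_client: bool = True) -> str:
    """Explain which side made the trust decision and where a fix can apply."""
    us, them = ("client", "server") if we_are_client else ("server", "client")
    if alert.origin == "peer":
        if alert.description in CERT_REJECTION_ALERTS:
            return (f"{alert.level} {alert.description} was sent by the {them}: it rejected the "
                    f"certificate chain this {us} presented. The fix is in the {them}'s trust store "
                    f"or this {us}'s key store/chain; relaxing checks on this {us} cannot change it.")
        return f"{alert.level} {alert.description} was sent by the {them}; see {them}-side logs."
    if alert.description in CERT_REJECTION_ALERTS:
        return (f"{alert.level} {alert.description} was generated by this {us}: it rejected the "
                f"{them}'s certificate chain. Check this {us}'s trust store.")
    return f"{alert.level} {alert.description} was generated by this {us}."


if __name__ == "__main__":
    for log in (SAMPLE_LOG, SAMPLE_LOG_LOCAL_REJECT):
        for alert in parse_alerts(log):
            print(f"[{alert.origin}] {diagnose(alert)}")
```

Run against the question's log this reports the alert as peer-originated, which is the answer's point: the server performed the failing check, so the client's checkRevocation and trust-all settings are irrelevant to it.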