7 Replies Latest reply: Jun 2, 2013 8:18 PM by EJP

    RECV TLSv1 ALERT: fatal, handshake_failure in Java 1.7

    998079
      I have two Java applications. Both were originally running Java 1.6. The applications communicate via an HTTPS call. The client is being converted to Java 1.7 while the server is being left at Java 1.6 for now.

      When the client is run using Java 1.7 it gets an exception, javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure. The client works fine using Java 1.6. The client running on Java 1.7 can communicate with other applications such as https://www.google.com/ without any problem.

      The debug log indicates that the client is accepting the server certificate without any problem. It is the server that is sending the handshake_failure response.

      The only significant difference I can see between the two logs is that with the Java 1.6 client the server selects the SSL_RSA_WITH_RC4_128_MD5 cipher suite, while with the Java 1.7 client the server selects the TLS_RSA_WITH_AES_256_CBC_SHA cipher suite.

      I can re-create the problem using a simple program and running it twice, once with Java 1.6 and once with Java 1.7.

      package testhttps;

      import java.io.IOException;
      import java.io.InputStream;
      import java.net.URL;
      import java.net.URLConnection;

      public class Main {
           private static final String JAVA_VERSION = "java.version";
           private static final String JAVAX_NET_DEBUG = "javax.net.debug";
           private static final String JAVAX_NET_SSL_TRUSTSTORE = "javax.net.ssl.trustStore";

           private static final String DEBUG_OPTS = "ssl,handshake";
           private static final String LOCAL_KS = "C:/Users/USER/Desktop/SERVERcert";
           private static final String LOCAL_URL = "https://SERVER/invoke/tools.employees.apps:APPNAME";
           private static final String GOOGLE_URL = "https://www.google.com/";

           public static void main(String[] args) throws IOException {
                System.out.println("Java Version: " + System.getProperty(JAVA_VERSION));
                printSep();
                System.setProperty(JAVAX_NET_DEBUG, DEBUG_OPTS);
                System.setProperty(JAVAX_NET_SSL_TRUSTSTORE, LOCAL_KS);
                runTest(LOCAL_URL);
                printSep();
                runTest(GOOGLE_URL);
           }
           
           private static void printSep() {
                System.out.println("----------------------------------------");
                System.out.println();
           }

           private static void runTest(String urlStr) {
                System.out.println("URL: " + urlStr);
                System.out.println();
                try {
                     URL url = new URL(urlStr);
                     URLConnection connection = url.openConnection();
                     connection.connect();
                     InputStream stream = connection.getInputStream();
                     while (true) {
                          int n = stream.read();
                          if (n == -1)
                               break;
                          System.out.write(n);
                     }
                     stream.close();
                     System.out.println();
                } catch (IOException e) {
                     System.out.println();
                     e.printStackTrace();
                }
           }
      }
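A way to narrow down the cipher suite difference described in the post above, as an added example that is not part of the original post: offer the server one cipher suite per connection and record which handshakes it completes. The class name `CipherSuiteProbe` is hypothetical, `SERVER` is the post's placeholder host, and port 443 is an assumption.

```java
import java.io.IOException;
import java.util.Arrays;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added diagnostic example (hypothetical class name, not from the original post).
// Offers the server exactly one cipher suite per connection and reports whether
// the handshake completes. Written without Java 7 syntax so the same source
// compiles and runs on both Java 1.6 and Java 1.7.
public class CipherSuiteProbe {

    // Signalling value for secure renegotiation; kept in the offer so each
    // ClientHello resembles the ones shown in the javax.net.debug logs.
    private static final String SCSV = "TLS_EMPTY_RENEGOTIATION_INFO_SCSV";

    // Attempts one handshake with a single enabled suite and describes the outcome.
    static String tryHandshake(SSLSocketFactory factory, String host, int port, String suite) {
        SSLSocket socket = null;
        try {
            socket = (SSLSocket) factory.createSocket(host, port);
            socket.setSoTimeout(10000); // do not hang on a server that stays silent
            boolean hasScsv = Arrays.asList(socket.getSupportedCipherSuites()).contains(SCSV);
            socket.setEnabledCipherSuites(
                    hasScsv ? new String[] { suite, SCSV } : new String[] { suite });
            socket.startHandshake();
            return "OK, negotiated " + socket.getSession().getCipherSuite();
        } catch (IOException e) {
            // Includes SSLHandshakeException, so a fatal alert from the server and a
            // local certificate-trust failure show up with different messages.
            return "FAILED: " + e;
        } finally {
            if (socket != null) {
                try {
                    socket.close();
                } catch (IOException ignored) {
                    // nothing useful to do if close fails
                }
            }
        }
    }

    public static void main(String[] args) {
        // Assumed defaults: the post's placeholder host name and the standard HTTPS port.
        String host = args.length > 0 ? args[0] : "SERVER";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;

        // The default factory honours -Djavax.net.ssl.trustStore, as the test program does.
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();

        System.out.println("Java Version: " + System.getProperty("java.version"));
        for (String suite : factory.getDefaultCipherSuites()) {
            if (SCSV.equals(suite)) {
                continue; // not a real cipher suite, cannot be negotiated on its own
            }
            System.out.printf("%-45s %s%n", suite, tryHandshake(factory, host, port, suite));
        }
    }
}
```

Run it under both JREs with the same `-Djavax.net.ssl.trustStore` setting and compare the rows for SSL_RSA_WITH_RC4_128_MD5 and TLS_RSA_WITH_AES_256_CBC_SHA, the two suites the server selected in the logs.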
        • 1. Re: RECV TLSv1 ALERT: fatal, handshake_failure in Java 1.7
          998079
          Debug log for Java 1.6 client. Everything works.

          Java Version: 1.6.0_27
          ----------------------------------------

          URL: https://SERVER/invoke/tools.employees.apps:APPNAME

          keyStore is :
          keyStore type is : jks
          keyStore provider is :
          init keystore
          init keymanager of type SunX509
          trustStore is: C:\Users\USER\Desktop\SERVERcert
          trustStore type is : jks
          trustStore provider is :
          init truststore
          adding as trusted cert:
          Subject: CN=www.google.com, O=Google Inc, L=Mountain View, ST=California, C=US
          Issuer: CN=Google Internet Authority, O=Google Inc, C=US
          Algorithm: RSA; Serial number: 0x14850d9e000000007d40
          Valid from Wed Feb 20 06:34:56 MST 2013 until Fri Jun 07 13:43:27 MDT 2013

          adding as trusted cert:
          Subject: EMAILADDRESS=jthompson@COMPANY.com, CN=SERVER, OU=Web Team, O=COMPANY NAME, L=CITY, ST=STATE, C=US
          Issuer: CN=COMPANY NAME Internal Issuing CA, DC=PARENT, DC=local
          Algorithm: RSA; Serial number: 0x4208795e000000000d7d
          Valid from Fri Mar 15 07:44:35 MDT 2013 until Sun Mar 15 07:44:35 MDT 2015

          trigger seeding of SecureRandom
          done seeding SecureRandom
          Allow unsafe renegotiation: false
          Allow legacy hello messages: true
          Is initial handshake: true
          Is secure renegotiation: false
          %% No cached client session
          *** ClientHello, TLSv1
          RandomCookie: GMT: 1363720139 bytes = { 171, 123, 61, 172, 126, 242, 212, 1, 4, 176, 242, 170, 160, 29, 94, 71, 5, 156, 105, 254, 198, 134, 121, 195, 94, 180, 75, 145 }
          Session ID: {}
          Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
          Compression Methods: { 0 }
          ***
          main, WRITE: TLSv1 Handshake, length = 75
          main, WRITE: SSLv2 client hello message, length = 101
          main, READ: TLSv1 Handshake, length = 3437
          *** ServerHello, TLSv1
          RandomCookie: GMT: 1363720139 bytes = { 166, 182, 216, 213, 79, 208, 74, 130, 188, 139, 43, 173, 181, 142, 122, 50, 139, 104, 114, 149, 210, 38, 128, 131, 197, 54, 184, 60 }
          Session ID: {171, 166, 225, 109, 198, 100, 161, 155, 70, 133, 24, 13, 92, 97, 8, 198}
          Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
          Compression Method: 0
          Extension renegotiation_info, renegotiated_connection: <empty>
          ***
          %% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
          ** SSL_RSA_WITH_RC4_128_MD5
          *** Certificate chain
          chain [0] = [
          [
          Version: V3
          Subject: EMAILADDRESS=jthompson@COMPANY.com, CN=SERVER, OU=Web Team, O=COMPANY NAME, L=CITY, ST=STATE, C=US
          Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

          Key: Sun RSA public key, 2048 bits
          modulus: 31516488916856175993354388556520068293794356693242681182245201286667548063641640358313574888462489933475402864236800262460826430243488030753558168637830135426373840447558297285290406873898984898413863294812616756309132288938801104047345625475355654376426138494767988080314969827787605621823083455352331480850948116669339339048031040543939696472504286395458369701032317090387365961443301475102633799830067724032223647096133387365632477706202020365811242759581209534410179060268963901969481769329740356404722306624236516162225426247695795946763666223293969793336832548340134282004822442343909786198074157323202609655959
          public exponent: 65537
          Validity: [From: Fri Mar 15 07:44:35 MDT 2013,
                         To: Sun Mar 15 07:44:35 MDT 2015]
          Issuer: CN=COMPANY NAME Internal Issuing CA, DC=PARENT, DC=local
          SerialNumber: [    4208795e 00000000 0d7d]

          Certificate Extensions: 8
          [1]: ObjectId: 1.3.6.1.4.1.311.21.10 Criticality=false
          Extension unknown: DER encoded OCTET string =
          0000: 04 0E 30 0C 30 0A 06 08 2B 06 01 05 05 07 03 01 ..0.0...+.......


          [2]: ObjectId: 2.5.29.14 Criticality=false
          SubjectKeyIdentifier [
          KeyIdentifier [
          0000: B5 10 57 84 BB 7F A0 ED BA E5 0C D3 00 06 A3 67 ..W............g
          0010: 97 93 B2 9E ....
          ]
          ]

          [3]: ObjectId: 1.3.6.1.4.1.311.21.7 Criticality=false
          Extension unknown: DER encoded OCTET string =
          0000: 04 30 30 2E 06 26 2B 06 01 04 01 82 37 15 08 86 .00..&+.....7...
          0010: D5 D8 7B 86 FA 8D 54 86 85 9F 20 87 92 89 64 CB ......T... ...d.
          0020: D5 69 81 57 84 D5 FB 1A 84 99 9C 1D 02 01 64 02 .i.W..........d.
          0030: 01 09 ..


          [4]: ObjectId: 2.5.29.35 Criticality=false
          AuthorityKeyIdentifier [
          KeyIdentifier [
          0000: 26 0F F4 17 D4 4A 12 51 1A 7F FC 77 A9 FB 4D 9F &....J.Q...w..M.
          0010: 2B 75 DB 71 +u.q
          ]

          ]

          [5]: ObjectId: 2.5.29.31 Criticality=false
          CRLDistributionPoints [
          [DistributionPoint:
          [URIName: ldap:///CN=COMPANY%20NAME%20Internal%20Issuing%20CA,CN=CASERVER,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=PARENT,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint, URIName: http://grc/CertEnroll/COMPANY%20NAME%20Internal%20Issuing%20CA.crl]
          ]]

          [6]: ObjectId: 2.5.29.37 Criticality=false
          ExtendedKeyUsages [
          serverAuth
          ]

          [7]: ObjectId: 2.5.29.15 Criticality=false
          KeyUsage [
          DigitalSignature
          Key_Encipherment
          ]

          [8]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
          AuthorityInfoAccess [
          [
          accessMethod: 1.3.6.1.5.5.7.48.2
          accessLocation: URIName: ldap:///CN=COMPANY%20NAME%20Internal%20Issuing%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=PARENT,DC=local?cACertificate?base?objectClass=certificationAuthority,
          accessMethod: 1.3.6.1.5.5.7.48.2
          accessLocation: URIName: http://grc/CertEnroll/CASERVER.PARENT.local_COMPANY%20NAME%20Internal%20Issuing%20CA.crt]
          ]

          ]
          Algorithm: [SHA1withRSA]
          Signature:

          ]
          chain [1] = [
          [
          Version: V3
          Subject: CN=XXXX Issuing CA 1, DC=PARENT, DC=local
          Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

          Key: Sun RSA public key, 4096 bits
          modulus: 710747583573312574266490133477718883175487276449197913367026878246770193366457918874117476848478441807997531601094195095347346667689692353006504772944438996992450206899974172461254170122772439064429800711214524654866811730387219923130077806688460698464420214016926635867290603880408310617196928261244715828938301877231716326135074613866166266159259934139101921704779393181418255236792357734373593843718044094652636084163613474834609513843820562318123712380380149595812702759706362225520298197347612448307537891820678903130283982229075610354246846288916706947063755002331306861708051010714413368970384817146977404909469979632866552303188492277584433342593521141366135313838512466732534501590138191730280137881018224930733224059655122933806684532601188457885427610523069862515778641416852689946070635946964424320750853912644963820761441121054160612741706028476665999908623924083348202525432243752651038591517730169571766303195624990856696540820396758325375089424534352671820926638511083232512074733251774179961972469706146941508467638490252757323558523275340769098076309821000325759423874166279533532418396039620418656504638481199111216522253786699411470101677803106926554982288403832319169109858989451431608015520012872771792487551381
          public exponent: 65537
          Validity: [From: Thu Mar 13 14:05:43 MDT 2008,
                         To: Tue Mar 13 14:15:43 MDT 2018]
          Issuer: CN=XXXX Root CA, DC="PARENT.DC=local"
          SerialNumber: [    19e8d467 00000000 0008]

          Certificate Extensions: 7
          [1]: ObjectId: 1.3.6.1.4.1.311.20.2 Criticality=false
          Extension unknown: DER encoded OCTET string =
          0000: 04 0C 1E 0A 00 53 00 75 00 62 00 43 00 41 .....S.u.b.C.A


          [2]: ObjectId: 2.5.29.14 Criticality=false
          SubjectKeyIdentifier [
          KeyIdentifier [
          0000: 73 7B 89 88 B8 20 C4 74 0E E9 15 70 F2 AA B5 93 s.... .t...p....
          0010: 95 4B EF 10 .K..
          ]
          ]

          [3]: ObjectId: 2.5.29.35 Criticality=false
          AuthorityKeyIdentifier [
          KeyIdentifier [
          0000: 37 65 99 AA A5 52 A4 DD F4 97 50 DA B5 6A 46 B1 7e...R....P..jF.
          0010: EC F3 21 30 ..!0
          ]

          ]

          [4]: ObjectId: 1.3.6.1.4.1.311.21.2 Criticality=false
          Extension unknown: DER encoded OCTET string =
          0000: 04 16 04 14 D5 C8 60 1F D4 BC C8 F4 29 18 65 55 ......`.....).eU
          0010: 71 89 08 08 6E C4 1C B1 q...n...


          [5]: ObjectId: 2.5.29.15 Criticality=false
          KeyUsage [
          DigitalSignature
          Key_CertSign
          Crl_Sign
          ]

          [6]: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false
          Extension unknown: DER encoded OCTET string =
          0000: 04 05 02 03 01 00 01 .......


          [7]: ObjectId: 2.5.29.19 Criticality=true
          BasicConstraints:[
          CA:true
          PathLen:2147483647
          ]

          Unparseable certificate extensions: 2
          [1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
          Unparseable AuthorityInfoAccess extension due to
          java.io.IOException: invalid URI name:file://\\tyson\CertEnroll\tyson_XXXX Root CA.crt

          [2]: ObjectId: 2.5.29.31 Criticality=false
          Unparseable CRLDistributionPoints extension due to
          java.io.IOException: invalid URI name:file://\\tyson\CertEnroll\XXXX Root CA.crl

          ]
          Algorithm: [SHA1withRSA]
          Signature:

          ]
          ***
          Found trusted certificate:
          [
          [
          Version: V3
          Subject: EMAILADDRESS=jthompson@COMPANY.com, CN=SERVER, OU=Web Team, O=COMPANY NAME, L=CITY, ST=STATE, C=US
          Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

          Key: Sun RSA public key, 2048 bits
          modulus: 31516488916856175993354388556520068293794356693242681182245201286667548063641640358313574888462489933475402864236800262460826430243488030753558168637830135426373840447558297285290406873898984898413863294812616756309132288938801104047345625475355654376426138494767988080314969827787605621823083455352331480850948116669339339048031040543939696472504286395458369701032317090387365961443301475102633799830067724032223647096133387365632477706202020365811242759581209534410179060268963901969481769329740356404722306624236516162225426247695795946763666223293969793336832548340134282004822442343909786198074157323202609655959
          public exponent: 65537
          Validity: [From: Fri Mar 15 07:44:35 MDT 2013,
                         To: Sun Mar 15 07:44:35 MDT 2015]
          Issuer: CN=COMPANY NAME Internal Issuing CA, DC=PARENT, DC=local
          SerialNumber: [    4208795e 00000000 0d7d]

          Certificate Extensions: 8
          [1]: ObjectId: 1.3.6.1.4.1.311.21.10 Criticality=false
          Extension unknown: DER encoded OCTET string =
          0000: 04 0E 30 0C 30 0A 06 08 2B 06 01 05 05 07 03 01 ..0.0...+.......


          [2]: ObjectId: 2.5.29.14 Criticality=false
          SubjectKeyIdentifier [
          KeyIdentifier [
          0000: B5 10 57 84 BB 7F A0 ED BA E5 0C D3 00 06 A3 67 ..W............g
          0010: 97 93 B2 9E ....
          ]
          ]

          [3]: ObjectId: 1.3.6.1.4.1.311.21.7 Criticality=false
          Extension unknown: DER encoded OCTET string =
          0000: 04 30 30 2E 06 26 2B 06 01 04 01 82 37 15 08 86 .00..&+.....7...
          0010: D5 D8 7B 86 FA 8D 54 86 85 9F 20 87 92 89 64 CB ......T... ...d.
          0020: D5 69 81 57 84 D5 FB 1A 84 99 9C 1D 02 01 64 02 .i.W..........d.
          0030: 01 09 ..


          [4]: ObjectId: 2.5.29.35 Criticality=false
          AuthorityKeyIdentifier [
          KeyIdentifier [
          0000: 26 0F F4 17 D4 4A 12 51 1A 7F FC 77 A9 FB 4D 9F &....J.Q...w..M.
          0010: 2B 75 DB 71 +u.q
          ]

          ]

          [5]: ObjectId: 2.5.29.31 Criticality=false
          CRLDistributionPoints [
          [DistributionPoint:
          [URIName: ldap:///CN=COMPANY%20NAME%20Internal%20Issuing%20CA,CN=CASERVER,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=PARENT,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint, URIName: http://grc/CertEnroll/COMPANY%20NAME%20Internal%20Issuing%20CA.crl]
          ]]

          [6]: ObjectId: 2.5.29.37 Criticality=false
          ExtendedKeyUsages [
          serverAuth
          ]

          [7]: ObjectId: 2.5.29.15 Criticality=false
          KeyUsage [
          DigitalSignature
          Key_Encipherment
          ]

          [8]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
          AuthorityInfoAccess [
          [
          accessMethod: 1.3.6.1.5.5.7.48.2
          accessLocation: URIName: ldap:///CN=COMPANY%20NAME%20Internal%20Issuing%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=PARENT,DC=local?cACertificate?base?objectClass=certificationAuthority,
          accessMethod: 1.3.6.1.5.5.7.48.2
          accessLocation: URIName: http://grc/CertEnroll/CASERVER.PARENT.local_COMPANY%20NAME%20Internal%20Issuing%20CA.crt]
          ]

          ]
          Algorithm: [SHA1withRSA]
          Signature:

          ]
          *** ServerHelloDone
          *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
          main, WRITE: TLSv1 Handshake, length = 262
          SESSION KEYGEN:
          PreMaster Secret:
          0000: 03 01 8E DB 5A 42 FB 92 76 3B C0 3D 24 3A 62 71 ....ZB..v;.=$:bq
          0010: 2D 20 3C 30 51 8E AB 3C 11 30 58 7A 59 68 07 DD - <0Q..<.0XzYh..
          0020: 6F 27 04 D7 F4 36 50 BA 7B 80 74 F8 42 A7 A8 4B o'...6P...t.B..K
          CONNECTION KEYGEN:
          Client Nonce:
          0000: 51 49 B8 CB AB 7B 3D AC 7E F2 D4 01 04 B0 F2 AA QI....=.........
          0010: A0 1D 5E 47 05 9C 69 FE C6 86 79 C3 5E B4 4B 91 ..^G..i...y.^.K.
          Server Nonce:
          0000: 51 49 B8 CB A6 B6 D8 D5 4F D0 4A 82 BC 8B 2B AD QI......O.J...+.
          0010: B5 8E 7A 32 8B 68 72 95 D2 26 80 83 C5 36 B8 3C ..z2.hr..&...6.<
          Master Secret:
          0000: CD 71 83 49 FE 65 1E A9 C7 B7 53 D0 98 AC 2D 2B .q.I.e....S...-+
          0010: C8 9B 8B 43 1D E9 E2 A7 CC B9 A9 BF CA 20 D1 B8 ...C......... ..
          0020: 14 4E F2 2E 97 16 6F 50 48 3A 86 2B C8 EF 84 E8 .N....oPH:.+....
          Client MAC write Secret:
          0000: 94 F6 78 13 0F 15 40 AA 05 21 9B AA 65 A5 1F BC ..x...@..!..e...
          Server MAC write Secret:
          0000: 0F 3D 2B 1A 5C AA 55 FB 3A AC 72 90 F6 AA 9D 98 .=+.\.U.:.r.....
          Client write key:
          0000: 6D 14 7A 92 F9 40 27 3A 29 9F 43 37 BB 8C 04 53 m.z..@':).C7...S
          Server write key:
          0000: 90 71 00 90 FE 06 D6 E9 98 6F 34 C2 D5 6A 40 0C .q.......o4..j@.
          ... no IV used for this cipher
          main, WRITE: TLSv1 Change Cipher Spec, length = 1
          *** Finished
          verify_data: { 251, 198, 237, 121, 161, 170, 156, 152, 69, 108, 68, 188 }
          ***
          main, WRITE: TLSv1 Handshake, length = 32
          main, READ: TLSv1 Change Cipher Spec, length = 1
          main, READ: TLSv1 Handshake, length = 32
          *** Finished
          verify_data: { 226, 240, 104, 1, 79, 28, 146, 177, 168, 18, 109, 107 }
          ***
          %% Cached client session: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
          main, WRITE: TLSv1 Application Data, length = 203
          main, READ: TLSv1 Application Data, length = 334
          <employeeauth>
          <eaRC>-1</eaRC>
          <eaRM> Userid %userid% is not authenticated. Error type=javax.naming.NamingException</eaRM>
          <eaNum></eaNum>
          </employeeauth>

          Edited by: user3402186 on Mar 20, 2013 7:21 AM
          • 2. Re: RECV TLSv1 ALERT: fatal, handshake_failure in Java 1.7
            998079
            Debug log for Java 1.7 client. Gets handshake_failure.

            Java Version: 1.7.0_17
            ----------------------------------------

            URL: https://SERVER/invoke/tools.employees.apps:APPNAME

            keyStore is :
            keyStore type is : jks
            keyStore provider is :
            init keystore
            init keymanager of type SunX509
            trustStore is: C:\Users\USER\Desktop\SERVERcert
            trustStore type is : jks
            trustStore provider is :
            init truststore
            adding as trusted cert:
            Subject: CN=www.google.com, O=Google Inc, L=Mountain View, ST=California, C=US
            Issuer: CN=Google Internet Authority, O=Google Inc, C=US
            Algorithm: RSA; Serial number: 0x14850d9e000000007d40
            Valid from Wed Feb 20 06:34:56 MST 2013 until Fri Jun 07 13:43:27 MDT 2013

            adding as trusted cert:
            Subject: EMAILADDRESS=jthompson@COMPANY.com, CN=SERVER, OU=Web Team, O=COMPANY NAME, L=CITY, ST=STATE, C=US
            Issuer: CN=COMPANY NAME Internal Issuing CA, DC=PARENT, DC=local
            Algorithm: RSA; Serial number: 0x4208795e000000000d7d
            Valid from Fri Mar 15 07:44:35 MDT 2013 until Sun Mar 15 07:44:35 MDT 2015

            trigger seeding of SecureRandom
            done seeding SecureRandom
            Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
            Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
            Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
            Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
            Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
            Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
            Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
            Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
            Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
            Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
            Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
            Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
            Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
            Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
            Allow unsafe renegotiation: false
            Allow legacy hello messages: true
            Is initial handshake: true
            Is secure renegotiation: false
            main, setSoTimeout(0) called
            %% No cached client session
            *** ClientHello, TLSv1

            RandomCookie: GMT: 1363720456 bytes = { 113, 24, 242, 51, 45, 18, 117, 236, 52, 147, 16, 22, 151, 59, 151, 33, 56, 187, 24, 145, 231, 25, 84, 44, 176, 112, 61, 79 }
            Session ID: {}
            Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
            Compression Methods: { 0 }
            Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
            Extension ec_point_formats, formats: [uncompressed]
            ***
            main, WRITE: TLSv1 Handshake, length = 163

            main, READ: TLSv1 Handshake, length = 3437
            *** ServerHello, TLSv1

            RandomCookie: GMT: 1363720456 bytes = { 115, 135, 78, 234, 92, 217, 33, 197, 14, 143, 108, 244, 200, 229, 61, 239, 136, 174, 40, 109, 70, 165, 24, 112, 160, 149, 80, 196 }
            Session ID: {186, 54, 109, 12, 100, 9, 3, 187, 38, 58, 152, 239, 137, 244, 79, 87}
            Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA
            Compression Method: 0
            Extension renegotiation_info, renegotiated_connection: <empty>
            ***
            %% Initialized: [Session-1, TLS_RSA_WITH_AES_256_CBC_SHA]
            ** TLS_RSA_WITH_AES_256_CBC_SHA
            *** Certificate chain
            chain [0] = [
            [
            Version: V3
            Subject: EMAILADDRESS=jthompson@COMPANY.com, CN=SERVER, OU=Web Team, O=COMPANY NAME, L=CITY, ST=STATE, C=US
            Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

            Key: Sun RSA public key, 2048 bits
            modulus: 31516488916856175993354388556520068293794356693242681182245201286667548063641640358313574888462489933475402864236800262460826430243488030753558168637830135426373840447558297285290406873898984898413863294812616756309132288938801104047345625475355654376426138494767988080314969827787605621823083455352331480850948116669339339048031040543939696472504286395458369701032317090387365961443301475102633799830067724032223647096133387365632477706202020365811242759581209534410179060268963901969481769329740356404722306624236516162225426247695795946763666223293969793336832548340134282004822442343909786198074157323202609655959
            public exponent: 65537
            Validity: [From: Fri Mar 15 07:44:35 MDT 2013,
                           To: Sun Mar 15 07:44:35 MDT 2015]
            Issuer: CN=COMPANY NAME Internal Issuing CA, DC=PARENT, DC=local
            SerialNumber: [    4208795e 00000000 0d7d]

            Certificate Extensions: 8
            [1]: ObjectId: 1.3.6.1.4.1.311.21.10 Criticality=false
            Extension unknown: DER encoded OCTET string =
            0000: 04 0E 30 0C 30 0A 06 08 2B 06 01 05 05 07 03 01 ..0.0...+.......

            [2]: ObjectId: 1.3.6.1.4.1.311.21.7 Criticality=false
            Extension unknown: DER encoded OCTET string =
            0000: 04 30 30 2E 06 26 2B 06 01 04 01 82 37 15 08 86 .00..&+.....7...
            0010: D5 D8 7B 86 FA 8D 54 86 85 9F 20 87 92 89 64 CB ......T... ...d.
            0020: D5 69 81 57 84 D5 FB 1A 84 99 9C 1D 02 01 64 02 .i.W..........d.
            0030: 01 09 ..


            [3]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
            AuthorityInfoAccess [
            [
            accessMethod: caIssuers
            accessLocation: URIName: ldap:///CN=COMPANY%20NAME%20Internal%20Issuing%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=PARENT,DC=local?cACertificate?base?objectClass=certificationAuthority
            ,
            accessMethod: caIssuers
            accessLocation: URIName: http://grc/CertEnroll/CASERVER.PARENT.local_COMPANY%20NAME%20Internal%20Issuing%20CA.crt
            ]
            ]

            [4]: ObjectId: 2.5.29.35 Criticality=false
            AuthorityKeyIdentifier [
            KeyIdentifier [
            0000: 26 0F F4 17 D4 4A 12 51 1A 7F FC 77 A9 FB 4D 9F &....J.Q...w..M.
            0010: 2B 75 DB 71 +u.q
            ]

            ]

            [5]: ObjectId: 2.5.29.31 Criticality=false
            CRLDistributionPoints [
            [DistributionPoint:
            [URIName: ldap:///CN=COMPANY%20NAME%20Internal%20Issuing%20CA,CN=CASERVER,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=PARENT,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint, URIName: http://grc/CertEnroll/COMPANY%20NAME%20Internal%20Issuing%20CA.crl]
            ]]

            [6]: ObjectId: 2.5.29.37 Criticality=false
            ExtendedKeyUsages [
            serverAuth
            ]

            [7]: ObjectId: 2.5.29.15 Criticality=false
            KeyUsage [
            DigitalSignature
            Key_Encipherment
            ]

            [8]: ObjectId: 2.5.29.14 Criticality=false
            SubjectKeyIdentifier [
            KeyIdentifier [
            0000: B5 10 57 84 BB 7F A0 ED BA E5 0C D3 00 06 A3 67 ..W............g
            0010: 97 93 B2 9E ....
            ]
            ]

            ]
            Algorithm: [SHA1withRSA]
            Signature:

            ]
            chain [1] = [
            [
            Version: V3
            Subject: CN=XXXX Issuing CA 1, DC=PARENT, DC=local
            Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

            Key: Sun RSA public key, 4096 bits
            modulus: 710747583573312574266490133477718883175487276449197913367026878246770193366457918874117476848478441807997531601094195095347346667689692353006504772944438996992450206899974172461254170122772439064429800711214524654866811730387219923130077806688460698464420214016926635867290603880408310617196928261244715828938301877231716326135074613866166266159259934139101921704779393181418255236792357734373593843718044094652636084163613474834609513843820562318123712380380149595812702759706362225520298197347612448307537891820678903130283982229075610354246846288916706947063755002331306861708051010714413368970384817146977404909469979632866552303188492277584433342593521141366135313838512466732534501590138191730280137881018224930733224059655122933806684532601188457885427610523069862515778641416852689946070635946964424320750853912644963820761441121054160612741706028476665999908623924083348202525432243752651038591517730169571766303195624990856696540820396758325375089424534352671820926638511083232512074733251774179961972469706146941508467638490252757323558523275340769098076309821000325759423874166279533532418396039620418656504638481199111216522253786699411470101677803106926554982288403832319169109858989451431608015520012872771792487551381
            public exponent: 65537
            Validity: [From: Thu Mar 13 14:05:43 MDT 2008,
                           To: Tue Mar 13 14:15:43 MDT 2018]
            Issuer: CN=XXXX Root CA, DC="PARENT.DC=local"
            SerialNumber: [    19e8d467 00000000 0008]

            Certificate Extensions: 7
            [1]: ObjectId: 1.3.6.1.4.1.311.20.2 Criticality=false
            Extension unknown: DER encoded OCTET string =
            0000: 04 0C 1E 0A 00 53 00 75 00 62 00 43 00 41 .....S.u.b.C.A


            [2]: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false
            Extension unknown: DER encoded OCTET string =
            0000: 04 05 02 03 01 00 01 .......


            [3]: ObjectId: 1.3.6.1.4.1.311.21.2 Criticality=false
            Extension unknown: DER encoded OCTET string =
            0000: 04 16 04 14 D5 C8 60 1F D4 BC C8 F4 29 18 65 55 ......`.....).eU
            0010: 71 89 08 08 6E C4 1C B1 q...n...


            [4]: ObjectId: 2.5.29.35 Criticality=false
            AuthorityKeyIdentifier [
            KeyIdentifier [
            0000: 37 65 99 AA A5 52 A4 DD F4 97 50 DA B5 6A 46 B1 7e...R....P..jF.
            0010: EC F3 21 30 ..!0
            ]

            ]

            [5]: ObjectId: 2.5.29.19 Criticality=true
            BasicConstraints:[
            CA:true
            PathLen:2147483647
            ]

            [6]: ObjectId: 2.5.29.15 Criticality=false
            KeyUsage [
            DigitalSignature
            Key_CertSign
            Crl_Sign
            ]

            [7]: ObjectId: 2.5.29.14 Criticality=false
            SubjectKeyIdentifier [
            KeyIdentifier [
            0000: 73 7B 89 88 B8 20 C4 74 0E E9 15 70 F2 AA B5 93 s.... .t...p....
            0010: 95 4B EF 10 .K..
            ]
            ]

            Unparseable certificate extensions: 2
            [1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
            Unparseable AuthorityInfoAccess extension due to
            java.io.IOException: invalid URI name:file://\\tyson\CertEnroll\tyson_XXXX Root CA.crt


            [2]: ObjectId: 2.5.29.31 Criticality=false
            Unparseable CRLDistributionPoints extension due to
            java.io.IOException: invalid URI name:file://\\tyson\CertEnroll\XXXX Root CA.crl


            ]
            Algorithm: [SHA1withRSA]
            Signature:

            ]
            ***
            Found trusted certificate:
            [
            [
            Version: V3
            Subject: EMAILADDRESS=jthompson@COMPANY.com, CN=SERVER, OU=Web Team, O=COMPANY NAME, L=CITY, ST=STATE, C=US
            Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

            Key: Sun RSA public key, 2048 bits
            modulus: 31516488916856175993354388556520068293794356693242681182245201286667548063641640358313574888462489933475402864236800262460826430243488030753558168637830135426373840447558297285290406873898984898413863294812616756309132288938801104047345625475355654376426138494767988080314969827787605621823083455352331480850948116669339339048031040543939696472504286395458369701032317090387365961443301475102633799830067724032223647096133387365632477706202020365811242759581209534410179060268963901969481769329740356404722306624236516162225426247695795946763666223293969793336832548340134282004822442343909786198074157323202609655959
            public exponent: 65537
            Validity: [From: Fri Mar 15 07:44:35 MDT 2013,
                           To: Sun Mar 15 07:44:35 MDT 2015]
            Issuer: CN=COMPANY NAME Internal Issuing CA, DC=PARENT, DC=local
            SerialNumber: [    4208795e 00000000 0d7d]

            Certificate Extensions: 8
            [1]: ObjectId: 1.3.6.1.4.1.311.21.10 Criticality=false
            Extension unknown: DER encoded OCTET string =
            0000: 04 0E 30 0C 30 0A 06 08 2B 06 01 05 05 07 03 01 ..0.0...+.......

            [2]: ObjectId: 1.3.6.1.4.1.311.21.7 Criticality=false
            Extension unknown: DER encoded OCTET string =
            0000: 04 30 30 2E 06 26 2B 06 01 04 01 82 37 15 08 86 .00..&+.....7...
            0010: D5 D8 7B 86 FA 8D 54 86 85 9F 20 87 92 89 64 CB ......T... ...d.
            0020: D5 69 81 57 84 D5 FB 1A 84 99 9C 1D 02 01 64 02 .i.W..........d.
            0030: 01 09 ..


            [3]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
            AuthorityInfoAccess [
            [
            accessMethod: caIssuers
            accessLocation: URIName: ldap:///CN=COMPANY%20NAME%20Internal%20Issuing%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=PARENT,DC=local?cACertificate?base?objectClass=certificationAuthority
            ,
            accessMethod: caIssuers
            accessLocation: URIName: http://grc/CertEnroll/CASERVER.PARENT.local_COMPANY%20NAME%20Internal%20Issuing%20CA.crt
            ]
            ]

            [4]: ObjectId: 2.5.29.35 Criticality=false
            AuthorityKeyIdentifier [
            KeyIdentifier [
            0000: 26 0F F4 17 D4 4A 12 51 1A 7F FC 77 A9 FB 4D 9F &....J.Q...w..M.
            0010: 2B 75 DB 71 +u.q
            ]

            ]

            [5]: ObjectId: 2.5.29.31 Criticality=false
            CRLDistributionPoints [
            [DistributionPoint:
            [URIName: ldap:///CN=COMPANY%20NAME%20Internal%20Issuing%20CA,CN=CASERVER,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=PARENT,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint, URIName: http://grc/CertEnroll/COMPANY%20NAME%20Internal%20Issuing%20CA.crl]
            ]]

            [6]: ObjectId: 2.5.29.37 Criticality=false
            ExtendedKeyUsages [
            serverAuth
            ]

            [7]: ObjectId: 2.5.29.15 Criticality=false
            KeyUsage [
            DigitalSignature
            Key_Encipherment
            ]

            [8]: ObjectId: 2.5.29.14 Criticality=false
            SubjectKeyIdentifier [
            KeyIdentifier [
            0000: B5 10 57 84 BB 7F A0 ED BA E5 0C D3 00 06 A3 67 ..W............g
            0010: 97 93 B2 9E ....
            ]
            ]

            ]
            Algorithm: [SHA1withRSA]
            Signature:

            ]
            *** ServerHelloDone
            *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
            main, WRITE: TLSv1 Handshake, length = 262
            main, WRITE: TLSv1 Change Cipher Spec, length = 1
            *** Finished
            verify_data: { 114, 227, 19, 222, 162, 73, 80, 229, 15, 199, 23, 154 }
            ***
            main, WRITE: TLSv1 Handshake, length = 48
            main, READ: TLSv1 Alert, length = 2
            main, RECV TLSv1 ALERT: fatal, handshake_failure
            %% Invalidated: [Session-1, TLS_RSA_WITH_AES_256_CBC_SHA]
            main, called closeSocket()
            main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

            javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
                 at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
                 at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
                 at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1961)
                 at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1077)
                 at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
                 at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
                 at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
                 at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:515)
                 at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
                 at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
                 at testhttps.Main.runTest(Main.java:39)
                 at testhttps.Main.main(Main.java:23)
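
A triage script for `javax.net.debug` output like the log in the post above, added here as an example and not part of the original thread: it pulls out the cipher suite named in the ServerHello, the handshake messages seen before the first alert, and any certificate extensions the JVM reported as unparseable. The sample lines are abridged from the posted log; the function name and summary fields are assumptions of this example.

```python
import re

# Constructed sample: lines abridged from the javax.net.debug=ssl,handshake
# output posted above; certificate bodies and key material are left out.
SAMPLE_LOG = r"""
*** ClientHello, TLSv1
main, WRITE: TLSv1 Handshake, length = 163
main, READ: TLSv1 Handshake, length = 3437
*** ServerHello, TLSv1
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA
*** Certificate chain
Unparseable AuthorityInfoAccess extension due to
java.io.IOException: invalid URI name:file://\\tyson\CertEnroll\tyson_XXXX Root CA.crt
Unparseable CRLDistributionPoints extension due to
java.io.IOException: invalid URI name:file://\\tyson\CertEnroll\XXXX Root CA.crl
*** ServerHelloDone
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
main, WRITE: TLSv1 Handshake, length = 262
main, WRITE: TLSv1 Change Cipher Spec, length = 1
*** Finished
main, WRITE: TLSv1 Handshake, length = 48
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1 ALERT: fatal, handshake_failure
%% Invalidated: [Session-1, TLS_RSA_WITH_AES_256_CBC_SHA]
"""

MESSAGE = re.compile(
    r"^\*\*\* (ClientHello|ServerHello|Certificate chain|ServerKeyExchange|"
    r"CertificateRequest|ServerHelloDone|ClientKeyExchange|CertificateVerify|"
    r"Finished)\b")
RECORD = re.compile(r"^.+?, (READ|WRITE): \S+ (.+), length = \d+$")
ALERT = re.compile(r"^.+?, (RECV|SEND) \S+ ALERT:\s+(\w+), (\w+)$")
SUITE = re.compile(r"^Cipher Suite: (\S+)$")
UNPARSEABLE = re.compile(r"^Unparseable (\w+) extension due to$")


def summarize(log_text):
    """Reduce a JSSE debug log to the facts needed to place a handshake alert."""
    summary = {
        "cipher_suite": None,              # suite named in the ServerHello
        "messages": [],                    # handshake messages before the first alert
        "ccs_written_before_alert": False,
        "alert": None,                     # (direction, level, description)
        "last_message_before_alert": None,
        "unparseable_extensions": [],      # (extension name, parser error)
    }
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        m = UNPARSEABLE.match(line)
        if m:
            # The parser exception is printed on the following line.
            reason = lines[i + 1] if i + 1 < len(lines) else ""
            summary["unparseable_extensions"].append((m.group(1), reason))
            continue
        if summary["alert"] is not None:
            continue  # only the exchange up to the first alert is summarized
        m = SUITE.match(line)
        if m:
            summary["cipher_suite"] = m.group(1)
            continue
        m = MESSAGE.match(line)
        if m:
            summary["messages"].append(m.group(1))
            continue
        m = RECORD.match(line)
        if m and m.groups() == ("WRITE", "Change Cipher Spec"):
            summary["ccs_written_before_alert"] = True
            continue
        m = ALERT.match(line)
        if m:
            summary["alert"] = m.groups()
            if summary["messages"]:
                summary["last_message_before_alert"] = summary["messages"][-1]
    return summary


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, the summary shows the fatal alert arriving after the client had written its ChangeCipherSpec and Finished, with the server having already named TLS_RSA_WITH_AES_256_CBC_SHA in its ServerHello.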
            • 3. Re: RECV TLSv1 ALERT: fatal, handshake_failure in Java 1.7
              sabre150
              Have you installed the 'unlimited strength' files in your Java 7?
              • 4. Re: RECV TLSv1 ALERT: fatal, handshake_failure in Java 1.7
                720986
                Yes, the unlimited strength files are installed on both the server (Java 1.6) and on both Java 1.6 and 1.7 on the client.
                • 5. Re: RECV TLSv1 ALERT: fatal, handshake_failure in Java 1.7
                  EJP
                  java.io.IOException: invalid URI name:file://\\tyson\CertEnroll\tyson_XXXX Root CA.crt
                  Are you aware of this problem with one of the certificates? This is complete nonsense. I don't know whether it's causing this problem but it might. Complain to whoever issued that certificate.
                  • 6. Re: RECV TLSv1 ALERT: fatal, handshake_failure in Java 1.7
                    1012354
                    I think I have the same problem. I'm connecting to an RDP server with Network Level Authentication (TLS) enabled.

                    The code only works on 1.6.0_27 and below; it also works on all versions of OpenJDK. Here is the log:

                    Allow unsafe renegotiation: true
                    Allow legacy hello messages: true
                    Is initial handshake: true
                    Is secure renegotiation: false
                    %% No cached client session
                    *** ClientHello, TLSv1

                    [Raw read]: length = 5
                    0000: 15 03 01 00 20 ....
                    [Raw read]: length = 32
                    0000: 09 2B C0 F4 A1 6F AC 29 1B E1 1E E8 D6 B6 98 F6 .+...o.)........
                    0010: 7B D9 D0 11 E4 22 88 B1 6B 6D 59 98 51 A3 A5 40 ....."..kmY.Q..@
                    RdpRunner, READ: TLSv1 Alert, length = 32
                    Padded plaintext after DECRYPTION: len = 32
                    0000: 02 50 C6 D9 DF E5 CC 0E 1F 5C BF FE 3E 4E 69 AA .P.......\..>Ni.
                    0010: B8 10 F8 C0 42 2B 09 09 09 09 09 09 09 09 09 09 ....B+..........
                    RdpRunner, RECV TLSv1 ALERT: fatal, internal_error
                    %% Invalidated: [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA]
                    RdpRunner, called closeSocket()
                    RdpRunner, handling exception: javax.net.ssl.SSLException: Received fatal alert: internal_error
                    javax.net.ssl.SSLException: Received fatal alert: internal_error
                         at sun.security.ssl.Alerts.getSSLException(Unknown Source)
                         at sun.security.ssl.Alerts.getSSLException(Unknown Source)
                         at sun.security.ssl.SSLSocketImpl.recvAlert(Unknown Source)
                         at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
                         at sun.security.ssl.SSLSocketImpl.readDataRecord(Unknown Source)
                         at sun.security.ssl.AppInputStream.read(Unknown Source)
                         at java.io.BufferedInputStream.fill(Unknown Source)
                         at java.io.BufferedInputStream.read(Unknown Source)
                         at java.io.FilterInputStream.read(Unknown Source)
                         at org.bouncycastle.asn1.ASN1InputStream.readObject(ASN1InputStream.java:180)
                         at net.protocol.credssp.CredSsp.readTsRequest(CredSsp.java:44)
                         at net.protocol.credssp.CredSsp.execute(CredSsp.java:186)
                         at net.protocol.socket.SocketLayer.executeCredSsp(SocketLayer.java:199)
                         at net.protocol.x224.X224Layer.receiveConnectionConfirm(X224Layer.java:225)
                         at net.protocol.x224.X224Layer.connect(X224Layer.java:119)
                         at net.protocol.mcs.MCSLayer.connect(MCSLayer.java:323)
                         at net.protocol.secure.SecureLayer.connect(SecureLayer.java:260)
                         at net.protocol.secure.SecureLayer.connect(SecureLayer.java:273)
                         at net.protocol.rdp.RdpSlowPathLayer.connect(RdpSlowPathLayer.java:417)
                         at com.toremote.websocket.rdp.RdpRunner.run(RdpRunner.java:131)
                    net.protocol.rdp.RdpException: Received fatal alert: internal_error

                    Edited by: user10270852 on Jun 2, 2013 1:46 PM
                    • 7. Re: RECV TLSv1 ALERT: fatal, handshake_failure in Java 1.7
                      EJP
                      user10270852 wrote:
                      995076 wrote:
                      main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
                      I think I have the same problem. I'm connecting to an RDP server with Network Level Authentication (TLS) enabled.
                      ...
                      RdpRunner, handling exception: javax.net.ssl.SSLException: Received fatal alert: internal_error
                      No you don't. It isn't the same. Start your own thread.