7 Replies Latest reply: Jun 2, 2013 6:18 PM by EJP

RECV TLSv1 ALERT: fatal, handshake_failure in Java 1.7

998079 Newbie
I have two Java applications. Both were originally running Java 1.6. The applications communicate via an HTTPS call. The client is being converted to Java 1.7 while the server is being left at Java 1.6 for now.

When the client is run using Java 1.7 it gets an exception, javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure. The client works fine using Java 1.6. The client running on Java 1.7 can communicate with other applications such as https://www.google.com/ without any problem.

The debug log indicates that the client is accepting the server certificate without any problem. It is the server that is sending the handshake_failure response.

The only significant difference I can see between the two logs is that with the Java 1.6 client the server selects the SSL_RSA_WITH_RC4_128_MD5 cipher suite, while with the Java 1.7 client the server selects the TLS_RSA_WITH_AES_256_CBC_SHA cipher suite.

I can re-create the problem using a simple program and running it twice, once with Java 1.6 and once with Java 1.7.

package testhttps;

import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.net.URLConnection;

public class Main {
     private static final String JAVA_VERSION = "java.version";
     private static final String JAVAX_NET_DEBUG = "javax.net.debug";
     private static final String JAVAX_NET_SSL_TRUSTSTORE = "javax.net.ssl.trustStore";

     private static final String DEBUG_OPTS = "ssl,handshake";
     private static final String LOCAL_KS = "C:/Users/USER/Desktop/SERVERcert";
     private static final String LOCAL_URL = "https://SERVER/invoke/tools.employees.apps:APPNAME";
     private static final String GOOGLE_URL = "https://www.google.com/";

     public static void main(String[] args) throws IOException {
          System.out.println("Java Version: " + System.getProperty(JAVA_VERSION));
          printSep();
          System.setProperty(JAVAX_NET_DEBUG, DEBUG_OPTS);
          System.setProperty(JAVAX_NET_SSL_TRUSTSTORE, LOCAL_KS);
          runTest(LOCAL_URL);
          printSep();
          runTest(GOOGLE_URL);
     }
     
     private static void printSep() {
          System.out.println("----------------------------------------");
          System.out.println();
     }

     private static void runTest(String urlStr) {
          System.out.println("URL: " + urlStr);
          System.out.println();
          try {
               URL url = new URL(urlStr);
               URLConnection connection = url.openConnection();
               connection.connect();
               InputStream stream = connection.getInputStream();
               while (true) {
                    int n = stream.read();
                    if (n == -1)
                         break;
                    System.out.write(n);
               }
               stream.close();
               System.out.println();
          } catch (IOException e) {
               System.out.println();
               e.printStackTrace();
          }
     }
}
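
Added example (not part of the original post): the log comparison described above, done by a small parser that pulls the offered cipher suites, the server's choice, the ClientHello extensions and any alert out of two javax.net.debug logs and reports how the handshakes differ. The two embedded logs are constructed, abridged samples modelled on the output in this thread, and the function names are this example's own.

```python
import re

# Constructed, abridged samples modelled on the javax.net.debug output in this
# thread. Cipher lists are shortened and the position of the alert line is assumed.
LOG_JAVA6 = """\
*** ClientHello, TLSv1
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
***
main, WRITE: TLSv1 Handshake, length = 75
main, WRITE: SSLv2 client hello message, length = 101
main, READ: TLSv1 Handshake, length = 3437
*** ServerHello, TLSv1
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
"""

LOG_JAVA7 = """\
*** ClientHello, TLSv1
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1}
Extension ec_point_formats, formats: [uncompressed]
***
main, WRITE: TLSv1 Handshake, length = 163
main, READ: TLSv1 Handshake, length = 3437
*** ServerHello, TLSv1
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
main, RECV TLSv1 ALERT:  fatal, handshake_failure
"""

HELLO_RE = re.compile(r"\*\*\* (Client|Server)Hello, (\S+)")
ALERT_RE = re.compile(r"(SEND|RECV) \S+ ALERT:\s+(\w+), (\w+)")


def summarize(log):
    """Extract the negotiation-relevant facts from one javax.net.debug log."""
    s = {"client_version": None, "server_version": None, "offered": [],
         "selected": None, "client_extensions": [], "server_extensions": [],
         "sslv2_hello": False, "alerts": []}
    section = None  # "client" or "server" while inside a *Hello block
    for raw in log.splitlines():
        line = raw.strip()
        hello = HELLO_RE.match(line)
        if hello:
            section = hello.group(1).lower()
            s[section + "_version"] = hello.group(2)
        elif line == "***":
            section = None  # a bare *** closes the current handshake message
        elif section == "client" and line.startswith("Cipher Suites: ["):
            body = line[len("Cipher Suites: ["):].rstrip("]")
            s["offered"] = [c.strip() for c in body.split(",")]
        elif section == "server" and line.startswith("Cipher Suite: "):
            s["selected"] = line.split(": ", 1)[1]
        elif section and line.startswith("Extension "):
            s[section + "_extensions"].append(line.split()[1].rstrip(","))
        elif "WRITE: SSLv2 client hello" in line:
            s["sslv2_hello"] = True
        else:
            alert = ALERT_RE.search(line)
            if alert:
                s["alerts"].append(alert.groups())  # (direction, level, description)
    return s


def rank(suite, offered):
    """1-based position of a suite in the client's preference list, or None."""
    return offered.index(suite) + 1 if suite in offered else None


def compare(working_log, failing_log):
    """Report how the failing handshake differs from the working one."""
    a, b = summarize(working_log), summarize(failing_log)
    return {
        "selected": (a["selected"], b["selected"]),
        "selected_rank": (rank(a["selected"], a["offered"]),
                          rank(b["selected"], b["offered"])),
        # Is the suite that worked still offered by the failing client, and where?
        "working_suite_rank_in_failing_offer": rank(a["selected"], b["offered"]),
        "suites_only_in_failing_offer":
            [c for c in b["offered"] if c not in a["offered"]],
        "extensions_only_in_failing_hello":
            sorted(set(b["client_extensions"]) - set(a["client_extensions"])),
        "sslv2_hello": (a["sslv2_hello"], b["sslv2_hello"]),
        "alerts_in_failing_log": b["alerts"],
    }


if __name__ == "__main__":
    for key, value in compare(LOG_JAVA6, LOG_JAVA7).items():
        print(f"{key}: {value}")
```
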
  • 1. Re: RECV TLSv1 ALERT: fatal, handshake_failure in Java 1.7
    998079 Newbie
    Debug log for Java 1.6 client. Everything works.

    Java Version: 1.6.0_27
    ----------------------------------------

    URL: https://SERVER/invoke/tools.employees.apps:APPNAME

    keyStore is :
    keyStore type is : jks
    keyStore provider is :
    init keystore
    init keymanager of type SunX509
    trustStore is: C:\Users\USER\Desktop\SERVERcert
    trustStore type is : jks
    trustStore provider is :
    init truststore
    adding as trusted cert:
    Subject: CN=www.google.com, O=Google Inc, L=Mountain View, ST=California, C=US
    Issuer: CN=Google Internet Authority, O=Google Inc, C=US
    Algorithm: RSA; Serial number: 0x14850d9e000000007d40
    Valid from Wed Feb 20 06:34:56 MST 2013 until Fri Jun 07 13:43:27 MDT 2013

    adding as trusted cert:
    Subject: EMAILADDRESS=jthompson@COMPANY.com, CN=SERVER, OU=Web Team, O=COMPANY NAME, L=CITY, ST=STATE, C=US
    Issuer: CN=COMPANY NAME Internal Issuing CA, DC=PARENT, DC=local
    Algorithm: RSA; Serial number: 0x4208795e000000000d7d
    Valid from Fri Mar 15 07:44:35 MDT 2013 until Sun Mar 15 07:44:35 MDT 2015

    trigger seeding of SecureRandom
    done seeding SecureRandom
    Allow unsafe renegotiation: false
    Allow legacy hello messages: true
    Is initial handshake: true
    Is secure renegotiation: false
    %% No cached client session
    *** ClientHello, TLSv1
    RandomCookie: GMT: 1363720139 bytes = { 171, 123, 61, 172, 126, 242, 212, 1, 4, 176, 242, 170, 160, 29, 94, 71, 5, 156, 105, 254, 198, 134, 121, 195, 94, 180, 75, 145 }
    Session ID: {}
    Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
    Compression Methods: { 0 }
    ***
    main, WRITE: TLSv1 Handshake, length = 75
    main, WRITE: SSLv2 client hello message, length = 101
    main, READ: TLSv1 Handshake, length = 3437
    *** ServerHello, TLSv1
    RandomCookie: GMT: 1363720139 bytes = { 166, 182, 216, 213, 79, 208, 74, 130, 188, 139, 43, 173, 181, 142, 122, 50, 139, 104, 114, 149, 210, 38, 128, 131, 197, 54, 184, 60 }
    Session ID: {171, 166, 225, 109, 198, 100, 161, 155, 70, 133, 24, 13, 92, 97, 8, 198}
    Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
    Compression Method: 0
    Extension renegotiation_info, renegotiated_connection: <empty>
    ***
    %% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
    ** SSL_RSA_WITH_RC4_128_MD5
    *** Certificate chain
    chain [0] = [
    [
    Version: V3
    Subject: EMAILADDRESS=jthompson@COMPANY.com, CN=SERVER, OU=Web Team, O=COMPANY NAME, L=CITY, ST=STATE, C=US
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

    Key: Sun RSA public key, 2048 bits
    modulus: 31516488916856175993354388556520068293794356693242681182245201286667548063641640358313574888462489933475402864236800262460826430243488030753558168637830135426373840447558297285290406873898984898413863294812616756309132288938801104047345625475355654376426138494767988080314969827787605621823083455352331480850948116669339339048031040543939696472504286395458369701032317090387365961443301475102633799830067724032223647096133387365632477706202020365811242759581209534410179060268963901969481769329740356404722306624236516162225426247695795946763666223293969793336832548340134282004822442343909786198074157323202609655959
    public exponent: 65537
    Validity: [From: Fri Mar 15 07:44:35 MDT 2013,
                   To: Sun Mar 15 07:44:35 MDT 2015]
    Issuer: CN=COMPANY NAME Internal Issuing CA, DC=PARENT, DC=local
    SerialNumber: [    4208795e 00000000 0d7d]

    Certificate Extensions: 8
    [1]: ObjectId: 1.3.6.1.4.1.311.21.10 Criticality=false
    Extension unknown: DER encoded OCTET string =
    0000: 04 0E 30 0C 30 0A 06 08 2B 06 01 05 05 07 03 01 ..0.0...+.......


    [2]: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: B5 10 57 84 BB 7F A0 ED BA E5 0C D3 00 06 A3 67 ..W............g
    0010: 97 93 B2 9E ....
    ]
    ]

    [3]: ObjectId: 1.3.6.1.4.1.311.21.7 Criticality=false
    Extension unknown: DER encoded OCTET string =
    0000: 04 30 30 2E 06 26 2B 06 01 04 01 82 37 15 08 86 .00..&+.....7...
    0010: D5 D8 7B 86 FA 8D 54 86 85 9F 20 87 92 89 64 CB ......T... ...d.
    0020: D5 69 81 57 84 D5 FB 1A 84 99 9C 1D 02 01 64 02 .i.W..........d.
    0030: 01 09 ..


    [4]: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 26 0F F4 17 D4 4A 12 51 1A 7F FC 77 A9 FB 4D 9F &....J.Q...w..M.
    0010: 2B 75 DB 71 +u.q
    ]

    ]

    [5]: ObjectId: 2.5.29.31 Criticality=false
    CRLDistributionPoints [
    [DistributionPoint:
    [URIName: ldap:///CN=COMPANY%20NAME%20Internal%20Issuing%20CA,CN=CASERVER,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=PARENT,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint, URIName: http://grc/CertEnroll/COMPANY%20NAME%20Internal%20Issuing%20CA.crl]
    ]]

    [6]: ObjectId: 2.5.29.37 Criticality=false
    ExtendedKeyUsages [
    serverAuth
    ]

    [7]: ObjectId: 2.5.29.15 Criticality=false
    KeyUsage [
    DigitalSignature
    Key_Encipherment
    ]

    [8]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
    AuthorityInfoAccess [
    [
    accessMethod: 1.3.6.1.5.5.7.48.2
    accessLocation: URIName: ldap:///CN=COMPANY%20NAME%20Internal%20Issuing%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=PARENT,DC=local?cACertificate?base?objectClass=certificationAuthority,
    accessMethod: 1.3.6.1.5.5.7.48.2
    accessLocation: URIName: http://grc/CertEnroll/CASERVER.PARENT.local_COMPANY%20NAME%20Internal%20Issuing%20CA.crt]
    ]

    ]
    Algorithm: [SHA1withRSA]
    Signature:

    ]
    chain [1] = [
    [
    Version: V3
    Subject: CN=XXXX Issuing CA 1, DC=PARENT, DC=local
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

    Key: Sun RSA public key, 4096 bits
    modulus: 710747583573312574266490133477718883175487276449197913367026878246770193366457918874117476848478441807997531601094195095347346667689692353006504772944438996992450206899974172461254170122772439064429800711214524654866811730387219923130077806688460698464420214016926635867290603880408310617196928261244715828938301877231716326135074613866166266159259934139101921704779393181418255236792357734373593843718044094652636084163613474834609513843820562318123712380380149595812702759706362225520298197347612448307537891820678903130283982229075610354246846288916706947063755002331306861708051010714413368970384817146977404909469979632866552303188492277584433342593521141366135313838512466732534501590138191730280137881018224930733224059655122933806684532601188457885427610523069862515778641416852689946070635946964424320750853912644963820761441121054160612741706028476665999908623924083348202525432243752651038591517730169571766303195624990856696540820396758325375089424534352671820926638511083232512074733251774179961972469706146941508467638490252757323558523275340769098076309821000325759423874166279533532418396039620418656504638481199111216522253786699411470101677803106926554982288403832319169109858989451431608015520012872771792487551381
    public exponent: 65537
    Validity: [From: Thu Mar 13 14:05:43 MDT 2008,
                   To: Tue Mar 13 14:15:43 MDT 2018]
    Issuer: CN=XXXX Root CA, DC="PARENT.DC=local"
    SerialNumber: [    19e8d467 00000000 0008]

    Certificate Extensions: 7
    [1]: ObjectId: 1.3.6.1.4.1.311.20.2 Criticality=false
    Extension unknown: DER encoded OCTET string =
    0000: 04 0C 1E 0A 00 53 00 75 00 62 00 43 00 41 .....S.u.b.C.A


    [2]: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 73 7B 89 88 B8 20 C4 74 0E E9 15 70 F2 AA B5 93 s.... .t...p....
    0010: 95 4B EF 10 .K..
    ]
    ]

    [3]: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 37 65 99 AA A5 52 A4 DD F4 97 50 DA B5 6A 46 B1 7e...R....P..jF.
    0010: EC F3 21 30 ..!0
    ]

    ]

    [4]: ObjectId: 1.3.6.1.4.1.311.21.2 Criticality=false
    Extension unknown: DER encoded OCTET string =
    0000: 04 16 04 14 D5 C8 60 1F D4 BC C8 F4 29 18 65 55 ......`.....).eU
    0010: 71 89 08 08 6E C4 1C B1 q...n...


    [5]: ObjectId: 2.5.29.15 Criticality=false
    KeyUsage [
    DigitalSignature
    Key_CertSign
    Crl_Sign
    ]

    [6]: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false
    Extension unknown: DER encoded OCTET string =
    0000: 04 05 02 03 01 00 01 .......


    [7]: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
    CA:true
    PathLen:2147483647
    ]

    Unparseable certificate extensions: 2
    [1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
    Unparseable AuthorityInfoAccess extension due to
    java.io.IOException: invalid URI name:file://\\tyson\CertEnroll\tyson_XXXX Root CA.crt


    [2]: ObjectId: 2.5.29.31 Criticality=false
    Unparseable CRLDistributionPoints extension due to
    java.io.IOException: invalid URI name:file://\\tyson\CertEnroll\XXXX Root CA.crl


    ]
    Algorithm: [SHA1withRSA]
    Signature:

    ]
    ***
    Found trusted certificate:
    [
    [
    Version: V3
    Subject: EMAILADDRESS=jthompson@COMPANY.com, CN=SERVER, OU=Web Team, O=COMPANY NAME, L=CITY, ST=STATE, C=US
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

    Key: Sun RSA public key, 2048 bits
    modulus: 31516488916856175993354388556520068293794356693242681182245201286667548063641640358313574888462489933475402864236800262460826430243488030753558168637830135426373840447558297285290406873898984898413863294812616756309132288938801104047345625475355654376426138494767988080314969827787605621823083455352331480850948116669339339048031040543939696472504286395458369701032317090387365961443301475102633799830067724032223647096133387365632477706202020365811242759581209534410179060268963901969481769329740356404722306624236516162225426247695795946763666223293969793336832548340134282004822442343909786198074157323202609655959
    public exponent: 65537
    Validity: [From: Fri Mar 15 07:44:35 MDT 2013,
                   To: Sun Mar 15 07:44:35 MDT 2015]
    Issuer: CN=COMPANY NAME Internal Issuing CA, DC=PARENT, DC=local
    SerialNumber: [    4208795e 00000000 0d7d]

    Certificate Extensions: 8
    [1]: ObjectId: 1.3.6.1.4.1.311.21.10 Criticality=false
    Extension unknown: DER encoded OCTET string =
    0000: 04 0E 30 0C 30 0A 06 08 2B 06 01 05 05 07 03 01 ..0.0...+.......


    [2]: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: B5 10 57 84 BB 7F A0 ED BA E5 0C D3 00 06 A3 67 ..W............g
    0010: 97 93 B2 9E ....
    ]
    ]

    [3]: ObjectId: 1.3.6.1.4.1.311.21.7 Criticality=false
    Extension unknown: DER encoded OCTET string =
    0000: 04 30 30 2E 06 26 2B 06 01 04 01 82 37 15 08 86 .00..&+.....7...
    0010: D5 D8 7B 86 FA 8D 54 86 85 9F 20 87 92 89 64 CB ......T... ...d.
    0020: D5 69 81 57 84 D5 FB 1A 84 99 9C 1D 02 01 64 02 .i.W..........d.
    0030: 01 09 ..


    [4]: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 26 0F F4 17 D4 4A 12 51 1A 7F FC 77 A9 FB 4D 9F &....J.Q...w..M.
    0010: 2B 75 DB 71 +u.q
    ]

    ]

    [5]: ObjectId: 2.5.29.31 Criticality=false
    CRLDistributionPoints [
    [DistributionPoint:
    [URIName: ldap:///CN=COMPANY%20NAME%20Internal%20Issuing%20CA,CN=CASERVER,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=PARENT,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint, URIName: http://grc/CertEnroll/COMPANY%20NAME%20Internal%20Issuing%20CA.crl]
    ]]

    [6]: ObjectId: 2.5.29.37 Criticality=false
    ExtendedKeyUsages [
    serverAuth
    ]

    [7]: ObjectId: 2.5.29.15 Criticality=false
    KeyUsage [
    DigitalSignature
    Key_Encipherment
    ]

    [8]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
    AuthorityInfoAccess [
    [
    accessMethod: 1.3.6.1.5.5.7.48.2
    accessLocation: URIName: ldap:///CN=COMPANY%20NAME%20Internal%20Issuing%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=PARENT,DC=local?cACertificate?base?objectClass=certificationAuthority,
    accessMethod: 1.3.6.1.5.5.7.48.2
    accessLocation: URIName: http://grc/CertEnroll/CASERVER.PARENT.local_COMPANY%20NAME%20Internal%20Issuing%20CA.crt]
    ]

    ]
    Algorithm: [SHA1withRSA]
    Signature:

    ]
    *** ServerHelloDone
    *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
    main, WRITE: TLSv1 Handshake, length = 262
    SESSION KEYGEN:
    PreMaster Secret:
    0000: 03 01 8E DB 5A 42 FB 92 76 3B C0 3D 24 3A 62 71 ....ZB..v;.=$:bq
    0010: 2D 20 3C 30 51 8E AB 3C 11 30 58 7A 59 68 07 DD - <0Q..<.0XzYh..
    0020: 6F 27 04 D7 F4 36 50 BA 7B 80 74 F8 42 A7 A8 4B o'...6P...t.B..K
    CONNECTION KEYGEN:
    Client Nonce:
    0000: 51 49 B8 CB AB 7B 3D AC 7E F2 D4 01 04 B0 F2 AA QI....=.........
    0010: A0 1D 5E 47 05 9C 69 FE C6 86 79 C3 5E B4 4B 91 ..^G..i...y.^.K.
    Server Nonce:
    0000: 51 49 B8 CB A6 B6 D8 D5 4F D0 4A 82 BC 8B 2B AD QI......O.J...+.
    0010: B5 8E 7A 32 8B 68 72 95 D2 26 80 83 C5 36 B8 3C ..z2.hr..&...6.<
    Master Secret:
    0000: CD 71 83 49 FE 65 1E A9 C7 B7 53 D0 98 AC 2D 2B .q.I.e....S...-+
    0010: C8 9B 8B 43 1D E9 E2 A7 CC B9 A9 BF CA 20 D1 B8 ...C......... ..
    0020: 14 4E F2 2E 97 16 6F 50 48 3A 86 2B C8 EF 84 E8 .N....oPH:.+....
    Client MAC write Secret:
    0000: 94 F6 78 13 0F 15 40 AA 05 21 9B AA 65 A5 1F BC ..x...@..!..e...
    Server MAC write Secret:
    0000: 0F 3D 2B 1A 5C AA 55 FB 3A AC 72 90 F6 AA 9D 98 .=+.\.U.:.r.....
    Client write key:
    0000: 6D 14 7A 92 F9 40 27 3A 29 9F 43 37 BB 8C 04 53 m.z..@':).C7...S
    Server write key:
    0000: 90 71 00 90 FE 06 D6 E9 98 6F 34 C2 D5 6A 40 0C .q.......o4..j@.
    ... no IV used for this cipher
    main, WRITE: TLSv1 Change Cipher Spec, length = 1
    *** Finished
    verify_data: { 251, 198, 237, 121, 161, 170, 156, 152, 69, 108, 68, 188 }
    ***
    main, WRITE: TLSv1 Handshake, length = 32
    main, READ: TLSv1 Change Cipher Spec, length = 1
    main, READ: TLSv1 Handshake, length = 32
    *** Finished
    verify_data: { 226, 240, 104, 1, 79, 28, 146, 177, 168, 18, 109, 107 }
    ***
    %% Cached client session: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
    main, WRITE: TLSv1 Application Data, length = 203
    main, READ: TLSv1 Application Data, length = 334
    <employeeauth>
    <eaRC>-1</eaRC>
    <eaRM> Userid %userid% is not authenticated. Error type=javax.naming.NamingException</eaRM>
    <eaNum></eaNum>
    </employeeauth>

    Edited by: user3402186 on Mar 20, 2013 7:21 AM
  • 2. Re: RECV TLSv1 ALERT: fatal, handshake_failure in Java 1.7
    998079 Newbie
    Debug log for Java 1.7 client. Gets handshake_failure.

    Java Version: 1.7.0_17
    ----------------------------------------

    URL: https://SERVER/invoke/tools.employees.apps:APPNAME

    keyStore is :
    keyStore type is : jks
    keyStore provider is :
    init keystore
    init keymanager of type SunX509
    trustStore is: C:\Users\USER\Desktop\SERVERcert
    trustStore type is : jks
    trustStore provider is :
    init truststore
    adding as trusted cert:
    Subject: CN=www.google.com, O=Google Inc, L=Mountain View, ST=California, C=US
    Issuer: CN=Google Internet Authority, O=Google Inc, C=US
    Algorithm: RSA; Serial number: 0x14850d9e000000007d40
    Valid from Wed Feb 20 06:34:56 MST 2013 until Fri Jun 07 13:43:27 MDT 2013

    adding as trusted cert:
    Subject: EMAILADDRESS=jthompson@COMPANY.com, CN=SERVER, OU=Web Team, O=COMPANY NAME, L=CITY, ST=STATE, C=US
    Issuer: CN=COMPANY NAME Internal Issuing CA, DC=PARENT, DC=local
    Algorithm: RSA; Serial number: 0x4208795e000000000d7d
    Valid from Fri Mar 15 07:44:35 MDT 2013 until Sun Mar 15 07:44:35 MDT 2015

    trigger seeding of SecureRandom
    done seeding SecureRandom
    Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
    Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
    Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
    Allow unsafe renegotiation: false
    Allow legacy hello messages: true
    Is initial handshake: true
    Is secure renegotiation: false
    main, setSoTimeout(0) called
    %% No cached client session
    *** ClientHello, TLSv1

    RandomCookie: GMT: 1363720456 bytes = { 113, 24, 242, 51, 45, 18, 117, 236, 52, 147, 16, 22, 151, 59, 151, 33, 56, 187, 24, 145, 231, 25, 84, 44, 176, 112, 61, 79 }
    Session ID: {}
    Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
    Compression Methods: { 0 }
    Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
    Extension ec_point_formats, formats: [uncompressed]
    ***
    main, WRITE: TLSv1 Handshake, length = 163

    main, READ: TLSv1 Handshake, length = 3437
    *** ServerHello, TLSv1

    RandomCookie: GMT: 1363720456 bytes = { 115, 135, 78, 234, 92, 217, 33, 197, 14, 143, 108, 244, 200, 229, 61, 239, 136, 174, 40, 109, 70, 165, 24, 112, 160, 149, 80, 196 }
    Session ID: {186, 54, 109, 12, 100, 9, 3, 187, 38, 58, 152, 239, 137, 244, 79, 87}
    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA
    Compression Method: 0
    Extension renegotiation_info, renegotiated_connection: <empty>
    ***
    %% Initialized: [Session-1, TLS_RSA_WITH_AES_256_CBC_SHA]
    ** TLS_RSA_WITH_AES_256_CBC_SHA
    *** Certificate chain
    chain [0] = [
    [
    Version: V3
    Subject: EMAILADDRESS=jthompson@COMPANY.com, CN=SERVER, OU=Web Team, O=COMPANY NAME, L=CITY, ST=STATE, C=US
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

    Key: Sun RSA public key, 2048 bits
    modulus: 31516488916856175993354388556520068293794356693242681182245201286667548063641640358313574888462489933475402864236800262460826430243488030753558168637830135426373840447558297285290406873898984898413863294812616756309132288938801104047345625475355654376426138494767988080314969827787605621823083455352331480850948116669339339048031040543939696472504286395458369701032317090387365961443301475102633799830067724032223647096133387365632477706202020365811242759581209534410179060268963901969481769329740356404722306624236516162225426247695795946763666223293969793336832548340134282004822442343909786198074157323202609655959
    public exponent: 65537
    Validity: [From: Fri Mar 15 07:44:35 MDT 2013,
                   To: Sun Mar 15 07:44:35 MDT 2015]
    Issuer: CN=COMPANY NAME Internal Issuing CA, DC=PARENT, DC=local
    SerialNumber: [    4208795e 00000000 0d7d]

    Certificate Extensions: 8
    [1]: ObjectId: 1.3.6.1.4.1.311.21.10 Criticality=false
    Extension unknown: DER encoded OCTET string =
    0000: 04 0E 30 0C 30 0A 06 08 2B 06 01 05 05 07 03 01 ..0.0...+.......


    [2]: ObjectId: 1.3.6.1.4.1.311.21.7 Criticality=false
    Extension unknown: DER encoded OCTET string =
    0000: 04 30 30 2E 06 26 2B 06 01 04 01 82 37 15 08 86 .00..&+.....7...
    0010: D5 D8 7B 86 FA 8D 54 86 85 9F 20 87 92 89 64 CB ......T... ...d.
    0020: D5 69 81 57 84 D5 FB 1A 84 99 9C 1D 02 01 64 02 .i.W..........d.
    0030: 01 09 ..


    [3]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
    AuthorityInfoAccess [
    [
    accessMethod: caIssuers
    accessLocation: URIName: ldap:///CN=COMPANY%20NAME%20Internal%20Issuing%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=PARENT,DC=local?cACertificate?base?objectClass=certificationAuthority
    ,
    accessMethod: caIssuers
    accessLocation: URIName: http://grc/CertEnroll/CASERVER.PARENT.local_COMPANY%20NAME%20Internal%20Issuing%20CA.crt
    ]
    ]

    [4]: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 26 0F F4 17 D4 4A 12 51 1A 7F FC 77 A9 FB 4D 9F &....J.Q...w..M.
    0010: 2B 75 DB 71 +u.q
    ]

    ]

    [5]: ObjectId: 2.5.29.31 Criticality=false
    CRLDistributionPoints [
    [DistributionPoint:
    [URIName: ldap:///CN=COMPANY%20NAME%20Internal%20Issuing%20CA,CN=CASERVER,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=PARENT,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint, URIName: http://grc/CertEnroll/COMPANY%20NAME%20Internal%20Issuing%20CA.crl]
    ]]

    [6]: ObjectId: 2.5.29.37 Criticality=false
    ExtendedKeyUsages [
    serverAuth
    ]

    [7]: ObjectId: 2.5.29.15 Criticality=false
    KeyUsage [
    DigitalSignature
    Key_Encipherment
    ]

    [8]: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: B5 10 57 84 BB 7F A0 ED BA E5 0C D3 00 06 A3 67 ..W............g
    0010: 97 93 B2 9E ....
    ]
    ]

    ]
    Algorithm: [SHA1withRSA]
    Signature:
    ]
    chain [1] = [
    [
    Version: V3
    Subject: CN=XXXX Issuing CA 1, DC=PARENT, DC=local
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

    Key: Sun RSA public key, 4096 bits
    modulus: 710747583573312574266490133477718883175487276449197913367026878246770193366457918874117476848478441807997531601094195095347346667689692353006504772944438996992450206899974172461254170122772439064429800711214524654866811730387219923130077806688460698464420214016926635867290603880408310617196928261244715828938301877231716326135074613866166266159259934139101921704779393181418255236792357734373593843718044094652636084163613474834609513843820562318123712380380149595812702759706362225520298197347612448307537891820678903130283982229075610354246846288916706947063755002331306861708051010714413368970384817146977404909469979632866552303188492277584433342593521141366135313838512466732534501590138191730280137881018224930733224059655122933806684532601188457885427610523069862515778641416852689946070635946964424320750853912644963820761441121054160612741706028476665999908623924083348202525432243752651038591517730169571766303195624990856696540820396758325375089424534352671820926638511083232512074733251774179961972469706146941508467638490252757323558523275340769098076309821000325759423874166279533532418396039620418656504638481199111216522253786699411470101677803106926554982288403832319169109858989451431608015520012872771792487551381
    public exponent: 65537
    Validity: [From: Thu Mar 13 14:05:43 MDT 2008,
                   To: Tue Mar 13 14:15:43 MDT 2018]
    Issuer: CN=XXXX Root CA, DC="PARENT.DC=local"
    SerialNumber: [    19e8d467 00000000 0008]

    Certificate Extensions: 7
    [1]: ObjectId: 1.3.6.1.4.1.311.20.2 Criticality=false
    Extension unknown: DER encoded OCTET string =
    0000: 04 0C 1E 0A 00 53 00 75 00 62 00 43 00 41 .....S.u.b.C.A


    [2]: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false
    Extension unknown: DER encoded OCTET string =
    0000: 04 05 02 03 01 00 01 .......


    [3]: ObjectId: 1.3.6.1.4.1.311.21.2 Criticality=false
    Extension unknown: DER encoded OCTET string =
    0000: 04 16 04 14 D5 C8 60 1F D4 BC C8 F4 29 18 65 55 ......`.....).eU
    0010: 71 89 08 08 6E C4 1C B1 q...n...


    [4]: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 37 65 99 AA A5 52 A4 DD F4 97 50 DA B5 6A 46 B1 7e...R....P..jF.
    0010: EC F3 21 30 ..!0
    ]

    ]

    [5]: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
    CA:true
    PathLen:2147483647
    ]

    [6]: ObjectId: 2.5.29.15 Criticality=false
    KeyUsage [
    DigitalSignature
    Key_CertSign
    Crl_Sign
    ]

    [7]: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 73 7B 89 88 B8 20 C4 74 0E E9 15 70 F2 AA B5 93 s.... .t...p....
    0010: 95 4B EF 10 .K..
    ]
    ]

    Unparseable certificate extensions: 2
    [1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
    Unparseable AuthorityInfoAccess extension due to
    java.io.IOException: invalid URI name:file://\\tyson\CertEnroll\tyson_XXXX Root CA.crt

    0000: 30 82 01 24 30 81 A3 06 08 2B 06 01 05 05 07 30 0..$0....+.....0
    0010: 02 86 81 96 6C 64 61 70 3A 2F 2F 2F 43 4E 3D XX ....ldap:///CN=X
    0020: XX XX XX 25 32 30 52 6F 6F 74 25 32 30 43 41 2C XXX%20Root%20CA,
    0030: 43 4E 3D 41 49 41 2C 43 4E 3D 50 75 62 6C 69 63 CN=AIA,CN=Public
    0040: 25 32 30 4B 65 79 25 32 30 53 65 72 76 69 63 65 %20Key%20Service
    0050: 73 2C 43 4E 3D 53 65 72 76 69 63 65 73 2C 44 43 s,CN=Services,DC
    0060: 3D 55 6E 61 76 61 69 6C 61 62 6C 65 43 6F 6E 66 =UnavailableConf
    0070: 69 67 44 4E 3F 63 41 43 65 72 74 69 66 69 63 61 igDN?cACertifica
    0080: 74 65 3F 62 61 73 65 3F 6F 62 6A 65 63 74 43 6C te?base?objectCl
    0090: 61 73 73 3D 63 65 72 74 69 66 69 63 61 74 69 6F ass=certificatio
    00A0: 6E 41 75 74 68 6F 72 69 74 79 30 3E 06 08 2B 06 nAuthority0>..+.
    00B0: 01 05 05 07 30 02 86 32 68 74 74 70 3A 2F 2F 74 ....0..2http://t
    00C0: 79 73 6F 6E 2F 43 65 72 74 45 6E 72 6F 6C 6C 2F yson/CertEnroll/
    00D0: 74 79 73 6F 6E 5F XX XX XX XX 25 32 30 52 6F 6F tyson_XXXX%20Roo
    00E0: 74 25 32 30 43 41 2E 63 72 74 30 3C 06 08 2B 06 t%20CA.crt0<..+.
    00F0: 01 05 05 07 30 02 86 30 66 69 6C 65 3A 2F 2F 5C ....0..0file://\
    0100: 5C 74 79 73 6F 6E 5C 43 65 72 74 45 6E 72 6F 6C \tyson\CertEnrol
    0110: 6C 5C 74 79 73 6F 6E 5F XX XX XX XX 20 52 6F 6F l\tyson_XXXX Roo
    0120: 74 20 43 41 2E 63 72 74 t CA.crt

    [2]: ObjectId: 2.5.29.31 Criticality=false
    Unparseable CRLDistributionPoints extension due to
    java.io.IOException: invalid URI name:file://\\tyson\CertEnroll\XXXX Root CA.crl

    0000: 30 60 30 5E A0 5C A0 5A 86 2A 66 69 6C 65 3A 2F 0`0^.\.Z.*file:/
    0010: 2F 5C 5C 74 79 73 6F 6E 5C 43 65 72 74 45 6E 72 /\\tyson\CertEnr
    0020: 6F 6C 6C 5C XX XX XX XX 20 52 6F 6F 74 20 43 41 oll\XXXX Root CA
    0030: 2E 63 72 6C 86 2C 68 74 74 70 3A 2F 2F 74 79 73 .crl.,http://tys
    0040: 6F 6E 2F 43 65 72 74 45 6E 72 6F 6C 6C 2F XX XX on/CertEnroll/XX
    0050: XX XX 25 32 30 52 6F 6F 74 25 32 30 43 41 2E 63 XX%20Root%20CA.c
    0060: 72 6C rl

    ]
    Algorithm: [SHA1withRSA]
    Signature:
    ]
    ***
    Found trusted certificate:
    [
    [
    Version: V3
    Subject: EMAILADDRESS=jthompson@COMPANY.com, CN=SERVER, OU=Web Team, O=COMPANY NAME, L=CITY, ST=STATE, C=US
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

    Key: Sun RSA public key, 2048 bits
    modulus: 31516488916856175993354388556520068293794356693242681182245201286667548063641640358313574888462489933475402864236800262460826430243488030753558168637830135426373840447558297285290406873898984898413863294812616756309132288938801104047345625475355654376426138494767988080314969827787605621823083455352331480850948116669339339048031040543939696472504286395458369701032317090387365961443301475102633799830067724032223647096133387365632477706202020365811242759581209534410179060268963901969481769329740356404722306624236516162225426247695795946763666223293969793336832548340134282004822442343909786198074157323202609655959
    public exponent: 65537
    Validity: [From: Fri Mar 15 07:44:35 MDT 2013,
                   To: Sun Mar 15 07:44:35 MDT 2015]
    Issuer: CN=COMPANY NAME Internal Issuing CA, DC=PARENT, DC=local
    SerialNumber: [    4208795e 00000000 0d7d]

    Certificate Extensions: 8
    [1]: ObjectId: 1.3.6.1.4.1.311.21.10 Criticality=false
    Extension unknown: DER encoded OCTET string =
    0000: 04 0E 30 0C 30 0A 06 08 2B 06 01 05 05 07 03 01 ..0.0...+.......

    [2]: ObjectId: 1.3.6.1.4.1.311.21.7 Criticality=false
    Extension unknown: DER encoded OCTET string =
    0000: 04 30 30 2E 06 26 2B 06 01 04 01 82 37 15 08 86 .00..&+.....7...
    0010: D5 D8 7B 86 FA 8D 54 86 85 9F 20 87 92 89 64 CB ......T... ...d.
    0020: D5 69 81 57 84 D5 FB 1A 84 99 9C 1D 02 01 64 02 .i.W..........d.
    0030: 01 09 ..


    [3]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
    AuthorityInfoAccess [
    [
    accessMethod: caIssuers
    accessLocation: URIName: ldap:///CN=COMPANY%20NAME%20Internal%20Issuing%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=PARENT,DC=local?cACertificate?base?objectClass=certificationAuthority
    ,
    accessMethod: caIssuers
    accessLocation: URIName: http://grc/CertEnroll/CASERVER.PARENT.local_COMPANY%20NAME%20Internal%20Issuing%20CA.crt
    ]
    ]

    [4]: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 26 0F F4 17 D4 4A 12 51 1A 7F FC 77 A9 FB 4D 9F &....J.Q...w..M.
    0010: 2B 75 DB 71 +u.q
    ]

    ]

    [5]: ObjectId: 2.5.29.31 Criticality=false
    CRLDistributionPoints [
    [DistributionPoint:
    [URIName: ldap:///CN=COMPANY%20NAME%20Internal%20Issuing%20CA,CN=CASERVER,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=PARENT,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint, URIName: http://grc/CertEnroll/COMPANY%20NAME%20Internal%20Issuing%20CA.crl]
    ]]

    [6]: ObjectId: 2.5.29.37 Criticality=false
    ExtendedKeyUsages [
    serverAuth
    ]

    [7]: ObjectId: 2.5.29.15 Criticality=false
    KeyUsage [
    DigitalSignature
    Key_Encipherment
    ]

    [8]: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: B5 10 57 84 BB 7F A0 ED BA E5 0C D3 00 06 A3 67 ..W............g
    0010: 97 93 B2 9E ....
    ]
    ]

    ]
    Algorithm: [SHA1withRSA]
    Signature:
    ]
    *** ServerHelloDone
    *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
    main, WRITE: TLSv1 Handshake, length = 262
    main, WRITE: TLSv1 Change Cipher Spec, length = 1
    *** Finished
    verify_data: { 114, 227, 19, 222, 162, 73, 80, 229, 15, 199, 23, 154 }
    ***
    main, WRITE: TLSv1 Handshake, length = 48
    main, READ: TLSv1 Alert, length = 2
    main, RECV TLSv1 ALERT: fatal, handshake_failure
    %% Invalidated: [Session-1, TLS_RSA_WITH_AES_256_CBC_SHA]
    main, called closeSocket()
    main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

    javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
         at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
         at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
         at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1961)
         at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1077)
         at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
         at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
         at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
         at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:515)
         at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
         at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
         at testhttps.Main.runTest(Main.java:39)
         at testhttps.Main.main(Main.java:23)
  • 3. Re: RECV TLSv1 ALERT: fatal, handshake_failure in Java 1.7
    sabre150 Expert
    Have you installed the 'unlimited strength' files in your Java 7?
  • 4. Re: RECV TLSv1 ALERT: fatal, handshake_failure in Java 1.7
    720986 Newbie
    Yes, the unlimited strength files are installed on both the server (Java 1.6) and on both Java 1.6 and 1.7 on the client.
  • 5. Re: RECV TLSv1 ALERT: fatal, handshake_failure in Java 1.7
    EJP Guru
    java.io.IOException: invalid URI name:file://\\tyson\CertEnroll\tyson_XXXX Root CA.crt
    Are you aware of this problem with one of the certificates? This is complete nonsense. I don't know whether it's causing this problem but it might. Complain to whoever issued that certificate.
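The reply above points at the `invalid URI name` error attached to one certificate in the chain, and the question turns on what the client had sent when the alert arrived. The following Python script is an added example, not code from the thread: it scans `javax.net.debug` output in the format quoted here and reports, per chain certificate, any unparseable extensions, plus each alert together with the last handshake message logged before it. The embedded log excerpt is constructed from lines shown in the thread, and every function and variable name is an assumption.

```python
import re

# Constructed excerpt, shaped like the -Djavax.net.debug=ssl,handshake output in this thread.
SAMPLE_LOG = r"""chain [0] = [
Subject: CN=SERVER, OU=Web Team, O=COMPANY NAME
]
chain [1] = [
Subject: CN=XXXX Issuing CA 1, DC=PARENT, DC=local
Unparseable certificate extensions: 2
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
Unparseable AuthorityInfoAccess extension due to
java.io.IOException: invalid URI name:file://\\tyson\CertEnroll\tyson_XXXX Root CA.crt
[2]: ObjectId: 2.5.29.31 Criticality=false
Unparseable CRLDistributionPoints extension due to
java.io.IOException: invalid URI name:file://\\tyson\CertEnroll\XXXX Root CA.crl
]
***
*** ServerHelloDone
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
*** Finished
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1 ALERT: fatal, handshake_failure
%% Invalidated: [Session-1, TLS_RSA_WITH_AES_256_CBC_SHA]
"""

CHAIN = re.compile(r"chain \[(\d+)\] = \[")
SUBJECT = re.compile(r"Subject:\s*(.+)")
UNPARSEABLE = re.compile(r"Unparseable (\w+) extension due to")
IOEXC = re.compile(r"java\.io\.IOException:\s*(.+)")
MARKER = re.compile(r"\*\*\* (\w+)")
ALERT = re.compile(r"\S+, (RECV|SEND) (\S+) ALERT:\s*(\w+), (\w+)")
INVALIDATED = re.compile(r"%% Invalidated:\s*\[\S+, (\S+)\]")


def summarize(log_text):
    """Collect chain certs, alerts (with the preceding handshake message) and dropped suites."""
    out = {"certs": [], "alerts": [], "invalidated": []}
    cert = ext = last_msg = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := CHAIN.match(line):
            cert = {"index": int(m.group(1)), "subject": None, "unparseable": []}
            ext = None
            out["certs"].append(cert)
        elif line.startswith("***"):
            cert = None  # a handshake marker ends the certificate dump
            if m := MARKER.match(line):
                last_msg = m.group(1)
        elif cert is not None and (m := SUBJECT.match(line)):
            cert["subject"] = cert["subject"] or m.group(1)
        elif cert is not None and (m := UNPARSEABLE.match(line)):
            ext = m.group(1)
        elif cert is not None and ext and (m := IOEXC.match(line)):
            cert["unparseable"].append((ext, m.group(1)))
            ext = None
        elif m := ALERT.match(line):
            out["alerts"].append(m.groups() + (last_msg,))
        elif m := INVALIDATED.match(line):
            out["invalidated"].append(m.group(1))
    return out


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Running the same function over the Java 1.6 and Java 1.7 client logs and comparing the two summaries isolates the differences without reading the full dumps.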
  • 6. Re: RECV TLSv1 ALERT: fatal, handshake_failure in Java 1.7
    1012354 Newbie
    I think I have the same problem. I'm connecting to an RDP server with Network Level Authentication (TLS) enabled.

    The code only works on 1.6.0_27 and below; it also works on all versions of OpenJDK. Here is the log:

    Allow unsafe renegotiation: true
    Allow legacy hello messages: true
    Is initial handshake: true
    Is secure renegotiation: false
    %% No cached client session
    *** ClientHello, TLSv1

    [Raw read]: length = 5
    0000: 15 03 01 00 20 ....
    [Raw read]: length = 32
    0000: 09 2B C0 F4 A1 6F AC 29 1B E1 1E E8 D6 B6 98 F6 .+...o.)........
    0010: 7B D9 D0 11 E4 22 88 B1 6B 6D 59 98 51 A3 A5 40 ....."..kmY.Q..@
    RdpRunner, READ: TLSv1 Alert, length = 32
    Padded plaintext after DECRYPTION: len = 32
    0000: 02 50 C6 D9 DF E5 CC 0E 1F 5C BF FE 3E 4E 69 AA .P.......\..>Ni.
    0010: B8 10 F8 C0 42 2B 09 09 09 09 09 09 09 09 09 09 ....B+..........
    RdpRunner, RECV TLSv1 ALERT: fatal, internal_error
    %% Invalidated: [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA]
    RdpRunner, called closeSocket()
    RdpRunner, handling exception: javax.net.ssl.SSLException: Received fatal alert: internal_error
    javax.net.ssl.SSLException: Received fatal alert: internal_error
         at sun.security.ssl.Alerts.getSSLException(Unknown Source)
         at sun.security.ssl.Alerts.getSSLException(Unknown Source)
         at sun.security.ssl.SSLSocketImpl.recvAlert(Unknown Source)
         at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
         at sun.security.ssl.SSLSocketImpl.readDataRecord(Unknown Source)
         at sun.security.ssl.AppInputStream.read(Unknown Source)
         at java.io.BufferedInputStream.fill(Unknown Source)
         at java.io.BufferedInputStream.read(Unknown Source)
         at java.io.FilterInputStream.read(Unknown Source)
         at org.bouncycastle.asn1.ASN1InputStream.readObject(ASN1InputStream.java:180)
         at net.protocol.credssp.CredSsp.readTsRequest(CredSsp.java:44)
         at net.protocol.credssp.CredSsp.execute(CredSsp.java:186)
         at net.protocol.socket.SocketLayer.executeCredSsp(SocketLayer.java:199)
         at net.protocol.x224.X224Layer.receiveConnectionConfirm(X224Layer.java:225)
         at net.protocol.x224.X224Layer.connect(X224Layer.java:119)
         at net.protocol.mcs.MCSLayer.connect(MCSLayer.java:323)
         at net.protocol.secure.SecureLayer.connect(SecureLayer.java:260)
         at net.protocol.secure.SecureLayer.connect(SecureLayer.java:273)
         at net.protocol.rdp.RdpSlowPathLayer.connect(RdpSlowPathLayer.java:417)
         at com.toremote.websocket.rdp.RdpRunner.run(RdpRunner.java:131)
    net.protocol.rdp.RdpException: Received fatal alert: internal_error

    Edited by: user10270852 on Jun 2, 2013 1:46 PM
  • 7. Re: RECV TLSv1 ALERT: fatal, handshake_failure in Java 1.7
    EJP Guru
    user10270852 wrote:
    995076 wrote:
    main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    I think I have the same problem. I'm connecting to an RDP server with Network Level Authentication (TLS) enabled.
    ...
    RdpRunner, handling exception: javax.net.ssl.SSLException: Received fatal alert: internal_error
    No you don't. It isn't the same. Start your own thread.
