ssl handshake_failure client certificate not being sent
I have an issue with ssl handshake_failure.
There is a new integration with an external web service that is required to communicate over HTTPS. They provided me three certificates (root + shared + client), so
I have installed all three certificates in my JDK, and when I try to call this web service I always get this exception:
exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
So I traced the handshake communication between me and the server by adding this property -Djavax.net.debug=all to my application.
I found that all three certificates are being uploaded to the application once it started:
adding as trusted cert:
Subject: CN=EXA Root CA, OU=EXA eTrust Center, O=EXA, C=SA
Issuer: CN=EXA Root CA, OU=EXA eTrust Center, O=EXA, C=SA
Algorithm: RSA; Serial number: -----
Valid from Wed Oct 15 12:41:37 AST 2014 until Sat Oct 15 13:11:37 AST 2039
adding as trusted cert:
Subject: CN=10.10.10.10, OU=EXA eTrust Center, O=EXA, C=SA
Issuer: CN=EXA Shared CA, OU=EXA eTrust Center, O=EXA, C=SA
Algorithm: RSA; Serial number: -----
Valid from Thu Nov 11 12:33:30 AST 2015 until Mon Nov 26 13:03:30 AST 2018
adding as trusted cert:
Subject: CN=EXA Shared CA, OU=EXA eTrust Center, O=EXA, C=SA
Issuer: CN=EXA Root CA, OU=EXA eTrust Center, O=EXA, C=SA
Algorithm: RSA; Serial number: ------
Valid from Thu Oct 25 07:56:05 AST 2014 until Wed Oct 16 08:26:05 AST 2024
Then I found that the system is not sending the client certificate and I don't know why:
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA256withRSA, SHA256withDSA, SHA256withECDSA, SHA384withRSA, Unknown (hash:0x5, signature:0x2), SHA384withECDSA, SHA512withRSA, Unknown (hash:0x6, signature:0x2), SHA512withECDSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA
Cert Authorities:
<Empty>
[read] MD5 and SHA1 hashes: len = 36
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
***
*** ECDHClientKeyExchange
My questions are:
- What do you think the issue is?
- Why didn't the JDK find the suitable certificate when it exists and is loaded in the trusted certs?
- Based on what will the JDK look for a suitable client certificate? So I can determine why the JDK didn't find it.
@@update
- Do you think the issue is from my device (IP), since the certificate CN is for another IP?
sslhandshakeexception
edited Nov 22 at 6:38
asked Nov 21 at 20:40
mzaje18
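An added diagnostic, not part of the original post: JSSE picks a client certificate only from keystore entries that hold a private key (served by the KeyManager), whereas the "adding as trusted cert" lines in the trace are truststore entries. This Java program reports which kind each entry is and asks the default X509KeyManager the same question the handshake asks; the class name ClientCertCheck, the default cacerts path and the "changeit" password are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;

public class ClientCertCheck {
    public static void main(String[] args) throws Exception {
        // Assumed defaults: the JDK's own cacerts file and its stock password.
        // Pass the store you actually use as args[0] and its password as args[1].
        String path = args.length > 0 ? args[0]
                : System.getProperty("java.home") + "/lib/security/cacerts";
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }

        // Classify entries: only key entries (private key + chain) can be
        // presented as a client certificate; trusted-cert entries cannot.
        int keyEntries = 0;
        int trustedEntries = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                keyEntries++;
                System.out.println("key entry: " + alias);
            } else if (ks.isCertificateEntry(alias)) {
                trustedEntries++;
            }
        }
        System.out.println(trustedEntries + " trusted-cert entries, "
                + keyEntries + " key entries in " + path);

        // Ask the default key manager what it would send. Assumes the key
        // password equals the store password. A null issuer list means "any
        // issuer", matching the empty "Cert Authorities" in the trace.
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        X509KeyManager km = (X509KeyManager) kmf.getKeyManagers()[0];
        String alias = km.chooseClientAlias(new String[] {"RSA", "DSA", "EC"}, null, null);
        System.out.println(alias == null
                ? "no client certificate would be sent (no usable key entry)"
                : "client certificate would be sent from alias: " + alias);
    }
}
```

Run it against the file named by -Djavax.net.ssl.keyStore; a store holding only trusted-cert entries makes chooseClientAlias return null, which is the condition behind the "no suitable certificate found" warning.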