SystemAdmin

Pinned topic SSL client auth failing

2004-03-31T16:17:28Z
I'm trying to use the IBM 1.4.1 jre to do client auth with SSL.
(I'm using Debian with a 2.6.4 kernel.)
It is failing with the following exception:
SEVERE: Could not negotiate TLS connection
javax.net.ssl.SSLHandshakeException: handshake failure
at com.ibm.jsse.bg.a(Unknown Source)
at com.ibm.jsse.bg.startHandshake(Unknown Source)
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.startHandshake(StartTlsResponseImpl.java:354)
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:218)
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:171)

This failure occurs right after the client receives the server cert chain.
It appears that my client is not sending the client certificate, based on server logs.
I've tried my code against both Apache and OpenLdap with the same results, however the Sun jre works correctly.

Has anyone seen this problem before?
I also tried implementing my own KeyManager so that I could force the correct client cert to be chosen.
Again this worked for the Sun jre, but not the IBM.
I can provide a debug trace if that would help.
Thanks.
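The symptom above (the server never sees a client certificate, the handshake dies right after the server chain arrives) usually narrows to one of three causes: the keystore cannot be opened by the JRE, the key entry in it is unusable, or the JSSE key manager picks no alias when the server asks for a certificate. The following diagnostic, an added example and not code from this thread, walks those three checks in order and wraps the key manager so every alias decision is logged. The keystore file name, type, password and the Bouncy Castle provider class are taken from the poster's command line and are assumptions about the environment; the class and method names are the example's own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.X509KeyManager;

/** Client-auth diagnostic (added example, not from the thread). */
public class ClientAuthDiag {

    /** X509KeyManager decorator that logs every alias decision the JSSE engine makes. */
    static final class LoggingKeyManager implements X509KeyManager {
        private final X509KeyManager delegate;
        LoggingKeyManager(X509KeyManager delegate) { this.delegate = delegate; }

        public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
            String alias = delegate.chooseClientAlias(keyTypes, issuers, socket);
            // A null alias here means the client will send an empty Certificate message.
            System.out.println("chooseClientAlias keyTypes=" + Arrays.toString(keyTypes)
                + " issuers=" + (issuers == null ? "any" : Arrays.toString(issuers)) + " -> " + alias);
            return alias;
        }
        public String[] getClientAliases(String keyType, Principal[] issuers) { return delegate.getClientAliases(keyType, issuers); }
        public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return delegate.chooseServerAlias(keyType, issuers, socket); }
        public String[] getServerAliases(String keyType, Principal[] issuers) { return delegate.getServerAliases(keyType, issuers); }
        public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
        public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }
    }

    public static void main(String[] args) throws Exception {
        // Same system properties as the poster's command line; the defaults are assumptions.
        String path = System.getProperty("javax.net.ssl.keyStore", "edid.dev.keystore");
        String type = System.getProperty("javax.net.ssl.keyStoreType", "BKS");
        char[] pw = System.getProperty("javax.net.ssl.keyStorePassword", "changeit").toCharArray();

        // Register Bouncy Castle by reflection so this compiles without the BC jar on the compile path.
        if (Security.getProvider("BC") == null) {
            Provider bc = (Provider) Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider")
                .getDeclaredConstructor().newInstance();
            Security.addProvider(bc);
        }

        // Step 1: can the keystore be opened at all, and which provider answers for its type?
        KeyStore ks = KeyStore.getInstance(type);
        System.out.println("KeyStore " + type + " supplied by provider " + ks.getProvider().getName());
        try (InputStream in = new FileInputStream(path)) { ks.load(in, pw); }

        // Step 2: does every key entry have a recoverable private key and a valid leaf certificate?
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) { System.out.println(alias + ": trusted-cert entry, skipped"); continue; }
            PrivateKey key = (PrivateKey) ks.getKey(alias, pw);
            Certificate[] chain = ks.getCertificateChain(alias);
            X509Certificate leaf = (X509Certificate) chain[0];
            leaf.checkValidity(); // throws if the certificate is expired or not yet valid
            System.out.println(alias + ": " + key.getAlgorithm() + " key, chain length " + chain.length
                + ", subject " + leaf.getSubjectX500Principal() + ", issuer " + leaf.getIssuerX500Principal());
        }

        // Step 3: what would the default key manager offer for an RSA client-auth request from any CA?
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw);
        X509KeyManager base = null;
        for (KeyManager km : kmf.getKeyManagers()) if (km instanceof X509KeyManager) base = (X509KeyManager) km;
        if (base == null) throw new IllegalStateException("no X509KeyManager from " + kmf.getProvider().getName());
        LoggingKeyManager logging = new LoggingKeyManager(base);
        logging.chooseClientAlias(new String[] {"RSA"}, null, null);

        // Step 4: install the logging manager; null trust managers keep the javax.net.ssl.trustStore defaults.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] {logging}, null, null);
        System.out.println("SSLContext from " + ctx.getProvider().getName() + " ready; use ctx.getSocketFactory()");
    }
}
```

To see the decision during the real StartTLS handshake, pass `ctx.getSocketFactory()` to `StartTlsResponse.negotiate(SSLSocketFactory)` instead of calling `negotiate()` with no arguments. If the logged issuers list from the server's CertificateRequest does not contain the issuer of the keystore chain, a null alias is expected: a JSSE key manager offers only a chain rooted in one of the CAs the server names, so the fix is on the server's accepted-CA list, not in the client code.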
  • SystemAdmin

    Re: SSL client auth failing

    2004-04-01T14:42:15Z
    Debug trace for the client would help.

    I can't think of a reason why your code should work on a Sun JVM acting as the client but not an IBM one.
  • SystemAdmin

    Re: SSL client auth failing

    2004-04-01T15:27:30Z
    Here is the debug trace:
    Testing /apps/local/java/IBMJava2-141/bin/java
    Commandline switches:
    -Djavax.net.debug=true
    -Djavax.net.ssl.trustStore=vt.dev.truststore -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStoreType=BKS
    -Djavax.net.ssl.keyStore=edid.dev.keystore -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.keyStoreType=BKS
    TrustManagerFactoryImpl: trustStore is : vt.dev.truststore
    TrustManagerFactoryImpl: trustStore type is : BKS
    TrustManagerFactoryImpl: init truststore
    KeyManagerFactoryImpl: keyStore is : edid.dev.keystore
    KeyManagerFactoryImpl: keyStore type is : BKS
    KeyManagerFactoryImpl: init keystore
    KeyManagerFactoryImpl: init keystore
    JSSEContext: handleSession[Socket[addr=ed-dev.middleware.iad.vt.edu/198.82.160.148,port=12389,localport=47678]]
    JSSEContext: confirmPeerCertificate[Socket[addr=ed-dev.middleware.iad.vt.edu/198.82.160.148,port=12389,localport=47678]]
    X509TrustManagerImpl: checkServerTrusted
    X509TrustManagerImpl: Certificate [
    [
    Version: V3
    Subject: CN=ed-dev.middleware.iad.vt.edu, OU=3, OU=Middleware-Server, O=Virginia Polytechnic Institute and State University, L=Blacksburg, ST=Virginia, C=US, DC=vt, DC=edu
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

    Key: IBMJCE RSA Public Key:
    modulus:
    22469277832915165074204926834070988910594713136254971923916861061201328426353487493731618550472806221875396426789402632545957607656775604206168191582062846392471899841975923955008055246965291818567863608310854677625057179288322428624256350342674624588721004903103769687046972756464537129712248403184792674593542438193494373721445699882754648120145124498876731452357332875574979591146016964467766809405381231044277074404534396281612140551352087538629740186032622471405837345693210641335228526552800253061301682237561195758620304038560841749976103820062463942705099007005515147321310957553748256041491774346381941024431
    public exponent:
    65537

    Validity: [From: Fri Mar 26 15:25:49 EST 2004,
    To: Sat Mar 26 15:25:49 EST 2005]
    Issuer: CN=Virginia Tech Middleware CA, O=Virginia Polytechnic Institute and State University, C=US, DC=vt, DC=edu
    SerialNumber: [3]

    Certificate Extensions: 7
    [1]: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 04 84 ff 4b fd 2f 66 96 ed 57 3a 9d ba 61 a4 47 ...K..f..W...a.G
    0010: d2 61 a5 5b .a..
    ]
    SerialNumber: 3]

    [2]: ObjectId: 2.5.29.19 Criticality=false
    BasicConstraints:[
    CA:false
    PathLen: undefined
    ]

    [3]: ObjectId: 2.5.29.32 Criticality=false
    CertificatePolicies [
    [
    PolicyInformation: [
    CertPolicyId: 1.3.6.1.4.1.6760.5.2.2.1.1
    PolicyQualifiers: null]
    ,
    PolicyInformation: [
    CertPolicyId: 1.3.6.1.4.1.6760.5.2.2.2.1
    PolicyQualifiers: null]
    ,
    PolicyInformation: [
    CertPolicyId: 1.3.6.1.4.1.6760.5.2.2.3.1
    PolicyQualifiers: null]
    ,
    PolicyInformation: [
    CertPolicyId: 1.3.6.1.4.1.6760.5.2.2.4.1
    PolicyQualifiers: null]
    ,
    PolicyInformation: [
    CertPolicyId: 1.3.6.1.4.1.6760.5.2.2.5.1
    PolicyQualifiers: [PolicyQualifierInfo: [
    CPSuri: [
    object identifier: 1.3.6.1.5.5.7.2.1
    uri: http://www.pki.vt.edu/vtmw/cps/]
    ]
    ]]
    ]]

    [4]: ObjectId: 2.5.29.31 Criticality=false
    CRLDistributionPoints [
    1 CRL Distribution Points:

    Distribution Point: [
    Distribution Point Name: URIName: https://crashvtmwca.devpki.vt.edu/ca/0917/crashvtmwca/htdocs/pub/crl/cacrl.crl
    Reason Flags: null
    Issuer: null
    ]
    ]

    [5]: ObjectId: 2.5.29.15 Criticality=false
    KeyUsage [
    DigitalSignature
    Non_repudiation
    Key_Encipherment
    Data_Encipherment
    ]

    [6]: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: bd d1 bb d3 d5 95 5f b8 40 8e c1 61 a1 f7 19 be ...........a....
    0010: 5c 7c a8 e2 ....
    ]
    ]

    [7]: ObjectId: 2.5.29.37 Criticality=false
    ExtKeyUsage [
    1.3.6.1.5.5.7.3.1]

    ]
    Algorithm: SHA1withRSA
    Signature:
    0000: 0c f6 31 a7 54 4e 9b a6 bc 24 9b 49 c8 37 1f 96 ..1.TN.....I.7..
    0010: 5d d9 6d 5f 75 f8 fa cb 66 32 fe 3c f9 85 bd e7 ..m.u...f2......
    0020: b9 2b fd 5d 65 1b fc 89 a1 91 e3 da 47 de fb eb ....e.......G...
    0030: a3 50 ea ea c6 8b 77 fb bd ee e2 f9 6d 30 aa 14 .P....w.....m0..
    0040: 94 0d 2d c3 9e 94 9a 53 1f b9 47 17 c5 6f 44 1e .......S..G..oD.
    0050: a1 d6 96 30 7e 5a 70 86 8e dd ed 66 68 2f ce 74 ...0.Zp....fh..t
    0060: fd 9d 7c 21 3d d6 57 97 16 53 91 3c ea 66 e5 55 ......W..S...f.U
    0070: d3 6d b1 88 33 56 0f ed 4f 99 9e cd 87 99 b4 21 .m..3V..O.......
    0080: a0 f2 d0 6b 20 87 f4 8c 28 86 6d f9 52 81 0f e1 ...k......m.R...
    0090: 89 a3 c5 b4 9c 44 fa 70 43 b9 8a 62 8f 3f bf 08 .....D.pC..b....
    00a0: 00 ea b6 77 bf 42 5f f9 67 70 a8 d7 42 b6 a0 4b ...w.B..gp..B..K
    00b0: 1d d1 6d c6 db db c3 58 f0 2f 52 54 52 ab 5f be ..m....X..RTR...
    00c0: 11 97 61 f8 60 03 a1 3e 43 5d 32 ac af d6 ec 86 ..a.....C.2.....
    00d0: b2 a1 18 e8 30 4c 38 53 a5 d4 08 82 cd 9e 8a b8 ....0L8S........
    00e0: b1 4e bc 47 d9 59 48 33 83 b4 5d 84 c8 74 ba 10 .N.G.YH3.....t..
    00f0: dc e3 00 7b 2c 8a d7 4e 44 00 41 0a af 37 e3 0a .......ND.A..7..
    0100: 16 8f 61 0b 5c a4 25 a6 6c 91 3b b1 e5 a4 c2 f3 ..a.....l.......
    0110: 59 db df 85 6b 27 72 b0 ce 5e 3b 9c 7c 52 5f 30 Y...k.r......R.0
    0120: 6f 27 2a 49 9c 76 81 c3 49 5d 50 8b d7 45 b3 9b o..I.v..I.P..E..
    0130: fe 9a 90 68 50 5e 54 2a 02 47 40 7b 55 a8 9b 4b ...hP.T..G..U..K
    0140: fe 62 7f f6 a9 24 c4 f3 19 83 dc 0c 29 39 d1 18 .b...........9..
    0150: 7d 4b c7 be f8 c9 3c 95 55 29 5e a8 f5 60 50 1a .K......U.....P.
    0160: 79 05 e1 6b ed 61 c9 54 a6 43 f0 04 08 5f 93 d3 y..k.a.T.C......
    0170: 7a 34 42 a1 78 d3 da 7a 91 cf a7 4f b3 1f 95 e7 z4B.x..z...O....
    0180: 3e cb 74 00 38 50 0f 55 b0 e9 08 60 a1 76 07 76 ..t.8P.U.....v.v
    0190: cd d0 dd f7 86 f2 07 bf e9 25 e3 74 1e bd a0 54 ...........t...T
    01a0: 1e e3 ea 63 a7 87 f3 ca e6 08 34 41 f5 60 49 93 ...c......4A..I.
    01b0: 0f 91 63 c3 76 96 af 4a 5b c6 0d a9 09 e1 1d f5 ..c.v..J........
    01c0: 46 fd 22 fb 79 a7 db a9 f5 d2 28 c1 42 0e 3b a6 F...y.......B...
    01d0: fd 17 ac 5b 12 45 8f 93 fb fd c3 4a f7 bb 98 b9 .....E.....J....
    01e0: 5d a5 52 3f cb a6 07 4f 83 31 0c bf f4 27 78 7b ..R....O.1....x.
    01f0: 34 58 8a 69 8c 62 39 ba dc 34 ca 84 5b d9 5a 59 4X.i.b9..4....ZY

    ]
    X509TrustManagerImpl: Certificate [
    [
    Version: V3
    Subject: CN=Virginia Tech Middleware CA, O=Virginia Polytechnic Institute and State University, C=US, DC=vt, DC=edu
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

    Key: IBMJCE RSA Public Key:
    modulus:
    673135293442072612842843676067501850942934666270080174555080075691829521906168514427601915634276058132091096798629967174351601310239824860054109078299098504435708674199920626935383611356675752525766266290837527454937106208626476254549856443083900936784899146773949912013865197197452708642625467286349332600713449609434745194109872227189172671323886443588089301978709989552634159005963628509273604856242344460497125202832997406592095173576036173975928560023951715719396837881307908152661268373958830532217326563616540765509138869782419439789862918025195250486335442407231429779738723065958500772183807311697386771677105749759061274362523624059381482024657439435290726561547290125992143021707780814795703007957211035896583651453162722234745044297177812377631344544382740093424713953869807989449747632916988233192726576270542435963380637531108809053322031641984445161461442572189272818588296763520296044266838865157414979030651232399279813965391546943475301576973882717500776295951847163006357363981376329910808324623518648487840979893218349386125500291375718381469851029321146033839365191868317761793664015274591866420838006273132795742692801628082216368064103527911125475512322532311102540843472208240881124283032892366584733722748457
    public exponent:
    3

    Validity: [From: Fri Mar 26 11:22:00 EST 2004,
    To: Mon Mar 24 11:22:00 EST 2014]
    Issuer: O="Crash Virginia Tech Root CA", L=Blacksburg, ST=Virginia, C=US
    SerialNumber: [3]

    Certificate Extensions: 6
    [1]: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 1e 1f eb aa fc 21 08 f9 20 11 cf 4a ef 9e 96 bb ...........J....
    0010: 95 36 62 f6 .6b.
    ]
    SerialNumber: 0]

    [2]: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
    CA:true
    PathLen:2147483647
    ]

    [3]: ObjectId: 2.5.29.32 Criticality=false
    CertificatePolicies [
    [
    PolicyInformation: [
    CertPolicyId: 1.3.6.1.4.1.6760.5.2.2.1
    PolicyQualifiers: [PolicyQualifierInfo: [
    CPSuri: [
    object identifier: 1.3.6.1.5.5.7.2.1
    uri: http://radev.eprov.iad.vt.edu/rootca/cps/]
    ]
    ]]
    ]]

    [4]: ObjectId: 2.5.29.31 Criticality=false
    CRLDistributionPoints [
    1 CRL Distribution Points:

    Distribution Point: [
    Distribution Point Name: URIName: http://balamood2.cc.vt.edu/crl/cacrl.crl
    Reason Flags: null
    Issuer: null
    ]
    ]

    [5]: ObjectId: 2.5.29.15 Criticality=false
    KeyUsage [
    Key_CertSign
    Crl_Sign
    ]

    [6]: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 04 84 ff 4b fd 2f 66 96 ed 57 3a 9d ba 61 a4 47 ...K..f..W...a.G
    0010: d2 61 a5 5b .a..
    ]
    ]

    ]
    Algorithm: SHA1withRSA
    Signature:
    0000: 0d f4 67 85 d4 9d ac d6 84 95 08 d1 9b ae 10 54 ..g............T
    0010: 88 14 7a 98 82 0d 01 0c d4 ac b8 87 5d 45 a6 1f ..z..........E..
    0020: 23 35 1d db 2a 1c eb 65 db c0 48 f3 b4 86 ff 26 .5.....e..H.....
    0030: 7f e5 9a 12 60 cb 00 d7 8f 5f f0 3d 71 bb 05 16 ............q...
    0040: 09 88 45 c4 e9 a2 59 b6 1a 8f d0 d3 1c ed 97 0c ..E...Y.........
    0050: 09 a6 95 4c f9 1c 13 03 0e 36 9c 65 d7 d7 ef 6d ...L.....6.e...m
    0060: 02 dc 09 11 8c 83 77 ce cb d0 c1 25 94 a5 e1 28 ......w.........
    0070: 4f a0 1b e7 d8 6f 16 e5 1f 77 9e 21 09 49 4f 45 O....o...w...IOE
    0080: 33 18 2a 06 41 c3 81 b7 4b 28 04 2a 8f ad ff 52 3...A...K......R
    0090: 3e ff e2 ba 2d 68 4c 76 70 b7 a5 b6 1a 83 81 86 .....hLvp.......
    00a0: e9 28 1a b4 25 53 d8 48 aa 1e 10 3a 73 18 e6 4c .....S.H....s..L
    00b0: 7a 02 32 24 6d 9e 63 aa 03 9d c6 82 4c 9f a7 b8 z.2.m.c.....L...
    00c0: aa 51 0d 34 a6 21 bc 12 08 16 9e 65 01 fb 16 4c .Q.4.......e...L
    00d0: 23 cd b8 b3 f2 44 43 c9 dc 1a 34 12 a7 d2 57 d6 .....DC...4...W.
    00e0: 30 fa 31 ac 50 2c 6b 7c c9 22 46 5e c4 21 d2 f6 0.1.P.k...F.....
    00f0: e5 69 d3 a1 de a6 db d5 c9 05 2f 9c d7 6d ae 6c .i...........m.l
    0100: 33 e8 68 98 43 57 9e 0c 52 bd b1 88 77 53 1a d1 3.h.CW..R...wS..
    0110: 88 52 ee b3 cf 64 6b 45 b5 5c fc fb 51 99 71 7a .R...dkE....Q.qz
    0120: 51 9d 1a 22 81 56 08 83 e5 a1 32 82 96 40 4d e8 Q....V....2...M.
    0130: b3 85 a6 65 aa 75 e8 da 4a e7 01 0f a1 78 4a 38 ...e.u..J....xJ8
    0140: 29 e4 ea 53 a1 08 e4 ac b9 1a 7b f5 ae 76 01 17 ...S.........v..
    0150: 74 27 38 d2 95 5c 28 5b 9f af ca 27 17 24 be 61 t.8............a
    0160: 8c be 45 c9 fa 1b 09 66 1a af c6 4d ea 75 93 78 ..E....f...M.u.x
    0170: 85 d6 54 56 a6 7e a3 3e a6 bb 38 7e 02 37 de 3c ..TV......8..7..
    0180: bd 0e 26 6f 6a e6 bf 2e 4d 3e 05 19 51 fa 3c 8f ...oj...M...Q...
    0190: c6 34 84 ea e7 ec 21 ed 2d de b7 a0 24 96 0c 84 .4..............
    01a0: 9a bf 3b f3 e6 e6 45 e8 61 93 c7 76 ee e0 94 0b ......E.a..v....
    01b0: 92 51 6f 10 5b 4a 27 90 3b f6 c7 a9 9e 4d 2e 08 .Qo..J.......M..
    01c0: 4b b5 d6 14 93 5d 65 83 a9 e8 d5 8a ab 58 ec 64 K.....e......X.d
    01d0: e6 4d 78 87 0b af 52 21 7d 11 fc 38 a8 d2 9a cc .Mx...R....8....
    01e0: 35 75 4f 0c 39 1e 33 49 d7 05 f7 9c f5 37 d8 6f 5uO.9.3I.....7.o
    01f0: e5 3d 4c d8 bf 1c 89 da 00 e6 90 d2 58 82 e2 be ..L.........X...

    ]
    X509TrustManagerImpl: Certificate [
    [
    Version: V3
    Subject: O="Crash Virginia Tech Root CA", L=Blacksburg, ST=Virginia, C=US
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

    Key: IBMJCE RSA Public Key:
    modulus:
    717251448857761993199895868528613877099088149925094065057788294985455480281029441782033389612735448337264998098719731300078739985635084506991095552677480670128039405383319879639755706132272837224435133089803226276715654437714304001400395971316503659095162804139858704299676765614920051949522186088086161845400837595457063230170207114253246990629792097386722086934627307594924754261507080602658399767789756613128887998147948558940992873803021525120632116590176984818180590504274627027096666279146221224448630680127071978497111723062559556585784295109313538336368311438217918262903190559023396356201446943033630642948206422639778738987506886777456088435536043696807733206646253879132533471083808138276233405672655101805414352454286283090957801391921810111779954023662098927103748219194454095001033584684601133744871744589532735866924154345878119070636848965896493971987699428945516212593044377062187448615972372556723459782008044445724348380230272334294864761966184668600696728978506773855741466022154289671895986014720761030203679761392957745802696320189581954709932047163997558226642326337562450284713463347306861262075403640779307143469687162386683833743477369969300582554631694795415234542044217881252132887569228176472889015088297
    public exponent:
    3

    Validity: [From: Fri Mar 26 10:20:29 EST 2004,
    To: Sun Mar 19 10:20:29 EST 2034]
    Issuer: O="Crash Virginia Tech Root CA", L=Blacksburg, ST=Virginia, C=US
    SerialNumber: [0]

    Certificate Extensions: 5
    [1]: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 1e 1f eb aa fc 21 08 f9 20 11 cf 4a ef 9e 96 bb ...........J....
    0010: 95 36 62 f6 .6b.
    ]
    SerialNumber: 0]

    [2]: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
    CA:true
    PathLen:2147483647
    ]

    [3]: ObjectId: 2.5.29.32 Criticality=false
    CertificatePolicies [
    [
    PolicyInformation: [
    CertPolicyId: 1.3.6.1.4.1.6760.5.2.2.1
    PolicyQualifiers: [PolicyQualifierInfo: [
    CPSuri: [
    object identifier: 1.3.6.1.5.5.7.2.1
    uri: http://radev.eprov.iad.vt.edu/rootca/cps/]
    ]
    ]]
    ]]

    [4]: ObjectId: 2.5.29.15 Criticality=false
    KeyUsage [
    Key_CertSign
    Crl_Sign
    ]

    [5]: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 1e 1f eb aa fc 21 08 f9 20 11 cf 4a ef 9e 96 bb ...........J....
    0010: 95 36 62 f6 .6b.
    ]
    ]

    ]
    Algorithm: SHA1withRSA
    Signature:
    0000: 72 c3 67 a8 a4 d4 f1 aa 79 9b 8f aa 01 35 8f e2 r.g.....y....5..
    0010: 76 65 58 3c 61 08 4b 36 32 df 78 b0 c9 c0 19 ce veX.a.K62.x.....
    0020: d3 2c c4 4a a9 cd e9 cc 82 24 fd 49 c9 ca 3b 14 ...J.......I....
    0030: 67 15 3e 9a c8 a5 8c ae bb 5d 11 5a 33 02 b4 94 g..........Z3...
    0040: 52 c3 ba 60 e3 e4 7f 64 d8 94 f4 93 29 01 a5 36 R......d.......6
    0050: 17 0a a9 d7 83 33 92 06 d4 03 79 76 10 03 11 76 .....3....yv...v
    0060: 2b bb 20 3e 87 ac ea 7e 3c 45 5b 9e e5 09 f1 14 .........E......
    0070: 11 3f ae de 16 78 4c f5 1a 39 1a 1f 36 00 7e 72 .....xL..9..6..r
    0080: 0e 45 4e f1 cb 97 b3 e6 e3 11 de fa 25 08 cd d0 .EN.............
    0090: 7f 2a b4 e6 79 5a 16 d5 a9 1d b8 bc 6b a7 09 a6 ....yZ......k...
    00a0: 6d c3 15 47 da ef 42 5c e8 62 0f b8 b4 1a a0 bb m..G..B..b......
    00b0: a6 e6 2d 9f db 85 8f 22 65 ef 72 7a 97 7b 10 3d ........e.rz....
    00c0: d8 bb 73 ce da c7 e9 12 63 23 03 ef c7 8a 7a 01 ..s.....c.....z.
    00d0: c0 b9 cd 34 bd 51 ea b4 50 12 74 fe 1b cb 80 25 ...4.Q..P.t.....
    00e0: 32 d3 b1 f6 35 f9 3d c2 3f 94 66 ae 84 be f3 05 2...5.....f.....
    00f0: 2e 2d 3f 41 c6 e0 4d ee d0 2b 8a 24 0d 48 76 17 ...A..M......Hv.
    0100: e3 5d 8f de 92 a3 fe f6 91 28 aa 2c 37 72 8b b9 ............7r..
    0110: cd 2e b9 e1 bf 63 e3 a6 9b 83 48 de c1 54 4e d5 .....c....H..TN.
    0120: 47 d4 30 46 b8 09 3f 39 e1 6e 20 60 86 43 06 2c G.0F...9.n...C..
    0130: ca 70 2e 46 01 4d c6 c4 7f ec bf 95 1c fa 3b c6 .p.F.M..........
    0140: ce 5e 5e 61 b9 76 5e a1 08 85 71 b7 19 1f 43 5a ...a.v....q...CZ
    0150: 63 b2 35 47 87 ae 90 ec 2b 50 87 f9 35 00 4a 70 c.5G.....P..5.Jp
    0160: 06 74 33 01 1e d8 c9 4d 9f ed 65 a5 be 04 6d 04 .t3....M..e...m.
    0170: 5f 12 73 83 cd 23 70 cc 90 24 36 89 c9 35 4b 5c ..s...p...6..5K.
    0180: 38 7d a8 2d 41 88 77 ad 9f cb 07 65 73 12 8b e0 8...A.w....es...
    0190: d5 f7 c4 48 dd a1 d4 82 56 b3 f3 5b a1 03 1f 7f ...H....V.......
    01a0: 74 e6 d0 cc 91 dc 3c da a7 9e a5 9a 3a 64 0e b0 t............d..
    01b0: c5 84 3a 64 e6 5a 8c 07 99 ca e4 75 b2 f0 65 33 ...d.Z.....u..e3
    01c0: d1 3d 67 2e 87 61 f2 fc 78 8b de 3e 1d d0 7e 5a ..g..a..x......Z
    01d0: 07 61 d5 20 fd c1 d6 87 04 ef b7 3b 22 7e f0 e2 .a..............
    01e0: 7a 66 e3 b7 24 a0 b6 75 6b a9 99 23 e8 06 fd 40 zf.....uk.......
    01f0: ec 98 81 61 e3 05 bf 26 b5 e0 69 e2 58 38 d2 db ...a......i.X8..

    ]
    Apr 1, 2004 10:23:36 AM edu.vt.middleware.ldap.Ldap startTls
    SEVERE: Could not negotiate TLS connection
    javax.net.ssl.SSLHandshakeException: handshake failure
    at com.ibm.jsse.bg.a(Unknown Source)
    at com.ibm.jsse.bg.startHandshake(Unknown Source)
    at com.sun.jndi.ldap.ext.StartTlsResponseImpl.startHandshake(StartTlsResponseImpl.java:354)
    at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:218)
    at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:171)
    at edu.vt.middleware.ldap.Ldap.startTls(Unknown Source)
    at edu.vt.middleware.ldap.Ldap.bind(Unknown Source)
    at edu.vt.middleware.ldap.Ldap.connect(Unknown Source)
    at edu.vt.middleware.ldap.Ldap.getContext(Unknown Source)
    at edu.vt.middleware.ldap.Ldap.search(Unknown Source)
    at edu.vt.middleware.ldap.Ldap.search(Unknown Source)
    at edu.vt.middleware.ldap.Ldap.main(Unknown Source)
    Apr 1, 2004 10:23:36 AM edu.vt.middleware.ldap.Ldap connect
    SEVERE: Error connecting to the LDAP
    javax.naming.NamingException: handshake failure
    at edu.vt.middleware.ldap.Ldap.startTls(Unknown Source)
    at edu.vt.middleware.ldap.Ldap.bind(Unknown Source)
    at edu.vt.middleware.ldap.Ldap.connect(Unknown Source)
    at edu.vt.middleware.ldap.Ldap.getContext(Unknown Source)
    at edu.vt.middleware.ldap.Ldap.search(Unknown Source)
    at edu.vt.middleware.ldap.Ldap.search(Unknown Source)
    at edu.vt.middleware.ldap.Ldap.main(Unknown Source)
    Exception in thread "main" javax.naming.NamingException: Could not connect to the LDAP.
    at edu.vt.middleware.ldap.Ldap.getContext(Unknown Source)
    at edu.vt.middleware.ldap.Ldap.search(Unknown Source)
    at edu.vt.middleware.ldap.Ldap.search(Unknown Source)
    at edu.vt.middleware.ldap.Ldap.main(Unknown Source)
  • SystemAdmin

    Re: SSL client auth failing

    2004-04-01T17:21:36Z
    After some more testing I think I have a better idea what the problem is.
    The IBM jre cannot seem to read the Bouncy Castle keystore, which would explain why client auth isn't working.
    Running the IBM keytool to list the contents of the keystore results in this error:

    Keystore type: BKS
    Keystore provider: BC

    Your keystore contains 1 entry

    Alias name: edid-client
    Creation date: Mar 29, 2004
    Entry type: keyEntry
    Certificate chain length: 1
    Certificate[1]:
    keytool error (likely untranslated): java.security.NoSuchAlgorithmException: class configured for MessageDigest(provider: BootstrapProvider version 1.1)cannot be found.
    com/ibm/security/bootstrap/JDKMessageDigest$SHA1

    Have you seen this error before?
    Thanks.
  • SystemAdmin

    Re: SSL client auth failing

    2004-04-02T07:56:35Z
    The error message looks familiar; IBM's security code has a very complex (and problematic) initialization sequence.
    The IBM jre should be able to read the BKS keystore if there is a provider available which supplies the required algorithms. There have been occasions where providers have failed to load, but no indication of a failure is presented to the user unless they actively switch on debugging, core security debugging not JSSE debugging.

    Try adding the following to the client jre when you invoke it from the command line.

    -Djava.security.debug=provider
  • SystemAdmin

    Re: SSL client auth failing

    2004-04-02T15:42:43Z
    I added the switch you suggested and here is the output:
    provider: statically registered providers
    provider: [0] com.ibm.crypto.provider.IBMJCE
    provider: [1] com.ibm.security.jgss.IBMJGSSProvider
    provider: [2] com.ibm.jsse.IBMJSSEProvider
    provider: [3] com.ibm.security.cert.IBMCertPath
    provider: [4] org.bouncycastle.jce.provider.BouncyCastleProvider
    provider:
    provider: loading provider com.ibm.crypto.provider.IBMJCE into slot 0 ...
    provider: slot 0 loaded with IBMJCE version 1.2
    provider: loading provider com.ibm.security.jgss.IBMJGSSProvider into slot 1 ...
    provider: slot 1 loaded with IBMJGSSProvider version 1.01
    provider: loading provider com.ibm.jsse.IBMJSSEProvider into slot 2 ...
    provider: slot 2 loaded with IBMJSSE version 1.41
    provider: loading provider com.ibm.security.cert.IBMCertPath into slot 3 ...
    provider: slot 3 loaded with IBMCertPath version 1.0
    provider: loading provider org.bouncycastle.jce.provider.BouncyCastleProvider into slot 4 ...
    provider: slot 4 loaded with BC version 1.21
    Apr 2, 2004 10:25:57 AM edu.vt.middleware.ldap.Ldap startTls
    SEVERE: Could not negotiate TLS connection
    javax.net.ssl.SSLHandshakeException: handshake failure
    at com.ibm.jsse.bg.a(Unknown Source)
    at com.ibm.jsse.bg.startHandshake(Unknown Source)
    at com.sun.jndi.ldap.ext.StartTlsResponseImpl.startHandshake(StartTlsResponseImpl.java:354)
    at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:218)
    at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:171)

    Interestingly enough the IBM 1.3.1 jre I have installed does not have this problem.
  • SystemAdmin

    Re: SSL client auth failing

    2004-04-02T16:11:38Z
    Ok, well, the Bouncy Castle provider seems to load. Now check that the keystore algorithm is available. Change the debug to "-Djava.security.debug=algorithm", and you should see a keystore type of BKS being supplied by BouncyCastleProvider. Look out for failure to access algorithms; there may be a few early on, but after that all algorithm requests should succeed. If you wish to see more information about who is trying to use the algorithms, add ",stack" to the end of "-Djava.security.debug=algorithm".

    As for it working on 1.3.1, well, the core classes were rewritten in 1.4. IBM's 1.3.1 SDK was closer to Sun's than 1.4 was; it may be this difference which is causing a problem.
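The two debug switches suggested in this thread (`-Djava.security.debug=provider` and `-Djava.security.debug=algorithm`) answer "did the provider load" and "who satisfies each algorithm request" from the JRE's side. The following class, an added example and not code from the thread, asks the same questions from application code, so the check can run inside the deployed client without core security debugging. It resolves each service the client-auth path needs in handshake order and, for the digests, actually computes one, because `getInstance` can succeed while the implementation class is missing (the keytool failure quoted earlier). The BKS type, the algorithm names and the Bouncy Castle provider class come from the thread; the class and method names are the example's own.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

/** Programmatic counterpart of -Djava.security.debug=provider,algorithm (added example, not from the thread). */
public class ProviderDiag {

    /** Registers Bouncy Castle by reflection if it is not already listed in java.security. */
    static void ensureBouncyCastle() throws Exception {
        if (Security.getProvider("BC") == null) {
            Provider bc = (Provider) Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider")
                .getDeclaredConstructor().newInstance();
            Security.addProvider(bc);
        }
    }

    /** Service name -> provider that satisfied it, or "FAILED: <exception>". Order mirrors the handshake. */
    static Map<String, String> resolve() {
        Map<String, String> report = new LinkedHashMap<>();

        // 1. Keystore type from the thread's command line. If several providers claim BKS,
        //    the lowest slot wins, which is why the order of providers in java.security matters.
        try {
            Provider[] claimants = Security.getProviders("KeyStore.BKS");
            KeyStore ks = KeyStore.getInstance("BKS");
            report.put("KeyStore.BKS", ks.getProvider().getName()
                + " (claimed by " + (claimants == null ? 0 : claimants.length) + " provider(s))");
        } catch (Exception e) { report.put("KeyStore.BKS", "FAILED: " + e); }

        // 2. Digests used for keystore integrity and certificate fingerprints. The digest is
        //    computed once so a missing implementation class fails here, not later in keytool.
        for (String alg : new String[] {"SHA-1", "SHA1", "MD5", "SHA-256"}) {
            try {
                MessageDigest md = MessageDigest.getInstance(alg);
                md.digest(new byte[] {1, 2, 3});
                report.put("MessageDigest." + alg, md.getProvider().getName());
            } catch (Exception e) { report.put("MessageDigest." + alg, "FAILED: " + e); }
        }

        // 3. Certificate parsing and the signature algorithm of the server chain in the trace.
        try { report.put("CertificateFactory.X.509", CertificateFactory.getInstance("X.509").getProvider().getName()); }
        catch (Exception e) { report.put("CertificateFactory.X.509", "FAILED: " + e); }
        try { report.put("Signature.SHA1withRSA", Signature.getInstance("SHA1withRSA").getProvider().getName()); }
        catch (Exception e) { report.put("Signature.SHA1withRSA", "FAILED: " + e); }

        // 4. The JSSE pieces that turn the keystore into a client certificate at handshake time.
        try {
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            report.put("KeyManagerFactory." + kmf.getAlgorithm(), kmf.getProvider().getName());
        } catch (Exception e) { report.put("KeyManagerFactory", "FAILED: " + e); }
        try { report.put("SSLContext.TLS", SSLContext.getInstance("TLS").getProvider().getName()); }
        catch (Exception e) { report.put("SSLContext.TLS", "FAILED: " + e); }
        return report;
    }

    public static void main(String[] args) throws Exception {
        ensureBouncyCastle();
        // Same information as the "statically registered providers" lines in the debug output above.
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.println("[" + i + "] " + providers[i].getName() + ": " + providers[i].getInfo());
        }
        for (Map.Entry<String, String> e : resolve().entrySet()) {
            System.out.println(e.getKey() + " -> " + e.getValue());
        }
    }
}
```

A FAILED line for any MessageDigest entry while KeyStore.BKS resolves to BC reproduces the situation in this thread: the keystore type is available but an algorithm the keystore or certificate code needs underneath it is not, and the JSSE layer reports only a generic handshake failure.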
  • SystemAdmin

    Re: SSL client auth failing

    2004-04-02T16:45:14Z
    I ran the client with the new debug switch, but I didn't see any errors.
    Here is a snippet of what I did see:
    algorithm: request for KeyStore BKS from null
    algorithm: request for BKS can be met by BC version 1.21
    algorithm: request for SecureRandom IBMSecureRandom from null
    algorithm: request for IBMSecureRandom can be met by IBMJCE version 1.2
    algorithm: request for MessageDigest MD5 from IBMJCE
    algorithm: request for MD5 can be met by IBMJCE version 1.2
    algorithm: MD5 created, class com.ibm.crypto.provider.MD5
    algorithm: IBMSecureRandom created, class com.ibm.crypto.provider.SecureRandom
    algorithm: BKS created, class org.bouncycastle.jce.provider.JDKKeyStore

    Perhaps the jre is just configured wrong somewhere.
    I've tried moving providers around, but nothing has worked.
  • NicolasB

    Re: SSL client auth failing

    2012-01-06T10:54:49Z
    Hello

    I'm still facing this problem.

    Did you find a solution?
  • NicolasB

    Re: SSL client auth failing

    2012-01-17T10:23:33Z
    See http://www.ibm.com/developerworks/forums/thread.jspa?threadID=48576&tstart=0&messageID=14778991#14778991 for a solution...