9 replies, latest post 2012-01-17T10:23:33Z by NicolasB
SystemAdmin

SSL client auth failing

2004-03-31T16:17:28Z
I'm trying to use the IBM 1.4.1 jre to do client auth with SSL.
(I'm using Debian with a 2.6.4 kernel.)
It is failing with the following exception:
SEVERE: Could not negotiate TLS connection
javax.net.ssl.SSLHandshakeException: handshake failure
at com.ibm.jsse.bg.a(Unknown Source)
at com.ibm.jsse.bg.startHandshake(Unknown Source)
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.startHandshake(StartTlsResponseImpl.java:354)
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:218)
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:171)

This failure occurs right after the client receives the server cert chain.
It appears that my client is not sending the client certificate, based on server logs.
I've tried my code against both Apache and OpenLDAP with the same results; however, the Sun jre works correctly.

Has anyone seen this problem before?
I also tried implementing my own KeyManager so that I could force the correct client cert to be chosen.
Again this worked for the Sun jre, but not the IBM.
I can provide a debug trace if that would help.
Thanks.
  • SystemAdmin
    Re: SSL client auth failing
    2004-04-01T14:42:15Z  in response to SystemAdmin
    Debug trace for the client would help.

    I can't think of a reason why your code should work on a Sun JVM acting as the client but not an IBM one.
    • SystemAdmin
      Re: SSL client auth failing
      2004-04-01T15:27:30Z  in response to SystemAdmin
      Here is the debug trace:
      Testing /apps/local/java/IBMJava2-141/bin/java
      Commandline switches:
      -Djavax.net.debug=true
      -Djavax.net.ssl.trustStore=vt.dev.truststore -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStoreType=BKS
      -Djavax.net.ssl.keyStore=edid.dev.keystore -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.keyStoreType=BKS
      TrustManagerFactoryImpl: trustStore is : vt.dev.truststore
      TrustManagerFactoryImpl: trustStore type is : BKS
      TrustManagerFactoryImpl: init truststore
      KeyManagerFactoryImpl: keyStore is : edid.dev.keystore
      KeyManagerFactoryImpl: keyStore type is : BKS
      KeyManagerFactoryImpl: init keystore
      KeyManagerFactoryImpl: init keystore
      JSSEContext: handleSession[Socket[addr=ed-dev.middleware.iad.vt.edu/198.82.160.148,port=12389,localport=47678]]
      JSSEContext: confirmPeerCertificate[Socket[addr=ed-dev.middleware.iad.vt.edu/198.82.160.148,port=12389,localport=47678]]
      X509TrustManagerImpl: checkServerTrusted
      X509TrustManagerImpl: Certificate [
      [
      Version: V3
      Subject: CN=ed-dev.middleware.iad.vt.edu, OU=3, OU=Middleware-Server, O=Virginia Polytechnic Institute and State University, L=Blacksburg, ST=Virginia, C=US, DC=vt, DC=edu
      Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

      Key: IBMJCE RSA Public Key:
      modulus:
      public exponent:
      65537

      Validity: [From: Fri Mar 26 15:25:49 EST 2004,
      To: Sat Mar 26 15:25:49 EST 2005]
      Issuer: CN=Virginia Tech Middleware CA, O=Virginia Polytechnic Institute and State University, C=US, DC=vt, DC=edu
      SerialNumber: [3]

      Certificate Extensions: 7
      [1]: ObjectId: 2.5.29.35 Criticality=false
      AuthorityKeyIdentifier [
      KeyIdentifier [
      0000: 04 84 ff 4b fd 2f 66 96 ed 57 3a 9d ba 61 a4 47 ...K..f..W...a.G
      0010: d2 61 a5 5b .a..
      ]
      SerialNumber: 3]

      [2]: ObjectId: 2.5.29.19 Criticality=false
      BasicConstraints:[
      CA:false
      PathLen: undefined
      ]

      [3]: ObjectId: 2.5.29.32 Criticality=false
      CertificatePolicies [
      [
      PolicyInformation: [
      CertPolicyId: 1.3.6.1.4.1.6760.5.2.2.1.1
      PolicyQualifiers: null]
      ,
      PolicyInformation: [
      CertPolicyId: 1.3.6.1.4.1.6760.5.2.2.2.1
      PolicyQualifiers: null]
      ,
      PolicyInformation: [
      CertPolicyId: 1.3.6.1.4.1.6760.5.2.2.3.1
      PolicyQualifiers: null]
      ,
      PolicyInformation: [
      CertPolicyId: 1.3.6.1.4.1.6760.5.2.2.4.1
      PolicyQualifiers: null]
      ,
      PolicyInformation: [
      CertPolicyId: 1.3.6.1.4.1.6760.5.2.2.5.1
      PolicyQualifiers: [PolicyQualifierInfo: [
      CPSuri: [
      object identifier: 1.3.6.1.5.5.7.2.1
      uri: http://www.pki.vt.edu/vtmw/cps/]
      ]
      ]]
      ]]

      [4]: ObjectId: 2.5.29.31 Criticality=false
      CRLDistributionPoints [
      1 CRL Distribution Points:

      Distribution Point: [
      Distribution Point Name: URIName: https://crashvtmwca.devpki.vt.edu/ca/0917/crashvtmwca/htdocs/pub/crl/cacrl.crl
      Reason Flags: null
      Issuer: null
      ]
      ]

      [5]: ObjectId: 2.5.29.15 Criticality=false
      KeyUsage [
      DigitalSignature
      Non_repudiation
      Key_Encipherment
      Data_Encipherment
      ]

      [6]: ObjectId: 2.5.29.14 Criticality=false
      SubjectKeyIdentifier [
      KeyIdentifier [
      0000: bd d1 bb d3 d5 95 5f b8 40 8e c1 61 a1 f7 19 be ...........a....
      0010: 5c 7c a8 e2 ....
      ]
      ]

      [7]: ObjectId: 2.5.29.37 Criticality=false
      ExtKeyUsage [
      1.3.6.1.5.5.7.3.1]

      ]
      Algorithm: SHA1withRSA
      Signature:

      ]
      X509TrustManagerImpl: Certificate [
      [
      Version: V3
      Subject: CN=Virginia Tech Middleware CA, O=Virginia Polytechnic Institute and State University, C=US, DC=vt, DC=edu
      Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

      Key: IBMJCE RSA Public Key:
      modulus:
      public exponent:
      3

      Validity: [From: Fri Mar 26 11:22:00 EST 2004,
      To: Mon Mar 24 11:22:00 EST 2014]
      Issuer: O="Crash Virginia Tech Root CA", L=Blacksburg, ST=Virginia, C=US
      SerialNumber: [3]

      Certificate Extensions: 6
      [1]: ObjectId: 2.5.29.35 Criticality=false
      AuthorityKeyIdentifier [
      KeyIdentifier [
      0000: 1e 1f eb aa fc 21 08 f9 20 11 cf 4a ef 9e 96 bb ...........J....
      0010: 95 36 62 f6 .6b.
      ]
      SerialNumber: 0]

      [2]: ObjectId: 2.5.29.19 Criticality=true
      BasicConstraints:[
      CA:true
      PathLen:2147483647
      ]

      [3]: ObjectId: 2.5.29.32 Criticality=false
      CertificatePolicies [
      [
      PolicyInformation: [
      CertPolicyId: 1.3.6.1.4.1.6760.5.2.2.1
      PolicyQualifiers: [PolicyQualifierInfo: [
      CPSuri: [
      object identifier: 1.3.6.1.5.5.7.2.1
      uri: http://radev.eprov.iad.vt.edu/rootca/cps/]
      ]
      ]]
      ]]

      [4]: ObjectId: 2.5.29.31 Criticality=false
      CRLDistributionPoints [
      1 CRL Distribution Points:

      Distribution Point: [
      Distribution Point Name: URIName: http://balamood2.cc.vt.edu/crl/cacrl.crl
      Reason Flags: null
      Issuer: null
      ]
      ]

      [5]: ObjectId: 2.5.29.15 Criticality=false
      KeyUsage [
      Key_CertSign
      Crl_Sign
      ]

      [6]: ObjectId: 2.5.29.14 Criticality=false
      SubjectKeyIdentifier [
      KeyIdentifier [
      0000: 04 84 ff 4b fd 2f 66 96 ed 57 3a 9d ba 61 a4 47 ...K..f..W...a.G
      0010: d2 61 a5 5b .a..
      ]
      ]

      ]
      Algorithm: SHA1withRSA
      Signature:

      ]
      X509TrustManagerImpl: Certificate [
      [
      Version: V3
      Subject: O="Crash Virginia Tech Root CA", L=Blacksburg, ST=Virginia, C=US
      Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

      Key: IBMJCE RSA Public Key:
      modulus:
      public exponent:
      3

      Validity: [From: Fri Mar 26 10:20:29 EST 2004,
      To: Sun Mar 19 10:20:29 EST 2034]
      Issuer: O="Crash Virginia Tech Root CA", L=Blacksburg, ST=Virginia, C=US
      SerialNumber: [0]

      Certificate Extensions: 5
      [1]: ObjectId: 2.5.29.35 Criticality=false
      AuthorityKeyIdentifier [
      KeyIdentifier [
      0000: 1e 1f eb aa fc 21 08 f9 20 11 cf 4a ef 9e 96 bb ...........J....
      0010: 95 36 62 f6 .6b.
      ]
      SerialNumber: 0]

      [2]: ObjectId: 2.5.29.19 Criticality=true
      BasicConstraints:[
      CA:true
      PathLen:2147483647
      ]

      [3]: ObjectId: 2.5.29.32 Criticality=false
      CertificatePolicies [
      [
      PolicyInformation: [
      CertPolicyId: 1.3.6.1.4.1.6760.5.2.2.1
      PolicyQualifiers: [PolicyQualifierInfo: [
      CPSuri: [
      object identifier: 1.3.6.1.5.5.7.2.1
      uri: http://radev.eprov.iad.vt.edu/rootca/cps/]
      ]
      ]]
      ]]

      [4]: ObjectId: 2.5.29.15 Criticality=false
      KeyUsage [
      Key_CertSign
      Crl_Sign
      ]

      [5]: ObjectId: 2.5.29.14 Criticality=false
      SubjectKeyIdentifier [
      KeyIdentifier [
      0000: 1e 1f eb aa fc 21 08 f9 20 11 cf 4a ef 9e 96 bb ...........J....
      0010: 95 36 62 f6 .6b.
      ]
      ]

      ]
      Algorithm: SHA1withRSA
      Signature:

      ]
      Apr 1, 2004 10:23:36 AM edu.vt.middleware.ldap.Ldap startTls
      SEVERE: Could not negotiate TLS connection
      javax.net.ssl.SSLHandshakeException: handshake failure
      at com.ibm.jsse.bg.a(Unknown Source)
      at com.ibm.jsse.bg.startHandshake(Unknown Source)
      at com.sun.jndi.ldap.ext.StartTlsResponseImpl.startHandshake(StartTlsResponseImpl.java:354)
      at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:218)
      at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:171)
      at edu.vt.middleware.ldap.Ldap.startTls(Unknown Source)
      at edu.vt.middleware.ldap.Ldap.bind(Unknown Source)
      at edu.vt.middleware.ldap.Ldap.connect(Unknown Source)
      at edu.vt.middleware.ldap.Ldap.getContext(Unknown Source)
      at edu.vt.middleware.ldap.Ldap.search(Unknown Source)
      at edu.vt.middleware.ldap.Ldap.search(Unknown Source)
      at edu.vt.middleware.ldap.Ldap.main(Unknown Source)
      Apr 1, 2004 10:23:36 AM edu.vt.middleware.ldap.Ldap connect
      SEVERE: Error connecting to the LDAP
      javax.naming.NamingException: handshake failure
      at edu.vt.middleware.ldap.Ldap.startTls(Unknown Source)
      at edu.vt.middleware.ldap.Ldap.bind(Unknown Source)
      at edu.vt.middleware.ldap.Ldap.connect(Unknown Source)
      at edu.vt.middleware.ldap.Ldap.getContext(Unknown Source)
      at edu.vt.middleware.ldap.Ldap.search(Unknown Source)
      at edu.vt.middleware.ldap.Ldap.search(Unknown Source)
      at edu.vt.middleware.ldap.Ldap.main(Unknown Source)
      Exception in thread "main" javax.naming.NamingException: Could not connect to the LDAP.
      at edu.vt.middleware.ldap.Ldap.getContext(Unknown Source)
      at edu.vt.middleware.ldap.Ldap.search(Unknown Source)
      at edu.vt.middleware.ldap.Ldap.search(Unknown Source)
      at edu.vt.middleware.ldap.Ldap.main(Unknown Source)
    • SystemAdmin
      Re: SSL client auth failing
      2004-04-01T17:21:36Z  in response to SystemAdmin
      After some more testing I think I have a better idea what the problem is.
      The IBM jre cannot seem to read the Bouncy Castle keystore, which would explain why client auth isn't working.
      Running the IBM keytool to list the contents of the keystore results in this error:

      Keystore type: BKS
      Keystore provider: BC

      Your keystore contains 1 entry

      Alias name: edid-client
      Creation date: Mar 29, 2004
      Entry type: keyEntry
      Certificate chain length: 1
      Certificate[1]:
      keytool error (likely untranslated): java.security.NoSuchAlgorithmException: class configured for MessageDigest(provider: BootstrapProvider version 1.1)cannot be found.
      com/ibm/security/bootstrap/JDKMessageDigest$SHA1

      Have you seen this error before?
      Thanks.
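A standalone diagnostic for the situation described in this post, added here and not code from the thread or from any IBM or Bouncy Castle project: it loads the keystore exactly as JSSE does, forces every key entry's certificate chain to be parsed (the step at which the keytool error above surfaces), and then asks the default KeyManager which alias it would present to a server. A result of "NO certificate" reproduces the symptom of the original post without a network connection. It is written for a current JDK; the file name, password and type default to the values used in the thread's command line, and it assumes the Bouncy Castle provider is registered (in java.security or via Security.addProvider) so that BKS resolves.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;

// Added diagnostic (not from the thread): check that a client keystore is
// readable and that a client certificate would actually be selected, before
// attributing a "handshake failure" to the TLS layer.
public class KeyStoreCheck {
    public static void main(String[] args) throws Exception {
        // Defaults match the -Djavax.net.ssl.keyStore* switches quoted in the thread.
        String path = args.length > 0 ? args[0] : "edid.dev.keystore";
        char[] pass = (args.length > 1 ? args[1] : "changeit").toCharArray();
        String type = args.length > 2 ? args[2] : "BKS";

        // Assumption: a provider supplying "BKS" (Bouncy Castle) is already registered.
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            // If the provider chain cannot supply the digest/cipher the keystore
            // format needs, this is where a NoSuchAlgorithmException appears.
            ks.load(in, pass);
        }
        System.out.println("Keystore type " + ks.getType()
            + " served by provider " + ks.getProvider().getName());

        // Walk every entry and force the certificate chain to be decoded.
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) {
                System.out.println(alias + ": trusted certificate entry only");
                continue;
            }
            Certificate[] chain = ks.getCertificateChain(alias);
            if (chain == null || chain.length == 0) {
                System.out.println(alias + ": key entry WITHOUT a certificate chain");
                continue;
            }
            X509Certificate leaf = (X509Certificate) chain[0];
            leaf.checkValidity(); // throws if the client cert is expired or not yet valid
            System.out.println(alias + ": key entry, chain length " + chain.length
                + ", subject " + leaf.getSubjectX500Principal()
                + ", issuer " + leaf.getIssuerX500Principal());
            boolean[] ku = leaf.getKeyUsage();
            if (ku != null && !ku[0]) {
                // Servers commonly reject client certs lacking digitalSignature.
                System.out.println("  warning: KeyUsage does not include digitalSignature");
            }
        }

        // Ask the KeyManager the question the TLS client asks on CertificateRequest.
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pass);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) {
                String chosen = ((X509KeyManager) km)
                    .chooseClientAlias(new String[] {"RSA"}, null, null);
                System.out.println("KeyManager would send: "
                    + (chosen == null ? "NO certificate" : chosen));
            }
        }
    }
}
```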
      • SystemAdmin
        Re: SSL client auth failing
        2004-04-02T07:56:35Z  in response to SystemAdmin
        The error message looks familiar; IBM's security code has a very complex (and problematic) initialization sequence.
        The IBM jre should be able to read the BKS keystore if there is a provider available which supplies the required algorithms. There have been occasions where providers have failed to load, but no indication of a failure is presented to the user unless they actively switch on debugging, core security debugging not JSSE debugging.

        Try adding the following to the client jre when you invoke it from the command line.

        -Djava.security.debug=provider
        • SystemAdmin
          Re: SSL client auth failing
          2004-04-02T15:42:43Z  in response to SystemAdmin
          I added the switch you suggested and here is the output:
          provider: statically registered providers
          provider: [0] com.ibm.crypto.provider.IBMJCE
          provider: [1] com.ibm.security.jgss.IBMJGSSProvider
          provider: [2] com.ibm.jsse.IBMJSSEProvider
          provider: [3] com.ibm.security.cert.IBMCertPath
          provider: [4] org.bouncycastle.jce.provider.BouncyCastleProvider
          provider:
          provider: loading provider com.ibm.crypto.provider.IBMJCE into slot 0 ...
          provider: slot 0 loaded with IBMJCE version 1.2
          provider: loading provider com.ibm.security.jgss.IBMJGSSProvider into slot 1 ...
          provider: slot 1 loaded with IBMJGSSProvider version 1.01
          provider: loading provider com.ibm.jsse.IBMJSSEProvider into slot 2 ...
          provider: slot 2 loaded with IBMJSSE version 1.41
          provider: loading provider com.ibm.security.cert.IBMCertPath into slot 3 ...
          provider: slot 3 loaded with IBMCertPath version 1.0
          provider: loading provider org.bouncycastle.jce.provider.BouncyCastleProvider into slot 4 ...
          provider: slot 4 loaded with BC version 1.21
          Apr 2, 2004 10:25:57 AM edu.vt.middleware.ldap.Ldap startTls
          SEVERE: Could not negotiate TLS connection
          javax.net.ssl.SSLHandshakeException: handshake failure
          at com.ibm.jsse.bg.a(Unknown Source)
          at com.ibm.jsse.bg.startHandshake(Unknown Source)
          at com.sun.jndi.ldap.ext.StartTlsResponseImpl.startHandshake(StartTlsResponseImpl.java:354)
          at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:218)
          at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:171)

          Interestingly enough the IBM 1.3.1 jre I have installed does not have this problem.
          • SystemAdmin
            Re: SSL client auth failing
            2004-04-02T16:11:38Z  in response to SystemAdmin
            OK, well, the Bouncy Castle provider seems to load. Now check that the keystore algorithm is available. Change the debug to "-Djava.security.debug=algorithm"; you should see a keystore type of BKS being supplied by BouncyCastleProvider. Look out for failures to access algorithms; there may be a few early on, but after that all algorithm requests should succeed. If you wish to see more information about who is trying to use the algorithms, add ",stack" to the end of "-Djava.security.debug=algorithm".

            As for it working on 1.3.1: well, the core classes were rewritten in 1.4. IBM's 1.3.1 SDK was closer to Sun's than 1.4 was; it may be this difference which is causing the problem.
            • SystemAdmin
              Re: SSL client auth failing
              2004-04-02T16:45:14Z  in response to SystemAdmin
              I ran the client with the new debug switch, but I didn't see any errors.
              Here is a snippet of what I did see:
              algorithm: request for KeyStore BKS from null
              algorithm: request for BKS can be met by BC version 1.21
              algorithm: request for SecureRandom IBMSecureRandom from null
              algorithm: request for IBMSecureRandom can be met by IBMJCE version 1.2
              algorithm: request for MessageDigest MD5 from IBMJCE
              algorithm: request for MD5 can be met by IBMJCE version 1.2
              algorithm: MD5 created, class com.ibm.crypto.provider.MD5
              algorithm: IBMSecureRandom created, class com.ibm.crypto.provider.SecureRandom
              algorithm: BKS created, class org.bouncycastle.jce.provider.JDKKeyStore

              Perhaps the jre is just configured wrong somewhere.
              I've tried moving providers around, but nothing has worked.
  • NicolasB
    Re: SSL client auth failing
    2012-01-06T10:54:49Z  in response to SystemAdmin
    Hello

    I'm still facing this problem.

    Did you find a solution?
  • NicolasB
    Re: SSL client auth failing
    2012-01-17T10:23:33Z  in response to SystemAdmin
    See http://www.ibm.com/developerworks/forums/thread.jspa?threadID=48576&tstart=0&messageID=14778991#14778991 for a solution...