The configuration
I'm using the FtpsClient
from apache commons net 3.0.1 to talk to the FtpServer
from apache ftpserver 1.0.6.
Client and server use FTPS with installed certificates on both sides. The failing code is a junit test running client and server in separate threads. The certificates are generated and put in keystores within the junit test.
The Problem
The communication succeeds when running with java 6. But after switching to java 7 I get the error:
%% Invalidated: [Session-2, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
main, SEND TLSv1 ALERT: fatal, description = certificate_unknown
What I already tried:
I upgraded to apache commons net 3.3 and apache mina 2.0.7 without any change in the behaviour.
I also removed the line
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
from the file
java.security
inside the JDK7.I switched to Java 1.6.20, Java 1.6.45 (both succeeding), Java 1.7.06 and Java 1.7.45 (both failing).
I tried to set the properties
sun.security.ssl.allowUnsafeRenegotiation
andsun.security.ssl.allowLegacyHelloMessages
totrue
Question
Do you have any idea how to make the communication work with java 7?
More info
Here is the full output of the failing communication with java 7:
***
found key for : clientkey
chain [0] = [0] Version: 3
SerialNumber: 4712
IssuerDN: CN=Test Client CA
Start Date: Sat Dec 14 18:42:58 CET 2013
Final Date: Sun Dec 15 18:42:58 CET 2013
SubjectDN: CN=Test Client
Public Key: RSA Public Key
modulus: bc3ba4ad85d762c901a059ef55a82a1b5064a4d0f83de811a561f8ec5abf7dad4c1955434f091b3051eb37916cfbcaa293f547ed93b15e23991019ba500aee05e27d4810d56f216b685ee0f5209f77b1f500468d7e8746ffec3467f7b50004f93bc8e5a09be8871802b22d09a517ae5e543956f8475bad359391571815cb0d2d
public exponent: 3
Signature Algorithm: SHA256WithRSAEncryption
Signature: 1d1e107af090afb3806a81a1252d0714568cec43
3ea38f8600db1fc4409f0646b8b235ecf844b610
ed0c8110838ca8985bbcbe0176533fe051732958
2b834f4292f6503d1634cb3bfdcb5c70ca3da354
a92bbeb2fe02484b2c176b5e830116bdf2098353
35c95a3114c28dc248f85ac841406f400174779e
d194532d922dbc2d
***
***
found key for : serverkey
chain [0] = [0] Version: 3
SerialNumber: 4712
IssuerDN: CN=Test Server CA
Start Date: Sat Dec 14 18:42:57 CET 2013
Final Date: Sun Dec 15 18:42:57 CET 2013
SubjectDN: CN=Test Server
Public Key: RSA Public Key
modulus: bf7993e847452df221d9b018869d635260e3764543db9df97d03a6e99fb4dba4d91a991406c6cfcf2f5ec669e3bd0bb464ccd4691108c03d6d265c66bc2adfc521225ea766137abcdaa38cea6505af0f25155bceb15eceb9dd6c25e2e393c889b5a86b4fce91fafc759ec556c9544b07a58a9335ccd89c8b4320b814bbdc3561
public exponent: 3
Signature Algorithm: SHA256WithRSAEncryption
Signature: 8c75362adb73ed9797e0d11e13c73a24f715a772
76c8c12188a5e50cc7823ba36f4f8c3a0f6ee70d
6c55a1f78791c753d9820ea26bc127d87d5add17
5330a1015b45d5aad881b3f8e34e875622a277b1
4a9267ca8fade00d1dcdbc92fd50e711e59e11c1
e918a807479608f8f3cd475feb90c7bbc82cb15f
1eb119e2b899a3db
***
adding as trusted cert:
Subject: CN=Test Server
Issuer: CN=Test Server CA
Algorithm: RSA; Serial number: 0x1268
Valid from Sat Dec 14 18:42:57 CET 2013 until Sun Dec 15 18:42:57 CET 2013
adding as trusted cert:
Subject: CN=Test Client CA
Issuer: CN=Test Client CA
Algorithm: RSA; Serial number: 0x1267
Valid from Sat Dec 14 18:43:57 CET 2013 until Sun Dec 15 18:43:57 CET 2013
trigger seeding of SecureRandom
done seeding SecureRandom
Using SSLEngineImpl.
Allow unsafe renegotiation: true
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for SSLv2Hello
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for SSLv2Hello
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for SSLv2Hello
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for SSLv2Hello
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for SSLv2Hello
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for SSLv2Hello
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for SSLv2Hello
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for SSLv3
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for SSLv3
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for SSLv3
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for SSLv3
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for SSLv3
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for SSLv3
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for SSLv3
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
X509KeyManager passed to SSLContext.init(): need an X509ExtendedKeyManager for SSLEngine use
trigger seeding of SecureRandom
done seeding SecureRandom
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Allow unsafe renegotiation: true
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Allow unsafe renegotiation: true
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1370200030 bytes = { 234, 58, 111, 82, 3, 147, 102, 163, 67, 234, 5, 39, 120, 1, 72, 181, 97, 205, 100, 87, 239, 22, 237, 213, 149, 131, 180, 33 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
***
[write] MD5 and SHA1 hashes: len = 163
0000: 01 00 00 9F 03 01 52 AC 98 DE EA 3A 6F 52 03 93 ......R....:oR..
0010: 66 A3 43 EA 05 27 78 01 48 B5 61 CD 64 57 EF 16 f.C..'x.H.a.dW..
0020: ED D5 95 83 B4 21 00 00 38 C0 0A C0 14 00 35 C0 .....!..8.....5.
0030: 05 C0 0F 00 39 00 38 C0 09 C0 13 00 2F C0 04 C0 ....9.8...../...
0040: 0E 00 33 00 32 C0 07 C0 11 00 05 C0 02 C0 0C C0 ..3.2...........
0050: 08 C0 12 00 0A C0 03 C0 0D 00 16 00 13 00 04 00 ................
0060: FF 01 00 00 3E 00 0A 00 34 00 32 00 17 00 01 00 ....>...4.2.....
0070: 03 00 13 00 15 00 06 00 07 00 09 00 0A 00 18 00 ................
0080: 0B 00 0C 00 19 00 0D 00 0E 00 0F 00 10 00 11 00 ................
0090: 02 00 12 00 04 00 05 00 14 00 08 00 16 00 0B 00 ................
00A0: 02 01 00 ...
main, WRITE: TLSv1 Handshake, length = 163
[Raw write]: length = 168
0000: 16 03 01 00 A3 01 00 00 9F 03 01 52 AC 98 DE EA ...........R...[Raw read]: length = 5
.
00100000: : 163A 0 6F3 52 01 03 0 930 66 A3 A3 43 EA 0 5 27 78 01 48 B 5 6.1. . .:oR..
.f.C[Raw read]: length = 163
..0'0x00.H: 01. 00a
002000: 9FCD 03 64 01 57 52 EF AC 16 ED 98 D5 DE 95 EA 3 83A B4 6F 21 5 002 00 03 38 93 C0 0A . ..d.W.....R........:oR.!....8
0010.: 66. A3
0030 43: C0 EA 14 05 00 27 35 78 C0 01 05 C 480 B5 0F 61 CD00 64 5739 EF 00 16 3 8 f .CC0. 09.'x C0. 13H .a ..d.W.5....
0020.: ED. D5.9 95.8 83. B4. 21. 00. 0
00400: 00 38 C02F 0A C C00 14 04 00 C0 35 0E C0 00 33 . .0.0..! 32. C0.8 07. C0. .1.1.5 .0
00300: 05 05 C0 0./F. .00. .3.39.2 .00. .3.8. .C0
0 050 09: C C00 13 02 00 C0 2F 0C C0 C0 04 08 C0 C0 12 . .0.0.9 .80A. .C.0. 03. C0/ .0D. .0
00400: 0 16E 00 .3.3. 00. 32. C0. 0.7. .C0. . 1.1. .0.0.
006005: C000 02 13 C0 00 0C 04 C0 00 F F. .301.2 .0.0. . .0.0. 3E. 00. 0A. 00.
005034: 0008 32 C0 1 2. .00. 0A. C.0. .0.3.> .C.0.4 .2
00700D: 0000 16 17 00 00 13 01 0000 03 0004 13 0 000 15 00 .0.6. 00. 07. 00. 09. . ................
.0060.: .FF.. 0.1. 00. 00
0080 : 003E 0A 00 00 0A 18 0 000 0B 00 34 0C 00 3 002 19 00 00 1 0D7 00 00 0E 01 00 00 0F .......>......4..2...........
.0070.: 03. 00
009 130 00: 00 15 10 00 00 06 11 00 0 0 07 02 00 0900 00 12 0A 0000 04 18 00 00 05 00 1.4. .00. .0.8. . ................
.0.0.8.0.: 0B.. 00. 0C
00 00A 190 00: 00 0D 16 00 00 0E0B 00 00 0F 02 00 01 10 00 00 11 00 . . . . . .................
..
0090: 02 00 12 00 04 00 05 00 14 00 08 00 16 00 0B 00 ................
00A0: 02 01 00 ...
NioProcessor-3, READ: TLSv1 Handshake, length = 163
*** ClientHello, TLSv1
RandomCookie: GMT: 1370200030 bytes = { 234, 58, 111, 82, 3, 147, 102, 163, 67, 234, 5, 39, 120, 1, 72, 181, 97, 205, 100, 87, 239, 22, 237, 213, 149, 131, 180, 33 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
***
[read] MD5 and SHA1 hashes: len = 163
0000: 01 00 00 9F 03 01 52 AC 98 DE EA 3A 6F 52 03 93 ......R....:oR..
0010: 66 A3 43 EA 05 27 78 01 48 B5 61 CD 64 57 EF 16 f.C..'x.H.a.dW..
0020: ED D5 95 83 B4 21 00 00 38 C0 0A C0 14 00 35 C0 .....!..8.....5.
0030: 05 C0 0F 00 39 00 38 C0 09 C0 13 00 2F C0 04 C0 ....9.8...../...
0040: 0E 00 33 00 32 C0 07 C0 11 00 05 C0 02 C0 0C C0 ..3.2...........
0050: 08 C0 12 00 0A C0 03 C0 0D 00 16 00 13 00 04 00 ................
0060: FF 01 00 00 3E 00 0A 00 34 00 32 00 17 00 01 00 ....>...4.2.....
0070: 03 00 13 00 15 00 06 00 07 00 09 00 0A 00 18 00 ................
0080: 0B 00 0C 00 19 00 0D 00 0E 00 0F 00 10 00 11 00 ................
0090: 02 00 12 00 04 00 05 00 14 00 08 00 16 00 0B 00 ................
00A0: 02 01 00 ...
%% Initialized: [Session-1, SSL_NULL_WITH_NULL_NULL]
matching alias: serverkey
%% Negotiating: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
*** ServerHello, TLSv1
RandomCookie: GMT: 1370200030 bytes = { 235, 19, 174, 10, 126, 94, 2, 53, 13, 203, 115, 119, 217, 226, 248, 251, 141, 255, 72, 117, 214, 8, 178, 182, 69, 65, 74, 111 }
Session ID: {82, 172, 152, 222, 202, 68, 136, 188, 163, 83, 250, 80, 9, 33, 99, 223, 176, 113, 255, 245, 119, 35, 136, 114, 29, 204, 36, 7, 135, 58, 46, 58}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
Cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
*** Certificate chain
chain [0] = [0] Version: 3
SerialNumber: 4712
IssuerDN: CN=Test Server CA
Start Date: Sat Dec 14 18:42:57 CET 2013
Final Date: Sun Dec 15 18:42:57 CET 2013
SubjectDN: CN=Test Server
Public Key: RSA Public Key
modulus: bf7993e847452df221d9b018869d635260e3764543db9df97d03a6e99fb4dba4d91a991406c6cfcf2f5ec669e3bd0bb464ccd4691108c03d6d265c66bc2adfc521225ea766137abcdaa38cea6505af0f25155bceb15eceb9dd6c25e2e393c889b5a86b4fce91fafc759ec556c9544b07a58a9335ccd89c8b4320b814bbdc3561
public exponent: 3
Signature Algorithm: SHA256WithRSAEncryption
Signature: 8c75362adb73ed9797e0d11e13c73a24f715a772
76c8c12188a5e50cc7823ba36f4f8c3a0f6ee70d
6c55a1f78791c753d9820ea26bc127d87d5add17
5330a1015b45d5aad881b3f8e34e875622a277b1
4a9267ca8fade00d1dcdbc92fd50e711e59e11c1
e918a807479608f8f3cd475feb90c7bbc82cb15f
1eb119e2b899a3db
***
*** ECDH ServerKeyExchange
Server key: Sun EC public key, 256 bits
public x coord: 104116730850349228150645500726559419876454110473705724347998613959037720473709
public y coord: 26531088832836488156715632939801149563569358316815609029138071362300859258679
parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Cert Authorities:
<CN=Test Server>
<CN=Test Client CA>
*** ServerHelloDone
[write] MD5 and SHA1 hashes: len = 785
0000: 02 00 00 4D 03 01 52 AC 98 DE EB 13 AE 0A 7E 5E ...M..R........^
...
0300: 65 73 74 20 43 6C 69 65 6E 74 20 43 41 0E 00 00 est Client CA...
0310: 00 .
NioProcessor-3, WRITE: TLSv1 Handshake, length = 785
[Raw write]: length = 790
0000: 16 03 01 03 11 02 00 00 4D 03 01 52 AC 98 DE EB ........M..R....
...
0310: 43 41 0E 00 00 00 CA....
[Raw read]: length = 5
0000: 16 03 01 03 11 .....
[Raw read]: length = 785
0000: 02 00 00 4D 03 01 52 AC 98 DE EB 13 AE 0A 7E 5E ...M..R........^
...
0300: 65 73 74 20 43 6C 69 65 6E 74 20 43 41 0E 00 00 est Client CA...
0310: 00 .
main, READ: TLSv1 Handshake, length = 785
*** ServerHello, TLSv1
RandomCookie: GMT: 1370200030 bytes = { 235, 19, 174, 10, 126, 94, 2, 53, 13, 203, 115, 119, 217, 226, 248, 251, 141, 255, 72, 117, 214, 8, 178, 182, 69, 65, 74, 111 }
Session ID: {82, 172, 152, 222, 202, 68, 136, 188, 163, 83, 250, 80, 9, 33, 99, 223, 176, 113, 255, 245, 119, 35, 136, 114, 29, 204, 36, 7, 135, 58, 46, 58}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
%% Initialized: [Session-2, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
** TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
[read] MD5 and SHA1 hashes: len = 81
0000: 02 00 00 4D 03 01 52 AC 98 DE EB 13 AE 0A 7E 5E ...M..R........^
0010: 02 35 0D CB 73 77 D9 E2 F8 FB 8D FF 48 75 D6 08 .5..sw......Hu..
0020: B2 B6 45 41 4A 6F 20 52 AC 98 DE CA 44 88 BC A3 ..EAJo R....D...
0030: 53 FA 50 09 21 63 DF B0 71 FF F5 77 23 88 72 1D S.P.!c..q..w#.r.
0040: CC 24 07 87 3A 2E 3A C0 14 00 00 05 FF 01 00 01 .$..:.:.........
0050: 00 .
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=Test Server
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 1024 bits
modulus: 134458256579882064220947016566567368624577136695715707428147091640608842041866510673093630777095713870085907129388401306119592396574283986066972630278941051105347425734712257624841831029349568388389668729188279474954100040403593251094972500714160890077269266835643135286378058696831905023827534267451981968737
public exponent: 3
Validity: [From: Sat Dec 14 18:42:57 CET 2013,
To: Sun Dec 15 18:42:57 CET 2013]
Issuer: CN=Test Server CA
SerialNumber: [ 1268]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 8C 75 36 2A DB 73 ED 97 97 E0 D1 1E 13 C7 3A 24 .u6*.s........:$
0010: F7 15 A7 72 76 C8 C1 21 88 A5 E5 0C C7 82 3B A3 ...rv..!......;.
0020: 6F 4F 8C 3A 0F 6E E7 0D 6C 55 A1 F7 87 91 C7 53 oO.:.n..lU.....S
0030: D9 82 0E A2 6B C1 27 D8 7D 5A DD 17 53 30 A1 01 ....k.'..Z..S0..
0040: 5B 45 D5 AA D8 81 B3 F8 E3 4E 87 56 22 A2 77 B1 [E.......N.V".w.
0050: 4A 92 67 CA 8F AD E0 0D 1D CD BC 92 FD 50 E7 11 J.g..........P..
0060: E5 9E 11 C1 E9 18 A8 07 47 96 08 F8 F3 CD 47 5F ........G.....G_
0070: EB 90 C7 BB C8 2C B1 5F 1E B1 19 E2 B8 99 A3 DB .....,._........
]
***
%% Invalidated: [Session-2, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
main, SEND TLSv1 ALERT: fatal, description = certificate_unknown
main, WRITE: TLSv1 Alert, length = 2
[Raw write]: length = 7
0000: 15 03 01 00 02 02 2E [Raw read]: length = 5
000 0 : 15 03 01 00 02.......
main, called closeSocket()
...main, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: auth type not accepted
..
[Raw read]: length = 2
0000: 02 2E ..
NioProcessor-3, READ: TLSv1 Alert, length = 2
NioProcessor-3, RECV TLSv1 ALERT: fatal, certificate_unknown
NioProcessor-3, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
NioProcessor-3, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
NioProcessor-3, called closeInbound()
NioProcessor-3, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
NioProcessor-3, called closeOutbound()
NioProcessor-3, closeOutboundInternal()
NioProcessor-3, SEND TLSv1 ALERT: warning, description = close_notify
NioProcessor-3, WRITE: TLSv1 Alert, length = 2
[2013-12-14 18:43:58,286 (pool-3-thread-1) org.apache.mina.filter.logging.LoggingFilter.log(LoggingFilter.java:130) WARN] EXCEPTION :
javax.net.ssl.SSLHandshakeException: SSL handshake failed.
at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:487)
...
Caused by: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1619)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1587)
at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1756)
at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1060)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:884)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:758)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at org.apache.mina.filter.ssl.SslHandler.unwrap(SslHandler.java:728)
at org.apache.mina.filter.ssl.SslHandler.unwrapHandshake(SslHandler.java:666)
at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:552)
at org.apache.mina.filter.ssl.SslHandler.messageReceived(SslHandler.java:351)
at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:468)
... 15 more
The problem was home-made.
Internally I used a TrustManager that rejected the authType "ECDHE_RSA", which is used by default with Java 7.
After adding "ECDHE_RSA" to the list of accepted authTypes the communication succeeded again.