Java ssl handshake failure (SSLPoke)

Submitted by 大憨熊 on 2019-12-31 02:44:13

Question


I have the cert already imported to the truststore, but still cannot connect successfully to this url. I have tried all the ways, can anyone see the output and help out what is going on?

java -Djavax.net.debug=all SSLPoke services.americanexpress.com 443

keyStore is :
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
trustStore is: /usr/java/jdk1.8.0_60/jre/lib/security/cacerts
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
......
adding as trusted cert:
  Subject: CN=services.americanexpress.com, OU=Web Hosting, O=American Express Company, L=Phoenix, ST=Arizona, C=US
  Issuer:  CN=VeriSign Class 3 International Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Algorithm: RSA; Serial number: 0x35f39c9233cdc61333b1d58614e578b2
  Valid from Wed Jun 26 00:00:00 UTC 2013 until Fri Sep 01 23:59:59 UTC 2017
....

trigger seeding of SecureRandom
done seeding SecureRandom
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1464494977 bytes = { 253, 148, 218, 101, 153, 160, 57, 246, 36, 129, 111, 62, 106, 226, 141, 140, 102, 47, 123, 244, 108, 192, 12, 140, 187, 249, 208, 106 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, 28_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Extension server_name, server_name: [type=host_name (0), value=services.americanexpress.com]
***
[write] MD5 and SHA1 hashes:  len = 232

00B0: 03 05 01 04 03 04 01 03   03 03 01 02 03 02 01 02  ................
00C0: 02 01 01 00 00 00 21 00   1F 00 00 1C 73 65 72 76  ......!.....serv
00D0: 69 63 65 73 2E 61 6D 65   72 69 63 61 6E 65 78 70  ices.americanexp
00E0: 72 65 73 73 2E 63 6F 6D                            ress.com
main, WRITE: TLSv1.2 Handshake, length = 232
[Raw write]: length = 237
[Raw read]: length = 5
0000: 16 03 03 00 51                                     ....Q
[Raw read]: length = 81
main, READ: TLSv1.2 Handshake, length = 81
*** ServerHello, TLSv1.2
RandomCookie:  GMT: -1880769735 bytes = { 183, 177, 142, 103, 218, 113, 101, 116, 37, 209, 183, 207, 237, 212, 26, 108, 43, 11, 6, 140, 14, 94, 37, 7, 63, 141, 227, 111 }
Session ID:  {73, 173, 34, 202, 231, 139, 138, 229, 65, 190, 154, 181, 37, 224, 112, 216, 249, 115, 160, 224, 93, 47, 243, 60, 173, 222, 30, 136, 152, 59, 101, 177}
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
%% Initialized:  [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA256]
** TLS_RSA_WITH_AES_128_CBC_SHA256
[read] MD5 and SHA1 hashes:  len = 81
[Raw read]: length = 5
0000: 16 03 03 10 8E                                     .....
[Raw read]: length = 4238

0310: 03 55 1D 0F 01 01 FF 04   04 03 02 05 A0 30 34 06  .U...........04.
0320: 03 55 1D 25 04 2D 30 2B   06 08 2B 06 01 05 05 07  .U.%.-0+..+.....


0450: 33 2D 61 69 61 2E 76 65   72 69 73 69 67 6E 2E 63  3-aia.verisign.c
0460: 6F 6D 2F 53 56 52 49 6E   74 6C 47 33 2E 63 65 72  om/SVRIntlG3.cer

main, READ: TLSv1.2 Handshake, length = 4238
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=services.americanexpress.com, OU=Web Hosting, O=American Express Company, L=Phoenix, ST=Arizona, C=US
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: 30229676159696194917135440681975777728948709702479449945212097279930911021756291412408692828743836980749310830284879195994844527811837445892117218165863252223136982773
  public exponent: 65537
  Validity: [From: Wed Jun 26 00:00:00 UTC 2013,
               To: Fri Sep 01 23:59:59 UTC 2017]
  Issuer: CN=VeriSign Class 3 International Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  SerialNumber: [    35f39c92 33cdc613 33b1d586 14e578b2]

Certificate Extensions: 8
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.verisign.com
,
   accessMethod: caIssuers
   accessLocation: URIName: http://SVRIntl-G3-aia.verisign.com/SVRIntlG3.cer
]
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: D7 9B 7C D8 22 A0 15 F7   DD AD 5F CE 29 9B 58 C3  ...."....._.).X.
0010: BC 46 00 B5                                        .F..
]
]

[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl]
]]

[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.113733.1.7.54]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1C 68 74 74 70 73 3A   2F 2F 77 77 77 2E 76 65  ..https://www.ve
0010: 72 69 73 69 67 6E 2E 63   6F 6D 2F 63 70 73        risign.com/cps

]]  ]
]

[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
  2.16.840.1.113730.4.1
  1.3.6.1.4.1.311.10.3.3
]

[7]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

[8]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: services.americanexpress.com
]

]
  Algorithm: [SHA1withRSA]
  Signature:

]
chain [1] = [
[
  Version: V3
  Subject: CN=VeriSign Class 3 International Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: 19420289231323388569960227299938029487260953720447310437792509462236918786001726710037662040142546936643383523519471181931421354900828966157275086870493679916429749573
  public exponent: 65537
  Validity: [From: Mon Feb 08 00:00:00 UTC 2010,
               To: Fri Feb 07 23:59:59 UTC 2020]
  Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  SerialNumber: [    641be820 ce020813 f32d4d2d 95d67e67]

Certificate Extensions: 10
[1]: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false
Extension unknown: DER encoded OCTET string =


[2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.verisign.com
]
]

[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 7F D3 65 A7 C2 DD EC BB   F0 30 09 F3 43 39 FA 02  ..e......0..C9..
0010: AF 33 31 33                                        .313
]
]

[4]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

[5]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.verisign.com/pca3-g5.crl]
]]

[6]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.113733.1.7.23.3]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1C 68 74 74 70 73 3A   2F 2F 77 77 77 2E 76 65  ..https://www.ve
0010: 72 69 73 69 67 6E 2E 63   6F 6D 2F 63 70 73        risign.com/cps

], PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.2
  qualifier: 0000: 30 1E 1A 1C 68 74 74 70   73 3A 2F 2F 77 77 77 2E  0...https://www.
0010: 76 65 72 69 73 69 67 6E   2E 63 6F 6D 2F 72 70 61  verisign.com/rpa

]]  ]
]

[7]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
  2.16.840.1.113730.4.1
  2.16.840.1.113733.1.8.1
]

[8]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

[9]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  CN=VeriSignMPKI-2-7
]

[10]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: D7 9B 7C D8 22 A0 15 F7   DD AD 5F CE 29 9B 58 C3  ...."....._.).X.
0010: BC 46 00 B5                                        .F..
]
]

]
  Algorithm: [SHA1withRSA]
  Signature:

]
chain [2] = [
[
  Version: V3
  Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: 22109471102059671383796642714942393631149792360856487955190294587841800871022486252652612163196360832938367608763978013876844944237576704237206902072810376180366897841695320192789360300658269712766474225042097261456189264772686300705672328691871464945536513831768596383894122798581104077921511815271705394605095257256954381366139644740877956016759414080557948459417160074173313082409422023967584984099389949088073277478112907997447136173994433125025479812790590943737038696590266840534396683337181295383175344548120097700121250428676269067140626584500149856482388498317203907790209503513966223821253856296202557465877
  public exponent: 65537
  Validity: [From: Wed Nov 08 00:00:00 UTC 2006,
               To: Wed Jul 16 23:59:59 UTC 2036]
  Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  SerialNumber: [    18dad19e 267de8bb 4a2158cd cc6b3b4a]

Certificate Extensions: 4
[1]: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false
Extension unknown: DER encoded OCTET string =


[2]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

[3]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

[4]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 7F D3 65 A7 C2 DD EC BB   F0 30 09 F3 43 39 FA 02  ..e......0..C9..
0010: AF 33 31 33                                        .313
]
]

]
  Algorithm: [SHA1withRSA]
  Signature:

]
***
Found trusted certificate:
[
[
  Version: V3
  Subject: CN=services.americanexpress.com, OU=Web Hosting, O=American Express Company, L=Phoenix, ST=Arizona, C=US
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: 30229676159696194917135440681975777728948709702479449945212097279930911021756291412408692828743836980749310830284879195994844527811837445892117218165863252223136982773
  public exponent: 65537
  Validity: [From: Wed Jun 26 00:00:00 UTC 2013,
               To: Fri Sep 01 23:59:59 UTC 2017]
  Issuer: CN=VeriSign Class 3 International Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  SerialNumber: [    35f39c92 33cdc613 33b1d586 14e578b2]

Certificate Extensions: 8
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.verisign.com
,
   accessMethod: caIssuers
   accessLocation: URIName: http://SVRIntl-G3-aia.verisign.com/SVRIntlG3.cer
]
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: D7 9B 7C D8 22 A0 15 F7   DD AD 5F CE 29 9B 58 C3  ...."....._.).X.
0010: BC 46 00 B5                                        .F..
]
]

[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl]
]]

[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.113733.1.7.54]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1C 68 74 74 70 73 3A   2F 2F 77 77 77 2E 76 65  ..https://www.ve
0010: 72 69 73 69 67 6E 2E 63   6F 6D 2F 63 70 73        risign.com/cps

]]  ]
]

[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
  2.16.840.1.113730.4.1
  1.3.6.1.4.1.311.10.3.3
]

[7]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

[8]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: services.americanexpress.com
]

]
  Algorithm: [SHA1withRSA]
  Signature:

]
[read] MD5 and SHA1 hashes:  len = 4238
[Raw read]: length = 5
0000: 16 03 03 00 2E                                     .....
[Raw read]: length = 46
0000: 0D 00 00 26 03 01 02 40   00 1E 06 01 06 02 06 03  ...&...@........
0010: 05 01 05 02 05 03 04 01   04 02 04 03 03 01 03 02  ................
0020: 03 03 02 01 02 02 02 03   00 00 0E 00 00 00        ..............
main, READ: TLSv1.2 Handshake, length = 46
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withRSA, Unknown (hash:0x6, signature:0x2), SHA512withECDSA, SHA384withRSA, Unknown (hash:0x5, signature:0x2), SHA384withECDSA, SHA256withRSA, Unknown (hash:0x4, signature:0x2), SHA256withECDSA, SHA224withRSA, Unknown (hash:0x3, signature:0x2), SHA224withECDSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA
Cert Authorities:
<Empty>
[read] MD5 and SHA1 hashes:  len = 42
0000: 0D 00 00 26 03 01 02 40   00 1E 06 01 06 02 06 03  ...&...@........
0010: 05 01 05 02 05 03 04 01   04 02 04 03 03 01 03 02  ................
0020: 03 03 02 01 02 02 02 03   00 00                    ..........
*** ServerHelloDone
[read] MD5 and SHA1 hashes:  len = 4
0000: 0E 00 00 00                                        ....
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1.2
[write] MD5 and SHA1 hashes:  len = 269
0000: 0B 00 00 03 00 00 00 10   00 01 02 01 00 BE 4B B7  ..............K.

0110: 8F 98                                              ..
SESSION KEYGEN:
PreMaster Secret:
0000: 03 03 8D 61 C0 F9 AC 11   FA 20 C4 6D 78 C0 2E 3F  ...a..... .mx..?
0010: 0A 60 C6 BA 36 C2 E6 28   AE B3 12 38 EC F0 52 E0  .`..6..(...8..R.
0020: 72 BC 31 16 34 B5 88 3C   4E BB C8 E2 50 EA 20 00  r.1.4..<N...P. .
CONNECTION KEYGEN:
Client Nonce:
0000: 57 4A 6C 81 FD 94 DA 65   99 A0 39 F6 24 81 6F 3E  WJl....e..9.$.o>
0010: 6A E2 8D 8C 66 2F 7B F4   6C C0 0C 8C BB F9 D0 6A  j...f/..l......j
Server Nonce:
0000: 90 E6 BB 39 B7 B1 8E 67   DA 71 65 74 25 D1 B7 CF  ...9...g.qet%...
0010: ED D4 1A 6C 2B 0B 06 8C   0E 5E 25 07 3F 8D E3 6F  ...l+....^%.?..o
Master Secret:
0000: 38 C7 96 B8 C2 C3 51 55   49 E2 95 C2 D8 23 28 E9  8.....QUI....#(.
0010: 9D 08 40 21 3F C6 85 E9   3E 3B B7 67 6A 76 26 7E  ..@!?...>;.gjv&.
0020: 97 E6 2C 80 FF 81 C4 33   D1 9F BF 42 35 2D AB 73  ..,....3...B5-.s
Client MAC write Secret:
0000: 67 7E 5C C7 7B 2B 5F 5E   38 42 A1 21 2C FE F1 F2  g.\..+_^8B.!,...
0010: DD E4 BB 46 7D 35 BF C6   29 40 A8 8B B5 D6 DE 11  ...F.5..)@......
Server MAC write Secret:
0000: AD 34 13 00 5F 27 F1 21   AA 3B 63 75 76 1A 1A 89  .4.._'.!.;cuv...
0010: 9A CD 4D E3 1B DB 7F 83   65 1A 6A EE 0A 6F 33 86  ..M.....e.j..o3.
Client write key:
0000: E7 8D 41 0F FB 52 FF BF   A1 D4 DB E8 BB 25 91 96  ..A..R.......%..
Server write key:
0000: 3E 09 29 43 AF F4 AB 98   2A C3 4D 53 B1 9D 33 5D  >.)C....*.MS..3]
... no IV derived for this protocol
main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
[Raw write]: length = 6
0000: 14 03 03 00 01 01                                  ......
*** Finished
verify_data:  { 82, 58, 56, 177, 242, 110, 34, 212, 168, 243, 94, 249 }
***
[write] MD5 and SHA1 hashes:  len = 16
0000: 14 00 00 0C 52 3A 38 B1   F2 6E 22 D4 A8 F3 5E F9  ....R:8..n"...^.
Padded plaintext before ENCRYPTION:  len = 80
main, WRITE: TLSv1.2 Handshake, length = 80
[Raw write]: length = 85
[Raw read]: length = 5
0000: 15 03 03 00 02                                     .....
[Raw read]: length = 2
0000: 02 28                                              .(
main, READ: TLSv1.2 Alert, length = 2
main, RECV TLSv1.2 ALERT:  fatal, handshake_failure
%% Invalidated:  [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA256]
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

Cannot figure out what this is; the application was working with Java 1.6, but SSLPoke cannot pass both scenarios.


Answer 1:


*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: ...
Cert Authorities:
<Empty>
...
Warning: no suitable certificate found - continuing without client authentication

Thus obviously the server wants you to send a client certificate back (CertificateRequest) which you don't have configured (no suitable certificate found). Probably you had the required certificate in the keystore with Java 1.6 but you don't have it in the keystore for Java 1.8.




Answer 2:


I have found out that the client also had verification. So it was 2-way authentication. The client also had to import my public cert into their keystore.
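The reading of the trace given in the answers can be automated. The following is an added example, not part of the original question or answers: it walks a `javax.net.debug` trace in the layout shown in the question and reports whether the server asked for a client certificate, whether the client sent one, and which alert came back. The two traces are constructed excerpts, and the keystore path and subject in the second one are hypothetical.

```python
import re

# Constructed excerpt: handshake milestones from the question's trace,
# with hex dumps and certificate bodies left out.
FAILING_TRACE = """\
keyStore is :
keyStore type is : jks
trustStore is: /usr/java/jdk1.8.0_60/jre/lib/security/cacerts
*** Certificate chain
Found trusted certificate:
*** CertificateRequest
Cert Authorities:
<Empty>
*** ServerHelloDone
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1.2
main, RECV TLSv1.2 ALERT:  fatal, handshake_failure
"""

# Constructed counter-example (hypothetical keystore path and subject):
# the client answers the CertificateRequest with a certificate.
PRESENTING_TRACE = """\
keyStore is : /opt/app/client.jks
*** CertificateRequest
*** ServerHelloDone
*** Certificate chain
chain [0] = [
  Subject: CN=example-client
"""

KEYSTORE_RE = re.compile(r"keyStore is\s*:\s*(.*)")
ALERT_RE = re.compile(r"RECV \S+ ALERT:\s*(\w+),\s*(\w+)")


def analyze_trace(text):
    """Pull the client-authentication milestones out of a JSSE debug trace."""
    facts = {"keystore": "", "server_cert_trusted": False,
             "client_cert_requested": False, "client_cert_sent": None,
             "alert": None}
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    hello_done = False
    for i, line in enumerate(lines):
        keystore = KEYSTORE_RE.match(line)
        if keystore:
            facts["keystore"] = keystore.group(1).strip()
        elif line.startswith("Found trusted certificate"):
            facts["server_cert_trusted"] = True
        elif line.startswith("*** CertificateRequest"):
            facts["client_cert_requested"] = True
        elif line.startswith("*** ServerHelloDone"):
            hello_done = True
        elif (line.startswith("*** Certificate chain") and hello_done
              and facts["client_cert_sent"] is None):
            # The first Certificate message after ServerHelloDone is the
            # client's reply; "<Empty>" means it carried no certificate.
            reply = lines[i + 1] if i + 1 < len(lines) else ""
            facts["client_cert_sent"] = reply != "<Empty>"
        else:
            alert = ALERT_RE.search(line)
            if alert:
                facts["alert"] = alert.groups()
    return facts


def diagnose(facts):
    """Turn the extracted facts into a one-line verdict."""
    if facts["alert"] is None:
        return "no alert received"
    level, description = facts["alert"]
    if (facts["client_cert_requested"] and not facts["client_cert_sent"]
            and description == "handshake_failure"):
        source = facts["keystore"] or "none configured"
        return "server requires a client certificate; keyStore: " + source
    return "alert %s/%s is not explained by client authentication" % (level, description)
```

With JSSE defaults, the client key is supplied by pointing the `javax.net.ssl.keyStore` and `javax.net.ssl.keyStorePassword` system properties at a keystore that holds the private key and certificate the server expects.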



Source: https://stackoverflow.com/questions/37506233/java-ssl-handshake-failure-sslpoke
