Posted to httpclient-users@hc.apache.org by Da...@ubs.com on 2008/09/11 17:20:17 UTC

Unable to perform client authentication: client certificates not accessed from system certificate store by commons-httpclient

Setup:

commons-httpclient-3.1
java 1.6.0_04
java WebStart 6
client OS: windows XP professional
browser/certificate store: IE/Windows XP

I am trying to use commons-httpclient-3.1 from a WebStart-deployed
application to communicate through a web proxy over SSL with an HTTPS
URL that requires client authentication with a certificate retrieved
from the system certificate store, not a standalone one in the local
file system (e.g. a PKCS#12 file).

I can get this to work using a straight HttpsURLConnection, which
successfully accesses the client certificate from IE's personal
certificate store. The handshake succeeds, the connection is made and
the request is served. Below is the successful code using
HttpsURLConnection:

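        // Required imports:
        import java.io.BufferedReader;
        import java.io.IOException;
        import java.io.InputStreamReader;
        import java.net.Proxy;
        import java.net.ProxySelector;
        import java.net.URI;
        import java.net.URISyntaxException;
        import java.net.URL;
        import java.util.Iterator;
        import java.util.List;
        import javax.net.ssl.HttpsURLConnection;

        private static String getURLConnectionCertTestResult() throws URISyntaxException, IOException {
            final String urlString = "https://an.internet.url.requiring.mandatory.client.authentication";
            final URI uri = new URI(urlString);
            // Pick the first HTTP proxy the system proxy selector offers for this URI, if any.
            final ProxySelector ps = ProxySelector.getDefault();
            final List<Proxy> pss = ps.select(uri);
            Proxy proxy = null;
            final Iterator<Proxy> pssi = pss.iterator();
            while (null == proxy && pssi.hasNext()) {
                final Proxy np = pssi.next();
                if (Proxy.Type.HTTP == np.type()) {
                    proxy = np;
                }
            }

            final URL url = new URL(urlString);
            final HttpsURLConnection conn;
            if (null != proxy) {
                conn = (HttpsURLConnection) url.openConnection(proxy);
            } else {
                conn = (HttpsURLConnection) url.openConnection();
            }
            // Read the whole response body; close the reader even if reading fails.
            final BufferedReader in = new BufferedReader(new InputStreamReader(conn.getInputStream()));
            final StringBuilder sb = new StringBuilder();
            try {
                String line;
                while (null != (line = in.readLine())) {
                    sb.append(line).append("\n");
                }
            } finally {
                in.close();
            }

            return sb.toString();
        }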

However, I am unable to establish a connection to the same URL via
httpclient; instead I receive a fatal handshake error:

Exception in thread "main" javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1657)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:932)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:746)
	at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)
	at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
	at java.io.BufferedInputStream.read(BufferedInputStream.java:237)
	at org.apache.commons.httpclient.HttpParser.readRawLine(HttpParser.java:78)
	at org.apache.commons.httpclient.HttpParser.readLine(HttpParser.java:106)
	at org.apache.commons.httpclient.HttpConnection.readLine(HttpConnection.java:1116)
	at org.apache.commons.httpclient.HttpMethodBase.readStatusLine(HttpMethodBase.java:1973)
	at org.apache.commons.httpclient.HttpMethodBase.readResponse(HttpMethodBase.java:1735)
	at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1098)
	at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
	at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
	at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
	at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
	at ...

Sample code:

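        // Required imports:
        import java.io.BufferedReader;
        import java.io.IOException;
        import java.io.InputStreamReader;
        import java.net.InetSocketAddress;
        import java.net.Proxy;
        import java.net.ProxySelector;
        import java.net.SocketAddress;
        import java.net.URI;
        import java.net.URISyntaxException;
        import java.util.Iterator;
        import java.util.List;
        import org.apache.commons.httpclient.HttpClient;
        import org.apache.commons.httpclient.HttpMethod;
        import org.apache.commons.httpclient.methods.GetMethod;

        private static String getHTTPClientCertTestResult() throws URISyntaxException, IOException {
            final String urlString = "https://an.internet.url.requiring.mandatory.client.authentication";
            final URI uri = new URI(urlString);
            // Pick the first HTTP proxy the system proxy selector offers for this URI, if any.
            final ProxySelector ps = ProxySelector.getDefault();
            final List<Proxy> pss = ps.select(uri);
            Proxy proxy = null;
            final Iterator<Proxy> pssi = pss.iterator();
            while (null == proxy && pssi.hasNext()) {
                final Proxy np = pssi.next();
                if (Proxy.Type.HTTP == np.type()) {
                    proxy = np;
                }
            }
            final HttpClient client = new HttpClient();
            client.getHttpConnectionManager().getParams().setConnectionTimeout(10000);
            if (null != proxy) {
                final SocketAddress sa = proxy.address();
                if (sa instanceof InetSocketAddress) {
                    final InetSocketAddress isa = (InetSocketAddress) sa;
                    client.getHostConfiguration().setProxy(isa.getHostName(), isa.getPort());
                }
            }

            final HttpMethod get = new GetMethod(urlString);
            get.setFollowRedirects(true);
            try {
                client.executeMethod(get);
                final BufferedReader br = new BufferedReader(new InputStreamReader(get.getResponseBodyAsStream()));
                final StringBuilder sb = new StringBuilder();
                String nextLine;
                while (null != (nextLine = br.readLine())) {
                    sb.append(nextLine).append('\n');
                }
                return sb.toString();
            } finally {
                // Return the connection to the connection manager.
                get.releaseConnection();
            }
        }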

Looking at the SSL and handshake debugging output, it is clear that
httpclient is not accessing the client certificate out of the system
certificate store, and this is why the handshake fails: 

###################### START TRACE ######################

11 09 08 15:56:18.948 [                main] INFO  [ HttpMethodBase]  Response content length is not known
keyStore is : 
keyStore type is : jks
keyStore provider is : 
init keystore
init keymanager of type SunX509
trustStore is: C:\dev\java\jdk1.6.0_04\jre\lib\security\cacerts
trustStore type is : jks
trustStore provider is : 
init truststore
trigger seeding of SecureRandom
done seeding SecureRandom
main, setSoTimeout(0) called
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1204367507 bytes = { 194, 47, 62, 174, 192, 133,
181, 38, 6, 13, 97, 91, 94, 12, 32, 163, 122, 70, 23, 15, 247, 197, 150,
67, 69, 11, 193, 144 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA,
SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5,
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods:  { 0 }
***
main, WRITE: TLSv1 Handshake, length = 73
main, WRITE: SSLv2 client hello message, length = 98
main, READ: TLSv1 Handshake, length = 74
*** ServerHello, TLSv1
RandomCookie:  GMT: 1204367507 bytes = { 200, 223, 34, 134, 222, 202,
93, 90, 104, 108, 231, 129, 10, 213, 231, 53, 253, 206, 252, 245, 3, 41,
24, 154, 83, 69, 222, 86 }
Session ID:  {10, 144, 125, 86, 111, 163, 177, 197, 68, 77, 58, 188,
254, 109, 141, 240, 200, 154, 242, 190, 174, 12, 73, 37, 112, 140, 59,
202, 160, 10, 166, 176}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
***
%% Created:  [Session-1, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
main, READ: TLSv1 Handshake, length = 1994
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=clientlogin.ibb.ubstest.com, OU=UBSIB, O=UBS AG, L=London,
ST=London, C=GB
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 1024 bits
  modulus:
129447541890145071991101022832002158109224708439675452036468410592539104
637620478652526718037227906229222675361363850333837737575329466356863962
392654796921872195279584926011841169198219527620607459149008274790934011
223281850698270175234503465747086981862399311660626647499698802797322295
858505156739339909657
  public exponent: 65537
  Validity: [From: Tue Apr 01 01:00:00 BST 2008,
               To: Thu Apr 02 00:59:59 BST 2009]
  Issuer: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97
VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign,
Inc.", O=VeriSign Trust Network
  SerialNumber: [    7f3da1e2 8d621fba 18475783 c7a092d8]

Certificate Extensions: 7
[1]: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 62 30 60 A1 5E A0 5C   30 5A 30 58 30 56 16 09
.b0`.^.\0Z0X0V..
0010: 69 6D 61 67 65 2F 67 69   66 30 21 30 1F 30 07 06
image/gif0!0.0..
0020: 05 2B 0E 03 02 1A 04 14   4B 6B B9 28 96 06 0C BB
.+......Kk.(....
0030: D0 52 38 9B 29 AC 4B 07   8B 21 05 18 30 26 16 24
.R8.).K..!..0&.$
0040: 68 74 74 70 3A 2F 2F 6C   6F 67 6F 2E 76 65 72 69
http://logo.veri
0050: 73 69 67 6E 2E 63 6F 6D   2F 76 73 6C 6F 67 6F 31
sign.com/vslogo1
0060: 2E 67 69 66                                        .gif


[2]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.verisign.com/Class3InternationalServer.crl]
]]

[3]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  2.16.840.1.113730.4.1
  serverAuth
  clientAuth
]

[4]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.113733.1.7.23.3]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1C 68 74 74 70 73 3A   2F 2F 77 77 77 2E 76 65
..https://www.ve
0010: 72 69 73 69 67 6E 2E 63   6F 6D 2F 72 70 61        risign.com/rpa

]]  ]
]

[5]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

[6]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [accessMethod: 1.3.6.1.5.5.7.48.1
   accessLocation: URIName: http://ocsp.verisign.com]
]

[7]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

]
  Algorithm: [SHA1withRSA]
]
chain [1] = [
[
  Version: V3
  Subject: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97
VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign,
Inc.", O=VeriSign Trust Network
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 1024 bits
  modulus:
152038337595048255423847391294280316829513160608880590645748454678611296
410614722508245144022405726502805452059694145417254341557335953427821740
975082044924575579268245924346494324451976855998250066581618028401376050
836623416546828558818294849045727347102003201845243865318616842453964918
804144784127904873327
  public exponent: 65537
  Validity: [From: Thu Apr 17 01:00:00 BST 1997,
               To: Tue Oct 25 00:59:59 BST 2011]
  Issuer: OU=Class 3 Public Primary Certification Authority,
O="VeriSign, Inc.", C=US
  SerialNumber: [    254b8a85 3842cce3 58f8c5dd ae226ea4]

Certificate Extensions: 6
[1]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
   SSL CA
   S/MIME CA
]

[2]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.verisign.com/pca3.crl]
]]

[3]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_CertSign
  Crl_Sign
]

[4]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
  2.16.840.1.113730.4.1
  2.16.840.1.113733.1.8.1
]

[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.113733.1.7.1.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1C 68 74 74 70 73 3A   2F 2F 77 77 77 2E 76 65
..https://www.ve
0010: 72 69 73 69 67 6E 2E 63   6F 6D 2F 43 50 53        risign.com/CPS

]]  ]
]

[6]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:0
]

]
  Algorithm: [SHA1withRSA]
]
***
Found trusted certificate:
[
[
  Version: V1
  Subject: OU=Class 3 Public Primary Certification Authority,
O="VeriSign, Inc.", C=US
  Signature Algorithm: MD2withRSA, OID = 1.2.840.113549.1.1.2

  Key:  Sun RSA public key, 1024 bits
  modulus:
141400322044550516865173371773024584879899609644618927642375342633349057
300960400037232334924701046781298765077061770383151646234219179990772047
200045837817821582483532549791304588064624083040538534190301571832597441
704620988055765289140138246856927863523873759538652326729606982847841094
220861282830980236711
  public exponent: 65537
  Validity: [From: Mon Jan 29 00:00:00 GMT 1996,
               To: Wed Aug 02 00:59:59 BST 2028]
  Issuer: OU=Class 3 Public Primary Certification Authority,
O="VeriSign, Inc.", C=US
  SerialNumber: [    70bae41d 10d92934 b638ca7b 03ccbabf]

]
  Algorithm: [MD2withRSA]
]
main, READ: TLSv1 Handshake, length = 4
*** ServerHelloDone
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
main, WRITE: TLSv1 Handshake, length = 134
SESSION KEYGEN:
... no IV used for this cipher
main, WRITE: TLSv1 Change Cipher Spec, length = 1
*** Finished
verify_data:  { 83, 24, 211, 131, 24, 49, 1, 20, 66, 105, 111, 52 }
***
main, WRITE: TLSv1 Handshake, length = 32
main, READ: TLSv1 Change Cipher Spec, length = 1
main, READ: TLSv1 Handshake, length = 32
*** Finished
verify_data:  { 23, 242, 151, 202, 207, 47, 19, 137, 71, 238, 3, 53 }
***
%% Cached client session: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
main, WRITE: TLSv1 Application Data, length = 208
main, READ: TLSv1 Handshake, length = 20
*** HelloRequest (empty)
%% Client cached [Session-1, SSL_RSA_WITH_RC4_128_MD5]
%% Try resuming [Session-1, SSL_RSA_WITH_RC4_128_MD5] from port 2187
*** ClientHello, TLSv1
RandomCookie:  GMT: 1204367508 bytes = { 123, 215, 110, 26, 233, 90,
151, 142, 150, 46, 45, 150, 251, 142, 55, 149, 141, 75, 92, 219, 135,
130, 192, 253, 12, 23, 245, 215 }
Session ID:  {10, 144, 125, 86, 111, 163, 177, 197, 68, 77, 58, 188,
254, 109, 141, 240, 200, 154, 242, 190, 174, 12, 73, 37, 112, 140, 59,
202, 160, 10, 166, 176}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA,
SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5,
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods:  { 0 }
***
main, WRITE: TLSv1 Handshake, length = 121
main, READ: TLSv1 Handshake, length = 90
*** ServerHello, TLSv1
RandomCookie:  GMT: 1204367508 bytes = { 242, 228, 202, 127, 93, 171,
183, 117, 77, 96, 121, 125, 21, 15, 182, 103, 171, 5, 55, 6, 219, 130,
36, 64, 126, 189, 104, 228 }
Session ID:  {20, 85, 43, 79, 160, 43, 14, 213, 190, 145, 167, 197, 159,
117, 40, 204, 145, 250, 143, 55, 75, 251, 121, 120, 111, 163, 74, 108,
109, 192, 48, 182}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
***
%% Created:  [Session-2, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
main, READ: TLSv1 Handshake, length = 2010
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=clientlogin.ibb.ubstest.com, OU=UBSIB, O=UBS AG, L=London,
ST=London, C=GB
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 1024 bits
  modulus:
129447541890145071991101022832002158109224708439675452036468410592539104
637620478652526718037227906229222675361363850333837737575329466356863962
392654796921872195279584926011841169198219527620607459149008274790934011
223281850698270175234503465747086981862399311660626647499698802797322295
858505156739339909657
  public exponent: 65537
  Validity: [From: Tue Apr 01 01:00:00 BST 2008,
               To: Thu Apr 02 00:59:59 BST 2009]
  Issuer: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97
VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign,
Inc.", O=VeriSign Trust Network
  SerialNumber: [    7f3da1e2 8d621fba 18475783 c7a092d8]

Certificate Extensions: 7
[1]: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false
Extension unknown: DER encoded OCTET string =


[2]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.verisign.com/Class3InternationalServer.crl]
]]

[3]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  2.16.840.1.113730.4.1
  serverAuth
  clientAuth
]

[4]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.113733.1.7.23.3]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1C 68 74 74 70 73 3A   2F 2F 77 77 77 2E 76 65
..https://www.ve
0010: 72 69 73 69 67 6E 2E 63   6F 6D 2F 72 70 61        risign.com/rpa

]]  ]
]

[5]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

[6]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [accessMethod: 1.3.6.1.5.5.7.48.1
   accessLocation: URIName: http://ocsp.verisign.com]
]

[7]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

]
  Algorithm: [SHA1withRSA]
  Signature:

]
chain [1] = [
[
  Version: V3
  Subject: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97
VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign,
Inc.", O=VeriSign Trust Network
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 1024 bits
  modulus:
152038337595048255423847391294280316829513160608880590645748454678611296
410614722508245144022405726502805452059694145417254341557335953427821740
975082044924575579268245924346494324451976855998250066581618028401376050
836623416546828558818294849045727347102003201845243865318616842453964918
804144784127904873327
  public exponent: 65537
  Validity: [From: Thu Apr 17 01:00:00 BST 1997,
               To: Tue Oct 25 00:59:59 BST 2011]
  Issuer: OU=Class 3 Public Primary Certification Authority,
O="VeriSign, Inc.", C=US
  SerialNumber: [    254b8a85 3842cce3 58f8c5dd ae226ea4]

Certificate Extensions: 6
[1]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
   SSL CA
   S/MIME CA
]

[2]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.verisign.com/pca3.crl]
]]

[3]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_CertSign
  Crl_Sign
]

[4]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
  2.16.840.1.113730.4.1
  2.16.840.1.113733.1.8.1
]

[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.113733.1.7.1.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1C 68 74 74 70 73 3A   2F 2F 77 77 77 2E 76 65
..https://www.ve
0010: 72 69 73 69 67 6E 2E 63   6F 6D 2F 43 50 53        risign.com/CPS

]]  ]
]

[6]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:0
]

]
  Algorithm: [SHA1withRSA]
  Signature:

]
***
Found trusted certificate:
[
[
  Version: V1
  Subject: OU=Class 3 Public Primary Certification Authority,
O="VeriSign, Inc.", C=US
  Signature Algorithm: MD2withRSA, OID = 1.2.840.113549.1.1.2

  Key:  Sun RSA public key, 1024 bits
  modulus:
141400322044550516865173371773024584879899609644618927642375342633349057
300960400037232334924701046781298765077061770383151646234219179990772047
200045837817821582483532549791304588064624083040538534190301571832597441
704620988055765289140138246856927863523873759538652326729606982847841094
220861282830980236711
  public exponent: 65537
  Validity: [From: Mon Jan 29 00:00:00 GMT 1996,
               To: Wed Aug 02 00:59:59 BST 2028]
  Issuer: OU=Class 3 Public Primary Certification Authority,
O="VeriSign, Inc.", C=US
  SerialNumber: [    70bae41d 10d92934 b638ca7b 03ccbabf]

]
  Algorithm: [MD2withRSA]
  Signature:

]
main, READ: TLSv1 Handshake, length = 446
*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:
<CN=UBS Investment Bank External Client CA MANUAT, OU=CH 998, O=UBS,
C=CH>
<CN=clientlogin.ibb.ubstest.com, OU=UBSIB, O=UBS AG, L=London,
ST=London, C=GB>
<OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,
OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.",
O=VeriSign Trust Network>
*** ServerHelloDone
*** Certificate chain
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
main, WRITE: TLSv1 Handshake, length = 157
SESSION KEYGEN:
... no IV used for this cipher
main, WRITE: TLSv1 Change Cipher Spec, length = 17
*** Finished
verify_data:  { 44, 49, 175, 236, 21, 127, 88, 19, 136, 220, 0, 77 }
***
main, WRITE: TLSv1 Handshake, length = 32
main, READ: TLSv1 Alert, length = 18
main, RECV TLSv1 ALERT:  fatal, handshake_failure
%% Invalidated:  [Session-1, SSL_RSA_WITH_RC4_128_MD5]
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received
fatal alert: handshake_failure
main, called close()
main, called closeInternal(true)
main, called close()
main, called closeInternal(true)
main, called close()
main, called closeInternal(true)

###################### END TRACE ######################

I say "it's clear" because when I compare this debug output with that
from using an HttpsURLConnection, I see the client certificate being
accessed:

###################### START TRACE ######################

...
*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:
<CN=UBS Investment Bank External Client CA MANUAT, OU=CH 998, O=UBS,
C=CH>
<CN=clientlogin.ibb.ubstest.com, OU=UBSIB, O=UBS AG, L=London,
ST=London, C=GB>
<OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,
OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.",
O=VeriSign Trust Network>
*** ServerHelloDone
*** Certificate chain
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
main, WRITE: TLSv1 Handshake, length = 157
SESSION KEYGEN:
... no IV used for this cipher
main, WRITE: TLSv1 Change Cipher Spec, length = 17
*** Finished
verify_data:  { 203, 74, 205, 61, 80, 111, 247, 82, 197, 135, 13, 247 }
***
main, WRITE: TLSv1 Handshake, length = 32
main, READ: TLSv1 Alert, length = 18
main, RECV TLSv1 ALERT:  fatal, handshake_failure
%% Invalidated:  [Session-1, SSL_RSA_WITH_RC4_128_MD5]
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received
fatal alert: handshake_failure
main, called close()
main, called closeInternal(true)
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1204368470 bytes = { 242, 162, 42, 240, 240, 151,
191, 232, 130, 131, 103, 126, 152, 230, 13, 133, 239, 38, 138, 147, 248,
230, 54, 47, 194, 221, 64, 161 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA,
SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5,
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods:  { 0 }
***
main, WRITE: TLSv1 Handshake, length = 73
main, WRITE: SSLv2 client hello message, length = 98
main, READ: TLSv1 Handshake, length = 74
*** ServerHello, TLSv1
RandomCookie:  GMT: 1204368470 bytes = { 88, 97, 73, 197, 26, 138, 164,
214, 82, 34, 8, 2, 71, 208, 153, 137, 119, 3, 76, 93, 215, 245, 176, 26,
7, 21, 127, 225 }
Session ID:  {229, 91, 138, 60, 67, 6, 25, 127, 52, 21, 50, 155, 113,
176, 7, 63, 200, 188, 88, 93, 185, 52, 122, 232, 184, 5, 92, 128, 141,
215, 47, 160}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
***
%% Created:  [Session-3, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
main, READ: TLSv1 Handshake, length = 1994
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=clientlogin.ibb.ubstest.com, OU=UBSIB, O=UBS AG, L=London,
ST=London, C=GB
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 1024 bits
  modulus:
129447541890145071991101022832002158109224708439675452036468410592539104
637620478652526718037227906229222675361363850333837737575329466356863962
392654796921872195279584926011841169198219527620607459149008274790934011
223281850698270175234503465747086981862399311660626647499698802797322295
858505156739339909657
  public exponent: 65537
  Validity: [From: Tue Apr 01 01:00:00 BST 2008,
               To: Thu Apr 02 00:59:59 BST 2009]
  Issuer: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97
VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign,
Inc.", O=VeriSign Trust Network
  SerialNumber: [    7f3da1e2 8d621fba 18475783 c7a092d8]

Certificate Extensions: 7
[1]: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false
Extension unknown: DER encoded OCTET string =


[2]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.verisign.com/Class3InternationalServer.crl]
]]

[3]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  2.16.840.1.113730.4.1
  serverAuth
  clientAuth
]

[4]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.113733.1.7.23.3]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1C 68 74 74 70 73 3A   2F 2F 77 77 77 2E 76 65
..https://www.ve
0010: 72 69 73 69 67 6E 2E 63   6F 6D 2F 72 70 61        risign.com/rpa

]]  ]
]

[5]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

[6]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [accessMethod: 1.3.6.1.5.5.7.48.1
   accessLocation: URIName: http://ocsp.verisign.com]
]

[7]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

]
  Algorithm: [SHA1withRSA]
  Signature:

]
chain [1] = [
[
  Version: V3
  Subject: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97
VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign,
Inc.", O=VeriSign Trust Network
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 1024 bits
  modulus:
152038337595048255423847391294280316829513160608880590645748454678611296
410614722508245144022405726502805452059694145417254341557335953427821740
975082044924575579268245924346494324451976855998250066581618028401376050
836623416546828558818294849045727347102003201845243865318616842453964918
804144784127904873327
  public exponent: 65537
  Validity: [From: Thu Apr 17 01:00:00 BST 1997,
               To: Tue Oct 25 00:59:59 BST 2011]
  Issuer: OU=Class 3 Public Primary Certification Authority,
O="VeriSign, Inc.", C=US
  SerialNumber: [    254b8a85 3842cce3 58f8c5dd ae226ea4]

Certificate Extensions: 6
[1]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
   SSL CA
   S/MIME CA
]

[2]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.verisign.com/pca3.crl]
]]

[3]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_CertSign
  Crl_Sign
]

[4]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
  2.16.840.1.113730.4.1
  2.16.840.1.113733.1.8.1
]

[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.113733.1.7.1.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1C 68 74 74 70 73 3A   2F 2F 77 77 77 2E 76 65
..https://www.ve
0010: 72 69 73 69 67 6E 2E 63   6F 6D 2F 43 50 53        risign.com/CPS

]]  ]
]

[6]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:0
]

]
  Algorithm: [SHA1withRSA]
  Signature:

]
***
Found trusted certificate:
[
[
  Version: V1
  Subject: OU=Class 3 Public Primary Certification Authority,
O="VeriSign, Inc.", C=US
  Signature Algorithm: MD2withRSA, OID = 1.2.840.113549.1.1.2

  Key:  Sun RSA public key, 1024 bits
  modulus:
141400322044550516865173371773024584879899609644618927642375342633349057
300960400037232334924701046781298765077061770383151646234219179990772047
200045837817821582483532549791304588064624083040538534190301571832597441
704620988055765289140138246856927863523873759538652326729606982847841094
220861282830980236711
  public exponent: 65537
  Validity: [From: Mon Jan 29 00:00:00 GMT 1996,
               To: Wed Aug 02 00:59:59 BST 2028]
  Issuer: OU=Class 3 Public Primary Certification Authority,
O="VeriSign, Inc.", C=US
  SerialNumber: [    70bae41d 10d92934 b638ca7b 03ccbabf]

]
  Algorithm: [MD2withRSA]
  Signature:

]
main, READ: TLSv1 Handshake, length = 4
*** ServerHelloDone
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
main, WRITE: TLSv1 Handshake, length = 134
SESSION KEYGEN:
... no IV used for this cipher
main, WRITE: TLSv1 Change Cipher Spec, length = 1
*** Finished
verify_data:  { 198, 118, 20, 25, 4, 49, 8, 153, 177, 95, 97, 83 }
***
main, WRITE: TLSv1 Handshake, length = 32
main, READ: TLSv1 Change Cipher Spec, length = 1
main, READ: TLSv1 Handshake, length = 32
*** Finished
verify_data:  { 213, 190, 225, 76, 127, 110, 180, 89, 1, 115, 48, 64 }
***
%% Cached client session: [Session-3, SSL_RSA_WITH_RC4_128_MD5]
main, WRITE: TLSv1 Application Data, length = 142
main, READ: TLSv1 Application Data, length = 283
main, READ: TLSv1 Alert, length = 18
main, RECV TLSv1 ALERT:  warning, close_notify
main, called closeInternal(false)
main, SEND TLSv1 ALERT:  warning, description = close_notify
main, WRITE: TLSv1 Alert, length = 18
main, called close()
main, called closeInternal(true) 

###################### END TRACE ######################

I have a suspicion the solution may involve a custom
SecureProtocolSocketFactory, but I have been unable to solve the problem
myself.

Can anyone give me any pointers?

Thanks,

Damian

Visit our website at http://www.ubs.com

This message contains confidential information and is intended only 
for the individual named.  If you are not the named addressee you 
should not disseminate, distribute or copy this e-mail.  Please 
notify the sender immediately by e-mail if you have received this 
e-mail by mistake and delete this e-mail from your system.
	
E-mails are not encrypted and cannot be guaranteed to be secure or 
error-free as information could be intercepted, corrupted, lost, 
destroyed, arrive late or incomplete, or contain viruses.  The sender 
therefore does not accept liability for any errors or omissions in the 
contents of this message which arise as a result of e-mail transmission.  
If verification is required please request a hard-copy version.  This 
message is provided for informational purposes and should not be 
construed as a solicitation or offer to buy or sell any securities 
or related financial instruments.

UBS Limited is a company registered in England & Wales under company
number 2035362, whose registered office is at 1 Finsbury Avenue,
London, EC2M 2PP, United Kingdom.

UBS AG (London Branch) is registered as a branch of a foreign company
under number BR004507, whose registered office is at
1 Finsbury Avenue, London, EC2M 2PP, United Kingdom.

UBS Clearing and Execution Services Limited is a company registered
in England & Wales under company number 03123037, whose registered
office is at 1 Finsbury Avenue, London, EC2M 2PP, United Kingdom.

---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
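
One way to build the custom SecureProtocolSocketFactory suspected above is shown here as an added example; it is not code from this thread or from the HttpClient project, and the thread does not confirm it as the fix. It assumes Java 6 on Windows with the SunMSCAPI provider, whose "Windows-MY" key store exposes the current user's personal certificate store; the class name WindowsStoreSocketFactory is hypothetical.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;

import org.apache.commons.httpclient.params.HttpConnectionParams;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;

/**
 * Added example (hypothetical class name): an HttpClient 3.x socket factory
 * whose key material comes from the Windows personal certificate store.
 */
public class WindowsStoreSocketFactory implements SecureProtocolSocketFactory {

    private final SSLSocketFactory delegate;

    public WindowsStoreSocketFactory() throws GeneralSecurityException, IOException {
        // Assumption: the SunMSCAPI provider is present. "Windows-MY" is the
        // current user's personal store; it needs no stream and no password.
        KeyStore keyStore = KeyStore.getInstance("Windows-MY");
        keyStore.load(null, null);

        // The key manager answers the server's CertificateRequest with a
        // certificate whose issuer is in the advertised "Cert Authorities".
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, null);

        // Null trust managers and null SecureRandom select the JRE defaults,
        // so server certificate validation stays enabled.
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(kmf.getKeyManagers(), null, null);
        this.delegate = context.getSocketFactory();
    }

    public Socket createSocket(String host, int port) throws IOException {
        return delegate.createSocket(host, port);
    }

    public Socket createSocket(String host, int port,
                               InetAddress localAddress, int localPort)
            throws IOException {
        return delegate.createSocket(host, port, localAddress, localPort);
    }

    public Socket createSocket(String host, int port,
                               InetAddress localAddress, int localPort,
                               HttpConnectionParams params) throws IOException {
        if (params == null) {
            throw new IllegalArgumentException("Parameters may not be null");
        }
        int timeout = params.getConnectionTimeout();
        if (timeout == 0) {
            return createSocket(host, port, localAddress, localPort);
        }
        // Honour the configured connect timeout with an unconnected socket.
        Socket socket = delegate.createSocket();
        socket.bind(new InetSocketAddress(localAddress, localPort));
        socket.connect(new InetSocketAddress(host, port), timeout);
        return socket;
    }

    // Called after a proxy CONNECT: layers TLS over the existing tunnel socket.
    public Socket createSocket(Socket socket, String host, int port,
                               boolean autoClose) throws IOException {
        return delegate.createSocket(socket, host, port, autoClose);
    }

    /** Registers the factory for every "https" URL used by HttpClient 3.x. */
    public static void register() throws GeneralSecurityException, IOException {
        ProtocolSocketFactory factory = new WindowsStoreSocketFactory();
        Protocol.registerProtocol("https", new Protocol("https", factory, 443));
    }
}
```

Call WindowsStoreSocketFactory.register() once before creating the HttpClient; with -Djavax.net.debug=ssl the "*** Certificate chain" block that follows CertificateRequest should then list the client certificate instead of being empty.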


RE: Unable to perform client authentication: client certificates not accessed from system certificate store by commons-httpclient

Posted by Da...@ubs.com.
I spent a fair amount of time looking at the SSL guide, and posted this
question because I didn't find anything helpful in them.

Never mind. I've abandoned httpclient for making mutually authenticated
connections and fallen back to using HttpsURLConnection.

Damian 

-----Original Message-----
From: Oleg Kalnichevski [mailto:olegk@apache.org] 
Sent: 15 September 2008 12:53
To: HttpClient User Discussion
Subject: Re: Unable to perform client authentication: client
certificates not accessed from system certificate store by
commons-httpclient

On Thu, 2008-09-11 at 16:20 +0100, Damian.Ryan@ubs.com wrote:
> Setup:
> 
> commons-httpclient-3.1
> java 1.6.0_04
> java WebStart 6
> client OS: windows XP professional
> browser/certificate store: IE/Windows XP
> 
> I am trying to use commons-httpclient-3.1 from a WebStart-deployed
> application to communicate through a web proxy over SSL with an HTTPS
> URL that requires client authentication with a certificate retrieved
> from the system certificate store, not a standalone one in the local
> file system (e.g. a PKCS#12 file).
> 
> I can get this to work using a straight HttpsURLConnection, which
> successfully accesses the client certificate from IE's personal
> certificate store. The handshake succeeds, the connection is made and
> the request is served.

Damian

HttpClient is unable to access trusted certificates stored in the
personal certificate store. So, you have to manually configure the SSL
context and populate it with those certificates your application should
treat as trusted. For details please refer to "Customizing SSL in
HttpClient" and "Examples of SSL customization in HttpClient" sections
of the HttpClient SSL guide:

http://hc.apache.org/httpclient-3.x/sslguide.html

Hope this helps

Oleg  



> I have a suspicion the solution may involve a custom
> SecureProtocolSocketFactory, but I have been unable to solve the problem
> myself.
> 
> Can anyone give me any pointers?
> 
> Thanks,
> 
> Damian





Re: Unable to perform client authentication: client certificates not accessed from system certificate store by commons-httpclient

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Thu, 2008-09-11 at 16:20 +0100, Damian.Ryan@ubs.com wrote:
> Setup:
> 
> commons-httpclient-3.1
> java 1.6.0_04
> java WebStart 6
> client OS: windows XP professional
> browser/certificate store: IE/Windows XP
> 
> I am trying to use commons-httpclient-3.1 from a WebStart-deployed
> application to communicate through a web proxy over SSL with an HTTPS
> URL that requires client authentication with a certificate retrieved
> from the system certificate store, not a standalone one in the local
> file system (e.g. a PKCS#12 file).
> 
> I can get this to work using a straight HttpsURLConnection, which
> successfully accesses the client certificate from IE's personal
> certificate store. The handshake succeeds, the connection is made and
> the request is served.

Damian

HttpClient is unable to access trusted certificates stored in the
personal certificate store. So, you have to manually configure the SSL
context and populate it with those certificates your application should
treat as trusted. For details please refer to "Customizing SSL in
HttpClient" and "Examples of SSL customization in HttpClient" sections
of the HttpClient SSL guide:

http://hc.apache.org/httpclient-3.x/sslguide.html

Hope this helps

Oleg  



> I have a suspicion the solution may involve a custom
> SecureProtocolSocketFactory, but I have been unable to solve the problem
> myself.
> 
> Can anyone give me any pointers?
> 
> Thanks,
> 
> Damian


